Hello,

I understand that you have an AWS managed AD and about six weeks / two months ago, you have changed passwords which started expiring after two weeks, even though your Domain User policy is 90 days.

I want to inform you regrading the password policies as below.

➜ AWS Managed Microsoft AD enables you to define and assign different fine-grained password and account lockout policies (also referred to as fine-grained password policies) for groups of users you manage in your AWS Managed Microsoft AD domain. When you create an AWS Managed Microsoft AD directory, a default domain policy is created and applied to the directory. This policy includes the following settings:

Enforce password history 24 passwords remembered Maximum password age 42 days * Minimum password age 1 day Minimum password length 7 characters

• Note: The 42 day maximum password age includes the admin password.

Please refer below document.

[+] Manage password policies for AWS Managed Microsoft AD https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_password_policies.html

➜ AWS Managed Microsoft AD includes five fine-grained policies with a non-editable precedence value. The policies have a number of properties you can configure to enforce the strength of passwords, and account lock-out actions in the event of login failures. You can assign the policies to zero or more Active Directory groups. If an end-user is a member of multiple groups and receives more than one password policy, Active Directory enforces the policy with the lowest precedence value.

[+] Supported policy settings - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/supportedpolicysettings.html

To verify the password policy applied to the user, Please follow the below action plan.

Action Plan:

• The Fine Grained User Policies is for a specific groups or users, if the AD user doesn’t be applied any Fine Grained User Policies, the AD user will have Domain-Level Password Policy, where you can use Get-ADUserResultantPasswordPolicy to get the final password policy result from the below command, if AD user doesn’t be applied any Fine Grained User Policies, this powershell command result is empty. Please refer document[1,2] from references.

Get-ADUserResultantPasswordPolicy -Identity 'FGPP-Test-User'

• For Domain-Level Password Policy, you can use net user command to query the policy result. Please note that the Fine Grained User Policies has high priority than Domain-Level Password Policy, if an AD user has applied Fine Grained User Policies, this AD user will has two password results from Get-ADUserResultantPasswordPolicy and net user command, but this AD user will follow Fine Grained User Policies as final password policy. Please refer document[3] from references.

net user /domain username

• Also, Please do verify that if the affected users are in multiple AWS pre-defined fine grained password policies i.e CustomerPSO-01, CustomerPSO-02, CustomerPSO-03, CustomerPSO-04, CustomerPSO-05.

Based on the above action plan, you can verify which password policy is getting affected.

References:

[1] https://aws.amazon.com/blogs/security/how-to-configure-even-stronger-password-policies-to-help-meet-your-security-standards-by-using-aws-directory-service-for-microsoft-active-directory/

[2] https://catalog.us-east-1.prod.workshops.aws/workshops/b4a4be0e-d4f9-4ff5-af82-ebfb86dbe46a/en-US/3-aws-managed-microsoft-ad-security-and-compliance/fgpp

[3] Supported policy settings - Precedence - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/supportedpolicysettings.html#precedence