Given what we learned about the effect of longer passwords in real-world applications, a 12-character minimum as the default domain policy should be a baseline goal for every Domain Administrator, applied to all user objects. Depending on business and support requirements, that may not be achievable without third-party tooling (such as a password manager) to relieve employees of memorising passwords, and without accounting for applications that depend on particular user objects. Fine-Grained Password Policies, introduced with Windows Server 2008, let us target specific classes of employees such as Tier 0 and Tier 1 administrators, Finance, or VIPs with stricter requirements. A combination of training and Fine-Grained Password Policies can bring your organization to that 12-character baseline over time.
At a basic level, an Active Directory administrator needs to know which user objects fall outside the baseline standard. Here are some simple Active Directory queries in PowerShell that generate quick reports of user objects not meeting your domain password policy, based on password age and encryption state. They are useful for tracking progress over time as you remediate user objects that fall outside the default domain policy, and a rigorous reporting regimen for Active Directory can start with simple PowerShell scripts like these if one is not already in place. To run these snippets you need the Active Directory PowerShell module and read rights to the domain.
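As an added example (not a script from the original post), the report below pulls the password-related attributes of every enabled user, resolves the policy that actually applies to each one (the resultant Fine-Grained Password Policy if there is one, otherwise the default domain policy), and lists the accounts whose state contradicts it. It assumes the ActiveDirectory module is installed, the caller has read rights to the domain, that "encryption state" means the reversible-encryption flag on the account, and that the CSV output path is acceptable; all of those are assumptions for the example.

```powershell
# Added example, not from the original post. Reports enabled user objects whose
# password state falls outside the policy that actually applies to them.
# Assumes: the ActiveDirectory module is installed, the caller has read rights
# to the domain, and "encryption state" means the reversible-encryption flag.
Import-Module ActiveDirectory

# Domain-wide defaults; a user under a Fine-Grained Password Policy (PSO)
# gets that PSO's values instead, resolved per user below.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$now = Get-Date

$props = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordNotRequired',
         'AllowReversiblePasswordEncryption', 'LastLogonDate'

# Filter server-side for enabled accounts; krbtgt is rotated by its own procedure.
$users = Get-ADUser -Filter 'Enabled -eq $true -and SamAccountName -ne "krbtgt"' -Properties $props

$report = foreach ($u in $users) {
    # Effective policy: the resultant PSO if one applies, else the domain default.
    # One directory call per user, so this is slow in a large domain.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    $effective = if ($pso) { $pso } else { $domainPolicy }
    $maxAge = $effective.MaxPasswordAge   # TimeSpan; zero means "never expires"

    # Account flags that silently exempt the object from the policy
    $findings = @()
    if ($u.PasswordNeverExpires)              { $findings += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)               { $findings += 'PasswordNotRequired' }
    if ($u.AllowReversiblePasswordEncryption) { $findings += 'ReversibleEncryption' }

    if (-not $u.PasswordLastSet) {
        # Null PasswordLastSet: never set, or "must change at next logon".
        $findings += 'PasswordNeverSet'
    } elseif ($maxAge -gt [TimeSpan]::Zero -and ($now - $u.PasswordLastSet) -gt $maxAge) {
        $findings += 'PasswordOlderThanMaxAge'
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            Policy            = if ($pso) { $pso.Name } else { 'DefaultDomainPolicy' }
            MinLength         = $effective.MinPasswordLength
            PasswordAgeDays   = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
            LastLogonDate     = $u.LastLogonDate
            Findings          = ($findings -join ';')
        }
    }
}

# Summary for tracking progress over time, plus a dated CSV (output path is an assumption).
$report | Group-Object Findings | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$report | Export-Csv -Path ("PasswordPolicyReport-{0:yyyyMMdd}.csv" -f $now) -NoTypeInformation
```

The MinLength column makes it easy to see which accounts are still under a policy below the 12-character baseline, and running the script on a schedule and diffing the dated CSVs gives the trend the text is after. Stale accounts show up through LastLogonDate, which is worth reviewing alongside the findings before a remediation pass.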