Account Policies

Even though AD uses strong authentication protocols such as Kerberos to protect the sensitive information stored in the directory, a malicious user can still break into the directory simply by learning the username and password of a user stored in AD.

Generally, a username is simply the common name of the user and is easily visible to everyone, whereas a password is unique and should be known only to that particular user.

Even so, people, for fear of forgetting their passwords, set passwords that can be easily cracked using a brute-force attack or a dictionary attack. These attacks try different combinations of characters, or lists of common words, to discover a user's password. If the user's password is simple and short, the attacker's task is made that much easier.

To protect against these attacks, AD provides a Password Policy and an Account Lockout Policy. When set, these settings determine how often a password has to be changed, how many wrong passwords a user can enter before the account is locked out, and so on.

Unlike other policy settings, there can be only one Password Policy and Account Lockout Policy for the entire domain. It is not possible to configure one Password Policy for an OU and another for the domain. The Password Policy and the Account Lockout Policy configured in the Default Domain Policy are applied to all users in the domain, irrespective of the policies configured at the level of the OU in which those users reside.

If another GPO linked to the domain has higher precedence in the link order than the Default Domain Policy, then the Password Policy and Account Lockout Policy configured in that GPO are applied instead of the ones configured in the Default Domain Policy. No matter how many GPOs are linked to the domain, there is still only one effective Password Policy and Account Lockout Policy for the entire domain.
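The two points above (one effective policy per domain, written by whichever domain-linked GPO wins the link order) are easy to verify from a management workstation. The following PowerShell is an added example, not code from the original article: it reads the effective domain-wide policy with the ActiveDirectory module, flags settings that fall below an assumed baseline, and lists the GPOs linked to the domain in link order so an administrator knows which GPO actually owns those settings. The baseline values in $Baseline are assumptions chosen for illustration, not values from the article.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory and GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed baseline to compare against; adjust to your own standard.
$Baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    LockoutThreshold     = 10    # a threshold of 0 means "never lock out"
    ComplexityEnabled    = $true
}

function Get-DomainAccountPolicyFindings {
    param([Parameter(Mandatory)][string]$Domain)

    # Get-ADDefaultDomainPasswordPolicy reads the attributes on the domain
    # object (minPwdLength, lockoutThreshold, ...). That is the single
    # effective policy for the domain, whatever GPO wrote it, and it is
    # unaffected by Password Policy settings placed in OU-linked GPOs.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings.Add("MinPasswordLength is $($p.MinPasswordLength); baseline $($Baseline.MinPasswordLength)")
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings.Add("PasswordHistoryCount is $($p.PasswordHistoryCount); baseline $($Baseline.PasswordHistoryCount)")
    }
    # 0 disables lockout entirely, which leaves unlimited guesses to an attacker.
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings.Add("LockoutThreshold is $($p.LockoutThreshold); baseline 1..$($Baseline.LockoutThreshold)")
    }
    if ($Baseline.ComplexityEnabled -and -not $p.ComplexityEnabled) {
        $findings.Add("Password complexity is disabled")
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add("Reversible encryption is enabled (passwords recoverable in clear text)")
    }
    return $findings
}

function Get-DomainLinkedGpos {
    param([Parameter(Mandatory)][string]$DomainDn)

    # Get-GPInheritance on the domain root lists the GPOs linked there.
    # Order 1 has the highest precedence, so if a GPO with a lower Order
    # number than "Default Domain Policy" defines account policy settings,
    # that GPO's settings are the ones in effect for the whole domain.
    (Get-GPInheritance -Target $DomainDn).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

$dom = Get-ADDomain
$findings = Get-DomainAccountPolicyFindings -Domain $dom.DNSRoot

if ($findings.Count -eq 0) {
    Write-Host "Domain $($dom.DNSRoot) account policy meets the baseline."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Host "GPOs linked to the domain, highest precedence first:"
    Get-DomainLinkedGpos -DomainDn $dom.DistinguishedName | Format-Table -AutoSize
}
```

The audit deliberately reads the policy rather than writing it: the durable place to change these settings is the domain-linked GPO that wins the link order, because the account policy in that GPO is what gets written to the domain object when Group Policy is refreshed on the domain controllers.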

Related Articles

    • Account Lockout Policy

      Account Lockout Policy determines what happens when a user enters a wrong password. It ensures that an attacker can’t use a brute force attack or dictionary attack to guess and crack the user’s password. To edit the Account Lockout Policy settings, ...

    • How to Change Account Lockout Policy using Group Policy Objects in Active Directory

      Changing the Active Directory Account Lockout Policy. Introduction to Active Directory Account Lockout Policy: account lockout policies are used by IT administrators to lock out an Active Directory account after multiple unsuccessful attempts. It is ...

    • Benefits of Group Policies

      Time and Cost Saving: all configuration settings are applied automatically during user logon and computer startup. The settings are applied without needing any user intervention, which results in fewer requirements for technicians. Centralized location ...

    • Fine-Grained Password Policies

      In Active Directory, there can be only one Password Policy and Account Lockout Policy per domain. Situations may arise in which setting different account policies for different types of users will be required. For example, employees in the finance ...

    • How to Create Fine-Grained Password Policies

      How to Create a Fine-Grained Password Policy in Active Directory. Before the launch of Windows Server 2008, administrators could apply only one password and account lockout policy to the entire user base in the organization. If the administrators ...