Overview
Partners may notice that password policy values displayed in the Active Directory Inspector differ from what is configured in Group Policy (GPO).
Example:
Location Checked | Maximum Password Age |
Liongard Active Directory Inspector | Not Configured (0) |
Group Policy Management | 90 Days |
This often leads to concerns that:
Liongard inspection data is incorrect
In reality:
Liongard is accurately reporting Active Directory domain password policy.
The comparison is being made against a different policy enforcement layer.
Understanding where password policies actually live in Windows environments resolves this confusion.
The Core Concept
Windows password enforcement operates across multiple independent layers.
Liongard reports each layer separately; it does not merge policies.
Password Policy Architecture
┌───────────────────────────┐
│  Active Directory Domain  │
│   Default Domain Policy   │
│  (Authoritative Source)   │
└─────────────┬─────────────┘
              │
              │ Replicated via AD
              ▼
┌──────────────────────────────────────┐
│ Group Policy Objects (GPO)           │
│  - Default Domain Policy             │
│  - OU Policies                       │
│  - Server Policies                   │
└─────────────┬────────────────────────┘
              │
              ▼
┌──────────────────────────────────────┐
│ Windows Servers / Workstations       │
│ Effective Local Security Policy      │
└──────────────────────────────────────┘
What Each Liongard Inspector Reports
Inspector | Reports | Policy Scope |
Active Directory Inspector | Domain password policy | AD Domain Level |
Windows Server Inspector | Effective applied policy | Server Level |
GPO Reports Dataset | Configured GPO settings | Policy Configuration |
All are correct; they simply answer different questions.
What the Active Directory Inspector Shows
The Active Directory Inspector retrieves the Default Domain Password Policy stored directly in Active Directory.
This includes:
Maximum Password Age
Minimum Password Length
Password History
Complexity Requirement
Lockout Settings
Think of this as "The official domain-wide rulebook". If no domain policy exists, Liongard correctly reports:
Not Configured
or default AD values.
Why GPO Shows Different Password Settings
Administrators commonly configure password settings inside:
Group Policy Management Console (GPMC)
Example:
Maximum Password Age = 90 days
However:
⚠️ Not every GPO password setting becomes the domain password policy.
Password settings only become authoritative when:
Configured in Default Domain Policy
Linked at the domain root
Policies applied to:
Organizational Units (OU)
Servers
Test environments
Local policies
may appear active, but do not modify the AD domain password policy.
Why Values Differ
Example Environment:
Active Directory Domain Policy
Maximum Password Age → Not Configured
OU-Level GPO
Maximum Password Age → 90 Days
Result:
Location | Value Seen |
Active Directory Inspector | Not Configured (0) |
Windows Server Inspector | 90 Days |
GPO Editor | 90 Days |
No data mismatch exists.
Different enforcement scopes are being viewed.
Where GPO Password Policies Exist in Liongard
Liongard captures GPO policy data separately under:
GPOReport.GPOS.GPO[].Computer.ExtensionData[].Extension."q1:Account"
Example Metric Query:
GPOReport.GPOS.GPO[].Computer.ExtensionData[].Extension."q1:Account"
[? "q1:Name" == 'MaximumPasswordAge']
This shows:
Policies defined inside GPO
Intended configuration
Policy design, not domain authority
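The same account-policy nodes can be read outside Liongard from a Get-GPOReport XML export. The following is an added example, not Liongard's or Microsoft's code: it lists each GPO's account settings next to the scope the GPO is linked at. The report is constructed sample data for a hypothetical example.local domain, and treating a SOMPath equal to the domain DNS name as "domain root" is an assumption of the example.

```powershell
# Added example. The report below is constructed sample data, not a real export.
# On a live system: $reportXml = Get-GPOReport -All -ReportType Xml
$domainDns = 'example.local'   # hypothetical domain name
$reportXml = @'
<GPOS>
  <GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
    <Name>Default Domain Policy</Name>
    <Computer><ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:Account><q1:Name>MinimumPasswordLength</q1:Name>
          <q1:SettingNumber>8</q1:SettingNumber></q1:Account>
      </Extension>
    </ExtensionData></Computer>
    <LinksTo><SOMPath>example.local</SOMPath></LinksTo>
  </GPO>
  <GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
    <Name>Servers Password Policy</Name>
    <Computer><ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:Account><q1:Name>MaximumPasswordAge</q1:Name>
          <q1:SettingNumber>90</q1:SettingNumber></q1:Account>
      </Extension>
    </ExtensionData></Computer>
    <LinksTo><SOMPath>example.local/Servers</SOMPath></LinksTo>
  </GPO>
</GPOS>
'@
$doc = [xml]$reportXml
# local-name() keeps the XPath independent of the q1: prefix and namespace URIs
$valueXp = "*[local-name()='SettingNumber' or local-name()='SettingBoolean']"
$rows = foreach ($gpo in $doc.SelectNodes("//*[local-name()='GPO']")) {
    $links = @($gpo.SelectNodes("*[local-name()='LinksTo']/*[local-name()='SOMPath']") |
        ForEach-Object { $_.InnerText })
    foreach ($acct in $gpo.SelectNodes(".//*[local-name()='Account']")) {
        [pscustomobject]@{
            GPO      = $gpo.SelectSingleNode("*[local-name()='Name']").InnerText
            Setting  = $acct.SelectSingleNode("*[local-name()='Name']").InnerText
            Value    = $acct.SelectSingleNode($valueXp).InnerText
            LinkedTo = $links -join '; '
            # Per the article, only a domain-root link can define the domain policy
            Scope    = if ($links -contains $domainDns) { 'Domain root' } else { 'OU or other' }
        }
    }
}
$rows | Format-Table -AutoSize
```

In this sample MaximumPasswordAge appears only in a GPO linked to the Servers OU, which is the situation where the Active Directory Inspector and the GPO editor show different values.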
Why Windows Server Inspector Often Matches GPO
Servers apply policies differently. The Windows Server Inspector evaluates:
Effective Policy Applied To The Server
Meaning it reflects:
GPO inheritance
Local security policy
Applied enforcement result
So it commonly matches what administrators expect from GPO.
Real Enforcement Flow (Important)
GPO Configured
↓
Applied to Server
↓
Server Enforces Policy
↓
Active Directory Domain Policy
(May remain unchanged)
Liongard exposes both viewpoints.
PowerShell Validation Commands
Verify Password Policies Directly in Active Directory
If there is uncertainty about password policy values shown in the Active Directory Inspector, administrators can validate the configuration directly from Active Directory using PowerShell.
These commands help confirm exactly what Active Directory and Group Policy are enforcing.
1. Check Default Domain Password Policy (Authoritative Source)
Run the following command on a Domain Controller or from a system with RSAT installed:
Get-ADDefaultDomainPasswordPolicy
Example Output
MaxPasswordAge : 42.00:00:00
MinPasswordLength : 8
PasswordHistoryCount : 24
ComplexityEnabled : True
LockoutThreshold : 5
This command shows:
The true domain password policy
The same values reported by the Liongard Active Directory Inspector
If this differs from GPO settings, the domain policy itself has not been modified.
2. Verify Domain Policy Using Legacy Command
You may also validate using:
net accounts
Example output:
Maximum password age (days): 42
Minimum password length: 8
Lockout threshold: 5
Reads policy directly from Active Directory.
3. Check Fine-Grained Password Policies (FGPP)
Organizations may apply password rules to specific users or groups.
To list Fine-Grained Password Policies:
Get-ADFineGrainedPasswordPolicy -Filter *
To see which users or groups receive them:
Get-ADFineGrainedPasswordPolicySubject -Identity "PolicyName"
These policies may override domain defaults for targeted accounts.
4. View Password Policy Configured in Group Policy (GPO)
To confirm what is configured inside GPO:
Get-GPOReport -All -ReportType Html -Path C:\Temp\GPOReport.html
Then open:
C:\Temp\GPOReport.html
Navigate to:
Computer Configuration
→ Policies
→ Windows Settings
→ Security Settings
→ Account Policies
→ Password Policy
Shows configured GPO settings, not necessarily domain authority.
5. Check Effective Password Policy Applied to a Server
Run locally on a server or workstation:
secedit /export /cfg C:\Temp\SecurityPolicy.cfg
notepad C:\Temp\SecurityPolicy.cfg
Look for:
MaximumPasswordAge
MinimumPasswordLength
PasswordComplexity
Displays the effective policy applied to that machine.
This commonly matches what administrators observe via GPO.
6. Confirm Which GPO Applies to a System
To identify which policies are actually applied:
gpresult /h C:\Temp\GPResult.html
Open:
C:\Temp\GPResult.html
This shows:
Applied GPOs
Inheritance order
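Winning policy source
Validation Mapping (Quick Reference)
Validation Goal | Command |
Domain password policy | Get-ADDefaultDomainPasswordPolicy |
Legacy domain verification | net accounts |
Fine-grained policies | Get-ADFineGrainedPasswordPolicy -Filter * |
GPO configured settings | Get-GPOReport -All -ReportType Html -Path C:\Temp\GPOReport.html |
Effective server policy | secedit /export /cfg C:\Temp\SecurityPolicy.cfg |
Applied GPOs | gpresult /h C:\Temp\GPResult.html |
Expected Outcome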
After running these commands:
Domain policy values should match Active Directory Inspector
Server values may match Windows Server Inspector
GPO configuration may differ depending on scope
This confirms Liongard is accurately reporting each policy layer.
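An added example (not part of the original article) that lines up the effective values from step 5 against the domain policy from step 1. Both inputs are constructed samples: the secedit export text, and a stand-in object using the property names shown in the Get-ADDefaultDomainPasswordPolicy output above. Values are compared as exported, with no normalization.

```powershell
# Added example. Both inputs are constructed samples.
# Live equivalents: secedit /export /cfg <file>  and  Get-ADDefaultDomainPasswordPolicy
$cfgText = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditSystemEvents = 0
'@
$domain = [pscustomobject]@{   # stand-in for Get-ADDefaultDomainPasswordPolicy
    MaxPasswordAge = [timespan]::Zero; MinPasswordLength = 8
    PasswordHistoryCount = 24; ComplexityEnabled = $true; LockoutThreshold = 5
}

# Read only the [System Access] section of the INF-style export
$effective = @{}; $section = ''
foreach ($line in $cfgText -split "`r?`n") {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $effective[$Matches[1]] = $Matches[2]
    }
}

# secedit key -> value of the matching domain policy property
$map = [ordered]@{
    MaximumPasswordAge    = $domain.MaxPasswordAge.Days
    MinimumPasswordLength = $domain.MinPasswordLength
    PasswordHistorySize   = $domain.PasswordHistoryCount
    PasswordComplexity    = [int]$domain.ComplexityEnabled
    LockoutBadCount       = $domain.LockoutThreshold
}
$diff = foreach ($key in $map.Keys) {
    [pscustomobject]@{
        Setting = $key; DomainPolicy = $map[$key]; EffectiveLocal = [int]$effective[$key]
        Match   = ($map[$key] -eq [int]$effective[$key])
    }
}
$diff | Format-Table -AutoSize
```

With these sample inputs only MaximumPasswordAge differs (0 at the domain, 90 on the server), matching the example environment described earlier.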
Fine-Grained Password Policies (FGPP)
Modern AD environments may use: Fine-Grained Password Policies
These apply password rules to:
Specific users
Security groups
Result:
User Group | Password Age |
Standard Users | 90 Days |
Admin Accounts | 30 Days |
FGPP can cause additional expected differences.
Common Misunderstandings
Assumption | Reality |
Liongard password policy is wrong | AD policy differs from GPO |
GPO always equals domain policy | Only domain-root policies do |
Inspectors conflict | They report different layers |
Values must always match | Differences are normal |
Summary
Password policy differences between Liongard and Group Policy are typically caused by comparing:
Domain-level Active Directory policy
vs
Server or OU-level Group Policy settings
Liongard accurately reports each configuration source independently to preserve visibility and prevent hidden misconfigurations.
When validating password configuration:
Check Active Directory Inspector → Domain authority
Check Windows Server Inspector → Effective enforcement
Review GPO Reports → Configuration source
Confirm via PowerShell
Microsoft Reference Documentation
Microsoft confirms password policy scope behavior:
‼️ Disclaimer
This article references third-party documentation published by Microsoft for informational purposes only. External documentation is owned and maintained by the respective vendor and may change without notice. Liongard does not control or guarantee the accuracy, availability, or future behavior of third-party APIs, features, or documentation referenced herein.





