3 questions about lengthening 2008 R2 Group Policy minimum password length

    Question

  • Greetings,

    I want to lengthen our organizational policy (not the Default Domain Policy) from 10 to ultimately 16 characters.  I'm making an intermediate stop at 14 to give users a chance to adjust.  My users are in the following structure: company.local --> Company.  In here is where the company organizational policy is enforced, linked and filtered.  My admin accounts live in company.local --> Users.  A different set of organizational policies apply to them.  The domain is Win 2008 R2.

    Here are the questions:

    1) When I lengthen the password, will all the existing users be required to change their password immediately, or will the new requirements apply when their existing password expires?

    2) Based on my structure above, will this policy only apply to the "Company" OU, or will it hit the "Users" OU as well?

    3) I've read about MS limiting the enforceable minimum length to 14, but haven't had the search-fu to determine if that applies to 2008 R2 as well.  One replier on this forum stated that MS determined that "14 characters was long enough".  I'd just like a bit of clarification on that point, if someone has it...

    Thank you to all who took the time to read, and to all of those who share their knowledge!

    David

    Monday, February 18, 2013 10:03 PM

Answers

  • hello DaveinMI,

    >Will increasing the minimum length of the passwords cause all existing passwords that fall under the new threshold to immediately become invalid? No, it will not.  The next time the user changes their password, the minimum length requirement will be enforced.

    >To recap what happened yesterday, when I shortened the Maximum Password Age, a bunch of users passwords expired.  Yes, that would be expected for those accounts whose passwords are now older than the max age.

    >it didn't "reset the clock".  The password age attribute is not updated until the password is changed.

    > I'm really curious about how it's going to work with existing password lengths. See my first comment.



    IT Knowledge Base | itgeared.com |

    • Marked as answer by DaveinMI Monday, February 25, 2013 12:54 PM
    Thursday, February 21, 2013 10:30 PM
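The answer above turns on one detail: pwdLastSet is only rewritten when a password actually changes, so shortening Maximum Password Age is measured against each account's existing change date and expires anything already older than the new limit, while a higher minimum length only bites at the next change. The script below is an added example (not posted in the thread) that previews the first effect before the setting is touched. It assumes the ActiveDirectory RSAT module on a Windows Server 2008 R2 or later system with read access to the domain; the proposed 60-day age is an assumed value, not one from the thread.

```powershell
# Added example (not from the thread): preview which domain accounts would be expired
# immediately if Maximum Password Age were shortened, before touching the setting.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) and read
# access to the domain; the proposed age below is an assumption, not a value from the thread.
Import-Module ActiveDirectory

$proposedMaxAge = New-TimeSpan -Days 60                      # assumed new Maximum Password Age
$current = Get-ADDefaultDomainPasswordPolicy
"Currently enforced: MaxPasswordAge={0}  MinPasswordLength={1}" -f $current.MaxPasswordAge, $current.MinPasswordLength

$now = Get-Date
$report = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, msDS-ResultantPSO |
  ForEach-Object {
    # pwdLastSet changes only when the password itself changes, so a shorter maximum age
    # is measured against each account's existing change date, not the date the policy changed.
    $age    = if ($_.PasswordLastSet) { $now - $_.PasswordLastSet } else { $null }
    $hasPso = [bool]$_.'msDS-ResultantPSO'                   # a PSO overrides the domain-level setting
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        PasswordLastSet = $_.PasswordLastSet
        AgeDays         = if ($age) { [int]$age.TotalDays } else { $null }
        NeverExpires    = $_.PasswordNeverExpires
        HasSPN          = (@($_.ServicePrincipalName).Count -gt 0)   # likely a service account
        HasPSO          = $hasPso
        WouldExpireNow  = (-not $_.PasswordNeverExpires) -and (-not $hasPso) -and
                          ($null -ne $age) -and ($age -gt $proposedMaxAge)
    }
  }

# Everyone who would be pushed into a forced change the moment the new age takes effect:
$report | Where-Object WouldExpireNow | Sort-Object AgeDays -Descending |
    Format-Table SamAccountName, PasswordLastSet, AgeDays, HasSPN -AutoSize

# Accounts carrying SPNs are the ones most likely to break non-interactive services; handle them first.
$report | Where-Object { $_.WouldExpireNow -and $_.HasSPN } | Select-Object SamAccountName, AgeDays
```

Run it with the intended new value before changing the policy, and either rotate or exempt (via a PSO) the flagged service accounts first. The same report shows which accounts are not governed by the domain policy at all because a PSO already applies to them.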

All replies

  • 1)

    It will not affect existing users until the next time they change their password.

    2)

    The policy will be applied where the policy link is set.

    3)

    Longer passwords are safer than short ones...


    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    If this thread answered your question, please click on "Mark as Answer".

    Tuesday, February 19, 2013 8:36 AM
  • If you want to define another password policy for a certain OU, a GPO with other password policy settings will not work. You will have to create a PSO for password policy settings.

    http://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

    http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
    • Edited by Tom_Floor Tuesday, February 19, 2013 12:51 PM added links
    Tuesday, February 19, 2013 12:48 PM
  • With regard to applying a password policy at the OU level, that isn't going to work.  Password policy must be applied at the domain level.  If you want to apply a different set of password policy to a set of users, you can use Fine Grained Password Policies (FGPP) and apply the policy to the security principals (user/group objects).  Unfortunately, you cannot apply a FGPP to an OU directly either.

    Here is some additional information on why the domain policy must be linked to the domain object: Implementing a Password Policy




    IT Knowledge Base | itgeared.com |

    Tuesday, February 19, 2013 2:46 PM
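The two replies above point at the same mechanism: on a Windows Server 2008 (or higher) functional-level domain, a fine-grained password policy (a Password Settings Object, PSO) is applied to users or global security groups rather than to an OU, and it overrides the domain policy for those principals. A PSO also answers the original question 3: its minimum length is stored in msDS-MinimumPasswordLength and is not subject to the 14-character ceiling of the Group Policy "Minimum password length" setting, so a 16-character minimum can be enforced this way. The following is an added example, not code from the thread; the group name, PSO name, the sample user 'jdoe' and the age/lockout values are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): enforce a 16-character minimum on a chosen set of
# accounts with a fine-grained password policy (PSO) instead of an OU-linked GPO.
# Requires domain functional level Windows Server 2008 or higher and Domain Admins rights.
# The group name, PSO name, user 'jdoe' and the age/lockout values are assumptions.
Import-Module ActiveDirectory

$groupName = 'PW-Len16-Users'
$psoName   = 'PSO-MinLength16'

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Accounts subject to the 16-character minimum password PSO'
}

# The PSO keeps its minimum in msDS-MinimumPasswordLength, which is not bound by the
# 14-character ceiling of the Group Policy "Minimum password length" setting.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true `
        -PassThru
}

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify what a given user actually gets. Among applicable PSOs the lowest Precedence wins,
# and a PSO linked directly to the user beats one inherited through a group.
# An empty result means no PSO applies and the domain policy governs the account.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

As with the domain policy, the new minimum is checked only when a member of the group next changes their password; existing passwords are not invalidated by adding the PSO.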
  • 1) excellent, thank you!

    2) so far, so good...

    3) This I know, which is why I'm undertaking this endeavor - but I've read that the largest minimum length the GPO can enforce is 14 characters.  I want to eventually force 16, but many have written that this isn't possible, which is what I'm seeking clarification about

    Tuesday, February 19, 2013 4:30 PM
  • With regard to your response on #2 - "so far, so good", not sure if you understood my response...

    A policy that contains password policy settings will not be applied to user objects in that OU.  If you take a closer look at a GPO, you will notice that password settings are within the computer configuration section.  Password policy applies to computer objects, not users.  If you read through the link I posted, there is a deeper explanation, if you are interested.

    Applying a GPO at an OU that contains password settings will apply to the computers in that OU.  Therefore, the only user accounts that will be affected will be those local user accounts that are defined on the computers... not domain user accounts.




    IT Knowledge Base | itgeared.com |

    Tuesday, February 19, 2013 4:54 PM
  • I'm still working my way through the links that you and Tom posted- it seems this little project is going to be quite a bit more complex than just turning up the minimums.  I'm poking around my domain, trying to figure out what GPOs are /currently/ applying and forcing the password requirements, because, as you and Tom stated, the enforcement in the GPO in my Company Organizational Policy isn't the one doing it.  Which is odd and a bit troublesome, because the Default Domain Policy isn't linked to anything or enforced- it's greyed out. O.o

    Please hang with me on this - I'm a department of one, and I frequently get pulled off-task.

    Tuesday, February 19, 2013 7:00 PM
  • Some more reading material

    http://technet.microsoft.com/en-us/library/hh994560(v=ws.10).aspx

    http://technet.microsoft.com/en-us/library/cc875814.aspx

    And don't forget it must be linked at the domain level, otherwise it will only affect local user accounts, not domain user accounts.

    It looks like you are right about 14 char limit, still applies to Server 2008.

    Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista

    This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

    The Minimum password length policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

    Tuesday, February 19, 2013 8:31 PM
  • So, when my "Default Domain Policy" is listed as "GPO Status: All settings disabled", with no linking or enforcement, and the "CompanyName Organizational Policy" is linked to an OU one step down, what is presently enforcing my password complexity, minimum length, etc?  It couldn't be the "Default Domain Controllers Policy", could it? (because that's one step down from the domain too)  [EDIT: that policy doesn't even have any settings under Computer Config\Policies\Windows Settings\Security Settings\Account Policies/Password Policies].  No other GPOs have settings under that policy branch.

    In short, it appears that there is NO GPO in my Group Policy Management that is responsible for password complexity enforcement, yet my users still get prompted to change their passwords, and that they're not long enough or meet the complexity requirements...

    Finally, can someone confirm what butim said at the top about the passwords not being forced to change until the next expiration?  I'd start enabling Default Domain Policy if I wasn't worried about a couple dozen service accounts suddenly being expired [and my network bricking] because they didn't meet the new requirements...

    I really do appreciate all the feedback you all have given me- thank you very much...

    Dave


    • Edited by DaveinMI Wednesday, February 20, 2013 6:50 PM policy review
    Wednesday, February 20, 2013 6:39 PM
  • On 20.02.2013 19:39, DaveinMI wrote:
    > In short, it appears that there is NO GPO in my Group Policy
    > Management that is responsible for password complexity enforcement,
    > yet my users still get prompted to change their passwords, and that
    > they're not long enough or meet the complexity requirements...

    If you have no policy in place, then local defaults of a DC are
    enforcing that. And the default for a server is "complexity required"...


    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Wednesday, February 20, 2013 7:18 PM
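The question of what is actually enforcing the domain's password policy when no obvious GPO seems responsible is answerable from the domain itself. The script below is an added example (not from the thread) that reads the settings the domain object currently enforces and then scans every GPO's report for Account Policies\Password Policy entries, showing each GPO's status and where it is linked. It assumes the ActiveDirectory and GroupPolicy RSAT modules on Windows Server 2008 R2 or later; the XML namespaces are those used by Get-GPOReport.

```powershell
# Added example (not from the thread): work out where the domain's effective password policy
# actually comes from. Assumes the ActiveDirectory and GroupPolicy RSAT modules (Server 2008 R2+).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. What the domain object enforces right now. This is what the DCs apply to domain accounts,
#    whatever an OU-linked GPO may say.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, MinPasswordAge, PasswordHistoryCount

# 2. Every GPO that carries Account Policies\Password Policy settings, with its status and links.
#    Only a GPO linked at the domain root (and not AllSettingsDisabled) can set policy for domain users.
$gpNs  = 'http://www.microsoft.com/GroupPolicy/Settings'
$secNs = 'http://www.microsoft.com/GroupPolicy/Settings/Security'

$hits = foreach ($gpo in Get-GPO -All) {
    $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('gp',  $gpNs)
    $ns.AddNamespace('sec', $secNs)

    # Password-policy entries live in the Security Settings extension as <Account> nodes of Type=Password.
    $pw = $xml.SelectNodes("//sec:Account[sec:Type='Password']", $ns)
    if ($pw.Count -eq 0) { continue }

    $settings = foreach ($n in $pw) {
        $name  = $n.SelectSingleNode('sec:Name', $ns).InnerText
        $value = $n.SelectSingleNode('sec:SettingNumber | sec:SettingBoolean', $ns).InnerText
        "$name=$value"
    }
    $links = foreach ($l in $xml.SelectNodes('//gp:LinksTo', $ns)) {
        "{0} (enabled={1}, enforced={2})" -f $l.SelectSingleNode('gp:SOMPath', $ns).InnerText,
                                            $l.SelectSingleNode('gp:Enabled', $ns).InnerText,
                                            $l.SelectSingleNode('gp:NoOverride', $ns).InnerText
    }
    [pscustomobject]@{
        GPO      = $gpo.DisplayName
        Status   = $gpo.GpoStatus            # AllSettingsDisabled => ignored regardless of links
        Settings = $settings -join '; '
        LinkedTo = if ($links) { $links -join '; ' } else { '(not linked)' }
    }
}
$hits | Format-List
```

For a quick cross-check from any domain member, `net accounts /domain` prints the password settings the domain is enforcing, and `gpresult /scope computer /v` run on a domain controller shows which GPO won for the Account Policies section on that DC.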
  • > If you have no policy in place, then local defaults of a DC are
    > enforcing that. And the default for a server is "complexity required"...

    Ok, so a bit of a terrifying development...  I took a look at one of the 3 DCs Local Security Policy, and considered these links:

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1c13453e-1711-4537-bdf1-27ee60ee2478/

    http://techjournal.318.com/windows/changing-the-password-policy-on-windows-server-2008-domain-controllers/

    and adjusted the Maximum Password Age downward - something that I wanted to do anyway, but didn't think it would blow up my service accounts, etc.  For grins and giggles I took a look at the Default Domain Policy GPO, and the setting change was reflected there (so, yay?) and I thought: "well, this is a bit of progress; now as long as it doesn't force password changing when I lengthen the minimum, we're good".  Then the phone started ringing.  Anybody that's trying to access web services off-site is bombing out.  When users on-site log off and back on, the first login takes up to 4 minutes.  I'm guessing that the off-site users' apps are timing out. 

    So now I'm REALLY nervous about what will happen to the service accounts when I lengthen the minimums.  Can anyone explain what's going on here?

    Wednesday, February 20, 2013 8:21 PM
  • > If you read through the link I posted, there is a deeper explanation, if you are interested.
    >
    > Applying a GPO at an OU that contains password settings will apply to the computers in that OU.  Therefore, the only user accounts that will be affected will be those local user accounts that are defined on the computers... not domain user accounts.

    I did- thank you for digging for me.  Now that I have flushed out *what* exactly is controlling my password policies on my domain (the local security policy on the DCs, which propagates back to the Default Domain Policy); and seeing the results of shortening the password aging,  I'm doubting butim's answer to the first question at the top of the thread.  Will increasing the minimum length of the passwords cause all existing passwords that fall under the new threshold to immediately become invalid?

    To recap what happened yesterday, when I shortened the Maximum Password Age, a bunch of users passwords expired.  Many were hired just outside the length of the new minimum password age, some weren't.  So the setting change affected the user accounts immediately, it didn't "reset the clock".  I'm really curious about how it's going to work with existing password lengths.

    Thursday, February 21, 2013 6:03 PM
  • I would like to thank everyone that commented on this question.  Thank you for your support and dedication to the community.
    Monday, February 25, 2013 12:58 PM