none
Minimum Password length to 15 characters in Windows Server 2012 R2

    Question

  • Hi,

    Not able to set the minimum password length to 15 characters in Windows server 2012 R2 via GPO. Some suggested to use ADSIEdit to change the attributes. Is this supported officially by Microsoft? I do not want to mess up anything.

    Thanks,


    • Edited by tamangketa Tuesday, January 3, 2017 8:55 PM
    Tuesday, January 3, 2017 8:45 PM

Answers

  • Hi,
    As Richard suggested, you might need to have to modify Active Directory using ADSIEdit.msc, you could follow the article as below step by step to have a try:
    http://windowsitpro.com/windows/jsi-tip-10083-how-do-i-set-minimum-password-length-15
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by krishnaaindia Wednesday, January 4, 2017 8:04 AM
    • Marked as answer by tamangketa Thursday, January 5, 2017 1:20 PM
    Wednesday, January 4, 2017 7:58 AM
    Moderator
  • > All I want to know is if modifying the minimum password length in AD using ADSIEdit SUPPORTED by MICROSOFT.
     
    Basically: Yes it is supported. The domain head attributes are bound to the default domain policy. So if you edit the domain head via ADSIedit, the change will be reflected in the default domain policy. If you use your own domain policy, this will confuse things :)
     
     
    Nevertheless: https://msdn.microsoft.com/en-us/library/ms677113(v=vs.85).aspx says it has no Range-Lower and no Range-Upper, so you can set it basically to anything the "Change password" dialog can handle (up to 128 characters).
     
    The 14 character limit is hardcoded in gpedit (to be precise, in secpol.msc), and the number 14 is also hardcoded in the "password change refused" dialog window.
     
    Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 15
    is noted as an example explicitly :-))
     
    • Marked as answer by tamangketa Thursday, January 5, 2017 1:20 PM
    Wednesday, January 4, 2017 2:37 PM
  • You need permissions of the Domain Administrator to assign a value. If you use Group Policy to assign a minimum password length for all users, it needs to be done in the default domain policy. It will have no affect if done in other policies. The alternative, as Mr X suggests, is to use Fine Grained Password Policies.

    In ADSI Edit you would modify the minPwdLength attribute of the domain object. Again, you need permissions of the Domain Administrator. And the setting will apply to all users (unless you use Fine Grained Password Policies).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by tamangketa Tuesday, January 10, 2017 1:16 PM
    Tuesday, January 3, 2017 11:11 PM

All replies