New-ADUser - Password minimum length RRS feed

  • Question

  • I need to create approximately 600 user accounts.  I have them listed in a CSV file, when I try to import the users into AD I get an error because the passwords are less than 8 characters long.  I have added leading zeros to make all of the passwords 8 characters long, but when converted into secure text it removes the leading zeros and causes the error.  

    New-ADUser -name "John Doe" -DisplayName "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@ad.domain.local" -GivenName "John" -Surname "Doe" -Description "ADUser" -AccountPassword (convertto-securestring -asplaintext '00001234' -force) -Enabled $true -Path "OU=useraccounts,dc=ad,dc=domain,dc=local" -ChangePasswordAtLogon $false -server ad.domain.local -ErrorAction Continue

    How can I use the convertto-securestring command without it removing the leading zeros?

    Monday, August 7, 2017 8:56 PM

All replies

  • Don't use all numeric passwords.  Start with a character and pad.  All numeric passwords are easy to crack. Passwords should use three or more modes of complexity including punctuation characters, number and mixed case.  Test this and you will see.


    • Edited by jrv Monday, August 7, 2017 9:10 PM
    Monday, August 7, 2017 9:09 PM

  • Hi JPB_619,

    To the question : 

    "How can I use the convertto-securestring command without it removing the leading zeros?"

    I took your onliner commandlet and changed the password from '
    00001234' to '000Yohoo28*'
    and it worked. The user got created and the password set. 

    Managing Office 365, Identities and Requirements
    Windows Server Virtualization, Configuration

    If you find the answer helpful, please click 'Propose as Answer' link.
    Tuesday, August 8, 2017 4:21 PM
  • Password complexity is more than just length.


    Tuesday, August 8, 2017 4:38 PM
  • I couldn't agree more.  I am all for strong passwords, but this is for an elementary school and administration has decided that they want the student passwords to be their ID number, so I'm kinda stuck with trying to figure out a way to make it work.  
    Tuesday, August 8, 2017 5:30 PM
  • Then you need to tell you AD Admin to change the password settings GPO.  Password complexity is a domain-wide setting. In current AD deployments it is set for 7 chars, mixed case and punctuation marks.


    Tuesday, August 8, 2017 5:33 PM
  • This should be the domain default:

    PS C:\scripts> Get-ADDefaultDomainPasswordPolicy

    ComplexityEnabled           : True
    DistinguishedName           : DC=TESTNET,DC=local
    LockoutDuration             : 00:10:00
    LockoutObservationWindow    : 00:10:00
    LockoutThreshold            : 6
    MaxPasswordAge              : 00:00:00
    MinPasswordAge              : 00:00:00
    MinPasswordLength           : 7
    objectClass                 : {domainDNS}
    PasswordHistoryCount        : 24
    ReversibleEncryptionEnabled : False


    Tuesday, August 8, 2017 5:36 PM
  • Hi JPB_619,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 30, 2017 8:58 AM