none
Password Minimum Length Not Available

    Question

  • The box where you change the minimum length of passwords in Group Policy Editor is grey'd out and I'm unable to change it.  I'm logged on as the Domain Administrator in a remote session.
    Monday, June 29, 2015 10:29 PM

Answers

  • Hi,

    >> Is there a switch to run gpedit and get the Default Domain Policy? 

    Sorry, there is no such switch. However, Gpedit.msc is to open local group policy editor whereas GPMC.msc is to open the editing console for domain GPOs.

    >>It in the Default Domain Policy I can change the minimum password length

    This tells me that there is no issue regarding editing the policy setting.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Ed_CalifSoft Friday, July 10, 2015 1:37 PM
    Friday, July 10, 2015 1:34 AM
    Moderator

All replies

  • Hello,

    Did you login with the domain administrator of that respective domain?

    Please ensure that you login with the domain administrator / enterprise administrator of the respective domain !

    Regards,

    Mitul aka v2min

    Tuesday, June 30, 2015 2:01 PM
  • Thanks for the reply.  As I said in my original post, I was logged on as the domain administrator (we have only one domain so it must be the respective domain).  Other policies that have counters (e.g. like minimum password age) are available and can be changed.  Is there another policy that affects the minimum password length?
    Tuesday, June 30, 2015 2:46 PM
  • Did you observe that after opening GPEDIT.msc or while updating and group policy??

    As on the domain controller while opening gpedit.msc you would observe the same...

    Wednesday, July 01, 2015 5:34 PM
  • Thanks again for the reply.  I see the issue after I've opened GPEdit.msc and navigated to: Local Computer Policy>Computer Configuration>Windows Settings>Security Settings>Account Policy>Password Policy>Minimum password length>Properties (Local Security Setting tab).

    I inherited this server. Someone else set it up and I've found some unique changes in other areas (e.g. Terminal Services port changed from 3389).  Is it possible that they have disabled the Domain Administrators permission to change the minimum password length?  Again, remember I can change other settings in Password Policy.

    Thursday, July 02, 2015 12:40 PM
  • Hi,

    Before going further, sorry for the late response.

    >>I see the issue after I've opened GPEdit.msc and navigated to: Local Computer Policy>Computer Configuration>Windows Settings>Security Settings>Account Policy>Password Policy>Minimum password length>Properties (Local Security Setting tab).

    Based on the description, we can run command gpreuslt/h report.html with admin privileges to collect group policy result report to check what account policies have been applied in our domain.  If the Minimum Password Length setting has been configured in domain GPO, then it's right and normal that we can't edit it via local GPO. In a domain, account policies should be controlled at domain level, and once configured, we can't edit them via local GPO.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, July 09, 2015 8:24 AM
    Moderator
  • Hello,  thanks for the reply.  I'm a little confused if I run %windir%\system32\gpedit.msc I on the sever I get the Local policy.  If I run Group Policy Management in the Administrative Tools I get Default Domain Policy.  Is there a switch to run gpedit and get the Default Domain Policy?  It in the Default Domain Policy I can change the minimum password length.
    Thursday, July 09, 2015 2:39 PM
  • Hi,

    >> Is there a switch to run gpedit and get the Default Domain Policy? 

    Sorry, there is no such switch. However, Gpedit.msc is to open local group policy editor whereas GPMC.msc is to open the editing console for domain GPOs.

    >>It in the Default Domain Policy I can change the minimum password length

    This tells me that there is no issue regarding editing the policy setting.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Ed_CalifSoft Friday, July 10, 2015 1:37 PM
    Friday, July 10, 2015 1:34 AM
    Moderator
  • Thanks for the help.  I'm still a little confused however, I tried GPMC.msc and could not find a place to edit the password length.  It does list the domain, but I don't know how to get to the specific policies?  I wanted to create an icon on the desktop to launch the console to edit the specific policies in the Default Domain Policy (guess I'll just have to press Ctrl and drag it from Administrative Tools?). I was hoping to know the executable to get to the Default Domain Policy console. 
    Friday, July 10, 2015 1:56 PM
  • > Sorry, there is no such switch.
     
    Of course there is a switch :-) But it is not suitable for this issue:
     
    mmc.exe %systemroot%\system32\gpme.msc /s
    /gpobject:"LDAP://%userdnsdomain%/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=yourdomain,DC=com"
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 13, 2015 9:05 AM