password complexity not always observed by DC

    Question

  • Sometimes when some users change their password, they're somehow allowed to change them to a simpler password than would normally be allowed. I asked a new employee to set a new password using characters from all 4 classes (upper, lower, special symbol, digit), but he somehow 'forgot' about the symbol. And guess what? It worked.

    The default GPO is a minimum of 11 characters and that the password respects the 'minimum complexity' whatever. Of course, if you try to change the password to another one which doesn't contain a symbol or at least one character that belongs to one of the four classes, it doesn't work. It only works sometimes, for some reason.

    This happened on a Windows 7 Pro (64 bits, if it makes any difference).

    I'm using as DCs two Windows Server 2012 R2.

    • Moved by nzpcmad1 Sunday, March 12, 2017 5:29 PM From ADFS
    Friday, March 10, 2017 3:55 PM

Answers

  • Hi Lethargos,

    Unless you are using a third party or custom password filter it is not possible in AD to set a policy that requires a character from all 4 character classes.

    Requires password complexity only requires that the password contain 3 of those character classes:

    https://technet.microsoft.com/en-us/library/hh994562(v=ws.11).aspx

    Password complexity requires 3 of 5 character classes (upper, lower, special, digit, unicode non-alpha) and that the password does not contain any part of the user's name or username.

    Good Luck!

    Shane


    Saturday, March 11, 2017 8:35 PM
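
Added example, not part of the thread: a Python model of the "3 of 5 character classes" rule from the answer above, showing why a password with no symbol can still be accepted. The symbol list, the name-token rule (tokens of 3 or more characters) and the reading of the fifth class as caseless letters are assumptions taken from Microsoft's documentation of the setting; the account names are constructed, and a real DC may differ in edge cases.

```python
import re
import unicodedata

# Assumption: symbol list and name-token delimiters as Microsoft documents them
# for "Password must meet complexity requirements".
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
NAME_DELIMITERS = r"[,.\-_ #\t]"

def char_classes(password):
    """Return the set of character classes present in the password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in "0123456789":
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        elif ch.isalpha():
            # Fifth class, modelled here as letters with no case (e.g. CJK).
            found.add("other-alpha")
    return found

def contains_name_part(password, sam_account_name, display_name):
    """Case-insensitive check for the account name or display-name tokens."""
    pw = password.casefold()
    if len(sam_account_name) >= 3 and sam_account_name.casefold() in pw:
        return True
    tokens = [t for t in re.split(NAME_DELIMITERS, display_name) if len(t) >= 3]
    return any(t.casefold() in pw for t in tokens)

def check_password(password, sam_account_name, display_name, min_length=11):
    """Return (accepted, reasons); min_length=11 is the thread's GPO value."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    classes = char_classes(password)
    if len(classes) < 3:
        reasons.append("only %d of 5 classes: %s" % (len(classes), sorted(classes)))
    if contains_name_part(password, sam_account_name, display_name):
        reasons.append("contains part of the user's name")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample: no symbol, yet upper + lower + digit = 3 classes.
    print(check_password("Summertime2017", "jdoe", "John Doe"))
```
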

All replies

  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 17, 2017 9:26 AM
    Moderator
  • Hi,

    I don't understand your answer exactly. The last paragraph seems to contradict what you said before. So can I set a password complexity (without third-party solutions) to impose 5 character classes?

    Friday, March 17, 2017 2:22 PM
  • I believe the statement by Shawn Wright should be:

    Password complexity requires 3 of 5 character classes (upper, lower, special, digit, unicode non-alpha).

    Edit: This article makes it clear:

    https://technet.microsoft.com/en-us/library/hh994562%28v=ws.11%29.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, March 17, 2017 2:43 PM
  • Sorry. Didn't read it correctly. I read it as "or". Thanks for pointing it out.
    Monday, March 27, 2017 9:07 PM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy



    Thursday, March 30, 2017 4:45 AM
    Moderator