Precedence between "Minimum password length" and "Password must meet complexity requirements"

    Question

  • Dear Experts,

    DLF and FFL : W2012 single Domain Single Forest, as DCs are W2012

    Currently our domain password policy is as below:
    1  : Enforce password history : 24
    2  : Maximum password age : 185 days
    3  : Minimum password age : 0 days
    4  : Minimum password length : 8
    5  : Password must meet complexity requirements : Disabled
    6  : Store passwords using reversible encryption : Disabled

    Now we need to change the password policy as below:
    1  : Enforce password history : 24
    2  : Maximum password age : 170 days
    3  : Minimum password age : 1 days
    4  : Minimum password length : 8
    5  : Password must meet complexity requirements : Enabled
    6  : Store passwords using reversible encryption : Disabled

    My concerns
    1  : A user doesn't log off (he locks his workstation): will he be affected by the new password policy?
    2  : If a user reboots his computer, will he be affected by the new password policy?

    If the user's password age is less than 170 days before applying the NEW policy, will he be prompted to change his password?

    Many thanks
    DevT


    testmonials

    Monday, August 31, 2015 1:30 PM

Answers

  • Hi,

    We have tested the precedence between "Maximum password length" and "Password must meet complexity requirements"

    The "Maximum password length" has the highest precedence over any other settings in the Password Policy

    Our findings:
    1  : A user has not crossed the Maximum password length and he logs off or reboots his computer : Policy does not get applied to the user
    2  : A user changes his password on his own : Policy will be applied for the user
    3  : Maximum password length crossed : Policy will be applied for the user


    testmonials

    Monday, August 31, 2015 2:05 PM
  • Hi,
     
    Thanks for sharing your test result here.
     
    So you have changed "Maximum password age", "Minimum password age", and "Password must meet complexity requirements" in your password policy.
     
    For Maximum/Minimum password age policy, changes to these two settings will be in effect immediately or very soon, without a user logon, logoff, or reboot. For "Password must meet complexity requirements", it's also in effect immediately, but users are not impacted until a password change occurs.
     
    If the user's password age is less than 170 days, he should not be prompted to change his password.
     
    More info about when a password policy change affects a user: http://blogs.technet.com/b/askpfeplat/archive/2013/10/11/active-directory-password-policies-when-does-a-password-policy-change-affect-a-user.aspx
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, September 01, 2015 7:45 AM
    Moderator
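
Added example, not part of the thread and not code from any poster: a pre-change check, run before the policy is edited, that lists which enabled accounts would already be past the planned 170-day maximum password age and which would cross it soon. It uses the ActiveDirectory module cmdlets `Get-ADDefaultDomainPasswordPolicy` and `Get-ADUser`; the 14-day warning window and the variable names are assumptions chosen for illustration.

```powershell
# Added example: preview the effect of lowering "Maximum password age" to 170 days.
Import-Module ActiveDirectory

$newMaxAgeDays = 170   # planned value from the question
$warnDays      = 14    # assumption: flag accounts expiring within this window
$now           = Get-Date

# Show the policy currently in force, for comparison with the planned values.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  ComplexityEnabled, PasswordHistoryCount

$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # Accounts flagged "password never expires" ignore the maximum age.
    if ($u.PasswordNeverExpires) { continue }

    if (-not $u.PasswordLastSet) {
        # pwdLastSet is 0: a change is already required at next logon.
        $age   = $null
        $state = 'MustChangeAtNextLogon'
    }
    else {
        $age = [math]::Floor(($now - $u.PasswordLastSet).TotalDays)
        if     ($age -ge $newMaxAgeDays)             { $state = 'ExpiredUnderNewPolicy' }
        elseif ($age -ge $newMaxAgeDays - $warnDays) { $state = 'ExpiresSoon' }
        else                                         { $state = 'Unaffected' }
    }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = $age
        State           = $state
    }
}

# Accounts that will notice the change first, oldest password at the top.
$report |
    Where-Object { $_.State -ne 'Unaffected' } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

Accounts covered by a fine-grained password policy follow that policy's values rather than the domain default, so they need to be checked against their own maximum age.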

All replies

  • Hi,
     
    Just checking in to see if above information was helpful. Please let us know if you would like further assistance.
     
    Thanks
     

    Regards,

    Ethan Hua



    Friday, September 04, 2015 1:45 AM
    Moderator
  • Hi,
     
    I'm marking the reply as answer as there has been no update for a couple of days.
     
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
     

    Regards,

    Ethan Hua



    Monday, September 07, 2015 4:12 AM
    Moderator