How do I Modify Password Complexity Requirements?


  • I support a small organization that does not need super strict password requirements. My question is likely common, very straightforward, and I'm guessing a simple solution is available.

    Here it is:

    They have asked me to modify the password complexity to require following:

    • English Uppercase -AND- Lowercase
    • Base-10 digits (0-9) -OR- Non-alphanumeric (for example, !, $, #, %)

    Simple, right? There are no programmers, developers, or Senior Admins here so we just simply need to know how to change this setting. Thanks in advance!

    Tuesday, October 03, 2006 12:52 AM

All replies

  • This isn't an Exchange specific question, you should probably post this in the Windows forums, however since you took the time to post here is some information for you:



    Open Active Directory Users and Computers.


    In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.


    Click Properties, and then click the Group Policy tab.


    Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit. You can also click New to create a new GPO, and then click Edit.


    In the console tree, click Password Policy (Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy)


    In the details pane, right-click the policy setting that you want, and then click Properties.


    If you are defining this policy setting for the first time, select the Define this policy setting check box.


    Select the options that you want, and then click OK.

    You will want to set: Password must meet complexity requirements and Minimum password length


    Tuesday, October 03, 2006 6:46 AM
  • With password complexity requirements enabled, it requires 3 out of  4 of the below:

    English uppercase characters (A through Z).

    English lowercase characters (a through z).

    Base-10 digits (0 through 9).

    Non-alphanumeric (for example, !, $, #, %). extended ASCII, symbolic, or linguistic characters.

    We're a small non-profit and just need 2 out of  4 for our minimal security needs. This should be a simple change, but no one anywhere seems to know how to make it.
    Tuesday, October 03, 2006 7:04 PM
  • There is no "easy" way to do this.  You either take the built in method or you can build your own Group Policy extension

    There might be some third party applications that already do this but I have not used any.


    Thursday, October 05, 2006 7:40 AM
  • Actually, there is no way to do this via group policy - unless something has changed in the Windows 2008 period, since the last time I faced this issue was a number of years ago now. What you are looking at is the requirement for writing a new password filter.

    The password filter from Microsoft is (or at least used to be) coded to either enforce complex passwords, for which the measurements are hard coded, or to not enforce them, in which case you can obviously set the password to anything you want that still satisfies the remaining criteria like length.

    It does not matter whether you use the traditional GPO mechanism of modifying the default domain policy or whether you use the newer PSP objects, it's the filter located on the domain controllers that governs whether a password is complex enough.

    I realise you have no programmers so the following may not be of any interest to you, but that said here's two links that discuss the mechanics behind a password filter which you may wish to read out of curiosity. I haven't written a filter myself since probably around 2003, but it wasn't hard by any means.

    In any case though, unless something had changed in the 2008 era you can't do what you're asking with the default Microsoft password filter.


    Friday, July 30, 2010 11:49 AM
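
The character-group check a custom password filter would have to run, as an added example (not code from this thread or from Microsoft). Function names are hypothetical, and the built-in rule is modelled only as the 3-of-4 count quoted earlier in the thread, not the real filter's other checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four groups listed in the thread. */
enum { UPPER = 1, LOWER = 2, DIGIT = 4, OTHER = 8 };

/* Classify a counted UTF-16 buffer (not NUL-terminated, which is how a
   password filter is handed the candidate password). */
unsigned classes_present(const uint16_t *pw, size_t n)
{
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = pw[i];
        if (c >= 'A' && c <= 'Z')      seen |= UPPER;
        else if (c >= 'a' && c <= 'z') seen |= LOWER;
        else if (c >= '0' && c <= '9') seen |= DIGIT;
        else                           seen |= OTHER; /* symbols, extended chars */
    }
    return seen;
}

int count_classes(const uint16_t *pw, size_t n)
{
    unsigned s = classes_present(pw, n);
    return !!(s & UPPER) + !!(s & LOWER) + !!(s & DIGIT) + !!(s & OTHER);
}

/* required = 3 models the built-in rule as quoted in the thread;
   required = 2 is the relaxed rule the original poster asks for. */
int meets_n_of_4(const uint16_t *pw, size_t n, int required)
{
    return count_classes(pw, n) >= required;
}

/* First post's wording: upper AND lower AND (digit OR non-alphanumeric). */
int requested_rule_ok(const uint16_t *pw, size_t n)
{
    unsigned s = classes_present(pw, n);
    return (s & UPPER) && (s & LOWER) && (s & (DIGIT | OTHER));
}

int main(void)
{
    /* Constructed sample: lowercase plus digits only. */
    const uint16_t pw[] = {'s','u','m','m','e','r','0','6'};
    size_t n = sizeof pw / sizeof pw[0];
    printf("classes=%d 3of4=%d 2of4=%d requested=%d\n", count_classes(pw, n),
           meets_n_of_4(pw, n, 3), meets_n_of_4(pw, n, 2), requested_rule_ok(pw, n));
    return 0;
}
```

Any password that satisfies the first post's literal wording already contains three of the four groups, so only the "2 out of 4" reading is a relaxation that needs a custom filter.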
  • Hi,


    I wrote a small program for this a while ago:

    That worked with passwdhk.



    • Proposed as answer by functor_ Sunday, October 10, 2010 6:17 PM
    Sunday, October 10, 2010 6:15 PM
  • Everyone explains only the default policy; can't we change the existing default policy as we want?
    Microsoft TechNet Forum Bandara
    • Proposed as answer by James Mattner Thursday, August 20, 2015 3:01 AM
    • Unproposed as answer by James Mattner Thursday, August 20, 2015 3:01 AM
    Wednesday, March 16, 2011 10:11 AM
  • Everyone explains only the default policy; can't we change the existing default policy as we want?
    Microsoft TechNet Forum Bandara


    No. "Complexity" is defined by Microsoft. You can only enable it or disable it. Otherwise you need to do custom development.


    Mike Crowley
    Check out My Blog!

    Thursday, March 17, 2011 12:32 PM
  • Is that

    I don't think so

    Microsoft TechNet Forum Bandara
    Monday, March 28, 2011 6:06 PM
  • Hey! Bandara, even I think the same. But so far I was not able to find it. Do you know any way of doing it? My requirement is to allow users to use only alphanumeric, not non-alphanumeric.
    Thursday, January 12, 2012 7:51 AM
  • Microsoft said that

    Strong passwords

    The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your organization. The Microsoft® Windows Server 2003 family has a new feature that checks the complexity of the password for the Administrator account during setup of the operating system. If the password is blank or does not meet complexity requirements, the Windows Setup dialog box appears, warning you of the dangers of not using a strong password for the Administrator account. If you leave this password blank, you will not be able to access this account over the network.

    Weak passwords provide attackers with easy access to your computers and network, while strong passwords are considerably harder to crack, even with the password-cracking software that is available today. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever. Password-cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password. However, strong passwords are much harder to crack than weak passwords. A secure computer has strong passwords for all user accounts.

    A weak password:

    • Is no password at all.

    • Contains your user name, real name, or company name.

    • Contains a complete dictionary word. For example, Password is a weak password.

    A strong password:

    • Is at least seven characters long.

    • Does not contain your user name, real name, or company name.

    • Does not contain a complete dictionary word.

    • Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 ...) are not strong.

    • Contains characters from each of the following four groups:

    Group: Examples

    Uppercase letters: A, B, C …

    Lowercase letters: a, b, c …

    0, 1, 2, 3, 4, 5, 6, 7, 8, 9

    Symbols found on the keyboard (all keyboard characters not defined as letters or numerals): ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /

    An example of a strong password is J*p2leO4>F.

    A password can meet most of the criteria of a strong password but still be rather weak. For example, Hello2U! is a relatively weak password even though it meets most of the criteria for a strong password and also meets the complexity requirements of password policy. H!elZl2o is a strong password because the dictionary word is interspersed with symbols, numbers, and other letters. It is important to educate users about the benefits of using strong passwords and to teach them how to create passwords that are actually strong.

    You can create passwords that contain characters from the extended ASCII character set. Using extended ASCII characters increases the number of characters that you can choose when you create a password. As a result, it might take more time for password-cracking software to crack passwords that contain these extended ASCII characters than it does to crack other passwords. Before using extended ASCII characters in your password, test them thoroughly to make sure that passwords containing extended ASCII characters are compatible with the applications that your organization uses. Be especially cautious about using extended ASCII characters in passwords if your organization uses several different operating systems.

    You can find extended ASCII characters in Character Map. Some extended ASCII characters should not be used in passwords. Do not use a character if a keystroke is not defined for it in the lower-right corner of the Character Map dialog box. For more information about how to use Character Map, see Using Character Map.

    Examples of passwords that contain characters from the extended ASCII character set are kUµ!¶0o and Wf©$0k#»g¤5ªrd.

    You can implement a password policy setting that enforces password complexity requirements. For more information about this policy setting, see Passwords must meet complexity requirements. For information about how to apply a password policy, see Apply or modify password policy.

    Windows passwords can be up to 127 characters long. However, if you are on a network that also has computers running Windows 95 or Windows 98, consider using passwords that are not longer than 14 characters. Windows 95 and Windows 98 support passwords of up to 14 characters. If your password is longer, you might not be able to log on to your network from those computers.

    Mohamed Abd Elhamid Abd Elaziz Microsoft System Administrator My blog:
    Thursday, January 12, 2012 8:07 AM
  • Hello,

    are you aware that this thread was started in 2006 and the OP didn't answer anymore?

    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, January 12, 2012 8:10 AM
  • Sorry, but I am only helping.

    Maybe anyone needs the answer at all. Thanks for the note.


    Mohamed Abd Elhamid Abd Elaziz Microsoft System Administrator My blog:
    Thursday, January 12, 2012 8:13 AM
  • This is probably a stupid question, but I have an existing domain, and want to enforce password complexity (it's not currently enabled). What will happen to existing users whose passwords are not due to expire, and who have current passwords that are not complex? Will they be fine with their existing password until they need to change?
    Monday, August 06, 2012 5:42 PM
  • Hello,

    same for you, are you aware that this thread was started in 2006 and the OP didn't answer anymore? And for your problem you should create a new thread instead of hijacking this one.

    If you have accounts with passwords that never expire, they are NOT affected by the change. ONLY at the time you change the password do the changes take effect, and you then have to use the new settings.

    So if you modify a password policy, do NOT forget to also change accounts with that setting.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, August 06, 2012 6:47 PM
  • Hello Mr. Weber,

    My apologies for reviving a thread that was so old. I appreciate your response.

    thank you,


    Steve J.

    Monday, August 06, 2012 7:21 PM