valence

the capacity of one person or thing to react with or affect another in some special way, as by attraction or the facilitation of a function or activity.

Default Password Policy Win Server 2008

Posted on May 15, 2011

Changing Server 2008 Password Policy

I have been having some fun working on a couple of Windows Server 2008 R2 installations. Learning a lot of new things every day and this is something that I thought might be of interest.

In one installation the folks that were paying the bill did not like the default password policies that are now standard in Windows Server. They felt that in their small and close environment there was no real need for the stricter requirements being enforced by the new default policies. They were actually pretty lax in their password demands.

I did not and still do not agree with them but upon their insistence I had to figure out how to bypass this need for stronger passwords.

As a quick reminder, Microsoft Server 2008 R2 now insists that your password meet certain ‘complexity’ requirements. This is a good thing – as long as you can remember your password and don’t write it somewhere obvious. Briefly:

Account Policies/Password Policy

Policy  ::  Settings

  • Enforce Password history  ::  24 passwords remembered
  • Maximum password age ::  42 days
  • Minimum password age ::  1 day
  • Minimum password length ::  7 characters
  • Password must meet complexity requirements ::  Enabled
  • Store passwords using reversible encryption ::  Disabled

Some of these settings can be adjusted at the user level in Active Directory Users and Computers. Modifying or shutting off the Complexity policy requirement is not accessible there.

Here is an explanation of the password complexity requirement option.

Password must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

  • Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

Default:

Enabled on domain controllers.
Disabled on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.
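
The three requirements listed above, written out as a small checker. This is an added example, not code from the original post or from Microsoft; the sample user, the sample passwords and the delimiters used to split the full name into "parts" are assumptions. It shows which passwords the setting rejects and that a predictable one such as Summer2011 still passes.

```python
import re

# Assumption: the page does not define "parts" of the full name; this example
# splits on commas, periods, hyphens, underscores, spaces, '#' and tabs.
NAME_DELIMITERS = r"[,\.\-_ #\t]+"


def char_categories(password):
    """Return which of the page's four character categories are present."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif not ch.isalpha():
            found.add("symbol")
    return found


def complexity_failures(password, account_name, full_name):
    """Return the reasons a password fails; an empty list means it passes."""
    failures = []
    lowered = password.lower()

    # Requirement 1: the account name, or any part of the full name longer
    # than two characters, must not appear (compared case-insensitively here).
    candidates = [account_name] + re.split(NAME_DELIMITERS, full_name)
    for token in candidates:
        if len(token) > 2 and token.lower() in lowered:
            failures.append("contains name part: " + token)

    # Requirement 2: at least six characters in length.
    if len(password) < 6:
        failures.append("shorter than six characters")

    # Requirement 3: characters from at least three of the four categories.
    if len(char_categories(password)) < 3:
        failures.append("fewer than three character categories")

    return failures


# Constructed sample user and passwords, not taken from the original post.
if __name__ == "__main__":
    for pw in ["Summer2011", "Smith2011!", "abcdef", "Ab1!"]:
        print(pw, complexity_failures(pw, "jsmith", "Jane Smith") or "passes")
```
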

There are probably several ways of working around this – but I chose the simple (not always the best no matter what anyone says) way. Please don’t laugh. I thought this was simple…

  1. Open Group Policy Management Editor
  2. Start->Run->gpme.msc
  3. New Window – Browse for a Group Policy Object
  4. Under the Domains/OUs tab select Default Domain Policy -> OK
  5. New Window – Group Policy Management Editor
  6. Default Domain Policy [servername.domain.extension]
  7. Expand Computer Configuration
  8. Expand Policies
  9. Expand Windows Settings
  10. Expand Security Settings
  11. Expand Account Policies
  12. Select Password Policy
  13. Now in the right pane :
  14. Right Click “Password must meet complexity requirements Enabled”
  15. Select Properties
  16. New Window – Select Security Policy Setting tab
  17. Select Disabled->OK

There is probably an easier, faster, or better way to do this. Let me know.

Thanks,
ken


  • About

    This website is supported by Ken Lombardi @ analogman consulting.