  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 292

Password Policy - Group Policy

On our SBS2000 server we want to implement our own minimum password security requirements. I know that in group policy there is an option to enable "Passwords must meet complexity requirements". However enabling this only uses Microsoft's default method of what a strong password is. They define it as

   - Not contain all or part of the user's account name
   - Be at least six characters in length
   - Contain characters from three of the following four categories:
      - English uppercase characters (A through Z)
      - English lowercase characters (a through z)
      - Base 10 digits (0 through 9)
      - Nonalphanumeric characters (e.g., !, $, #, %)

All we want is 8 characters minimum, alphanumeric. How do I make this happen from group policy?
1 Solution
You can set the min character length via group policy. So that you can have an 8 character min. while meeting the rest of the password complexity requirements. As far as I know, that is the only thing you can do via GPOs. You can only change what options Group Policy gives you.
DVation191Author Commented:
I have found instructions for customizing the password policy in 2003 server, I'm sure there is a way to do it in 2000 server as well.
DVation191Author Commented:
I have found that the password policy can be modified by editing the Passfilt.dll file. I found this information on Microsoft's website, however I can't find out where to find and/or get the .dll nor can I find instructions on how to modify the .dll to reflect the changes I want to make. Help!
don't need to edit passfilt.dll

luv2smile has the GPO info

You'll have to write your own passfilt.dll and compile it. For an approach that's a bit easier to handle (and which will allow you to apply policies on group level instead of domain level only), have a look at Anixis' Password Policy Enforcer.

Password Policy Enforcer: Overview

How To Password Change Filtering & Notification in Windows NT
DVation191Author Commented:
So you're saying it's Microsoft's default or nothing? I can't modify the password filter at all?
Unless I am missing the point here, just define minimum password length to 8 and leave complexity undefined.

This will allow passwords 8 or more chars. and will allow alphanumeric (and other chars).

If you want to allow ONLY alphanumeric characters, then you have a problem. Both in implementation and password strength.

DVation191Author Commented:
Yes I think the point is being missed.

Setting the 8 character minimum is fine, that's one part of what I want to have happen.

However I also want to require both letters and numbers as well.
   - If I disable complexity, they can use all letters, all numbers or whatever they want...which is NOT what I want...I want them to be required to use both, and have it enforced via group policy

   - If I enable complexity, it goes too far. It would require a lowercase, uppercase and number, or a lowercase number and symbol. That is more than what I want to require.

I need a middle ground. So I want to know how to create a custom password filter. I see that phrase referenced around the net but never seen any guides on how to accomplish it.
As I said: Microsoft offers no "middle ground"; that leaves you with three possibilities:
* You use Microsoft's preconfigured passfilt.dll, including all the passwords settings MS defines as secure.
* You write your own passfilt.dll with the password settings that you want (yes, that means actual programming; you can find an example at the second link above). There is no easy "drag'n'drop" solution available (that I'm aware of) that allows you to create your own passfilt.dll.
* You use a third-party product like the Password Policy Enforcer to verify that your passwords meet your requirements.
If you don't want the first approach, and you don't have a programmer at hand, the solution that's easiest to handle is certainly the last one. This allows you to create your own password policy using a GUI. (No, I don't work for Anixis, but I've used the PPE.)
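To make the second option concrete, here is an added example of what a custom password filter looks like; it is not code from the thread, from Microsoft's article or from Anixis. LSA loads any DLL listed in the REG_MULTI_SZ value `Notification Packages` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (the DLL goes in `%SystemRoot%\System32` and a reboot is needed) and calls its exported `InitializeChangeNotify`, `PasswordFilter` and `PasswordChangeNotify` functions. The policy implemented here is the asker's middle ground as I read it: at least 8 characters with at least one letter and at least one digit, other characters allowed; the function and constant names are my own. The policy check is kept in portable C so it can be unit-tested off the server; only the export wrappers need the Windows headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy constant (assumption from the thread): 8 characters minimum. */
#define MIN_PASSWORD_LEN 8

/* Check a UTF-16 password of `len` code units (no terminator assumed, matching
 * UNICODE_STRING semantics). Returns true only if the password is long enough
 * and contains at least one ASCII letter and at least one ASCII digit. */
bool password_meets_policy(const uint16_t *pw, size_t len)
{
    bool has_letter = false, has_digit = false;

    if (pw == NULL || len < MIN_PASSWORD_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        uint16_t c = pw[i];
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
            has_letter = true;
        else if (c >= '0' && c <= '9')
            has_digit = true;
    }
    return has_letter && has_digit;
}

/* Test helper: widen an ASCII string to UTF-16 and run the same check. */
bool password_meets_policy_ascii(const char *s)
{
    uint16_t buf[256];
    size_t n = 0;

    for (; s[n] != '\0' && n < sizeof buf / sizeof buf[0]; n++)
        buf[n] = (uint16_t)(unsigned char)s[n];
    return password_meets_policy(buf, n);
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* UNICODE_STRING / PUNICODE_STRING */

/* Called once when LSA loads the package. */
__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void)
{
    return TRUE;
}

/* Called before a password set/change is committed; FALSE rejects it.
 * UNICODE_STRING.Length is in bytes and the buffer is not NUL-terminated. */
__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
                                                       PUNICODE_STRING FullName,
                                                       PUNICODE_STRING Password,
                                                       BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    if (Password == NULL || Password->Buffer == NULL)
        return FALSE;
    return password_meets_policy((const uint16_t *)Password->Buffer,
                                 Password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}

/* Called after a change succeeds. The new password arrives in clear text,
 * so do nothing with it here (in particular, never log it). */
__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
                                                              ULONG RelativeId,
                                                              PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS */
}
#endif

int main(void)
{
    /* Constructed sample inputs to exercise the policy off the domain controller. */
    const char *samples[] = { "abcdefg1", "abcdefgh", "12345678", "abc1", "P@ss word1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               password_meets_policy_ascii(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Build it as a DLL with the exports above and test the policy function first on a workstation; a filter that crashes or rejects everything runs inside LSA on the domain controller, so it fails for every user at once.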
DVation191Author Commented:
I apologize, I seem to have missed your second link that describes how to edit the passfilt.dll.
That's what I was looking for...thank you.