<div>
You will like to check out the fine grain password policy (FGPP) for the specific user and Security group to apply since 2012 already support it at GUI level compared to past using ADSI etc. See this <br />
<a href="http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-fine-grained-password-policies.html" rel="ugc">http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-fine-grained-password-policies.html</a><br />
<br />
Also I do recommend passphrases, see the <a href="https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html" rel="ugc">EE article on choosing the strong passphrase</a>. Also the mentioned level of complexity should be possible if e consider the stated in MS link
<blockquote>
Passwords must contain characters from three of the following five categories: <br />
◦ Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)<br />
◦ Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)<br />
◦ Base 10 digits (0 through 9)<br />
◦ Nonalphanumeric characters: ~!@#$%^&amp;*_-+=`|\(){}[]:;&quot;'<wbr />&lt;&gt;,.?/<br />
◦ Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
</blockquote>
<a href="https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx" rel="ugc">https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx</a><br />
<br />
Overall, we need to managed going overboard for the complexity and set a baseline. <br />
So you may wish to consider below combination <br />
&nbsp;Set the minimum length to16 or higher - Increases the work time for attacker to break it.<br />
&nbsp;Require a minimum of 1 number and special character - Increases difficulty.<br />
&nbsp;Require upper and lower case - Increases difficulty.<br />
&nbsp;Enforce password history. Make it 10 or 12. - Increases the repeats of poor user &quot;reuse&quot; habit.<br />
&nbsp;Enforce minimum password age. - Work around several days to deter users recycling password.<br />
&nbsp;Set account lockout after 3 failed attempts. - Have a baseline for lockout duration and reset time.
</div>


<div>
The built-in policies cannot help here since their complexity checks are too loose.<br />
They don't do similarity or dictionary checks, nor do they do keyboard pattern checks, so Even if you turn on complexity and require 10 characters, a password like &quot;BugsBunny!&quot; beats that :(<br />
Consider buying <a href="http://anixis.com/products/ppe/" rel="ugc">http://anixis.com/products/ppe/</a>&nbsp;it can enforce better policies and is reasonably priced.
</div>


<div>
Unfortunate fine grained password policies won't help here. The only way to get what you want here is 3rd-party software that checks the password pre-hash.
</div>


<div>
Lookss like more work than what MS stated. I meant the depth required will be covered through the password filter DLL which is another nice way to implement custom requirements for passwords. There is this filter dll that is hooked for override with your needs..but looks like if you want to avoid development then the vendor supplied is the way forward..<br />
<a href="https://msdn.microsoft.com/en-us/library/ms721878.aspx" rel="ugc">https://msdn.microsoft.com/en-us/library/ms721878.aspx</a><br />
<br />
Then to add on nfront is another good candidate, see how it compared to existing Dll of the Windows default.<br />
<a href="http://nfrontsecurity.com/products/nfront-password-filter/nFrontPasswordFilterVSWindows2008.php" rel="ugc">http://nfrontsecurity.com/products/nfront-password-filter/nFrontPasswordFilterVSWindows2008.php</a>
</div>


<div>
we have used anixis before but need something that works alongside our password reset tool
</div>


<div>
The password complexity can be set to a combination of three out of five one capital, one lower, one numeric, one symbol and the length of the password longer than X.<br />
You would need to use a third party tools as mentioned to add validation/mask to password changing mechanism.<br />
<br />
Making it clear to the users that weak passwords when compromised reflect on them as whose account was used and .........
</div>


<div>
&quot;need something that works alongside our password reset tool&quot; - could you please explain what your password reset tool has to do with the password policies? Password reset tools should not be able to circumvent the policies that anixis enforces, or was it?
</div>


<div>
From GP &quot;Computer Configuration&quot;, &quot;Windows Settings&quot;, &quot;Security&quot;, &quot;Account Policies&quot;, &quot;Password Policy&quot;<br />
<br />
Right Click on: &quot;Password must meet complexity requirements&quot;<br />
<br />
This security setting determines whether passwords must meet complexity requirements.<br />
If this policy is enabled, passwords must meet the following minimum requirements:<br />
Not contain the user's account name or parts of the user's full name that exceed two consecutive characters<br />
<i>Be at least six characters in length</i><br />
<b>Contain characters from three of the following four categories:<br />
</b><br />
<i>English uppercase characters (A through Z)<br />
</i><br />
<i>English lowercase characters (a through z)</i><br />
<i>Base 10 digits (0 through 9)<br />
</i><br />
<i>Non-alphabetic characters (for example, !, $, #, %)<br />
</i><br />
Complexity requirements are enforced when passwords are changed or created.<br />
Default:<br />
Enabled on domain controllers.<br />
Disabled on stand-alone servers.
</div>


<div>
when users reset their password they need to be reset using the company policy<br />
so if i have anixis password enforcer which is setup to force users to use 4 uppercase etc and the user uses the password reset tool which is unable to work with the anixis enforcer it will not be able to enforce the 4 uppercase etc
</div>


<div>
McKnife is correct here buit in windows policy will not enforce this as it is too basic<br />
Anixis will but will not work when user resets their password
</div>


<div>
You may want to check out nfrontsecurity as I shared in prev post. Here is a glimpse on another of its example <a href="http://nfrontsecurity.com/products/nfront-web-password-change/" rel="ugc">http://nfrontsecurity.com/products/nfront-web-password-change/</a>
</div>


<div>
im mean a self service password reset portal
</div>


<div>
Handle at code for the portal. The nfrontsecurity is a webform though
</div>


<div>
Self service should mean as btan pointed out that you can enforce the password complexity requirement at the time of submission. validate on input in the portal when used,
</div>


<div>
<div class="content wysiwyg-content">
Im running domain level 2012 R2<br />
i would like to be able to specify the following for domain users passwords<br />
stop users using passwords like Laptop 1 or company name 1<br />
at least 2 uppercase etc<br />
the group policy complexity does not cover these<br />
how can i do this?
</div>
</div>


Im running domain level 2012 R2
i would like to be able to specify the following for domain users passwords
stop users using passwords like Laptop 1 or company name 1
at least 2 uppercase etc
the group policy complexity does not cover these
how can i do this?

AD password complexirty group policy

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.