Password setting in Windows Server 2012

Posted on 2016-10-11
Last Modified: 2016-10-21
I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x

Password must contain at least 15 characters
Question by:ubat

Accepted Solution

reredok earned 167 total points
ID: 41838340
For AD use Group Policy - Windows Settings - Account Settings - .... Password length etc.
Domain-Policy - AD --> independent from OS (Windows XP, Vista, 8.1, 10...)
For standalone Server use GPEDIT.MSC

Author Comment

ID: 41838360
Thanks. Can the setting be scripted? E.g. in AIX 7.1 the command for password length is minlen=8, does a similar command exist in Windows Server 2012?

Author Comment

ID: 41838362
To be precise minlen = minimum length 8 = 8 characters. Hence what is the command in Windows for 15 characters?

Assisted Solution

by:Adam Brown
Adam Brown earned 167 total points
ID: 41838394
There isn't a single command that will do that for individual computers. Windows usually has two different types of accounts you can work with, Domain accounts and Local accounts. Domain accounts apply to all computers on a Windows Domain while Local accounts apply to specific computers. It's possible to modify the Domain account password policies on a Windows 2012 Domain Controller with PowerShell using set-addefaultdomainpasswordpolicy:

But there is, currently, no command included by default in Windows that will do the same for a local account. There are scripts that can accomplish the task and downloadable PowerShell modules that can do it, but nothing straight out of the box can.

Assisted Solution

McKnife earned 166 total points
ID: 41838451
When we are talking about domain accounts, you cannot use local settings, these are simply not even evaluated by the system.
So you need to set this in the default domain GPO. Settings in there would apply to all accounts, local accounts, too.

If however you want to govern local accounts only (and NOT domain accounts), you could use the local policies and yes, there exist commands to setup password requirements.

Author Comment

ID: 41838460
>If however you want to govern local accounts only (and NOT domain accounts), you could use the local policies and yes, there exist commands to setup password requirements.

So I guess my question(s) should be,

1. Please define the exact commands (settings?) to be used for setting up a password requirement for "password must be minimum 15 characters". This both for local accounts as well as the domain GPO.

2. Where can I find the documentation for this?
2b. In addition, should I read/look up something else?

Expert Comment

ID: 41838476
You don't use a command for that. Why should you? A GPO is much faster to set up.

Author Comment

ID: 41838519
What I am trying to do is to write a password "policy" document with real world examples from different operating systems.
The requirement(s) as stated in words are e.g. Privileged user must have password length of minimum 15 characters.
This can be translated into "pseudocode" e.g. password length >= 15 characters
Which then needs to be translated into the actual way of implementing the requirement in the operating system.
(Finally a way of checking is needed to ensure that whatever is supposed to have been installed/implemented/set up/scripted actually IS existing in the configuration, e.g. by using a scanner, Qualys or something else, e.g. a script.)

The first step is to determine the "pseudocode" for a requirement
The second step is to determine if the requirement can be implemented in each/a given operating system / version
The third step is to clearly define the "settings" for
Windows Server 2008, 2012 etc
AIX 7.1

e.g. Password Requirement  = minimum 15 characters
The setting to implement this in,
AIX is minlen=15
Windows Server 2012 is
OpenBSD 9 is
Solaris ver x is

In the end I am going to end up with a spreadsheet/a matrix. The aim of which is to clearly define to management as well as to technicians/administrators WHY, WHAT and HOW it should be done.

For Windows Server 2012 it seems to be the case that the command/the setting can be Set-ADDefaultDomainPasswordPolicy (and a lot of "switches"). Is this correct? Or what am I missing?

Note: I am not (yet) familiar with GPOs in the Windows world... There is/must be a whole lot else I don't know...
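
The set-and-check step discussed in the comments above (the Set-ADDefaultDomainPasswordPolicy answer and the request for a way of checking), as an added example that is not from any poster: it writes the domain default minimum length, reads the value back, and audits the local policy through a secedit export. It assumes an elevated session on a domain-joined Windows Server 2012 machine, the ActiveDirectory module, and rights to change the domain policy; the function names are made up for this example.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Assumes: elevated session, domain-joined host, ActiveDirectory module (RSAT).
Import-Module ActiveDirectory -ErrorAction Stop
$Required = 15   # "password length >= 15 characters" from the requirement

function Set-DomainMinPasswordLength([int]$Length) {
    # Writes the default domain password policy; drop -WhatIf to apply.
    $domain = (Get-ADDomain).DNSRoot
    Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength $Length -WhatIf
}

function Get-DomainMinPasswordLength {
    # Read back what the domain actually holds instead of trusting the write.
    (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
}

function Get-LocalMinPasswordLength {
    # secedit exports the local security policy as an .inf file;
    # the [System Access] section carries "MinimumPasswordLength = N".
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $hit = Get-Content -Path $inf |
               Select-String -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' |
               Select-Object -First 1
        if (-not $hit) { throw 'MinimumPasswordLength not found in secedit export' }
        [int]$hit.Matches[0].Groups[1].Value
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

Set-DomainMinPasswordLength -Length $Required

# One row per scope for the policy matrix: configured value vs. requirement.
$rows = foreach ($check in @(
        @{ Scope = 'Domain default policy';             Actual = Get-DomainMinPasswordLength },
        @{ Scope = "Local policy on $env:COMPUTERNAME"; Actual = Get-LocalMinPasswordLength })) {
    New-Object psobject -Property @{
        Scope     = $check.Scope
        Required  = $Required
        Actual    = $check.Actual
        Compliant = ($check.Actual -ge $Required)
    }
}
$rows | Format-Table Scope, Required, Actual, Compliant -AutoSize
```

The Compliant column is computed from the value read back, so a write that did not take effect, or that was later overwritten, shows up as a failed row.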

Expert Comment

ID: 41838772
ubat, though I see "you have a plan", I think you are not processing it in the correct order.
First, you need some knowledge about AD. You cannot judge comments here, even.
You need to understand
- why the pw policy is special
- why normally, no one would use commands to tune it
- that there are even two styles of password policies, the legacy one and the PSO one (google pso and GPO together) - the PSO can be applied to users, while the GPO can only be applied to each and any user.
- that here, the client OS does not even matter
- that the server OS does matter (because PSOs need a server 2008R2 or higher)
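
The PSO style mentioned above, applied to the thread's requirement (privileged users, minimum 15 characters), as an added example that is not from any poster. The PSO name, the precedence value and the choice of Domain Admins as the privileged group are assumptions made for the example; it needs the ActiveDirectory module and rights to create password settings objects.

```powershell
# Added example, not from the thread. Names and values below are assumptions.
Import-Module ActiveDirectory -ErrorAction Stop

$PsoName  = 'PSO-Privileged-MinLen15'   # hypothetical PSO name
$Group    = 'Domain Admins'             # assumed group holding the privileged users
$Required = 15                          # requirement from the question

# Create the PSO once and link it to the group. Complexity and reversible
# encryption are set explicitly rather than left to the cmdlet defaults.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength $Required `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group
}

# Verify per user: ask the domain which policy actually wins for each member.
# No resultant PSO means the default domain policy applies to that account.
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso    = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $policy = 'Default domain policy'
        $minLen = $default.MinPasswordLength
        if ($pso) {
            $policy = $pso.Name
            $minLen = $pso.MinPasswordLength
        }
        New-Object psobject -Property @{
            User      = $_.SamAccountName
            Policy    = $policy
            MinLength = $minLen
            Compliant = ($minLen -ge $Required)
        }
    } | Format-Table User, Policy, MinLength, Compliant -AutoSize
```

A changed minimum length is enforced when a password is next set, so existing shorter passwords remain valid until they are changed.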

