Solved

Password setting in Windows Server 2012

Posted on 2016-10-11
9
26 Views
Last Modified: 2016-10-21
I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x


Password must contain at least 15 characters
0
Comment
Question by:ubat
9 Comments
 
LVL 4

Accepted Solution

by:
reredok earned 167 total points
ID: 41838340
For AD use Group Policy - Windows Settings - Account Settings - .... Password length etc.
Domain-Policy - AD --> independent from OS (Windows XP, Vist, 8.1, 10...)
For stand alone Server user GPEDIT.MSC
0
 
LVL 4

Author Comment

by:ubat
ID: 41838360
Thanks. Can the setting be scripted? E.g. in AIX 7.1 the command for password length is minlen=8, do a similar command exist in Windows Server 2012?
0
 
LVL 4

Author Comment

by:ubat
ID: 41838362
To be precise minlen = minimum length 8 = 8 characters. Hence what is the command in Windows for 15 characters?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 167 total points
ID: 41838394
There isn't a single command that will do that for individual computers. Windows usually has two different types of accounts you can work with, Domain accounts and Local accounts. Domain accounts apply to all computers on a Windows Domain while Local accounts apply to specific computers. It's possible to modify the Domain account password policies on a Windows 2012 Domain Controller with Powershell using set-addefaultdomainpasswordpolicy: https://technet.microsoft.com/en-us/library/ee617251.aspx 

But there is, currently, no command included by default in windows that will do the same for a local account. There are scripts that can accomplish the task and downloadable powershell modules that can do it, but nothing straight out of the box can.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 41838451
When we are talking about domain accounts, you cannot use local settings, these are simply not even evaluated by the system.
So you need to set this in the default domain GPO. Settings in there would apply to all accounts, local accounts, too.

If however you want to govern local accounts only (and NOT domain accounts), you could use the local policies and yes, there exist commands to setup password requirements.
0
 
LVL 4

Author Comment

by:ubat
ID: 41838460
>If however you want to govern local accounts only (and NOT domain accounts), you could use the local policies and yes, there exist commands to setup password requirements.

So I guess my question(s) should be,

1. Please define the exact commands (settings?) to be used for setting up a password requirement for "password must be minimum 15 characters". This both for local accounts as well as the domain GPO.

2. Where can I find the documentation for this?
2b In addition to https://technet.microsoft.com/en-us/library/ee617251.aspx should I read/look up something else?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41838476
You don't use command for that, why should you, GPO is much faster to setup?
0
 
LVL 4

Author Comment

by:ubat
ID: 41838519
What I am trying to do is to write a password "policy" document with real world examples  from different operating systems.
The requirement(s) as stated in words are e.g. Privileged user must have password length of minimum 15 characters.
This can be translated into "pseudocode" e.g. password length >= 15 characters
Which then needs to be translated into the actual way of implementing the requirement in the operating system.
(Finally a way of checking is needed to ensure thtat whatever is supposed to have been installed/implemented/set up/scripted actually IS existing in the configuration. e.g. by using a scanner, Qualys of something else e.g. a script.)

The first step is to determine the "pseudocode" for a requirement
The second step is to determine if the requirement can be implemented in each/a given operating system / version
The third step is to clearly define the "settings" for
Windows Server 2008, 2012 etc
AIX 7.1
Solaris
IBM i
etc

e.g. Password Requirement  = minimum 15 characters
The setting to implement this in,
AIX is minlen=15
Windows Server 2012 is
OpenBSD 9 is
Solaris ver x is
etc

In the end I am going to end up with a spread sheet/a matrix. The aim of which is to clearly define to management as well as to technicians/administrators WHY, WHAT and HOW it should be done.

For windows Server 2012 it seems to be the case that the command/the setting can be Set-ADDefaultDomainPasswordPolicy (and a lot of "switches". Is this correct? Or what am I missing?

Note: I am not (yet) familiar with GPO:s in the Windows world... There is/must be a whole lot else I don't know...
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41838772
ubat, though I see "you have a plan", I think you are not processing it in the correct order.
First, you need some knowledge about AD. You cannot judge comments here, even.
You need to understand
-why the pw policy is special
-why normally, no one would use commands to tune it
-that there are even two styles of password policies, the legacy one and the PSO one (google pso and GPO together) - the PSO can be applied to users, while the GPO can only be applied to each and any user.
-that here, the client OS does not even matter
-that the server OS does matter (because PSOs need a server 2008R2 or higher)
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question