• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 38
  • Last Modified:

Password setting in Windows Server 2012

I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x


Password must contain at least 15 characters
0
ubat
Asked:
ubat
3 Solutions
 
reredokIT ConsultantCommented:
For AD use Group Policy - Windows Settings - Account Settings - .... Password length etc.
Domain-Policy - AD --> independent from OS (Windows XP, Vist, 8.1, 10...)
For stand alone Server user GPEDIT.MSC
0
 
ubatAuthor Commented:
Thanks. Can the setting be scripted? E.g. in AIX 7.1 the command for password length is minlen=8, do a similar command exist in Windows Server 2012?
0
 
ubatAuthor Commented:
To be precise minlen = minimum length 8 = 8 characters. Hence what is the command in Windows for 15 characters?
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
Adam BrownSr Solutions ArchitectCommented:
There isn't a single command that will do that for individual computers. Windows usually has two different types of accounts you can work with, Domain accounts and Local accounts. Domain accounts apply to all computers on a Windows Domain while Local accounts apply to specific computers. It's possible to modify the Domain account password policies on a Windows 2012 Domain Controller with Powershell using set-addefaultdomainpasswordpolicy: https://technet.microsoft.com/en-us/library/ee617251.aspx 

But there is, currently, no command included by default in windows that will do the same for a local account. There are scripts that can accomplish the task and downloadable powershell modules that can do it, but nothing straight out of the box can.
0
 
McKnifeCommented:
When we are talking about domain accounts, you cannot use local settings, these are simply not even evaluated by the system.
So you need to set this in the default domain GPO. Settings in there would apply to all accounts, local accounts, too.

If however you want to govern local accounts only (and NOT domain accounts), you could use the local policies and yes, there exist commands to setup password requirements.
0
 
ubatAuthor Commented:
>If however you want to govern local accounts only (and NOT domain accounts), you could use the local policies and yes, there exist commands to setup password requirements.

So I guess my question(s) should be,

1. Please define the exact commands (settings?) to be used for setting up a password requirement for "password must be minimum 15 characters". This both for local accounts as well as the domain GPO.

2. Where can I find the documentation for this?
2b In addition to https://technet.microsoft.com/en-us/library/ee617251.aspx should I read/look up something else?
0
 
McKnifeCommented:
You don't use command for that, why should you, GPO is much faster to setup?
0
 
ubatAuthor Commented:
What I am trying to do is to write a password "policy" document with real world examples  from different operating systems.
The requirement(s) as stated in words are e.g. Privileged user must have password length of minimum 15 characters.
This can be translated into "pseudocode" e.g. password length >= 15 characters
Which then needs to be translated into the actual way of implementing the requirement in the operating system.
(Finally a way of checking is needed to ensure thtat whatever is supposed to have been installed/implemented/set up/scripted actually IS existing in the configuration. e.g. by using a scanner, Qualys of something else e.g. a script.)

The first step is to determine the "pseudocode" for a requirement
The second step is to determine if the requirement can be implemented in each/a given operating system / version
The third step is to clearly define the "settings" for
Windows Server 2008, 2012 etc
AIX 7.1
Solaris
IBM i
etc

e.g. Password Requirement  = minimum 15 characters
The setting to implement this in,
AIX is minlen=15
Windows Server 2012 is
OpenBSD 9 is
Solaris ver x is
etc

In the end I am going to end up with a spread sheet/a matrix. The aim of which is to clearly define to management as well as to technicians/administrators WHY, WHAT and HOW it should be done.

For windows Server 2012 it seems to be the case that the command/the setting can be Set-ADDefaultDomainPasswordPolicy (and a lot of "switches". Is this correct? Or what am I missing?

Note: I am not (yet) familiar with GPO:s in the Windows world... There is/must be a whole lot else I don't know...
0
 
McKnifeCommented:
ubat, though I see "you have a plan", I think you are not processing it in the correct order.
First, you need some knowledge about AD. You cannot judge comments here, even.
You need to understand
-why the pw policy is special
-why normally, no one would use commands to tune it
-that there are even two styles of password policies, the legacy one and the PSO one (google pso and GPO together) - the PSO can be applied to users, while the GPO can only be applied to each and any user.
-that here, the client OS does not even matter
-that the server OS does matter (because PSOs need a server 2008R2 or higher)
0

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now