Solved

Password setting/command in Windows Server 2012

Posted on 2016-10-11
4
23 Views
Last Modified: 2016-10-21
I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?
Also is the command the same in Active Directory or is there a difference?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x


Password must contain at least 1 numeric character
0
Comment
Question by:ubat
  • 2
4 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41838376
Server 2012 will generally follow the settings defined by Group Policy on the domain. The requirements can be set by running GPEdit.msc and going to Computer Configuration\Windows Settings\Security settings\Account Policies\Password Policy or by deploying a GPO. The option there for "Passwords must meet complexity requirements" is enabled by default and requires all passwords to meet the following requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)

It is not possible to set up Windows systems to have a password requirement that includes only 1 numeric character without using third party tools or significant code modifications to Windows. You can only set windows to require complexity or not. Passwords that require complexity must meet the rules above. Passwords that do not require complexity have no character type requirements tied to them.
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 250 total points
ID: 41839641
Well, regarding Windows server and domain this is a little bit more complicated.

First of all, you need to define password policy. For workgroup environment it needs to be done on every server separately. You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used.

So, mostly domain password policy is in use. More details you can find in an article on my blog showing how to do that at http://kpytko.pl/active-directory-domain-services/setting-default-domain-password-policy/

This will define strength of your password policy. If you wish, you can simply use Active Directory Users and Computers snap-in to set up users password. This is a little bit inconvenient for multi user changes but it's really fine for single or small batch of users.

Domain Controllers by default contain tools to manage user passwords. On domain members you need to install RSAT (Remote Server Administrative Tools) for particular OS version.

From Windows Server 2008R2 and Windows 7 with RSAT, Microsoft introduced PowerShell module for Active Directory, where you can manage domain objects, i.e. users and set their password.

Every new Windows Server contains newer version of PowerShell and newer AD cmd-lets (name for those commands within PowerShell) which may vary with functionality or differentiate in total no of them.

In PowerShell you can use for user management:

  • Get-ADUser
  • - to get AD user from domain
  • Set-ADUser
  • - to modify AD user in a domain
  • New-ADUser
  • - create new AD user
  • Set-ADAccountPassword
  • - to set or modify user password

All the time, you have Microsoft DS tools, which are legacy command-line tools but still are working fine:

  • dsquery
  • - to make a search
  • dsget
  • - to get object
  • dsmod
  • - to modify object i.e. set up user's password
etc.

More details about DS tools, you can also find on my blog at:
Introduction
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-1/

dsquery
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-2/

dsget
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-3/

dsadd
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-4/

dsmod
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-5/

dsmove
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-6/

dsrm
http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-7/

I hope it would be useful for you.

Regards,
Krzysztof
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41841484
Krzysztof, allow the comment on
"You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used." - no, when a domain password policy is in effect, the local policy is overwritten and will never be applied. Not for local accounts and, logically, not for domain accounts since those passwords cannot be changed without domain connectivity, anyway.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 41841501
Dear McKnife,
I re-read this paragraph once again and you're right. I put this not too clear and this is wrong, you're right. Thank you for clarifying this out.

What I meant was: "[..]you can also do that on domain member server[..] I meant, you can define password policy from member server with GPMC to edit Default Password policy and if there is no communication with a domain, password settings are stored locally, so local users need to follow rules and can change password. Of course, domain account cannot change password if there is no connection to the DC :)

As long as machine is a member of a domain, local password policy cannot be modified, it's simple grayed out :)
To have possibility to configure different local password policy on domain members, you need to create separate password policy within domain an apply it at particular server's OU. But this only affects local accounts.

Thank you once again for sorting this out and letting me know about mistake. In previous form, it's wrong, I agree

Regards,
Krzysztof
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now