Password setting/command in Windows Server 2012

Posted on 2016-10-11
Last Modified: 2016-10-21
I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?
Also is the command the same in Active Directory or is there a difference?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x

Password must contain at least 1 numeric character
Question by:ubat
  • 2
LVL 39

Accepted Solution

Adam Brown earned 250 total points
ID: 41838376
Server 2012 will generally follow the settings defined by Group Policy on the domain. The requirements can be set by running GPEdit.msc and going to Computer Configuration\Windows Settings\Security settings\Account Policies\Password Policy or by deploying a GPO. The option there for "Passwords must meet complexity requirements" is enabled by default and requires all passwords to meet the following requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)

It is not possible to set up Windows systems to have a password requirement that includes only 1 numeric character without using third party tools or significant code modifications to Windows. You can only set windows to require complexity or not. Passwords that require complexity must meet the rules above. Passwords that do not require complexity have no character type requirements tied to them.
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 250 total points
ID: 41839641
Well, regarding Windows server and domain this is a little bit more complicated.

First of all, you need to define password policy. For workgroup environment it needs to be done on every server separately. You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used.

So, mostly domain password policy is in use. More details you can find in an article on my blog showing how to do that at

This will define strength of your password policy. If you wish, you can simply use Active Directory Users and Computers snap-in to set up users password. This is a little bit inconvenient for multi user changes but it's really fine for single or small batch of users.

Domain Controllers by default contain tools to manage user passwords. On domain members you need to install RSAT (Remote Server Administrative Tools) for particular OS version.

From Windows Server 2008R2 and Windows 7 with RSAT, Microsoft introduced PowerShell module for Active Directory, where you can manage domain objects, i.e. users and set their password.

Every new Windows Server contains newer version of PowerShell and newer AD cmd-lets (name for those commands within PowerShell) which may vary with functionality or differentiate in total no of them.

In PowerShell you can use for user management:

  • Get-ADUser
  • - to get AD user from domain
  • Set-ADUser
  • - to modify AD user in a domain
  • New-ADUser
  • - create new AD user
  • Set-ADAccountPassword
  • - to set or modify user password

All the time, you have Microsoft DS tools, which are legacy command-line tools but still are working fine:

  • dsquery
  • - to make a search
  • dsget
  • - to get object
  • dsmod
  • - to modify object i.e. set up user's password

More details about DS tools, you can also find on my blog at:







I hope it would be useful for you.

LVL 54

Expert Comment

ID: 41841484
Krzysztof, allow the comment on
"You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used." - no, when a domain password policy is in effect, the local policy is overwritten and will never be applied. Not for local accounts and, logically, not for domain accounts since those passwords cannot be changed without domain connectivity, anyway.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 41841501
Dear McKnife,
I re-read this paragraph once again and you're right. I put this not too clear and this is wrong, you're right. Thank you for clarifying this out.

What I meant was: "[..]you can also do that on domain member server[..] I meant, you can define password policy from member server with GPMC to edit Default Password policy and if there is no communication with a domain, password settings are stored locally, so local users need to follow rules and can change password. Of course, domain account cannot change password if there is no connection to the DC :)

As long as machine is a member of a domain, local password policy cannot be modified, it's simple grayed out :)
To have possibility to configure different local password policy on domain members, you need to create separate password policy within domain an apply it at particular server's OU. But this only affects local accounts.

Thank you once again for sorting this out and letting me know about mistake. In previous form, it's wrong, I agree


Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In-place Upgrading Dirsync to Azure AD Connect
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question