Go Premium for a chance to win a PS4. Enter to Win


Password setting/command in Windows Server 2012

Posted on 2016-10-11
Medium Priority
Last Modified: 2016-10-21
I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?
Also is the command the same in Active Directory or is there a difference?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x

Password must contain at least 1 numeric character
Question by:ubat
  • 2
LVL 43

Accepted Solution

Adam Brown earned 1000 total points
ID: 41838376
Server 2012 will generally follow the settings defined by Group Policy on the domain. The requirements can be set by running GPEdit.msc and going to Computer Configuration\Windows Settings\Security settings\Account Policies\Password Policy or by deploying a GPO. The option there for "Passwords must meet complexity requirements" is enabled by default and requires all passwords to meet the following requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)

It is not possible to set up Windows systems to have a password requirement that includes only 1 numeric character without using third party tools or significant code modifications to Windows. You can only set windows to require complexity or not. Passwords that require complexity must meet the rules above. Passwords that do not require complexity have no character type requirements tied to them.
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 1000 total points
ID: 41839641
Well, regarding Windows server and domain this is a little bit more complicated.

First of all, you need to define password policy. For workgroup environment it needs to be done on every server separately. You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used.

So, mostly domain password policy is in use. More details you can find in an article on my blog showing how to do that at http://kpytko.pl/active-directory-domain-services/setting-default-domain-password-policy/

This will define strength of your password policy. If you wish, you can simply use Active Directory Users and Computers snap-in to set up users password. This is a little bit inconvenient for multi user changes but it's really fine for single or small batch of users.

Domain Controllers by default contain tools to manage user passwords. On domain members you need to install RSAT (Remote Server Administrative Tools) for particular OS version.

From Windows Server 2008R2 and Windows 7 with RSAT, Microsoft introduced PowerShell module for Active Directory, where you can manage domain objects, i.e. users and set their password.

Every new Windows Server contains newer version of PowerShell and newer AD cmd-lets (name for those commands within PowerShell) which may vary with functionality or differentiate in total no of them.

In PowerShell you can use for user management:

  • Get-ADUser
  • - to get AD user from domain
  • Set-ADUser
  • - to modify AD user in a domain
  • New-ADUser
  • - create new AD user
  • Set-ADAccountPassword
  • - to set or modify user password

All the time, you have Microsoft DS tools, which are legacy command-line tools but still are working fine:

  • dsquery
  • - to make a search
  • dsget
  • - to get object
  • dsmod
  • - to modify object i.e. set up user's password

More details about DS tools, you can also find on my blog at:







I hope it would be useful for you.

LVL 57

Expert Comment

ID: 41841484
Krzysztof, allow the comment on
"You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used." - no, when a domain password policy is in effect, the local policy is overwritten and will never be applied. Not for local accounts and, logically, not for domain accounts since those passwords cannot be changed without domain connectivity, anyway.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 41841501
Dear McKnife,
I re-read this paragraph once again and you're right. I put this not too clear and this is wrong, you're right. Thank you for clarifying this out.

What I meant was: "[..]you can also do that on domain member server[..] I meant, you can define password policy from member server with GPMC to edit Default Password policy and if there is no communication with a domain, password settings are stored locally, so local users need to follow rules and can change password. Of course, domain account cannot change password if there is no connection to the DC :)

As long as machine is a member of a domain, local password policy cannot be modified, it's simple grayed out :)
To have possibility to configure different local password policy on domain members, you need to create separate password policy within domain an apply it at particular server's OU. But this only affects local accounts.

Thank you once again for sorting this out and letting me know about mistake. In previous form, it's wrong, I agree


Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question