Password setting/command in Windows Server 2012

I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?
Also is the command the same in Active Directory or is there a difference?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x


Password must contain at least 1 numeric character
Asked by: ubat
Adam Brown, Sr Solutions Architect, commented:
Server 2012 will generally follow the settings defined by Group Policy on the domain. The requirements can be set by running GPEdit.msc and going to Computer Configuration\Windows Settings\Security settings\Account Policies\Password Policy or by deploying a GPO. The option there for "Passwords must meet complexity requirements" is enabled by default and requires all passwords to meet the following requirements:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)

It is not possible to set up Windows systems to have a password requirement that includes only 1 numeric character without using third-party tools or significant code modifications to Windows. You can only set Windows to require complexity or not. Passwords that require complexity must meet the rules above. Passwords that do not require complexity have no character type requirements tied to them.
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Well, regarding Windows server and domain this is a little bit more complicated.

First of all, you need to define a password policy. For a workgroup environment it needs to be done on every server separately. You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used.

So, mostly the domain password policy is in use. You can find more details in an article on my blog showing how to do that at http://kpytko.pl/active-directory-domain-services/setting-default-domain-password-policy/

This will define the strength of your password policy. If you wish, you can simply use the Active Directory Users and Computers snap-in to set up users' passwords. This is a little bit inconvenient for multi-user changes but it's really fine for a single user or a small batch of users.

Domain Controllers by default contain tools to manage user passwords. On domain members you need to install RSAT (Remote Server Administrative Tools) for particular OS version.

From Windows Server 2008R2 and Windows 7 with RSAT, Microsoft introduced PowerShell module for Active Directory, where you can manage domain objects, i.e. users and set their password.

Every new Windows Server contains a newer version of PowerShell and newer AD cmdlets (the name for those commands within PowerShell), which may vary in functionality or differ in their total number.

In PowerShell you can use for user management:

  • Get-ADUser - to get AD user from domain
  • Set-ADUser - to modify AD user in a domain
  • New-ADUser - create new AD user
  • Set-ADAccountPassword - to set or modify user password

All the time, you have Microsoft DS tools, which are legacy command-line tools but still are working fine:

  • dsquery - to make a search
  • dsget - to get object
  • dsmod - to modify object i.e. set up user's password
  • etc.

More details about DS tools, you can also find on my blog at:

  • Introduction: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-1/
  • dsquery: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-2/
  • dsget: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-3/
  • dsadd: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-4/
  • dsmod: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-5/
  • dsmove: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-6/
  • dsrm: http://kpytko.pl/active-directory-domain-services/microsoft-ds-tools-part-7/

I hope it would be useful for you.

Regards,
Krzysztof
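For the checklist the question asks about, the sketch below compares a password policy object against a baseline. It is an added example, not part of the original answer: the function name and the baseline values are assumptions, and the sample object is constructed to mirror the property names returned by the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet so that the block runs without a domain.

```powershell
# Added example: check a password policy object against a checklist baseline.
# The baseline values are assumptions for illustration; substitute your own standard.
function Compare-PasswordPolicy {
    param(
        [Parameter(Mandatory)]$Policy,
        [hashtable]$Baseline = @{
            ComplexityEnabled           = $true
            ReversibleEncryptionEnabled = $false
            MinPasswordLength           = 14
            PasswordHistoryCount        = 24
            MaxPasswordAgeDays          = 365
        }
    )
    # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire.
    $maxDays = $Policy.MaxPasswordAge.Days
    $results = [ordered]@{
        ComplexityEnabled           = $Policy.ComplexityEnabled -eq $Baseline.ComplexityEnabled
        ReversibleEncryptionEnabled = $Policy.ReversibleEncryptionEnabled -eq $Baseline.ReversibleEncryptionEnabled
        MinPasswordLength           = $Policy.MinPasswordLength -ge $Baseline.MinPasswordLength
        PasswordHistoryCount        = $Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount
        MaxPasswordAge              = ($maxDays -gt 0) -and ($maxDays -le $Baseline.MaxPasswordAgeDays)
    }
    # Emit one row per setting with the observed value and the verdict.
    foreach ($name in $results.Keys) {
        [pscustomobject]@{
            Setting = $name
            Actual  = $Policy.$name
            Pass    = $results[$name]
        }
    }
}

# Constructed sample policy (values chosen for illustration only).
$sample = [pscustomobject]@{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 42)
}
Compare-PasswordPolicy -Policy $sample | Format-Table -AutoSize

# With the ActiveDirectory module (RSAT) installed and domain connectivity:
# Compare-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) | Format-Table -AutoSize
```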
McKnife commented:
Krzysztof, allow the comment on
"You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used." - no, when a domain password policy is in effect, the local policy is overwritten and will never be applied. Not for local accounts and, logically, not for domain accounts since those passwords cannot be changed without domain connectivity, anyway.
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Dear McKnife,
I re-read this paragraph once again and you're right. I put this not too clearly and this is wrong, you're right. Thank you for clarifying this.

What I meant was: "[..]you can also do that on domain member server[..]". I meant, you can define password policy from a member server with GPMC to edit the Default Password policy, and if there is no communication with a domain, password settings are stored locally, so local users need to follow the rules and can change their password. Of course, a domain account cannot change its password if there is no connection to the DC :)

As long as a machine is a member of a domain, the local password policy cannot be modified, it's simply grayed out :)
To have the possibility to configure a different local password policy on domain members, you need to create a separate password policy within the domain and apply it at the particular server's OU. But this only affects local accounts.

Thank you once again for sorting this out and letting me know about the mistake. In its previous form, it's wrong, I agree.

Regards,
Krzysztof