Password setting/command in Windows Server 2012

Posted on 2016-10-11
Medium Priority
Last Modified: 2016-10-21
I am currently working on a check list for password related settings in different operating systems. Can someone help me with the exact command/settings for Windows Server 2012?
Also is the command the same in Active Directory or is there a difference?

Password requirement                                            Operating system command/setting for Windows Server 2012 ver x

Password must contain at least 1 numeric character
Question by:ubat
LVL 42

Accepted Solution

Adam Brown earned 1000 total points
ID: 41838376
Server 2012 will generally follow the settings defined by Group Policy on the domain. The requirements can be set by running GPEdit.msc and going to Computer Configuration\Windows Settings\Security settings\Account Policies\Password Policy or by deploying a GPO. The option there for "Passwords must meet complexity requirements" is enabled by default and requires all passwords to meet the following requirements:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)

It is not possible to set up Windows systems to have a password requirement that includes only 1 numeric character without using third-party tools or significant code modifications to Windows. You can only set Windows to require complexity or not. Passwords that require complexity must meet the rules above. Passwords that do not require complexity have no character type requirements tied to them.
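
The complexity rules listed in the answer above, as an added PowerShell example (not part of the original post and not Windows' own filter code). It approximates the name rule by splitting the full name on common delimiters; the function name and the sample passwords are constructed. It shows that a password with no digit can still satisfy the three-of-four rule.

```powershell
# Added example: local re-implementation of the complexity rules as listed above.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$FullName = ''
    )
    $reasons = @()

    # Rule: at least six characters in length
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule: characters from three of the four categories (-cmatch is case-sensitive)
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase
    if ($Password -cmatch '[0-9]')        { $categories++ }   # digits
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }   # everything else
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    # Rule: no account name and no full-name part longer than two characters.
    # Assumption: name parts are separated by whitespace , . - _ or #
    $tokens = @($SamAccountName) + ($FullName -split '[\s,.\-_#]+')
    foreach ($t in $tokens) {
        if ($t.Length -ge 3 -and
            $Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains name part '$t'"
        }
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample inputs (not real credentials); the first one has no digit.
$samples = 'Summer!Day', 'summer2016', 'Jsmith#2016', 'Ab1!'
$samples | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -FullName 'John Smith'
} | Format-Table -AutoSize
```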
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 1000 total points
ID: 41839641
Well, regarding Windows Server and domain, this is a little bit more complicated.

First of all, you need to define password policy. For workgroup environment it needs to be done on every server separately. You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used.

So, mostly domain password policy is in use. More details you can find in an article on my blog showing how to do that at

This will define the strength of your password policy. If you wish, you can simply use the Active Directory Users and Computers snap-in to set up users' passwords. This is a little bit inconvenient for multi-user changes but it's really fine for a single user or a small batch of users.

Domain Controllers by default contain tools to manage user passwords. On domain members you need to install RSAT (Remote Server Administrative Tools) for particular OS version.

From Windows Server 2008 R2 and Windows 7 with RSAT, Microsoft introduced a PowerShell module for Active Directory, where you can manage domain objects, i.e. users, and set their passwords.

Every new Windows Server contains a newer version of PowerShell and newer AD cmdlets (the name for those commands within PowerShell), which may vary in functionality or differ in the total number of them.

In PowerShell you can use for user management:

  • Get-ADUser - to get AD user from domain
  • Set-ADUser - to modify AD user in a domain
  • New-ADUser - create new AD user
  • Set-ADAccountPassword - to set or modify user password

All the time, you have Microsoft DS tools, which are legacy command-line tools but still are working fine:

  • dsquery - to make a search
  • dsget - to get object
  • dsmod - to modify object i.e. set up user's password

More details about DS tools, you can also find on my blog at:







I hope it would be useful for you.
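
One way to turn the domain policy into a checklist check with the Active Directory module mentioned above, as an added example that is not from the original post. `Compare-PasswordPolicy` and the baseline values are hypothetical; the sample object is constructed so the script runs without a domain.

```powershell
# Added example: compare a password policy object against a checklist baseline.
# The baseline values are hypothetical; substitute your own checklist.
$Baseline = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 12
    PasswordHistoryCount        = 24
}

function Compare-PasswordPolicy {
    param(
        [Parameter(Mandatory)]$Policy,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual   = $Policy.$name
        $expected = $Baseline[$name]
        # Numeric settings are treated as minimums; booleans must match exactly.
        $ok = if ($expected -is [bool]) { $actual -eq $expected }
              else { $actual -ge $expected }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected
            Actual   = $actual
            Pass     = $ok
        }
    }
}

# Constructed sample object using the property names that
# Get-ADDefaultDomainPasswordPolicy returns, so the script runs offline.
$policy = [pscustomobject]@{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
}

# On a domain controller, or a member with RSAT installed, use the live policy:
#   Import-Module ActiveDirectory
#   $policy = Get-ADDefaultDomainPasswordPolicy

Compare-PasswordPolicy -Policy $policy -Baseline $Baseline | Format-Table -AutoSize
```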

LVL 56

Expert Comment

ID: 41841484
Krzysztof, allow the comment on
"You can also do that on domain member servers and workstations if no communication with domain is possible then local password policy is being used." - no, when a domain password policy is in effect, the local policy is overwritten and will never be applied. Not for local accounts and, logically, not for domain accounts since those passwords cannot be changed without domain connectivity, anyway.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 41841501
Dear McKnife,
I re-read this paragraph once again and you're right. I did not put this too clearly and this is wrong, you're right. Thank you for clarifying this.

What I meant was: "[..]you can also do that on domain member server[..]" I meant, you can define password policy from a member server with GPMC to edit the Default Password policy, and if there is no communication with a domain, password settings are stored locally, so local users need to follow the rules and can change their password. Of course, a domain account cannot change its password if there is no connection to the DC :)

As long as a machine is a member of a domain, local password policy cannot be modified, it's simply grayed out :)
To have the possibility to configure a different local password policy on domain members, you need to create a separate password policy within the domain and apply it at the particular server's OU. But this only affects local accounts.

Thank you once again for sorting this out and letting me know about the mistake. In its previous form, it's wrong, I agree.


Question has a verified solution.
