Windows Server 2012R2 password policy


When creating new users I am required to enter a password of 14 characters. I have checked in the default domain policy for the password policy settings and these are not defined, so I assume it should pick up the default password length of 7 characters.

There are fine-grained password settings set up for the domain, one for staff and one for students, but when creating a new user it is not in any of those groups.

How can I find out where and why it is picking up the 14 characters setting?

Thanks in advance for any help you can give me :)

3 Replies

Hi @Theresa Stock

In your position, I would run Group Policy Results against the user and the computer - this should give you information on which GPOs are being applied for the password settings, then drill down at the GPO and see the individual settings.

Example from my test domain:

[Screenshot: gpo.png]

Hope this helps. Let us know how you get on.

Mark


Thanks very much @HidMov

I did that but it seems to have opened up an even bigger can of worms :( Someone else set up this network and has since left. I can't see anything in the GPO results that is forcing it to 14 characters. Although the default domain policy does not have this set, is it possible that it is making the default 14 rather than 7? I wonder if I should try setting this and see what happens? I don't want to break anything though!


Thanks @Theresa Stock - very odd. I've not seen any case where the password policy would show as 7 days but revert over to 14, unless there is some kind of 3rd party management app?

In AD PowerShell, could you run the following and let me know the result?

Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 16 -Identity contoso.com

When you run the GPO Result, does it specify the set password length and the winning GPO as per my previous screenshot?

Thanks,

Mark
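
Added example, not part of the thread: a read-only PowerShell check for where a minimum length such as the 14 characters discussed above comes from, comparing the values stored on the domain with each fine-grained password policy and the one that wins for a given account. It assumes the ActiveDirectory module (RSAT) is available; `newuser.test` is a placeholder account name.

```powershell
# Added example: every command below only reads; nothing changes policy.
Import-Module ActiveDirectory

# Placeholder (assumption): an account that was forced to a 14-character password.
$SamAccountName = 'newuser.test'

# 1. Password policy values stored on the domain itself. Domain controllers
#    enforce these for any account that no fine-grained policy (PSO) covers,
#    whatever an individual GPO shows as "Not defined".
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge

# 2. Every fine-grained password policy, lowest Precedence value first
#    (the lowest value wins when several apply), and the users or groups
#    each one is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# 3. The PSO that actually wins for the account. The cmdlet returns nothing
#    when no PSO applies, in which case the domain values from step 1 are used.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($pso) {
    "PSO '{0}' applies to {1}: MinPasswordLength = {2}" -f `
        $pso.Name, $SamAccountName, $pso.MinPasswordLength
} else {
    "No PSO applies to {0}; domain MinPasswordLength = {1}" -f `
        $SamAccountName, $domainPolicy.MinPasswordLength
}

# 4. Direct group memberships of the account, to compare against the
#    AppliesTo lists from step 2 (a PSO can be linked to a group the
#    account belongs to by default).
Get-ADPrincipalGroupMembership -Identity $SamAccountName |
    Select-Object Name, DistinguishedName
```

If step 1 already reports 14, the value is set at domain level and the next place to look is every GPO linked to the domain root, not only the Default Domain Policy.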