Windows Domain Maximum Password Length 2016

When trying to create a password longer than 16 chars on my Windows 2012 server, it is refused due to the password being to long. I have tried looking for a GPO called 'Maximum Password Length' - which i.

Active1 year, 7 months ago

Windows Domain Maximum Password Length

I've been given a requirement to enforce a minimum password length of 15 characters on my Windows-based systems. Supposedly, this is possible and is being done on some other systems already. However, I can't seem to get it to work.

Length

The key problem appears to be that the policy is normally limited to only accepting values of 0 to 14.

I've tried setting it higher, but it does not work.

How is anyone able to get around this?

I need a solution that will work both through domain-based GPO and on standalone systems. If possible, I need a fix that's backward-compatible down to XP/2003. Third-party tools are not an option.

IsziIszi
1,1016 gold badges18 silver badges33 bronze badges

3 Answers

Yes, you can but I don't believe it's supported. You would have to modify Active Directory using ADSIEdit.msc. If you view the attributes for the AD Schema, there is a Min-Pwd-Length attribute. Change this attribute's value to 15 and the minimum password length of 15 will be enforced.

Read more about it here: https://msdn.microsoft.com/en-us/library/ms677113%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

bentekbentek
1,9371 gold badge9 silver badges22 bronze badges

You can create a registry-based policy that will stuff 15 as the value for minimum password length. A method is described here.

Maximum Password Length Windows 2012

You can do this on a stand alone server/workgroup computer:

1: Open regedit

2: Navigate to 'HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesNetwork' in the left-hand pane then right-click on the entry.

3: Create a new REG_BINARY value. Name the value 'MinPwdLen' and set the minimum password length to seven.

4: Close Registry Editor then restart the computer

You create a policy that applies to all the machines in the domain (a domain-wide policy, make sure it won't conflict with existing policies that set minimum password length by policy means, as you have tried) that will set the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesNetworkMinPwdLen value to BINARY 0x0F.

VesperVesper
4811 gold badge4 silver badges22 bronze badges

If your domain is 2012 or above you can now configure a longer password using “Fined Grained Password Policies” or Password Setting Object (PSO)

NOTE: XP2003 have been out of support for a long time. Strong passwords can't protect you. There is an RCE called 'Eternal Blue' in SMB that makes passwords for these old systesm obsolete. Anyone can log in remotely without a password now.

DETAIL:https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010

PSOs in Windows 2012+

Setting up PSO’s within Windows 2012+ is easy and won’t affect users until they attempt their next password change.

Control Panel -> System and Security -> Administrative Tools -> Advice Directory Administrative Center

DomainName -> System -> Password Settings Container

Right Click -> New -> Password Settings

Complete the PSO settings and assign a User or User Group target. To assign the policy to all users, use “Domain Users”. Notice in this test we have specified 20 characters to be the minimum length for acceptable passwords.

SOURCE:https://www.blackhillsinfosec.com/increase-minimum-character-password-length-15-policies-active-directory/

Windows Domain Maximum Password Length 2016 In California

HackSlashHackSlash

Not the answer you're looking for? Browse other questions tagged password-policy or ask your own question.

Active3 years ago

What is the maximum length of a Windows domain + username? That is, what is the legal limit for a domain/username in Windows?

StarPilot
2,1191 gold badge12 silver badges17 bronze badges
crauschercrauscher

Maximum Password Length

3,38712 gold badges52 silver badges84 bronze badges

4 Answers

Read this

for windows 2000: http://technet.microsoft.com/it-it/library/bb726984(en-us).aspx

for windows 2003: http://technet.microsoft.com/en-us/library/cc783323.aspx

Andrea GirardiAndrea Girardi
2,4878 gold badges59 silver badges90 bronze badges

The maximum lengths are hash defined in lmcons.h. DNLEN is the maximum domain length and UNLEN is the maximum user name length.

In the version of this file I have on my XP machine (installed as part of Visual Studio 8), DNLEN = 15 and UNLEN = 256.

JohnTESladeJohnTESlade
7,6311 gold badge19 silver badges19 bronze badges

There is a constant UNLEN which is defined in Lmcons.h that defines the maximum length of a username

2016Rowland ShawRowland Shaw
33.2k12 gold badges84 silver badges153 bronze badges

compmgmt.msc allows usernames for local account at max with 20 characters.dsa.msc allows domain user names to be 256.

Daniel Fisher lennybaconDaniel Fisher lennybacon

Not the answer you're looking for? Browse other questions tagged windowsusernamemax or ask your own question.