When trying to create a password longer than 16 chars on my Windows 2012 server, it is refused due to the password being too long. I have tried looking for a GPO called 'Maximum Password Length' - which i.
Windows Domain Maximum Password Length
I've been given a requirement to enforce a minimum password length of 15 characters on my Windows-based systems. Supposedly, this is possible and is being done on some other systems already. However, I can't seem to get it to work.
The key problem appears to be that the policy is normally limited to only accepting values of 0 to 14.
I've tried setting it higher, but it does not work.
How is anyone able to get around this?
I need a solution that will work both through domain-based GPO and on standalone systems. If possible, I need a fix that's backward-compatible down to XP/2003. Third-party tools are not an option.
Iszi
3 Answers
Yes, you can but I don't believe it's supported. You would have to modify Active Directory using ADSIEdit.msc. If you view the attributes for the AD Schema, there is a Min-Pwd-Length attribute. Change this attribute's value to 15 and the minimum password length of 15 will be enforced.
Read more about it here: https://msdn.microsoft.com/en-us/library/ms677113%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
bentek
You can create a registry-based policy that will stuff 15 as the value for minimum password length. A method is described here.
You can do this on a standalone server/workgroup computer:
1: Open regedit
2: Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network' in the left-hand pane then right-click on the entry.
3: Create a new REG_BINARY value. Name the value 'MinPwdLen' and set the minimum password length to seven.
4: Close Registry Editor then restart the computer
You create a policy that applies to all the machines in the domain (a domain-wide policy, make sure it won't conflict with existing policies that set minimum password length by policy means, as you have tried) that will set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\MinPwdLen value to BINARY 0x0F.
If your domain is 2012 or above you can now configure a longer password using “Fine-Grained Password Policies” or a Password Settings Object (PSO).
NOTE: XP/2003 have been out of support for a long time. Strong passwords can't protect you. There is an RCE called 'Eternal Blue' in SMB that makes passwords for these old systems obsolete. Anyone can log in remotely without a password now.
DETAIL: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
PSOs in Windows 2012+
Setting up PSOs within Windows 2012+ is easy and won’t affect users until they attempt their next password change.
Control Panel -> System and Security -> Administrative Tools -> Active Directory Administrative Center
DomainName -> System -> Password Settings Container
Right Click -> New -> Password Settings
Complete the PSO settings and assign a User or User Group target. To assign the policy to all users, use “Domain Users”. Notice in this test we have specified 20 characters to be the minimum length for acceptable passwords.
SOURCE: https://www.blackhillsinfosec.com/increase-minimum-character-password-length-15-policies-active-directory/
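The PSO steps in the answer above can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original answers; the PSO name, precedence value and test account are assumptions, while the 20-character minimum and the “Domain Users” target come from the answer.

```powershell
# Added example: PSO name, precedence and test user are assumed values.
Import-Module ActiveDirectory

$PsoName   = 'PSO-MinLen20'   # hypothetical PSO name
$Target    = 'Domain Users'   # group named in the answer above
$MinLength = 20               # minimum length used in the answer's test
$TestUser  = 'jdoe'           # hypothetical account used for verification

# Reuse the PSO if it already exists so the script is safe to re-run.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -MinPasswordLength $MinLength `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true `
        -PassThru
}
elseif ($pso.MinPasswordLength -ne $MinLength) {
    # Bring an existing PSO back to the required length.
    Set-ADFineGrainedPasswordPolicy -Identity $PsoName -MinPasswordLength $MinLength
}

# Link the PSO to the group unless it is already a subject.
$applied = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName
if ($applied.Name -notcontains $Target) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Target
}

# Confirm which policy actually wins for one user. The cmdlet returns
# nothing when only the default domain policy applies to the account.
$effective = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($effective -and $effective.MinPasswordLength -ge $MinLength) {
    "OK: $TestUser is governed by '$($effective.Name)' (min length $($effective.MinPasswordLength))"
} else {
    Write-Warning "$TestUser is not governed by $PsoName; check group membership and PSO precedence"
}
```

A PSO carries a full set of password and lockout settings, so set the remaining ones (history, ages, lockout) explicitly to match your domain policy rather than relying on the cmdlet defaults.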
What is the maximum length of a Windows domain + username? That is, what is the legal limit for a domain/username in Windows?
StarPilot
4 Answers
Read this
for windows 2000: http://technet.microsoft.com/it-it/library/bb726984(en-us).aspx
for windows 2003: http://technet.microsoft.com/en-us/library/cc783323.aspx
Andrea Girardi
The maximum lengths are hash defined in lmcons.h. DNLEN is the maximum domain length and UNLEN is the maximum user name length.
In the version of this file I have on my XP machine (installed as part of Visual Studio 8), DNLEN = 15 and UNLEN = 256.
JohnTESlade
There is a constant UNLEN which is defined in Lmcons.h that defines the maximum length of a username
Rowland Shaw
compmgmt.msc allows usernames for local account at max with 20 characters. dsa.msc allows domain user names to be 256.