Re: Windows 2003 server password questions.

From: Marin Marinov (
Date: 07/05/04

  • Next message: ChrisA: "have no one be able to delete parent folder"
    Date: Mon, 5 Jul 2004 11:57:10 -0400

    Hi Nina,
    You shouldn't set the domain password settings to "Not defined" but
    rather to a specific value (which for some can be 0 to disable them).The
    reason for this is special behaviour on the part of DC - when a password
    (or account) policy is not defined at the domain level they use their
    *local* security policy. I won't go into detail here, but bottom line is
    that to keep things "obvious" you should set specific values for these
    settings in domain-level policies.

    Password complexity refers to a password that:
    * Is >= 6 characters
    * Contains at least 3 of the below 4 types of chars:
            - small letters a-z
            - CAPS (A-Z)
            - digits (0-9)
            - special symbols (punctuation and all types of symbols even those
    that can be input only using their ASCII code)

    By default, in a Win2K3 domain password complexity is enabled, as well
    as minimum password length, age, history, etc. Also remember that all
    password and account policies *must* be defined in a domain-level GPO.
    So what you need to do to allow short and non-complex passwords is edit
    Default Domain Policy to:
    * Explicitly *disable* "Password must meet complexity requirements"
    * Set "Minimum password length" to 0 (allow blank password) or more


       Marin Marinov
       MCT, MCSE 2003/2000/NT4.0,
       MCSE:Security 2003/2000, MCP+I
    This posting is provided "AS IS" with no warranties, and confers no 
    "True knowledge exists in knowing that you know nothing."

  • Next message: ChrisA: "have no one be able to delete parent folder"

    Relevant Pages

    • Re: What Happened? Passwords all expired...
      ... really explain how the new account policy settingmade it to the DCs. ... I would strongly suggest enabling Success/Failure for Account Management ... >>>post that says "I check my GPO's and password complexity ... >>>>account logon events success and fail ...
    • Re: GPO - password policy - Urgent
      ... Set password complexity to "disabled" - NOT undefined in Domain ... You can also use the mmc snapin for Resultant Set of Policy [again ... assuming Windows 2003] in logging mode on the domain controller to see what ... problems being that domain controllers are not pointing only to themselves ...
    • 2003 GP/Password complexity questions
      ... I have a new 2003 AD domain and am looking for some guidance with the ... In regard to password complexity being enabled by default, ... policy options to disable this in the "Default Domain Policy" and I've ... best to use separate GPO's for both. ...
    • Re: password complexity
      ... Marin and Dave, ... Here is what is happening when you remove the domain policy - account policy ... the domain policy for password complexity is removed from the DCs ...
    • Re: User Creation
      ... Didn't catch which version of Windows Active Directory you were running? ... > trivial matter of creating user accounts made me so ... >>W2k3 by default has password complexity enabled in Default ... >>password doesnot meet the password policy requirements. ...