
Change Password Policy on Windows 2003 Server

In Windows 2003, when the server is a domain controller or a password policy is in effect, you must use a "strong" password in order to create an account. By default, this password policy requires at least 7 characters and at least 1 numeric character or at least 1 special character (*&^%$#@, etc.).

When you attempt to create an account, you will probably see a dialog that says this:



Windows cannot set the password for [user] because:

The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

[Screenshot: Active Directory password policy error dialog]

To change the password policy for this server, go to the Start Menu -> Administrative Tools -> Domain Security Policy.

[Screenshot: Domain Security Policy menu]

In the tree, open Security Settings -> Account Policies -> Password Policy. This is where the password policy for this server is stored.

[Screenshot: Default Domain Security Settings, Password Policy node]

Right-click the Minimum password length and select Properties to change this policy.

[Screenshot: Minimum password length entry]

In the properties dialog, you can set the minimum number of characters a password must have. Use discretion and keep security in mind as you set this. Then click OK.

NOTE: You may be tempted on all these dialogs to uncheck "Define this policy setting". DO NOT DO THIS!!! This will actually default it to use the full security policy. It is a bit unintuitive, but basically, when you disable this policy, Windows 2003 will revert to the most secure policy available, which by default is MORE secure than what is even here.

[Screenshot: Minimum password length Properties dialog]

Now, if you want to disable the special characters and numbers requirement, right-click Password must meet complexity requirements and choose Properties.

[Screenshot: Default Domain Security Settings, Password must meet complexity requirements entry]

Set this policy to Disabled so that passwords are no longer checked for special characters and numbers. DO NOT uncheck the "Define this policy setting" box. Then click OK.

[Screenshot: Password must meet complexity requirements Properties dialog]

Now open a command prompt, either from the Accessories folder in the Start Menu or by choosing Run and typing cmd. We need to refresh Group Policy so that this password policy change is applied. We do this by entering the following command at the command prompt:

gpupdate /force

Then hit enter to run the policy refresh.

[Screenshot: command prompt running gpupdate /force]

No need to restart: the group policy is already updated and applied, so from now on any user who changes their password will be subject to the new password policy.

If you want to define your own custom rules for how a password is validated, this cannot be done through these dialogs. You have to create your own custom password filter DLL to handle this. Microsoft has a tutorial and more information about how to do this here, as well as a sample DLL project you can use to get started with:

http://msdn.microsoft.com/en-us/library/ms722439.aspx
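As an added example (not code from this page or from Microsoft's sample project), here is the core of what such a password filter does, written in portable C so the policy logic can be built and tested outside Windows; the special-character set, the struct standing in for UNICODE_STRING and the account-name rule are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>
/* The LSA passes a filter counted UTF-16 strings (PUNICODE_STRING): Length is in
 * BYTES and the buffer is not NUL-terminated, so never wcslen() it. This stand-in
 * (an assumption of the example) lets the logic build and run off Windows. */
typedef struct { unsigned short Length; const wchar_t *Buffer; } counted_wstr;
static bool is_special(wchar_t c) {            /* assumed special-character set */
    return c != L'\0' && wcschr(L"*&^%$#@!~-_+=?", c) != NULL;
}
/* The page's default rule: at least min_len chars and a digit or a special. */
bool meets_default_policy(const wchar_t *pw, size_t n, size_t min_len) {
    bool has_digit = false, has_special = false;
    if (n < min_len) return false;
    for (size_t i = 0; i < n; i++) {
        if (iswdigit((wint_t)pw[i])) has_digit = true;
        else if (is_special(pw[i])) has_special = true;
    }
    return has_digit || has_special;
}
/* A custom rule a DLL can add (hypothetical): the account name must not appear
 * in the password, compared case-insensitively. */
bool contains_account_name(const wchar_t *pw, size_t n, const wchar_t *acct, size_t m) {
    if (m == 0 || m > n) return false;
    for (size_t i = 0; i + m <= n; i++) {
        size_t k = 0;
        while (k < m && towlower((wint_t)pw[i + k]) == towlower((wint_t)acct[k])) k++;
        if (k == m) return true;
    }
    return false;
}
/* Returns true to accept the password; byte lengths become character counts. */
bool filter_password(counted_wstr acct, counted_wstr pw) {
    size_t n = pw.Length / sizeof(wchar_t), m = acct.Length / sizeof(wchar_t);
    return meets_default_policy(pw.Buffer, n, 7)
        && !contains_account_name(pw.Buffer, n, acct.Buffer, m);
}
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
/* LSA entry point; a complete filter DLL also exports InitializeChangeNotify and PasswordChangeNotify. */
BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                 PUNICODE_STRING Password, BOOLEAN SetOperation) {
    counted_wstr a = { AccountName->Length, AccountName->Buffer };
    counted_wstr p = { Password->Length, Password->Buffer };
    (void)FullName; (void)SetOperation;
    return filter_password(a, p) ? TRUE : FALSE;
}
#endif
```

The filter never copies the password into its own buffer, which matters because the LSA calls it with the clear-text password and any copy would have to be zeroed before returning.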

You can also purchase a more flexible custom solution from a third party that will give you a lot of control over exact password policies. One tool that I have heard good things about is Anixis Password Policy Enforcer. It can be found here:

http://www.anixis.com/products/ppe/default.htm
