- Secure DNS requests over HTTPS (DoH) in Windows 10/11 - Thu, Jul 22 2021
- Microsoft Windows 365: Fixed-price cloud PC with simplified deployment - Fri, Jul 16 2021
- Deactivate Windows 10 widget "News and interests" with Group Policy - Thu, Jul 15 2021
A higher value for the minimum password length is a prerequisite if administrators want to enforce the use of passphrases. A passphrase is a sequence of several words or whole sentences that users can remember more easily than long passwords. In combination with the complexity requirements, they provide a high level of security.
Fine-grained password policies with no limit ^
In Windows domains, such a rule could already be implemented with a fine-grained password policy in the past. However, such a policy cannot be assigned to an OU or domain but only to security groups in Active Directory.
Fine grained password policies don't have the 14 character limit for the minimum password length
To define the requirements for passwords across the domain, the default domain policy contains respective settings in most environments. But if you want to increase the value for the minimum password length in the GPO editor, then 14 characters was the limit until now. However, if you activate the Relax minimum password length limits setting, which was added with Windows 10 2004, the Group Policy Management Editor allows up to 128 characters.
New settings to increase the minimum length of passwords and to monitor this action
Limit of 14 remains for older OS versions ^
If you edit the GPO on an older version of Windows, the standard limit of 14 characters applies again, even if you have previously increased the setting to a higher value.
Even if the value has already been set higher, the GPO editor can configure a maximum of only 14 characters in older OS versions
Even if you can't configure the setting with a higher value on older systems, the policy for longer passwords still applies to users on such a PC. So they have to comply with it when changing passwords.
Setting MinPasswordLength with PowerShell ^
The situation becomes even more confusing if you change the default password policy for the domain with the Set-ADDefaultDomainPasswordPolicy cmdlet. A value higher than 14 can also be set here:
1 | Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 16 -Identity contoso.com |
As expected, using the command
1 | Get-ADDefaultDomainPasswordPolicy |
will then show MinPasswordLength as 16.
Set ADDefaultDomainPasswordPolicy can also be used to set values higher than 14 for the minimum password length
This also applies to the GPO editor, which contains this value when the GPO is reloaded. Configuring more than 14 characters, however, is only possible in Windows 10 2004 with the password length restriction setting activated.
One could conclude from this that the new policy only serves to enable the GPO editor to configure a minimum length for passwords of more than 14 characters.
Auditing the password length ^
Another new setting in the current release of Windows 10, called Minimum password length audit, causes the system to record events related to longer passwords. In its description, it states:
If this setting is defined and is greater than the minimum password length and the length of a new account password is less than this setting, a monitoring event is generated.
The corresponding entries can be found in the system log. You can read them by using the following PowerShell command:
1 | Get-WinEvent -ProviderName Microsoft-Windows-Directory-Services-SAM |
An entry in the event log suggests that longer passwords cannot be forced without the new setting
If you have configured a value greater than 14 with PowerShell, but have not activated the new setting for longer passwords under Windows 10 2004, you will find the following message under ID 16979:
The domain is incorrectly configured with a MinimumPasswordLength setting greater than 14, while RelaxMinimumPasswordLengthLimits is either undefined or disabled.
NOTE: Until this is corrected, the domain will force the smaller MinimumPasswordLength setting of 14.
Subscribe to 4sysops newsletter!
However, it turned out that when the password was changed, Windows still expected the minimum length, which was entered in the Default Domain Password Policy and was greater than 14. The new policy does not appear to be a prerequisite for forcing longer passwords via the Default Domain Password Policy.
