A higher value for the minimum password length is a prerequisite if administrators want to enforce the use of passphrases. A passphrase is a sequence of several words or whole sentences that users can remember more easily than long passwords. In combination with the complexity requirements, they provide a high level of security.
Fine-grained password policies with no limit
In Windows domains, such a rule could already be implemented with a fine-grained password policy in the past. However, such a policy cannot be assigned to an OU or domain but only to security groups in Active Directory.
In most environments, the Default Domain Policy contains the settings that define the password requirements across the domain. Until now, however, the GPO editor limited the minimum password length to 14 characters. If you activate the Relax minimum password length limits setting, which was added with Windows 10 2004, the Group Policy Management Editor allows up to 128 characters.
Limit of 14 remains for older OS versions
If you edit the GPO on an older version of Windows, the standard limit of 14 characters applies again, even if you have previously increased the setting to a higher value.

Even if the value has already been set higher, the GPO editor can configure a maximum of only 14 characters in older OS versions
Even if you can't configure the setting with a higher value on older systems, the policy for longer passwords still applies to users on such a PC. So they have to comply with it when changing passwords.
Setting MinPasswordLength with PowerShell
The situation becomes even more confusing if you change the default password policy for the domain with the Set-ADDefaultDomainPasswordPolicy cmdlet. A value higher than 14 can also be set here:
Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 16 -Identity contoso.com
As expected, using the command
Get-ADDefaultDomainPasswordPolicy
will then show MinPasswordLength as 16.

Set-ADDefaultDomainPasswordPolicy can also be used to set values higher than 14 for the minimum password length
The GPO editor also shows this value when the GPO is reloaded. Configuring more than 14 characters in the editor, however, is only possible in Windows 10 2004 with the Relax minimum password length limits setting activated.
One could conclude from this that the new policy only serves to enable the GPO editor to configure a minimum length for passwords of more than 14 characters.
Auditing the password length
Another new setting in the current release of Windows 10, called Minimum password length audit, causes the system to record events related to longer passwords. Its description states:
If this setting is defined and is greater than the minimum password length and the length of a new account password is less than this setting, a monitoring event is generated.
The corresponding entries can be found in the system log. You can read them by using the following PowerShell command:
Get-WinEvent -ProviderName Microsoft-Windows-Directory-Services-SAM
If you have configured a value greater than 14 with PowerShell, but have not activated the new setting for longer passwords under Windows 10 2004, you will find the following message under ID 16979:
The domain is incorrectly configured with a MinimumPasswordLength setting greater than 14, while RelaxMinimumPasswordLengthLimits is either undefined or disabled.
NOTE: Until this is corrected, the domain will force the smaller MinimumPasswordLength setting of 14.
However, it turned out that when a password was changed, Windows still required the minimum length entered in the Default Domain Password Policy, even though it was greater than 14. The new policy does not appear to be a prerequisite for forcing longer passwords via the Default Domain Password Policy.
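The checks described above can be gathered in one pass. The following is an added example, not part of the original article: it reads the default domain policy, lists fine-grained password policies with the groups they apply to, and looks for event 16979 on a domain controller. It assumes the ActiveDirectory RSAT module, the contoso.com domain name from the command above, and permission to read the System log on the DC remotely.

```powershell
# Added example: review minimum password length settings in a domain.
# Assumptions: ActiveDirectory module installed, domain name as used in the article.
Import-Module ActiveDirectory

$DomainName = 'contoso.com'
$Dc = (Get-ADDomainController -Discover -DomainName $DomainName).HostName |
    Select-Object -First 1

# 1. Value stored in the default domain password policy
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $DomainName
'{0}: MinPasswordLength = {1}' -f $DomainName, $policy.MinPasswordLength

# 2. Fine-grained password policies and the subjects they are assigned to
Get-ADFineGrainedPasswordPolicy -Filter * -Server $Dc | ForEach-Object {
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $_ -Server $Dc
    [pscustomobject]@{
        Name              = $_.Name
        Precedence        = $_.Precedence
        MinPasswordLength = $_.MinPasswordLength
        AppliesTo         = ($subjects | Select-Object -ExpandProperty Name) -join ', '
    }
} | Format-Table -AutoSize

# 3. If the domain value exceeds 14, look for the misconfiguration event (ID 16979)
if ($policy.MinPasswordLength -gt 14) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
        Id           = 16979
    }
    # SilentlyContinue suppresses the "no events found" error of Get-WinEvent
    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter `
        -MaxEvents 5 -ErrorAction SilentlyContinue

    if ($events) {
        "Event 16979 logged on ${Dc}:"
        $events | Select-Object TimeCreated, Id, Message | Format-List
    }
    else {
        "No event 16979 found in the System log of $Dc."
    }
}
else {
    'MinPasswordLength is 14 or less; the relax setting is not relevant.'
}
```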
Hi Wolfgang,
I am struggling with this as we speak. Our DCs are Windows Server 2016 version 1607 build 14393.5066. So I am unable, through the Default Domain Policy, to set the minimum password length to greater than 14. There is no option to Relax password minimum length limits. Can I apply a fine-grained password policy to Domain Users? Microsoft told me I have to upgrade to something they are calling Windows Server 2016 version 2004 but is that even a thing?
Thanks,
Kim