As pointed out, it is possible to leverage a custom password filter leveraging the passfilt.dll. In fact, I make use of one such filter (or one of its forks) available on GitHub. It is called OpenPasswordFilter. I opted to use this filter because documentation for system administrators as to how to create and manage a custom password filter is sparse. While I generally have seen this used to configure a blacklist of passwords, one should be able to perform the validation of which you ask. The question would be how difficult is it to do so using a custom password filter?
However, these changes need to be rolled out to each Domain Controller and each new Domain Controller. Given today's level of automation and configuration management, it is likely not super difficult, but it is something else that has to be monitored and maintained.
All in all, it is a fine solution, but one with limited documentation. Your successor's may also have difficulty supporting, updating and extending this solution - a factor to consider when deciding to implement it.
I believe the most straightforward solution to your question is the use of Fine-Grained Password Policies. This can be implemented very quickly with minimal testing; these settings are automatically replicated among all Domain Controllers. The down side; however, is that it does require some end-user participation/election.
My solution would be the following:
- Create two new FGPPs
- 1: minimum legnth of 8; complexity enabled
- 2: minimum length of 16; complexity disabled
- Create two new security groups
- 1: pso_MinLength08
- 2: pso_MinLength16
- Assign each group as a subject of the appropriate FGPP
- Inform end users of thier options -- either a short "complex" password or a long "easy" password. They can switch back and forth whenever they want, with notice to you.
- Add users to the corresponding group based upon their election; you can default them to the short complex group.
- Change as necessary
Some notes on the above, or other considerations:
You can achieve the same thing with a single group. My preference for visibility is to use two, but by ensuring the Default Domain Password Policy is configured with a minimum length of 8 and complexity enabled, you limit the number of group changes that need to be made.
- you only have to add users to a group if they make an election
- you do not have to ensure that users are members of only one group, or
- you do not have to configure different precedece values on each FGPP
While I am onboard with NIST and Microsoft (for the most part) when it comes to password rotation, my employer does still mandates password rotation. I have chosen to "reward" users who accept longer password minimums by only rotating passwords once per year. Those with shorter password requirements are "penalized" with quarterly password change. In my mind, this is too frequent to be usefull, but I hope that this annoyance provides sufficient incentive for users to swith to longer password minimums.
While not noted above, if you do use FGPPs in this manner, I would certainly configure a different precedence on each of the Password Settings Options to ensure that there is no unexpected behavior when changing passwords. This would address the issue that one might experience if they are a member of both groups, and the precendce on both FGPPs was equal.
Regardless of what method you choose, I would point out that you should be sure to exclude the account "krbtgt" from any such password complexity validations. I have a separate FGPP for this account and those similar accounts used by Read-Only Domain Controllers to ensure that their password changes are not impacted. My krbtgt FGPP as no length, age, or complexity requirements.