How can I find out the password complexity policy?

33

6

A user tries to change his/her password in a Windows domain and it's not accepted:

The password supplied does not meet the minimum complexity requirements

How can an end-user find out what the requirements are? (The obvious solution would be to contact IT but let's say it's not possible)

Siim K

Posted 2011-12-06T15:19:09.540

Reputation: 6 776

Not always so theoretical, having been trying to help an end user with this exact problem when the sysadmin was on vacation... It's a pretty big design flaw that Windows doesn't tell the user what the complexity requirements are during the password change process. – Brian Knoblauch – 2014-08-28T15:01:35.730

If there is an AD in place, who manages it and why can't they be contacted? – Dave M – 2011-12-06T15:23:20.463

@Dave: it's a theoretical question :) I'm just curious if it can be done – Siim K – 2011-12-06T15:26:39.743

Answers

15

Every AD user can see the value of the attribute named "pwdProperties"; yours is probably set to "DOMAIN_PASSWORD_COMPLEX" (value "1", integer).

AdFind can be used to retrieve many attributes relative to passwords:

AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties

Here is an example of what you'll get:

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: domain.example.org:389 Directory: Windows Server 2008 R2 Base DN: DC=domain,DC=example,DC=org

dn:DC=domain,DC=example,DC=org

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2

1 Objects returned


Shadok

Posted 2011-12-06T15:19:09.540

Reputation: 3 760

Information about the complexity requirements can be found here: http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx – kroimon – 2014-09-13T14:55:06.503

Not sure this would be very useful if the domain is using a custom password filter. https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882.aspx – Zoredache – 2016-03-15T23:16:24.503

For a solution without 3rd party tools, see below! – Qw3ry – 2019-08-19T11:18:23.493
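To make the raw attribute values above readable, here is an added Python example (not code from the answer or from AdFind) that parses those attribute lines, converts the negative 100-nanosecond intervals into durations and decodes the pwdProperties bit flags. The flag names are the documented MS-SAMR values rather than something the page states, and the sample input is a constructed copy of the output shown in the answer.

```python
import re
from datetime import timedelta

# Bit flags of pwdProperties (MS-SAMR DOMAIN_PASSWORD_INFORMATION); the answer's
# value 1 is DOMAIN_PASSWORD_COMPLEX. Names are the documented ones, not from the page.
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
# AD stores these intervals as negative counts of 100-nanosecond ticks.
INTERVAL_ATTRS = ("lockoutDuration", "lockOutObservationWindow", "maxPwdAge", "minPwdAge")
NEVER = -(2 ** 63)  # 0x8000000000000000 in maxPwdAge means passwords never expire

# Constructed sample: the attribute lines from the AdFind output in the answer above.
SAMPLE_ADFIND = """\
dn:DC=domain,DC=example,DC=org
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2
"""

def parse_adfind(text):
    """Return {attribute: int} for every 'name: integer' line AdFind printed."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\w+):\s*(-?\d+)\s*$", text, re.MULTILINE)}

def interval_to_timedelta(ticks):
    """Convert a negative 100-ns interval to a timedelta; None means 'never'."""
    if ticks == NEVER:
        return None
    return timedelta(microseconds=abs(ticks) / 10)

def decode_pwd_properties(value):
    """Names of the flag bits set in pwdProperties."""
    return [name for bit, name in PWD_PROPERTY_FLAGS.items() if value & bit]

def summarize_policy(text):
    """Human-readable view of the domain password policy from AdFind output."""
    attrs = parse_adfind(text)
    policy = {k: (interval_to_timedelta(v) if k in INTERVAL_ATTRS else v)
              for k, v in attrs.items()}
    policy["pwdProperties"] = decode_pwd_properties(attrs.get("pwdProperties", 0))
    return policy
```

For the sample output this yields a 30-minute lockout duration, a 399-day maximum password age and the single DOMAIN_PASSWORD_COMPLEX flag.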

45

This Windows built-in command (use the Command Prompt: cmd.exe) prints the same details as the tool in the answer above:

net accounts

Example output:

C:\>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

Credits/source: http://windowsitpro.com/security/discovering-details-about-domains-password-policy

David Balažic

Posted 2011-12-06T15:19:09.540

Reputation: 1 242

You the real MVP. https://technet.microsoft.com/en-us/library/bb490698.aspx

– HackSlash – 2018-01-25T22:58:05.817

You should add that "/domain" is required in an AD controlled environment: "net accounts /domain" – HackSlash – 2018-01-25T23:00:10.260

@HackSlash What do you mean? My workstation is a member of a domain and the plain net accounts command prints all of the above information without problems. – David Balažic – 2019-04-12T14:19:47.347

When you use the /domain you see this message: The request will be processed at a domain controller for domain – HackSlash – 2019-04-15T15:22:55.113

4

Since it is AD, currently there is only a single complexity (per se) pattern available: the so-called 3 of 4 pattern. It is either on or off, unless you use a third party tool like Spec Ops to enforce some other level of complexity. Three of Four means your password needs to include at least one character from three of the 4 possible character sets:

  1. UPPER CASE
  2. lower case
  3. Numeric (0-9)
  4. Comic book curse words (aka special characters: !@#$%^&*(*))_+ etc)

geoffc

Posted 2011-12-06T15:19:09.540

Reputation: 1 113

What version of Windows are you talking about? There are six configurable parameters in the default Password Policy provided by AD. – HackSlash – 2018-01-25T22:57:34.067

Space is also considered a special character. – brianary – 2018-05-21T21:03:12.987
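An added Python example (not geoffc's or Microsoft's code) that applies the 3-of-4 rule above on the client side, counting space as a special character as brianary notes, together with the minimum length and the account-name/display-name check that the Microsoft page linked in the comments on the first answer describes. The delimiter list and the three-character token rule come from that documentation; the sample user values are constructed.

```python
import re

# Delimiters Windows uses to split displayName into tokens for the name check.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

def character_classes(password):
    """Which of the four classes from the answer the password uses.
    Anything that is not a cased letter or a digit (space included) lands in
    'special'; Windows actually gives non-cased Unicode letters their own class."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes

def name_violations(password, sam_account_name, display_name):
    """Parts of the user's names found in the password (case-insensitive):
    the whole samAccountName, and any displayName token of 3+ characters."""
    pw = password.lower()
    found = []
    if sam_account_name and sam_account_name.lower() in pw:
        found.append(sam_account_name)
    for token in NAME_DELIMITERS.split(display_name or ""):
        if len(token) >= 3 and token.lower() in pw:
            found.append(token)
    return found

def check_complexity(password, min_length=7, sam_account_name="", display_name=""):
    """Return the list of reasons the password fails; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than minPwdLength ({min_length})")
    if len(character_classes(password)) < 3:
        reasons.append("uses fewer than 3 of the 4 character classes")
    for part in name_violations(password, sam_account_name, display_name):
        reasons.append(f"contains part of the user's name: {part!r}")
    return reasons
```

A domain that installs a custom password filter can still reject a password this check accepts.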

0

Run in PowerShell:

Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

Output:

ComplexityEnabled           : True
DistinguishedName           : DC=ad,DC=company,DC=net
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 12
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
objectClass                 : {domainDNS}
objectGuid                  : 641734ff-9d4c-40b4-a28a-b9628c021639
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Feriman

Posted 2011-12-06T15:19:09.540

Reputation: 1

-4

I don't believe, short of brute force attempts, that there's any way programmatically to do this unless you're already an admin. So, you'll have to call IT. (The defaults vary depending on what they've got set up, although if you know that I guess you could look up the defaults and try. No guarantee that they haven't changed it, of course.)

Shinrai

Posted 2011-12-06T15:19:09.540

Reputation: 18 051