Create Password Policy Windows 2003
I need someone to help me set a password complexity requirement for our domain users but excluding all service accounts and adm accounts. The complexity we would need is as follows:

- Minimum length of 8 characters
- One uppercase letter
- One lowercase letter
- One whole number (1,2,3, etc.), no fractions
- One non-alphanumeric character (neither words nor numbers -- a period, a comma, a percent sign, etc.)

Any help on this would be appreciated. Thanks
August 14th, 2012 5:53pm

Hello,

I suggest you read this article to accomplish it: "Passwords Technical Overview" http://technet.microsoft.com/en-us/library/hh994558(v=ws.10)

Regards,
Ravikumar P
August 14th, 2012 9:56pm

Hi,

> I need someone to help me set a password complexity requirement for our domain users but excluding all
> service accounts and adm accounts.

I notice you mentioned Windows Server 2003, I think you mean your DC is Windows Server 2003. In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

> Minimum length of 8 characters

Configure the policy: GPO_name\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

> One uppercase letter
> One lowercase letter
> One whole number (1,2,3, etc.), no fractions
> One non-alphanumeric character (neither words nor numbers -- a period, a comma, a percent sign, etc.)

Configure the policy: GPO_name\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

For definition of Password complexity requirements, please refer to this article: http://technet.microsoft.com/en-us/library/hh994562(v=ws.10)

For more information please refer to following MS articles:

Windows Domain Password Policies
http://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842.aspx

Lawrence
TechNet Community Support
August 14th, 2012 10:50pm

Thanks, my next question is for the service accounts we have them checked to never expire. Since in the 03 DC environment can only specify all users would the accounts that have the never expired check be affected as well?
August 15th, 2012 7:58pm

Hi,

> Since in the 03 DC environment can only specify all users would the accounts that have the never expired
> check be affected as well?

An account that has the "Password never expires" setting overrides the Maximum Password Age setting in Password Policy in Group Policy, thereby enabling a user to keep the same password forever. Also, the "Password never expires" setting overrides the "User must change password at next logon" setting.

For more information please refer to following MS articles:

Configuring User Rights Policies
http://technet.microsoft.com/en-us/library/bb726986.aspx

Operating System Security Best Practices
http://technet.microsoft.com/en-us/library/cc181379.aspx

Lawrence
TechNet Community Support
August 16th, 2012 2:48am

Thanks Lawrence, one more question on the password complexity requirement, if I were to enable that it would only require the users to meet 3 of the 4 criteria. We need it to be required for all four which is Upper case, lower case, digits, and special character such as !@#$%~ and etc.
August 16th, 2012 10:45am

Hi,

Actually, the policy definition is passwords must contain characters from three of five categories (not four):

- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

However, you can create custom password filter according to your requirement (4 categories or even 5), password filters are used to enforce password policy. Filters validate new passwords and indicate whether the new password conforms to the implemented password policy.

For more information please refer to following MS articles:

Passwords must meet complexity requirements
http://technet.microsoft.com/en-us/library/cc786468(v=WS.10).aspx

Password Filters
http://msdn.microsoft.com/en-us/library/ms721882(VS.85).aspx

Lawrence
TechNet Community Support
August 16th, 2012 11:25am

Thanks again, but not quite sure where on those 2 links shows how to make it require all of the categories and not just 3? Thanks
August 16th, 2012 11:37am

> Thanks again, but not quite sure where on those 2 links shows how to make it require all of the categories and not just 3? Thanks

Basically you need to either develop or find code to compile a dll to import into the registry. So... creating passfilt.dll you would import into the registry under packagenotifications registry mentioned in the above links as "passfilt" w/o the DLL extension tag.

Here is a source that may help you as much as it has helped others. Test on a lab machine before you deploy in your real environment.
http://sourceforge.net/projects/passwdhk/

However, 3/5 is not bad for security. I would cease any chases to find enpasflt.dll unless you perform these actions on Federal systems. ENPASFLT.DLL was a password filter generated by NSA for Federal and Military systems. You will not gain access to the dll w/o clearance AND need to know.

There are also paid solutions out there... I don't know if you even have budget based on the discussion to pick up this product but it's up to you. I figured I would leave it in here anyway.
http://nfrontsecurity.com/products/nfront-password-filter/

Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
Microsoft Community Contributor Award 2011
All opinions expressed on my own behalf and not that of my company. This posting is "as is" without warranties and confers no rights.
August 16th, 2012 3:46pm
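The custom filter discussed in the replies above, as an added example (not code from the thread, from passwdhk or from Microsoft): it enforces the 8-character minimum and all four requested classes, and exempts accounts by an assumed `svc`/`adm` name prefix. `meets_all_four` and `is_exempt` are hypothetical helpers; the three exported entry points are the ones defined in the Password Filters documentation linked above.

```c
#include <stddef.h>
#include <stdint.h>

/* pw: UTF-16 code units, n: number of units (UNICODE_STRING.Length / 2).
   The buffer is not NUL-terminated, so never treat it as a C string.
   Returns 1 only if n >= 8 and all four requested classes are present. */
int meets_all_four(const uint16_t *pw, size_t n)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    if (pw == NULL || n < 8) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = pw[i];
        if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else if (c > 0x20 && c < 0x7F) special = 1;  /* ASCII punctuation */
    }
    return upper && lower && digit && special;
}

/* Assumed naming convention (not from the thread): exempt accounts whose
   name starts with "svc" or "adm", compared case-insensitively. */
int is_exempt(const uint16_t *name, size_t n)
{
    static const char *prefixes[] = { "svc", "adm" };
    if (name == NULL) return 0;
    for (size_t p = 0; p < 2; p++) {
        size_t i = 0;
        while (i < 3 && i < n && (name[i] | 0x20) == (uint16_t)prefixes[p][i]) i++;
        if (i == 3) return 1;
    }
    return 0;
}

#ifdef _WIN32   /* LSA entry points; export all three from the DLL (.def file) */
#include <windows.h>
#include <ntsecapi.h>
BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }
NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING user, ULONG rid, PUNICODE_STRING pw)
{ (void)user; (void)rid; (void)pw; return 0; /* STATUS_SUCCESS; nothing stored */ }

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING account, PUNICODE_STRING full,
                             PUNICODE_STRING pw, BOOLEAN set_op)
{
    (void)full; (void)set_op;
    if (is_exempt((const uint16_t *)account->Buffer, account->Length / 2))
        return TRUE;   /* exempt accounts are left to the domain policy */
    return meets_all_four((const uint16_t *)pw->Buffer, pw->Length / 2) ? TRUE : FALSE;
}
#endif
```

A prefix exemption is only as trustworthy as the naming convention: any account whose name happens to start with `adm` or `svc` skips the stricter check, so restrict who can create or rename accounts accordingly.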

Hi,

You can configure your desired configuration under security settings in GPO: Computer configuration - Windows settings - Account policies - Password policies. Here you must enable "Password must meet complexity requirements" and "Minimum password length".

NOTE: you can satisfy three from four conditions for password complexity.

Also for password never expire, just check the checkmark "password never expire" in the desired account properties in Active Directory.

Best regards
Dubravko Marak
MCP
Blog: Windows Server Administration

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. Please VOTE as HELPFUL if the post helps you. This can be beneficial to other community members reading the thread.
August 17th, 2012 1:35pm

This topic is archived. No further replies will be accepted.
