A user tries to change his/her password in a Windows domain and it's not accepted:
The password supplied does not meet the minimum complexity requirements
How can an end-user find out what the requirements are? (The obvious solution would be to contact IT but let's say it's not possible)
36 Answers
Every AD user can see the value of the attribute named "pwdProperties"; yours is probably set to "DOMAIN_PASSWORD_COMPLEX" (value "1", integer).
AdFind can be used to retrieve many attributes relative to passwords:
AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Here is an example of what you'll get:
AdFind V01.45.00cpp Joe Richards () March 2011
Using server: domain.example.org:389
Directory: Windows Server 2008 R2
Base DN: DC=domain,DC=example,DC=org
dn:DC=domain,DC=example,DC=org
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2

1 Objects returned
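To make sense of the raw values above, here is an added Python decoder (my example, not code from the answer or from AdFind): it parses the attribute lines quoted above, converts the negative 100-nanosecond-interval fields into durations, recognises the 0x8000000000000000 "never" sentinel, and expands the pwdProperties bitmask into its DOMAIN_PASSWORD_* flag names.

```python
import re
from datetime import timedelta
# Constructed sample input: the AdFind output quoted in the answer above.
ADFIND_OUTPUT = """\
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2
"""
# Bit flags of pwdProperties (the DOMAIN_PASSWORD_* values from the SAM/LSA documentation).
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
NEVER = -(2 ** 63)  # 0x8000000000000000 as int64: "never expires" / "locked until an admin unlocks"
DURATION_ATTRS = ("maxpwdage", "minpwdage", "lockoutduration", "lockoutobservationwindow")
COUNT_ATTRS = ("minpwdlength", "pwdhistorylength", "lockoutthreshold")  # lockoutThreshold 0 = no lockout

def parse_adfind(text):
    """Collect integer attributes from AdFind's 'name: value' lines (AdFind may prefix them with '>')."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^>?(\w+):\s*(-?\d+)\s*$", line)
        if m:
            attrs[m.group(1).lower()] = int(m.group(2))
    return attrs

def interval_to_timedelta(value):
    """AD stores ages and durations as negative counts of 100-ns intervals; None means 'never'."""
    return None if value == NEVER else timedelta(microseconds=-value // 10)

def decode_pwd_properties(value):
    return [name for bit, name in PWD_PROPERTY_FLAGS.items() if value & bit]

def describe_policy(attrs):
    # Durations become timedelta (or None for "never"); counts are passed through as integers.
    summary = {k: interval_to_timedelta(attrs.get(k, 0)) for k in DURATION_ATTRS}
    summary.update({k: attrs.get(k, 0) for k in COUNT_ATTRS})
    summary["complexity"] = "DOMAIN_PASSWORD_COMPLEX" in decode_pwd_properties(attrs.get("pwdproperties", 0))
    return summary

if __name__ == "__main__":
    print(describe_policy(parse_adfind(ADFIND_OUTPUT)))
```

For the sample above this reports a 30-minute lockout duration and observation window, a 399-day maximum password age, and complexity enabled.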
This Windows built-in command (use the Command Prompt: cmd.exe) prints the same details as the tool in the answer above:
net accounts
Example output:
C:\>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
Since it is AD, currently there is only a single complexity (per se) pattern available: the so-called 3 of 4 pattern. It is either on or off, unless you use a third party tool like Spec Ops to enforce some other level of complexity. Three of Four means your password needs to include at least one character from three of the 4 possible character sets:
- UPPER CASE
- lower case
- Numeric (0-9)
- Comic book curse words (aka special characters: !@#$%^&*(*))_+ etc)
Right-click "Password must meet complexity requirements", then select the "Explain" tab.
Run in PowerShell:
Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
Output:
ComplexityEnabled : True
DistinguishedName : DC=ad,DC=company,DC=net
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 12
MaxPasswordAge : 180.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 8
objectClass : {domainDNS}
objectGuid : 641734ff-9d4c-40b4-a28a-b9628c021639
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False
I don't believe, short of brute force attempts, that there's any way to do this programmatically unless you're already an admin. So, you'll have to call IT. (The defaults vary depending on what they've got set up, although if you know that, I guess you could look up the defaults and try. No guarantee that they haven't changed it, of course.)