Until recently it was not possible to set the default domain minimum password length via GPMC to anything longer than 14 characters (see below). This limit was enforced only by the UI; the value could still be set higher manually, and users could choose longer passwords. Most likely the reason for the limit was that the LM password hash used by Windows 98 and NT 4 was capped at 14 characters.
The good news is that with the release of the latest version of GPMC for Windows 10 1803, Microsoft has raised this UI limit to 20 characters.
However, Microsoft still warns that:
“Older versions of Windows (such as Windows 98 and Windows NT 4.0) do not support passwords that are longer than 14 characters. Computers that run these older operating systems are unable to authenticate with computers or domains that use accounts that require long passwords.”
So, as always, test carefully before rolling out this setting, and be sure that you do not have any legacy devices still running on your domain before you set this option.
Another thing to be cautious of: if an admin attempts to change this setting using an older version of GPMC, it will force the minimum length back to 14 characters. That is just one more reason to always have the latest version of GPMC installed in your environment.
So now you can go forth and force longer passwords for all… HOORAH!!! But if you are going to increase the minimum password length, also consider implementing some of the other current guidance, for the sake of your users' sanity. For example, some now recommend that removing the maximum password age and complexity requirements (see https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach ) is actually more secure, especially when a longer minimum length encourages users to pick a phrase rather than a single word. In any case, the new, higher minimum value is a welcome option…
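Before raising the minimum above 14, a quick pre-flight audit is worth running. The script below is an added example, not part of the original post: it reads the current default domain password policy and looks for computer accounts whose OperatingSystem attribute matches the legacy systems named in Microsoft's warning. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to AD; the OperatingSystem attribute is written by the machine itself, so treat an empty result as an indicator, not a guarantee.

```powershell
# Added example (not from the original post): audit before raising the
# minimum password length above 14 characters.
Import-Module ActiveDirectory

function Test-LongPasswordReadiness {
    param([int]$TargetLength = 20)   # the new GPMC UI maximum discussed in the post

    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

    # Operating systems the Microsoft warning names as unable to authenticate
    # against accounts that require more than 14 characters.
    $legacyPatterns = @('*Windows 98*', '*Windows NT*')
    $legacy = foreach ($pattern in $legacyPatterns) {
        Get-ADComputer -Filter "OperatingSystem -like '$pattern'" `
                       -Properties OperatingSystem, LastLogonDate
    }
    $legacy = @($legacy)

    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        CurrentMinLength    = $policy.MinPasswordLength
        TargetMinLength     = $TargetLength
        ComplexityEnabled   = $policy.ComplexityEnabled
        MaxPasswordAgeDays  = $policy.MaxPasswordAge.Days
        LegacyComputerCount = $legacy.Count
        LegacyComputers     = $legacy | Select-Object Name, OperatingSystem, LastLogonDate
        SafeToRaiseAbove14  = ($legacy.Count -eq 0)
    }
}

$report = Test-LongPasswordReadiness -TargetLength 20
$report | Format-List

if (-not $report.SafeToRaiseAbove14) {
    Write-Warning ("Found {0} legacy computer account(s); review them before setting " +
                   "MinPasswordLength to {1}." -f $report.LegacyComputerCount, $report.TargetMinLength)
}
```

The report also shows the current maximum age and complexity settings, so you can see at a glance whether the NCSC-style simplification mentioned above would be a change from what is deployed today.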
Source: https://twitter.com/PyroTek3/status/1000565062501888001
Test Comment
Hi Alan, when I make this change to the Default Domain Policy directly from a 2016 v1607 server, from 14 to 20 characters, I get event ID 1202 on the DC and on the workstations. The change is not being pushed. I read elsewhere to use fine-grained password policies to apply 15+ characters. Are you aware if anything changed at MS since the time you wrote your article?
Log Name: Application
Source: SceCli
Date: 1/17/2020 10:01:14 AM
Event ID: 1202
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: workstation.child.domain.local
Description:
Security policies were propagated with warning. 0x57 : The parameter is incorrect.
Advanced help for this problem is available on https://support.microsoft.com. Query for “troubleshooting 1202 events”.
Thanks.