Room362.com

Blatherings of a security addict.

Minimum Password Length of 15 or More via GPO

| Comments

Also known as “How to practice what we preach”. I don’t know how long I’ve been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM will be stored (and a cursory bonus that their password won’t be close to their original). But I’ve never tried setting it myself. Well, a client called me out. You can’t! (well at least not through the UI )

TL;DR _You can edit the GptTmpl.inf file in

1
\\$DOMAIN\SYSVOL\$DOMAIN\Policies$\PolicyGUID\Machine\Microsoft\Windows NT\SecEdit

and set “MinimumPasswordLength” to whatever you want it to be. (You need to replace any part of the path starting with a $ with the value applicable to your domain and group policy object_)

I tested this out myself, and sure enough, once you get up to 14 on the iterator, it jumps back down to 0:

After some googling I came up pretty empty handed (hence the highly SEO’d title of this post). I asked the question on Twitter and got a bunch of different answers, but @RizzyRong’s was the first one in that I could try out: (THANK YOU to everyone who shot me answers, I really appreciate it, and to those who shared my curiosity I hope this helps you out)

ADMod is a Joeware tool. Any windows Sys Admin should at the very least know of these tools as Penetration Testers use them to great effect:

RizzyRong’s instructions are straight forward and so was the tool:

For copy paste purposes thats: admod -default minpwdlength::15

w00t, done right? Lets check:

We have a winner! Testing out a user:

14 characters…

Cool. This applied to the Default Domain Policy. That’s a problem if I want to move this setting around or I don’t actually apply the default policy to any objects. I also ran into some file permission errors when trying to set other GPO settings after I ran ADMod: (If anyone knows a better way to operate ADMod to this end please leave a comment below)

Alright, well need definitely need a cleaner and more repeatable / flexible solution. After fixing the file permission issues I noticed that in that file was my setting. I wonder if I can set this manually and have it actually stick. Lets try, we need the GUID, so lets make a policy that we can apply anywhere we want and as many times we want with JUST that minimum password length setting.

GUID acquired. To make Microsoft do most of the work we need to set the minimum password length setting in that policy to 14 or whatever, just so that we don’t have to remember file and folder structure for the GPO. Next we go to the location where the policy setting is stored:

1
\\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit

(replacing the 2 $DOMAIN instances with our domain name and $PolicyGUID with the GUID we copied from the policy page. If we set the policy to 14 there should be a line in the GptTmpl.inf file (you can open it with Notepad) that says ‘MinimumPasswordLength = 14’, change that to 15 or whatever you wish as so:

We check back or simply refresh our GPO settings:

Sweet, it’s there, again, just to be thorough we test and sure enough it works.

A few quick notes: Your users might complain about a few popups:

Not much you can do about this one, and I doubt your users will care, but this next one might get you a few support calls:

I haven’t found a way to make that say anything other than 14 characters (for that matter the 24 previous passwords number is incorrect as well)

If anyone knows how to fix this dialog or disable the previous one I am all ears. Please leave a comment so others can know how as well.

Update on 2011-07-26 17:10 by Rob Fuller

Jason mentioned that if you don’t increment the policy version in

1
%SystemRoot\SYSVOL\domain\Policies\{PolicyGuid}\GPT.ini

then it won’t get pushed to the domain.

Thanks Jason!

Update on 2011-07-26 18:25 by Rob Fuller

‘cc’ commented below, but I thought this should be hilighted…

“In a 2K3 domain, the password policy can only be specified in the “default domain policy” object. Policies defined elsewhere are ignored”

Are you F@#$!!@#! serious? Microsoft you suck…

Update on 2011-07-26 18:30 by Rob Fuller

after a bit some complaining on twitter, ArchangelAmael came back with: https://twitter.com/#!/ArchangelAmael/status/95921096762728448

And points at: http://technet.microsoft.com/en-us/library/cc738216(WS.10).aspx

which basically says that you can have it in a separate policy but it needs to supercede the default group policy at the domain level (making it essentially pointless to do so for anything other than ease of administration and beautification of the GPO list) (which is a valid reason for doing so)

if you need to apply policy at the OU level it needs to be in a Windows 2008 functional level domain.

Comments