GPO password minimum length limited to 14 characters

Baker, John (RC-US DI FA SRD TE) 1 Reputation point
2021-09-21T15:09:39.173+00:00

I've dug through threads where this question has been asked before but found no answers to this question.

We have a Windows 2016 domain running with an extensive set of group policies.
The domain controllers are running Windows Server 2016 Version 1607 (OS Build 14393.4651) and are updated to the latest patch levels.
When I attempt to edit a GPO for restricted accounts as required by corporate measure plans, the minimum password length is limited to 14 characters. The measure plan requires 15 or more.

Powershell shows the following
PS C:\Users\adminXXXXX> Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
DistinguishedName : CN=Schema,CN=Configuration,DC=aaaaa,DC=bbbbb,DC=ccc
Name : Schema
ObjectClass : dMD
ObjectGUID : e450e53f-24cc-47c0-956f-d1d1f53d381d
objectVersion : 87

I updated the schema to Server 2019

I mounted a Server 2019 ISO and executed F:\support\adprep>adprep /forestprep
which reported
Current Schema Version is 87

Upgrading schema to version 88

Verifying file signature
Connecting to "DC01.xxxx.net"
Logging in as current user using SSPI
Importing directory from file "F:\support\adprep\sch88.ldf"
Loading entries........
7 entries modified successfully.

The command has completed successfully
Connecting to "DC01.xxxx.net"
Logging in as current user using SSPI
Importing directory from file "F:\support\adprep\PAS.ldf"
Loading entries....................
26 entries modified successfully.

The command has completed successfully
Adprep successfully updated the forest-wide information.

I then executed adprep /domainprep
Which reported
Adprep successfully updated the domain-wide information.

PS C:\Users\adminbakejx> Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
DistinguishedName : CN=Schema,CN=Configuration,DC=jocy,DC=siemens,DC=net
Name : Schema
ObjectClass : dMD
ObjectGUID : e450e53f-24cc-47c0-956f-d1d1f53d381d
objectVersion : 88

I am at a loss as to how to get the GPO set to more than 14 characters.

Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
2,129 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
4,303 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Danny Tuen 6 Reputation points
    2022-03-25T04:35:55.447+00:00
    1 person found this answer helpful.
    0 comments
  2. Limitless Technology 37,746 Reputation points
    2021-09-21T19:58:05.447+00:00

    Hello John,

    I think you are missing the new policies after Windows version 2004 which introduces a new Group Policy setting that allows you to configure the minimum password length to a value greater than 14.

    But to let the new settings apply to workstations, we need to activate the Relax minimum password length limits setting, which was added with Windows 10 2004, the Group Policy Management Editor allows up to 128 characters.

    Hope this helps in your case,
    Regards,

    --If the the reply is helpful, please Upvote and Accept as answer--

    0 comments
  3. Baker, John (RC-US DI FA SRD TE) 1 Reputation point
    2021-09-22T12:02:18.427+00:00

    I am certainly missing new policies. The underlying question is how to get them updated at the domain level.
    This policy may comer into play with some of our Windows 10 workstations and VMs, it is the 2016 and 2019 servers that need to recognize it though.

    134239-image.png

    0 comments
  4. Campbell, Scott (CRAB) 1 Reputation point
    2022-03-08T15:30:59.057+00:00

    I have this exact same problem and was really excited when i found this thread. Too bad it doesn't have an answer.

    0 comments