Windows Server 2008 Password Complexity Requirements.
I finally got to install Windows Server 2008 Standard today. I did a Server Core installation and was surprised how little I had to interact with the installer. It seemed like I answered three or four questions, went for Diet Coke, and when I returned, the server was at the login prompt.
During the installation process, I was not prompted for an administrator password, as I did when installing previous Windows Server operating systems. I entered the Administrator as the username and hit Enter and I was automatically logged into the server.
Windows immediately suggested that I change the administrator password. I tried to reuse some of my default passwords, but they kept getting rejected with the following error:
â€œUnable to update the password. The value specified for the new password does not meet the domain’s length, complexity, or history requirements “
I tried to create a new password a few more times but nothing worked. Finally, I decided to find out what the default password policy requirements were for Windows 2008.
When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:
- Passwords cannot contain a user account name or portions of a user’s full name that are longer than two consecutive characters.
- Passwords must be at least six characters long.
- Passwords must contain characters from three of the following four categories:
Capital letters of the English alphabet (A through Z).
English lowercase letters (a through z).
Base 10 digits (0 to 9).
Non-alphabetic characters (e.g.!, $, #,%).
I found it interesting to find the following explanation on the same web page:
“Password must meet complexity requirements –
This policy setting validates all new passwords to ensure that they meet basic strong password requirements. By default, this policy setting in Windows Server 2008 is set to Disabled, but the Windows Server 2008 domain for both environments described in this guide is set to Enabled.
This was not the behavior I encountered with the initial installation of Windows Server 2008. It was a basic installation and not a domain member, so why was the policy enabled?
On the other hand, if you want to log off Server Core, just type logoff