본문 바로가기
운영체제 (LNX,WIN)

Minimum Password Length of 15 or more via GPO

by 날으는물고기 2011. 7. 26.

Minimum Password Length of 15 or more via GPO

Also known as "How to practice what we preach". I don't know how long I've been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM will be stored (and a cursory bonus that their password won't be close to their original). But I've never tried setting it myself. Well, a client called me out. You can't! (well at least not through the UI )

TL;DR You can edit the GptTmpl.inf file in \\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit\ and set "MinimumPasswordLength" to whatever you want it to be. (You need to replace any part of the path starting with a $ with the value applicable to your domain and group policy object)

I tested this out myself, and sure enough, once you get up to 14 on the iterator, it jumps back down to 0:

After some googling I came up pretty empty handed (hence the highly SEO'd title of this post). I asked the question on Twitter and got a bunch of different answers, but @RizzyRong's was the first one in that I could try out: (THANK YOU to everyone who shot me answers, I really appreciate it, and to those who shared my curiosity I hope this helps you out)

ADMod is a Joeware tool. Any windows Sys Admin should at the very least know of these tools as Penetration Testers use them to great effect:

RizzyRong's instructions are straight forward and so was the tool:

For copy paste purposes thats: admod -default minpwdlength::15

w00t, done right? Lets check:

We have a winner! Testing out a user:

14 characters…

Cool. This applied to the Default Domain Policy. That's a problem if I want to move this setting around or I don't actually apply the default policy to any objects. I also ran into some file permission errors when trying to set other GPO settings after I ran ADMod: (If anyone knows a better way to operate ADMod to this end please leave a comment below)


Alright, well need definitely need a cleaner and more repeatable / flexible solution. After fixing the file permission issues I noticed that in that file was my setting. I wonder if I can set this manually and have it actually stick. Lets try, we need the GUID, so lets make a policy that we can apply anywhere we want and as many times we want with JUST that minimum password length setting.

GUID acquired. To make Microsoft do most of the work we need to set the minimum password length setting in that policy to 14 or whatever, just so that we don't have to remember file and folder structure for the GPO. Next we go to the location where the policy setting is stored: \\$DOMAIN\SYSVOL\$DOMAIN\Policies\$PolicyGUID\Machine\Microsoft\Windows NT\SecEdit\ (replacing the 2 $DOMAIN instances with our domain name and $PolicyGUID with the GUID we copied from the policy page. If we set the policy to 14 there should be a line in the GptTmpl.inf file (you can open it with Notepad) that says 'MinimumPasswordLength = 14', change that to 15 or whatever you wish as so:

We check back or simply refresh our GPO settings:

Sweet, it's there, again, just to be thorough we test and sure enough it works.

A few quick notes: Your users might complain about a few popups:

Not much you can do about this one, and I doubt your users will care, but this next one might get you a few support calls:

I haven't found a way to make that say anything other than 14 characters (for that matter the 24 previous passwords number is incorrect as well)

If anyone knows how to fix this dialog or disable the previous one I am all ears. Please leave a comment so others can know how as well.


출처 :  Room362

728x90

댓글