Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'.
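# Set the legacy LAPS (AdmPwd) policy value 'PasswordLength' to 15.
# Run from an elevated session: writing under HKLM:\SOFTWARE\Policies needs administrative rights.
# If a domain GPO manages this setting, the GPO value replaces a locally written one on refresh.
#
# The registry provider exposes this hive as the 'HKLM:' drive. 'HKEY_LOCAL_MACHINE:' is not a
# PowerShell drive, so Test-Path and New-Item would fail on it.
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$Name = 'PasswordLength'
$Value = 15

# Create the key only when it is missing. The guard matters: New-Item -Force on an existing
# registry key recreates it and drops the values already stored there.
If (-NOT (Test-Path -Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }

# -Force overwrites an existing value, so re-running the snippet is safe.
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force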
Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'.
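# Set the legacy LAPS (AdmPwd) policy value 'PasswordComplexity' to 4
# (large letters + small letters + numbers + special characters, per the heading above).
# Run from an elevated session: writing under HKLM:\SOFTWARE\Policies needs administrative rights.
# If a domain GPO manages this setting, the GPO value replaces a locally written one on refresh.
#
# The registry provider exposes this hive as the 'HKLM:' drive. 'HKEY_LOCAL_MACHINE:' is not a
# PowerShell drive, so Test-Path and New-Item would fail on it.
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$Name = 'PasswordComplexity'
$Value = 4

# Create the key only when it is missing. The guard matters: New-Item -Force on an existing
# registry key recreates it and drops the values already stored there.
If (-NOT (Test-Path -Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }

# -Force overwrites an existing value, so re-running the snippet is safe.
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force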
Ensure 'Minimum password length' is set to '14 or more character(s)'.
Check GP using PowerShell:
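# Export the effective local security policy to a temporary file and report MinimumPasswordLength.
# The export holds the machine's full security policy, so the file is removed when the check ends.
$PolicyFile = "$env:temp\security_policy.txt"
try {
    secedit.exe /export /cfg $PolicyFile | Out-Null

    # A failed export (for example from a non-elevated session) must not be reported as
    # "not configured": check the exit code and that the file was actually written.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $PolicyFile)) {
        Write-Host "secedit export failed (exit code $LASTEXITCODE); check that the session is elevated."
    } else {
        # Take the first match only, so $length is always a single value.
        $MinimumPasswordLength = Get-Content $PolicyFile |
            Select-String "MinimumPasswordLength\s*=\s*(\d+)" |
            Select-Object -First 1

        if ($MinimumPasswordLength) {
            $length = $MinimumPasswordLength.Matches.Groups[1].Value
            Write-Host "Minimum Password Length Policy is configured with length $length."
            # The recommendation is 14 or more; a present-but-low value (including 0) is a finding.
            if ([int]$length -lt 14) {
                Write-Host "Configured length $length is below the recommended minimum of 14."
            }
        } else {
            Write-Host "Minimum Password Length Policy is not configured."
        }
    }
} finally {
    # Do not leave the exported policy behind in the temp directory.
    Remove-Item -Path $PolicyFile -Force -ErrorAction SilentlyContinue
}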
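@rem Set GP using cmd:
@rem Writes a temporary security template and applies MinimumPasswordLength with secedit.
@rem Run from an elevated Command Prompt. On a domain-joined machine the domain password
@rem policy takes precedence over this local setting.
@echo off
setlocal
set "infFilePath=C:\set_minimum_password_length.inf"
set "minimumPasswordLength=14"

rem Redirection comes first on each line so no trailing space ends up in the template.
> "%infFilePath%" echo [Unicode]
>> "%infFilePath%" echo Unicode=yes
>> "%infFilePath%" echo [Version]
>> "%infFilePath%" echo signature="$CHICAGO$"
>> "%infFilePath%" echo Revision=1
>> "%infFilePath%" echo [System Access]
>> "%infFilePath%" echo MinimumPasswordLength=%minimumPasswordLength%

secedit /configure /db C:\Windows\security\new.sdb /cfg "%infFilePath%"
rem Capture the result before del overwrites errorlevel.
set "rc=%errorlevel%"

rem Remove the template whether or not secedit succeeded.
del "%infFilePath%"

rem Only report success when secedit actually applied the template.
if not "%rc%"=="0" (
    echo secedit failed with exit code %rc%. The setting was not applied.
    exit /b %rc%
)
echo Done.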
Ensure 'Password must meet complexity requirements' is set to 'Enabled'.
Check GP using PowerShell:
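# Export the effective local security policy to a temporary file and report whether
# 'Password must meet complexity requirements' is enabled (PasswordComplexity = 1).
# The export holds the machine's full security policy, so the file is removed when the check ends.
$PolicyFile = "$env:temp\security_policy.txt"
try {
    secedit.exe /export /cfg $PolicyFile | Out-Null

    # A failed export (for example from a non-elevated session) must not be reported as
    # "disabled": check the exit code and that the file was actually written.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $PolicyFile)) {
        Write-Host "secedit export failed (exit code $LASTEXITCODE); check that the session is elevated."
    } else {
        # Anchor the pattern so only a line that is exactly 'PasswordComplexity = 1' counts.
        $PasswordComplexityEnabled = Get-Content $PolicyFile |
            Select-String "^\s*PasswordComplexity\s*=\s*1\s*$"

        if ($PasswordComplexityEnabled) {
            Write-Host "Password Complexity Policy is enabled."
        } else {
            Write-Host "Password Complexity Policy is disabled."
        }
    }
} finally {
    # Do not leave the exported policy behind in the temp directory.
    Remove-Item -Path $PolicyFile -Force -ErrorAction SilentlyContinue
}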
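@rem Set GP using cmd:
@rem Writes a temporary security template and enables PasswordComplexity with secedit.
@rem Run from an elevated Command Prompt. On a domain-joined machine the domain password
@rem policy takes precedence over this local setting.
@echo off
setlocal
set "infFilePath=C:\enable_password_complexity.inf"

rem Redirection comes first on each line so no trailing space ends up in the template.
> "%infFilePath%" echo [Unicode]
>> "%infFilePath%" echo Unicode=yes
>> "%infFilePath%" echo [Version]
>> "%infFilePath%" echo signature="$CHICAGO$"
>> "%infFilePath%" echo Revision=1
>> "%infFilePath%" echo [System Access]
>> "%infFilePath%" echo PasswordComplexity=1

secedit /configure /db C:\Windows\security\new.sdb /cfg "%infFilePath%"
rem Capture the result before del overwrites errorlevel.
set "rc=%errorlevel%"

rem Remove the template whether or not secedit succeeded.
del "%infFilePath%"

rem Only report success when secedit actually applied the template.
if not "%rc%"=="0" (
    echo secedit failed with exit code %rc%. The setting was not applied.
    exit /b %rc%
)
echo Done.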