There is one annoying flaw in the Group Policy for Active Directory: it prevents an administrator from setting a password policy that requires passwords of at least 15 characters. If an administrator tries to force a minimum password length of 15 characters, the setting is not applied and an internal value of between 7 and 14 characters is used instead. But there are workarounds.
I came across the topic via a Facebook post from German (ex)MVP colleague Mark Heitbrink and thought it might be of interest to some administrators.
(Facebook post from Mark Heitbrink)
Mark described the details in a post on his German website gruppenrichtlinien.de. In short: he intended to set 15 characters as the default minimum length for Active Directory passwords via group policy (the editor allows up to 20 characters). But Microsoft's Security Baseline simply states that 14 characters is the maximum (due to a bug), because this is the longest password length that can be specified without side effects.
Mark describes what happens when an administrator attempts to set the minimum password length to 15 characters via the Default Domain Policy. The previous minimum length of x characters (set to 7 during his test) is retained after a gpupdate and is passed on as the default policy in the AD. This can be recognized in the Event Viewer by warnings of type SceCli 1202: "The security policies were propagated with warnings. 0x57: Incorrect parameter."
Mark writes: The administrator assumes that the default 15 characters apply, but the default policy, which suddenly takes effect, also allows passwords with 7 characters.
Mark describes the solutions to this dilemma. You can set the minimum password length with PowerShell by writing the minPwdLength AD attribute directly. However, this has the disadvantage that the warnings continue to appear in the Event Viewer. Mark suggests setting the Default Domain Policy to a password length of 14 characters. Details can be found in his German article.
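One way to apply the PowerShell workaround and then check whether the SceCli 1202 warnings are still arriving, as an added example that is not Mark's script or Microsoft documentation; the choice of Set-ADObject for writing the attribute and the 24-hour event window are assumptions:

```powershell
# Added example: write minPwdLength on the domain object directly (bypassing
# the Group Policy engine, which rejects values above 14), verify the result,
# and surface any SceCli 1202 / 0x57 warnings that the article says persist
# while the Default Domain Policy still carries the rejected value.
# Assumes the ActiveDirectory RSAT module and Domain Admin rights.
#Requires -Modules ActiveDirectory
param(
    [int]$MinLength = 15   # the value the GP editor accepts but does not apply
)

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# Current value on the domain head (what Group Policy normally writes)
$before = (Get-ADObject -Identity $dn -Properties minPwdLength).minPwdLength
Write-Host "minPwdLength before: $before"

# Write the attribute directly on the domain object
Set-ADObject -Identity $dn -Replace @{ minPwdLength = $MinLength }

# Re-read through both views: the raw attribute and the policy cmdlet
$after  = (Get-ADObject -Identity $dn -Properties minPwdLength).minPwdLength
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
if ($after -ne $MinLength -or $policy.MinPasswordLength -ne $MinLength) {
    throw "minPwdLength is $after / $($policy.MinPasswordLength), expected $MinLength"
}
Write-Host "minPwdLength after:  $after (MinPasswordLength = $($policy.MinPasswordLength))"

# Look for the propagation warnings described in the article (Application log,
# source SceCli, event 1202, message containing 0x57). Window is an assumption.
$warnings = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SceCli'
    Id           = 1202
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match '0x57' }

if ($warnings) {
    $msg = "{0} SceCli 1202 (0x57) warning(s) in the last 24h; " +
           "the Default Domain Policy still holds a length above 14" -f $warnings.Count
    Write-Warning $msg
}
```

Run it on a domain controller; if the warning still fires after the attribute has been set, the GPO itself still contains the rejected 15-character value, which is the situation Mark's 14-character recommendation addresses.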