Change Password Policy in Windows Server 2008

Published on Friday, January 17, 2014

Sometimes, for example in a development environment, we do not want Windows Server to enforce a strict security policy such as the password policy. We want to set a simple password that never expires, because the server is for development only, not for a real product line.

First, what is the password policy on Windows Server 2008?

Password must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
    - English uppercase characters (A through Z)
    - English lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
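The three requirements above can be expressed as a small checker, which also shows what kind of password becomes acceptable once the policy is disabled. This is an added example, not code from Windows or from the original post; the function names, the sample account "jsmith" / "John Smith", and the way the full name is split into parts are assumptions made for illustration.

```python
import re

MIN_LENGTH = 6  # "Be at least six characters in length"

def char_categories(password):
    """Return which of the four listed character categories appear."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("uppercase")
        elif "a" <= ch <= "z":
            found.add("lowercase")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif not ch.isalpha():
            found.add("non-alphabetic")
    return found

def name_parts(account_name, full_name):
    """Name fragments that must not appear in the password.

    Assumption: the full name is split on whitespace and common punctuation,
    and only parts longer than two characters count. Account names shorter
    than three characters are ignored as well (also an assumption).
    """
    parts = [p for p in re.split(r"[\s,.\-_#]+", full_name) if len(p) > 2]
    if len(account_name) > 2:
        parts.append(account_name)
    return parts

def complexity_failures(password, account_name, full_name):
    """Return a list of the requirements the password fails (empty = passes)."""
    failures = []
    lowered = password.lower()
    for part in name_parts(account_name, full_name):
        if part.lower() in lowered:  # comparison is case-insensitive
            failures.append("contains name part %r" % part)
    if len(password) < MIN_LENGTH:
        failures.append("shorter than six characters")
    categories = char_categories(password)
    if len(categories) < 3:
        failures.append("only %d of 4 character categories" % len(categories))
    return failures

if __name__ == "__main__":
    # Constructed sample account and passwords.
    for pw in ["Summer2014!", "abc123", "JohnXy9!", "Ab1!"]:
        print(pw, complexity_failures(pw, "jsmith", "John Smith") or "OK")
```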

So, how do we remove or change the password policy?

1: Run Local Security Policy on Windows Server 2008:

2: Click Account Policies > Password Policy in the left panel, and you will see the password policy settings in the right panel:

3: Remove the password expiration policy:

In the right panel, click Maximum password age to change the password expiration policy.

Note: about Maximum password age:

Maximum password age

This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources.

Default: 42.

So if we do not want the password to expire, just set Maximum password age to 0.

4: Remove the password complexity policy:

In the right panel, click Password must meet complexity requirements and set it to Disabled.

Now you can set whatever simple, never-expiring password you like.