Configure Password Policies

Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

  • Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.
  • Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Numerals (0 through 9)
    • Nonalphanumeric characters (such as !, $, #, and %)
  • Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.
  • Policies go into effect. You can specify when the policies take effect. The default is three days, but the range is "immediately" to seven days.
    You can choose to configure the password policies immediately or after a specified period of time. If you choose to configure password policies immediately, you must use strong passwords to log on to each client computer. You can simplify the process of setting up client computers by choosing to delay configuring the password policies until your configuration is complete. You will be able to work on the client computers without the password policy restrictions. If you use this option, choose to enable the policies after you have set up the client computers but before the users log on for the first time.
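
The length and complexity rules listed above can be checked against a candidate password before an account is provisioned. The following is an added example, not code from Windows Small Business Server; the function names are hypothetical, and it assumes that "part of a user's account name" means any run of three or more consecutive characters of the name, compared case-insensitively.

```python
import string

MIN_LENGTH = 7           # default minimum length stated on this page
REQUIRED_CATEGORIES = 3  # three of the four categories listed on this page
NAME_PART_LEN = 3        # assumption: a "part" of the name is any 3+ character run


def character_categories(password):
    """Return the set of character categories (from the page's list) in password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("numeral")
        elif not ch.isalnum():
            # Non-English letters and digits are alphanumeric, so they
            # do not count toward any of the four categories here.
            found.add("nonalphanumeric")
    return found


def contains_account_name(password, account_name):
    """True if any NAME_PART_LEN-character run of the account name is in password."""
    pw, name = password.lower(), account_name.lower()
    # Names shorter than NAME_PART_LEN yield no runs and are skipped (assumption).
    runs = (name[i:i + NAME_PART_LEN] for i in range(len(name) - NAME_PART_LEN + 1))
    return any(run in pw for run in runs)


def check_password(password, account_name, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        problems.append("too few character categories")
    if contains_account_name(password, account_name):
        problems.append("contains account name")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for a constructed account name "jsmith".
    for candidate in ["", "abcdefgh", "Ab1!", "jSmith#9", "Summer24"]:
        print(repr(candidate), check_password(candidate, "jsmith") or "accepted")
```
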