This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

• Not contain the user's entire Account Name or entire Full Name. The Account Name and Full Name are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the Account Name or Full Name are split and all sections are verified not to be included in the password. There is no check for any character or any three characters in succession.
  
  
• Contain characters from three of the following five categories:
  
  
  • English uppercase characters (A through Z)
    
    
  • English lowercase characters (a through z)
    
    
  • Base 10 digits (0 through 9)
    
    
  • Non-alphabetic characters (for example, !, $, #, %)
    
    
  • A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.
    
    

Important
Complexity requirements are enforced when passwords are changed or created.

To create custom password filters, see the Microsoft Platform Software Development Kit and TechNet on the Microsoft Web site.

Default:

• Enabled on domain controllers.
  
  
• Disabled on stand-alone servers.
  
  

Note
By default, member computers follow the configuration of their domain controllers.

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\

For specific instructions about how to configure password policy settings, see Apply or modify password policy.

For more information, see:

• Strong passwords
  
  
• Password Best practices
  
  
• Password Policy
  
  
• Security Configuration Manager tools