Hyper-V Server 2008 R2's Server Core installation presents unique administrative challenges, particularly when attempting to modify security policies without GUI tools. The absence of gpedit.msc requires alternative command-line approaches.
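:: DisableDomainCreds = 0 allows network credentials to be stored in Credential Manager
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableDomainCreds /t REG_DWORD /d 0 /f
:: LimitBlankPasswordUse = 0 lets local accounts with blank passwords log on over the network, not only at the console
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
:: DisablePasswordChange = 1 stops the machine from changing its domain computer account password
reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v DisablePasswordChange /t REG_DWORD /d 1 /f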
Use secedit to export, modify, and reimport the security policy:
secedit /export /cfg config.inf
:: Edit config.inf and set PasswordComplexity = 0
secedit /configure /db config.sdb /cfg config.inf
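When creating accounts from the command line, use this PowerShell alternative:
# New-LocalUser comes from the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1)
$password = ConvertTo-SecureString "SimplePass123" -AsPlainText -Force
# New-LocalUser creates the account; Set-LocalUser only changes one that already exists
New-LocalUser -Name "NewUser" -Password $password -PasswordNeverExpires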
Confirm policy changes with:
net accounts
Look for "Password complexity: Disabled" in the output.
While disabling complexity requirements may be necessary for specific test environments, always:
- Document the change in security logs
- Re-enable policies after temporary use
- Consider using certificate-based authentication instead
Working with Microsoft Hyper-V Server 2008 R2's Core installation presents unique challenges when you need to create local user accounts. The default password policy enforces complexity requirements that can be unnecessarily restrictive for test environments or specific use cases.
By default, Hyper-V Server 2008 R2 Core enforces these password rules:
- Minimum length of 6 characters
- Cannot contain the username or parts of the full name
- Must include characters from 3 of these 4 categories:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Digits (0-9)
  - Special characters (!@#$% etc.)
Since the Core edition lacks GUI tools like gpedit.msc, we'll use the secedit utility:
:: Export current security policy to inf file
secedit /export /cfg C:\temp\secpol.inf
:: Edit the exported file (replace values as shown)
notepad C:\temp\secpol.inf
:: Apply modified policy
secedit /configure /db C:\temp\secpol.sdb /cfg C:\temp\secpol.inf
In the exported secpol.inf file, locate and change these values:
[System Access]
PasswordComplexity = 0
MinimumPasswordLength = 1
PasswordHistorySize = 0
After applying changes, verify with:
net accounts
This should show "Password complexity requirements: Disabled".
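To read the three values back from the policy itself, this added example (not part of the original page; the function names are hypothetical) parses a `secedit /export` file and flags anything weaker than the defaults listed above. The sample lines are constructed to mirror the edited secpol.inf.

```powershell
function ConvertFrom-SecurityInf {
    param([string[]]$Lines)
    # Collect "Key = Value" pairs per [Section] of a secedit /export file.
    $policy = @{}
    $section = ''
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $policy[$section] = @{}
        } elseif ($section -and $text -match '^([^=;]+?)\s*=\s*(.*)$') {
            $policy[$section][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy)
    # Flag every value that is weaker than the defaults quoted on this page.
    $access = $Policy['System Access']
    if (-not $access) { return @('No [System Access] section found') }
    $findings = @()
    $complexity = [int]($access['PasswordComplexity'])
    $minLength  = [int]($access['MinimumPasswordLength'])
    $history    = [int]($access['PasswordHistorySize'])
    if ($complexity -ne 1) { $findings += 'PasswordComplexity is disabled' }
    if ($minLength -lt 6)  { $findings += "MinimumPasswordLength is $minLength (default 6)" }
    if ($history -eq 0)    { $findings += 'PasswordHistorySize is 0 (no history kept)' }
    return $findings
}

# Constructed sample mirroring the edited secpol.inf shown on this page.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[System Access]',
    'PasswordComplexity = 0', 'MinimumPasswordLength = 1', 'PasswordHistorySize = 0'
)
Test-PasswordPolicy (ConvertFrom-SecurityInf $sample)

# On a live host, audit the effective policy instead:
#   secedit /export /cfg C:\temp\audit.inf /areas SECURITYPOLICY
#   Test-PasswordPolicy (ConvertFrom-SecurityInf (Get-Content C:\temp\audit.inf))
```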
For scripted environments, you can modify the registry directly:
:: NoLmHash = 0 allows LM hashes to be stored at the next password change
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLmHash" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PasswordComplexity" /t REG_DWORD /d 0 /f
Before disabling complexity requirements:
- Only implement in isolated test environments
- Never use simple passwords on internet-facing servers
- Consider using certificate-based authentication instead
- Document the change in your security policy