How to Disable Password Complexity Policy in Active Directory via Group Policy Management (GPMC)


When dealing with Active Directory password policies, many admins instinctively check Local Security Policy first, only to find the settings grayed out. The correct approach requires navigating through Group Policy Management Console (GPMC):

1. Open Group Policy Management (gpmc.msc)
2. Navigate to:
   Forest → Domains → [YourDomain] → Group Policy Objects
3. Right-click "Default Domain Policy" → Edit

The password complexity rules are actually nested under:

Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy

Key policies you'll want to modify:

  • Password must meet complexity requirements (Set to Disabled)
  • Minimum password length (Optional adjustment)
  • Password history (Optional adjustment)

For those managing multiple domains or needing automation:

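Import-Module ActiveDirectory
# Password policy is a security setting (stored in the GPO's security template),
# not a registry-based policy, so Set-GPRegistryValue cannot change it.
# Set it on the domain with the ActiveDirectory module instead:
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -ComplexityEnabled $false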

Remember these critical points:

  • Policy changes take effect after next gpupdate /force
  • Existing passwords won't be affected until next change
  • Consider creating Fine-Grained Password Policies instead of completely disabling complexity

After making changes, verify with:

gpresult /h report.html
# OR
Get-ADDefaultDomainPasswordPolicy | fl *

For granular checking of applied policies:

Get-GPOReport -Name "Default Domain Policy" -ReportType Html -Path "C:\report.html"

Many admins get stuck at the Local Security Policy level when trying to modify password requirements. The key is to access Domain Group Policy Objects (GPO) instead. Here's exactly where to look:

  1. Open Group Policy Management Console (gpmc.msc)
  2. Navigate to: Forest → Domains → YourDomain → Group Policy Objects
  3. Edit the Default Domain Policy or create a new GPO

Expand these nodes in order:

Computer Configuration
  → Policies
    → Windows Settings
      → Security Settings
        → Account Policies
          → Password Policy

You'll find these configurable parameters:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements (Set to Disabled)

For those managing multiple domains, here's a PowerShell snippet to disable complexity via CLI:


# Import AD module
Import-Module ActiveDirectory

# Get current policy
$currentPolicy = Get-ADDefaultDomainPasswordPolicy

# Disable complexity requirements
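# The policy object has no Identity property; use its DistinguishedName.
# Backticks continue the command across lines.
Set-ADDefaultDomainPasswordPolicy -Identity $currentPolicy.DistinguishedName `
                                  -ComplexityEnabled $false `
                                  -MinPasswordLength 1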

Consideration          | Impact
Security implications  | Weak passwords become possible
Replication time       | Changes may take 15-90 minutes to propagate
Alternative approach   | Use Fine-Grained Password Policies for exceptions
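
The Fine-Grained Password Policy alternative mentioned above, shown as an added example that is not part of the original article: it relaxes complexity for one group only and leaves the domain default untouched. The group name, PSO name and every numeric value are hypothetical, chosen for illustration.

```powershell
# Added example: scope the exception with a Fine-Grained Password Policy (PSO)
# instead of disabling complexity for the whole domain.
# Assumptions: 'Legacy-App-Accounts' and 'PSO-LegacyApp' are hypothetical names;
# the length, history, age and lockout values are illustrative only.
Import-Module ActiveDirectory

$groupName = 'Legacy-App-Accounts'   # hypothetical global security group
$psoName   = 'PSO-LegacyApp'         # hypothetical PSO name

# Stop if the group is missing: a PSO without a subject applies to nobody.
$group = Get-ADGroup -Identity $groupName -ErrorAction Stop
if ($group.GroupScope -ne 'Global') {
    throw "PSOs apply only to users and global security groups; '$groupName' is $($group.GroupScope)."
}

# Create the PSO only when it does not exist, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 100 `
        -ComplexityEnabled $false `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to the group unless it is already a subject.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($group.DistinguishedName -notin $subjects.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Show which PSO each direct user member resolves to.
# An empty AppliedPSO means the default domain policy still applies.
Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user' | ForEach-Object {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User              = $_.SamAccountName
        AppliedPSO        = $rp.Name
        ComplexityEnabled = $rp.ComplexityEnabled
        MinPasswordLength = $rp.MinPasswordLength
    }
}

# The domain default should be unchanged.
Get-ADDefaultDomainPasswordPolicy | Select-Object ComplexityEnabled, MinPasswordLength
```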

After making changes, confirm with:


# Check effective policy
gpresult /r
# Or show the domain-wide account policy:
net accounts /domain