When administering Windows systems, the net user command is a common tool for local user management. However, you'll encounter a peculiar limitation when trying to set passwords longer than 14 characters:
net user TestUser ThisIsAVeryLongPassword123 /ADD
Windows responds with:
The password entered is longer than 14 characters. Computers with Windows prior to Windows 2000 will not be able to use this account. Do you want to continue this operation? (Y/N) [Y]:
This behavior stems from legacy compatibility concerns with pre-Windows 2000 systems that used the weaker LAN Manager (LM) hash. Modern Windows versions (NT 6.0+) support much longer passwords (up to 127 characters for local accounts, 256 for domain accounts), but the command-line tool maintains this warning for backward compatibility.
For scripting purposes, we need methods to bypass this interactive prompt:
Method 1: Using PowerShell
The modern approach is to use PowerShell's Set-LocalUser:
$password = ConvertTo-SecureString "MyVeryLongPassword123456" -AsPlainText -Force
Set-LocalUser -Name "TestUser" -Password $password
Method 2: net user with Input Redirection
For pure command-line solutions, pipe the response:
echo y | net user TestUser ThisIsAVeryLongPassword123 /ADD
Or create a response file:
echo y > response.txt
net user TestUser LongPassword12345 /ADD < response.txt
del response.txt
Method 3: Windows API Approach
For programmers, using the NetUserSetInfo API provides complete control:
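#include <windows.h>
#include <lm.h>   // NetUserSetInfo, USER_INFO_1003; link with Netapi32.lib

// Sets an account password through the API, so no interactive prompt is involved.
void SetLongPassword(LPCWSTR username, LPCWSTR password) {
    USER_INFO_1003 ui;
    ui.usri1003_password = (LPWSTR)password;
    // Information level 1003 updates only the password field.
    if (NetUserSetInfo(NULL, username, 1003, (LPBYTE)&ui, NULL) != NERR_Success) {
        // Handle error
    }
}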
- Always store passwords securely (never in plaintext scripts)
- Consider using Windows Credential Manager for production systems
- For domain environments, use proper Group Policy settings
- Audit password changes through Windows Event Log
While longer passwords improve security, remember that:
- Password complexity often matters more than pure length
- Automated password setting creates potential security audit trails
- Consider Windows Hello or certificate-based auth for critical systems
When administering Windows systems programmatically, the net user command is a common tool for user management. However, attempting to set passwords longer than 14 characters triggers an interactive confirmation prompt:
net user TestUser ThisIsALongPassword123 /ADD
This produces the warning:
The password entered is longer than 14 characters. Computers with Windows prior to Windows 2000 will not be able to use this account. Do you want to continue this operation? (Y/N) [Y]:
The limitation stems from legacy LAN Manager (LM) hash compatibility. Windows NT 4.0 and earlier versions had a 14-character password limit. While modern Windows versions support longer passwords, the warning persists for backward compatibility considerations.
Method 1: Using PowerShell Instead
The modern approach is to use PowerShell, which doesn't have this limitation:
$password = ConvertTo-SecureString "MyVeryLongPassword12345" -AsPlainText -Force
New-LocalUser -Name "TestUser" -Password $password
Method 2: Automated Response to Prompt
For scenarios where you must use net user, you can pipe the response:
echo y | net user TestUser ThisIsALongPassword123 /ADD
Or more robustly in a batch script:
@echo off
(
echo y
) | net user %1 %2 /ADD
Method 3: Disabling the LM Hash Storage
You can modify the registry to prevent Windows from storing LM hashes (which enables long passwords without warning):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f
After this change, Windows will only store the more secure NT hashes.
In Automated Deployment Scripts
For large-scale deployments, combine these approaches:
@echo off
:: Disable LM hash storage first
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f
:: Create user with long password
powershell -Command "$securePwd = ConvertTo-SecureString 'P@ssw0rdLongerThan14Chars!' -AsPlainText -Force; New-LocalUser -Name 'DeployUser' -Password $securePwd"
:: Add to administrators group
net localgroup administrators DeployUser /ADD
When working with passwords in scripts:
- Never store passwords in plaintext in source control
- Consider using Group Policy Preferences with encrypted passwords for domain environments
- For local accounts, generate passwords at runtime when possible
- Use proper ACLs to protect scripts containing credentials
The best modern practice is to use PowerShell's New-LocalUser or Set-LocalUser cmdlets, as they provide better control and don't have the legacy limitations of net user.
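One way to follow the "generate passwords at runtime" advice with the New-LocalUser and Set-LocalUser cmdlets, as an added example that is not part of the original page. The function names, the character set and the TestUser account are assumptions, and it needs an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: helper names are hypothetical, not part of any Microsoft module.
function New-RandomSecurePassword {
    # 15 is the first length that triggers the net user prompt; 127 is the local-account limit cited above.
    param([ValidateRange(15, 127)][int]$Length = 24)

    # Assumed character set (look-alike characters removed); adjust to local password policy.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@_'.ToCharArray()
    # Bytes at or above this limit are rejected so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure = New-Object System.Security.SecureString
    $buffer = New-Object byte[] 1
    try {
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) {
                # Characters go straight into the SecureString; no plaintext string is built.
                $secure.AppendChar($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    $secure.MakeReadOnly()
    return $secure
}

function Set-LocalUserRandomPassword {
    param([Parameter(Mandatory)][string]$Name, [int]$Length = 24)

    $password = New-RandomSecurePassword -Length $Length
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Name -Password $password           # existing account: reset
    } else {
        New-LocalUser -Name $Name -Password $password | Out-Null # new account: create
    }
    # Returned as a SecureString for hand-off to a credential store; never write it to a log.
    return $password
}

$secret = Set-LocalUserRandomPassword -Name 'TestUser' -Length 24
```

Because the password never appears as a command-line argument or a script literal, it does not end up in process listings, shell history or source control.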