Minimum Password Length: Default Domain Policy Versus Set ...
- Fine-grained password policies with no limit
- Limit of 14 remains for older OS versions
- Setting MinPasswordLength with PowerShell
- Auditing the password length
A higher value for the minimum password length is a prerequisite if administrators want to enforce the use of passphrases. A passphrase is a sequence of several words or whole sentences that users can remember more easily than long passwords. In combination with the complexity requirements, they provide a high level of security.
Fine-grained password policies with no limit
In Windows domains, such a rule could already be implemented with a fine-grained password policy in the past. However, such a policy cannot be assigned to an OU or domain but only to security groups in Active Directory.

Fine-grained password policies don't have the 14-character limit for the minimum password length
To define the requirements for passwords across the domain, the default domain policy contains respective settings in most environments. But if you want to increase the value for the minimum password length in the GPO editor, then 14 characters was the limit until now. However, if you activate the Relax minimum password length limits setting, which was added with Windows 10 2004, the Group Policy Management Editor allows up to 128 characters.

New settings to increase the minimum length of passwords and to monitor this action
Limit of 14 remains for older OS versions
If you edit the GPO on an older version of Windows, the standard limit of 14 characters applies again, even if you have previously increased the setting to a higher value.

Even if the value has already been set higher, the GPO editor can configure a maximum of only 14 characters in older OS versions
Even if you can't configure the setting with a higher value on older systems, the policy for longer passwords still applies to users on such a PC. So they have to comply with it when changing passwords.
Setting MinPasswordLength with PowerShell
The situation becomes even more confusing if you change the default password policy for the domain with the Set-ADDefaultDomainPasswordPolicy cmdlet. A value higher than 14 can also be set here:
Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 16 -Identity contoso.com
As expected, using the command
Get-ADDefaultDomainPasswordPolicy
will then show MinPasswordLength as 16.

Set-ADDefaultDomainPasswordPolicy can also be used to set values higher than 14 for the minimum password length
This also applies to the GPO editor, which contains this value when the GPO is reloaded. Configuring more than 14 characters in the editor, however, is only possible in Windows 10 2004 with the Relax minimum password length limits setting activated.
One could conclude from this that the new policy only serves to enable the GPO editor to configure a minimum length for passwords of more than 14 characters.
Auditing the password length
Another new setting in the current release of Windows 10, called Minimum password length audit, causes the system to record events related to longer passwords. In its description, it states:
If this setting is defined and is greater than the minimum password length and the length of a new account password is less than this setting, a monitoring event is generated.
The corresponding entries can be found in the system log. You can read them by using the following PowerShell command:
Get-WinEvent -ProviderName Microsoft-Windows-Directory-Services-SAM
An entry in the event log suggests that longer passwords cannot be forced without the new setting
If you have configured a value greater than 14 with PowerShell, but have not activated the new setting for longer passwords under Windows 10 2004, you will find the following message under ID 16979:
The domain is incorrectly configured with a MinimumPasswordLength setting greater than 14, while RelaxMinimumPasswordLengthLimits is either undefined or disabled.
NOTE: Until this is corrected, the domain will force the smaller MinimumPasswordLength setting of 14.
However, it turned out that when the password was changed, Windows still expected the minimum length, which was entered in the Default Domain Password Policy and was greater than 14. The new policy does not appear to be a prerequisite for forcing longer passwords via the Default Domain Password Policy.
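The check described above, as an added example that is not part of the original article: it reads the MinPasswordLength stored in the default domain policy and reports whether event 16979 has been logged for it. The function name, the state labels and the sample record are assumptions made for illustration, and the live branch assumes it runs on a domain controller with the ActiveDirectory module installed.

```powershell
# Added example, not the article's own code.
# Get-MinPwdLengthFinding and its state labels are hypothetical names.
function Get-MinPwdLengthFinding {
    param(
        [Parameter(Mandatory)] [int] $MinPasswordLength,  # value from the default domain policy
        [object[]] $SamEvents = @()                       # records exposing Id and TimeCreated
    )
    # Event 16979 is the "incorrectly configured" message quoted in the article.
    $warn = @($SamEvents | Where-Object Id -eq 16979 | Sort-Object TimeCreated -Descending)
    $state = if ($MinPasswordLength -le 14) {
        'AtOrBelow14'
    } elseif ($warn.Count -gt 0) {
        'Above14_Event16979Logged'
    } else {
        'Above14_NoEvent16979'
    }
    [pscustomobject]@{
        MinPasswordLength = $MinPasswordLength
        State             = $state
        Last16979         = if ($warn.Count -gt 0) { $warn[0].TimeCreated } else { $null }
        # Per-ID counts show which other SAM events are present without assuming their IDs.
        EventCountsById   = ($SamEvents | Group-Object Id |
                             ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live data. Assumption: run on a domain controller, where the SAM events are logged.
    $len = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
    } -MaxEvents 200 -ErrorAction SilentlyContinue)
} else {
    # Constructed sample so the logic can be tried without a domain.
    $len    = 16
    $events = @([pscustomobject]@{ Id = 16979; TimeCreated = [datetime]'2020-07-01T09:15:00' })
}

Get-MinPwdLengthFinding -MinPasswordLength $len -SamEvents $events
```

The output only reports what is stored and what was logged; whether the longer length is actually enforced still has to be confirmed with a test password change, as the article did.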