How can I find out the password complexity policy?
This Windows built-in command (run it from the Command Prompt, cmd.exe) prints the same details as the tool in the other answer:
net accounts
Example output:
C:\>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
Credits/source: http://windowsitpro.com/security/discovering-details-about-domains-password-policy
Every AD user can see the value of the attribute named "pwdProperties"; yours is probably set to "DOMAIN_PASSWORD_COMPLEX" (value "1", integer).
AdFind can be used to retrieve many attributes relative to passwords:
AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Here is an example of what you'll get:
AdFind V01.45.00cpp Joe Richards March 2011
Using server: domain.example.org:389 Directory: Windows Server 2008 R2 Base DN: DC=domain,DC=example,DC=org
dn:DC=domain,DC=example,DC=org
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2

1 Objects returned
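As an added example (not part of the answer above, and not AdFind's own code), here are the same attributes read with PowerShell over ADSI and decoded into readable units: the interval attributes are stored as a negative count of 100-nanosecond ticks, and pwdProperties is a bit mask, so the raw numbers need conversion. The function names are my own; the sample hashtable is constructed from the AdFind output shown above so the decoding runs without a domain, while the live query needs a domain-joined machine.

```powershell
# Added example, not from the original answer: reads the same domain-root
# attributes the AdFind command returns and converts them into readable units.

# pwdProperties is a bit mask; flag values from MS-SAMR DOMAIN_PASSWORD_INFORMATION.
$PwdPropertyFlags = [ordered]@{
    DOMAIN_PASSWORD_COMPLEX         = 0x01
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS           = 0x08
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function ConvertFrom-AdInterval {
    # Interval attributes (maxPwdAge, lockoutDuration, ...) are stored as a
    # negative count of 100-nanosecond ticks. 0 means "none/immediately";
    # the most negative Int64 means "never" (what net accounts shows as "Never").
    param([long]$Ticks)
    if ($Ticks -eq 0) { return 'none' }
    if ($Ticks -eq [long]::MinValue) { return 'never' }
    $span = [TimeSpan]::FromTicks(-$Ticks)
    if ($span.TotalDays -ge 1) { return ('{0:N0} days' -f $span.TotalDays) }
    return ('{0:N0} minutes' -f $span.TotalMinutes)
}

function ConvertFrom-PwdProperties {
    # Names every flag set in the integer; an empty result means complexity is off.
    param([int]$Value)
    $set = foreach ($name in $PwdPropertyFlags.Keys) {
        if ($Value -band $PwdPropertyFlags[$name]) { $name }
    }
    if (-not $set) { return '(none set: complexity off)' }
    return ($set -join ', ')
}

function Format-PasswordPolicy {
    # Takes a hashtable of raw attribute values keyed by LDAP attribute name.
    param([hashtable]$Raw)
    [pscustomobject]@{
        PwdProperties            = ConvertFrom-PwdProperties $Raw.pwdProperties
        MinPasswordLength        = $Raw.minPwdLength
        PasswordHistoryLength    = $Raw.pwdHistoryLength
        MinPasswordAge           = ConvertFrom-AdInterval $Raw.minPwdAge
        MaxPasswordAge           = ConvertFrom-AdInterval $Raw.maxPwdAge
        LockoutThreshold         = if ($Raw.lockoutThreshold -eq 0) { 'never' } else { $Raw.lockoutThreshold }
        LockoutDuration          = ConvertFrom-AdInterval $Raw.lockoutDuration
        LockoutObservationWindow = ConvertFrom-AdInterval $Raw.lockOutObservationWindow
    }
}

function Get-DomainPasswordPolicyRaw {
    # Live query over ADSI against the domain this machine is joined to.
    # Any domain user can read these attributes, as the answer says.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
    $raw = @{}
    # Large-integer (Int64) attributes come back as COM objects and need the ADSI helper.
    foreach ($attr in 'lockoutDuration', 'lockOutObservationWindow', 'maxPwdAge', 'minPwdAge') {
        $raw[$attr] = $domain.ConvertLargeIntegerToInt64($domain.$attr.Value)
    }
    foreach ($attr in 'lockoutThreshold', 'minPwdLength', 'pwdHistoryLength', 'pwdProperties') {
        $raw[$attr] = [int]$domain.$attr.Value
    }
    return $raw
}

# Constructed sample: the values from the AdFind output above, so the decoding
# can be run without a domain. -18000000000 ticks is 30 minutes and
# -344736000000000 ticks is 399 days.
$sample = @{
    lockoutDuration          = -18000000000
    lockOutObservationWindow = -18000000000
    lockoutThreshold         = 0
    maxPwdAge                = -344736000000000
    minPwdAge                = 0
    minPwdLength             = 7
    pwdProperties            = 1
    pwdHistoryLength         = 2
}
Format-PasswordPolicy $sample | Format-List

# On a domain-joined machine, decode the live values the same way:
# Format-PasswordPolicy (Get-DomainPasswordPolicyRaw) | Format-List
```

Note that the domain root only holds the default domain policy; fine-grained password policies (msDS-PasswordSettings objects) can override it for particular users and groups, so a value read here is the floor, not necessarily what applies to a given account.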
Since it is AD, currently there is only a single complexity (per se) pattern available: the so-called 3 of 4 pattern. It is either on or off, unless you use a third party tool like Spec Ops to enforce some other level of complexity. Three of Four means your password needs to include at least one character from three of the 4 possible character sets:
- UPPER CASE
- lower case
- Numeric (0-9)
- Comic book curse words (aka special characters: !@#$%^&*(*))_+ etc)
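As an added example (not part of the answer above), here is a PowerShell function that applies the three-of-four rule the answer describes to candidate passwords and reports which classes matched. The account-name check, the display-name token check and the six-character floor are the other documented parts of the Windows built-in complexity filter and are included as optional parameters; the function name, the sample passwords and the account "jsmith" / "John Smith" are constructed for the example.

```powershell
# Added example, not part of the original answer: applies the "3 of 4"
# character-class rule to candidate passwords and says why one fails.
# Microsoft's documented filter also counts other Unicode letters (for example
# CJK characters) as an extra category; they fall into "Special" here.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinimumLength = 6   # floor the built-in filter applies regardless of minPwdLength
    )
    # Case-sensitive (-cmatch) so Upper and Lower are really distinct classes.
    $classes = [ordered]@{
        Upper   = $Password -cmatch '[A-Z]'
        Lower   = $Password -cmatch '[a-z]'
        Digit   = $Password -cmatch '[0-9]'
        Special = $Password -cmatch '[^A-Za-z0-9]'   # everything else, e.g. !@#$%^&*()_+
    }
    $hit = @($classes.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })

    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }
    if ($hit.Count -lt 3) { $reasons += "only $($hit.Count) of 4 classes ($($hit -join ','))" }

    # The built-in filter also rejects the account name, and any display-name
    # token of three or more characters, found case-insensitively in the password.
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += 'contains account name'
    }
    foreach ($tok in ($DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password -match [regex]::Escape($tok)) { $reasons += "contains name token '$tok'" }
    }

    [pscustomobject]@{
        Password = $Password
        Classes  = ($hit -join ',')
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample candidates: one passes on 3 classes, one has only 2,
# one hits all 4, and one is rejected for containing the account name.
'Summer2024', 'summer2024', 'Tr0ub4dor&3', 'Jsmith2024!' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith'
} | Format-Table -AutoSize
```

This reproduces the rule as documented; it is not a substitute for testing against the domain, since a custom password filter DLL or a fine-grained password policy on the domain controller can impose rules this function does not know about.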