How can I find out the password complexity policy?

Solution 1:

Every AD user can see the value of the attribute named "pwdProperties"; yours is probably set to "DOMAIN_PASSWORD_COMPLEX" (value "1", integer).

AdFind can be used to retrieve many attributes related to passwords:

AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties

Here is an example of what you'll get:

AdFind V01.45.00cpp Joe Richards ([email protected]) March 2011

Using server: domain.example.org:389 Directory: Windows Server 2008 R2 Base DN: DC=domain,DC=example,DC=org

dn:DC=domain,DC=example,DC=org

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2

1 Objects returned
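An added example (not part of the answer above and not AdFind's own code) that decodes the raw values in output like the one shown: the interval attributes are negative counts of 100-nanosecond units, and pwdProperties is a bit mask. The function names are this example's own, and the embedded sample is copied from the output above.

```python
import re
from datetime import timedelta

# pwdProperties bit flags (DOMAIN_PASSWORD_* constants from the Windows SDK).
PWD_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
INTERVAL_ATTRS = {"lockoutduration", "lockoutobservationwindow", "maxpwdage", "minpwdage"}
NEVER = -(2 ** 63)  # Int64 minimum, stored when an interval means "never"

SAMPLE = """\
dn:DC=domain,DC=example,DC=org
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -344736000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 2
"""

def parse_policy(text):
    """Return {lower-cased attribute: int} for every 'name: integer' line."""
    pairs = re.findall(r"^(\w+):\s*(-?\d+)\s*$", text, re.MULTILINE)
    return {name.lower(): int(value) for name, value in pairs}

def to_timedelta(raw):
    """Convert a negative 100-ns interval to a timedelta; None means never."""
    return None if raw == NEVER else timedelta(microseconds=abs(raw) // 10)

def decode_flags(value):
    """List the flag names set in pwdProperties, reporting unknown bits too."""
    names = [name for bit, name in PWD_FLAGS.items() if value & bit]
    unknown = value & ~sum(PWD_FLAGS)
    return names + ([f"UNKNOWN(0x{unknown:x})"] if unknown else [])

def summarize(text):
    out = {}
    for name, raw in parse_policy(text).items():
        if name in INTERVAL_ATTRS:
            out[name] = to_timedelta(raw)
        else:
            out[name] = decode_flags(raw) if name == "pwdproperties" else raw
    out["lockout_enabled"] = out.get("lockoutthreshold", 0) != 0  # 0 = no lockout
    return out
```

For the sample, `summarize(SAMPLE)` reports a maximum password age of 399 days, a 30-minute lockout duration, complexity enabled, and account lockout disabled.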


Solution 2:

This Windows built-in command (use the Command Prompt: cmd.exe) prints the same details as the tool in answer:

net accounts

Example output:

C:\>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

Credits/source: http://windowsitpro.com/security/discovering-details-about-domains-password-policy

Solution 3:

Since it is AD, currently there is only a single complexity (per se) pattern available: the so-called 3 of 4 pattern. It is either on or off, unless you use a third-party tool like Spec Ops to enforce some other level of complexity. Three of Four means your password needs to include at least one character from three of the 4 possible character sets:

  1. UPPER CASE
  2. lower case
  3. Numeric (0-9)
  4. Comic book curse words (aka special characters: !@#$%^&*(*))_+ etc)

Solution 4:

Right Click "Password must meet complexity requirements", then select "Explain" tab.


Solution 5:

Run in PowerShell:

Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

Output:

ComplexityEnabled           : True
DistinguishedName           : DC=ad,DC=company,DC=net
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 12
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
objectClass                 : {domainDNS}
objectGuid                  : 641734ff-9d4c-40b4-a28a-b9628c021639
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False