How to Check Password Complexity Requirements in Active Directory

by Robert Allen

In this tutorial, you will learn how to check if Password Complexity is required in your Active Directory Domain.

What is “Password must meet complexity requirements”?

If this policy is enabled in your AD domain, passwords must meet the following minimum requirements:

  1. Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  2. Be at least six characters in length
  3. Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)

How to Check if Password Complexity Requirements are Enabled

There are a few ways to check if this setting is enabled. The easiest option is to use PowerShell.

Step 1. Open PowerShell and run the following command.

Get-ADDefaultDomainPasswordPolicy

Step 2. Check the value of ComplexityEnabled

This command will return the default password policy for your Active Directory domain. Check the ComplexityEnabled value: if it is True, Password Complexity is enabled for your domain.

The command will also show your other password policy settings. This is a very useful command to quickly get your domain password policy.

Another way to check if password complexity is enabled is to check the Default Domain Policy settings.

Open the group policy management console and edit the Default Domain Policy.

Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

Check the policy settings for “Password must meet complexity requirements”. You can see in the screenshot below that complexity is enabled in my domain.

A third option is to use the AD Pro Toolkit.

Click on Reports > Security > Domain Password Policy.

This report will display your domain’s password policy in a grid view.

Password complexity can also be enabled in fine-grained password policies.

Run the report below to check for any fine-grained password policies and their complexity setting.

Reports > Fine grained password policy.
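
The same check can be done in PowerShell for both the default domain policy and any fine-grained password policies. This is an added example, not from the original article or the AD Pro Toolkit; the function name Get-PasswordComplexityReport and the account name jsmith are placeholders chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# By default only Domain Admins can read fine-grained policies,
# so run this with an account that has that access.
Import-Module ActiveDirectory

function Get-PasswordComplexityReport {
    # Default domain policy: applies to every account with no fine-grained policy.
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Policy            = 'Default domain policy'
        Precedence        = $null
        ComplexityEnabled = $default.ComplexityEnabled
        MinPasswordLength = $default.MinPasswordLength
        AppliesTo         = '(accounts with no fine-grained policy)'
    }

    # Fine-grained policies override the default for the users and groups
    # they are linked to; a lower Precedence value ranks higher.
    Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
        [pscustomobject]@{
            Policy            = $_.Name
            Precedence        = $_.Precedence
            ComplexityEnabled = $_.ComplexityEnabled
            MinPasswordLength = $_.MinPasswordLength
            AppliesTo         = ($_.AppliesTo -join '; ')
        }
    }
}

$report = @(Get-PasswordComplexityReport)
$report | Format-Table -AutoSize -Wrap

# Flag every policy that has complexity turned off.
$weak = @($report | Where-Object { -not $_.ComplexityEnabled })
if ($weak.Count -gt 0) {
    Write-Warning ('Complexity is disabled in: ' + ($weak.Policy -join ', '))
}

# Which policy does one account actually get? 'jsmith' is a placeholder.
$sam = 'jsmith'
$pso = Get-ADUserResultantPasswordPolicy -Identity $sam
if ($pso) {
    "{0}: fine-grained policy '{1}', ComplexityEnabled = {2}" -f $sam, $pso.Name, $pso.ComplexityEnabled
} else {
    "{0}: no fine-grained policy applies, so the default domain policy is used" -f $sam
}
```

A fine-grained policy with ComplexityEnabled set to False exempts its linked users and groups from complexity even when the default domain policy shows True, which is why both need checking.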

The AD Pro Toolkit includes over 200 Active Directory Reports, including computer, user, group policy, and security reports.


I hope you found this guide useful. If you have questions or comments post them below.
