I was setting up Windows Server 2008 on a test system today to get a better grip on Microsoft’s just released Hyper-V virtualization when I ran into a completely unexpected problem: I couldn’t set up the system’s initial password
I expected to have some trouble integrating Server 2008 into my network. My LAN, while it used AD (Active Directory), relies on Samba and LDAP (Lightweight Directory Access Protocol) so I expected to have some trouble with, at a minimum, some authentication issues. And, indeed, I did run into that kind of problem, but first I had to get logged into my server. This is not a problem I ever expected to have with a modern operating system.
Much to my annoyance, I found that I couldn’t get the system to accept any password. At first, I thought that, since the system was already physically hooked into the network, that I might already be running into a network authentication problem. The error message:
“Unable to update the password.
The value provided for the new password does not meet the length, complexity, or history requirements of the domain”
certainly wasn’t coming from my Kerberos server. I also couldn’t find any messages being passed from Kerberos to the Server 2008 machine that would have triggered an error message from that end.
So, what was going on here? My passwords tend to be arbitrary six to twelve alphanumeric strings. These are not user-friendly passwords. There is no way, I thought, that they couldn’t meet any standard for passwords. It turns out I was wrong.
Server 2008 has its own requirements for passwords and they went beyond mine. To be exact, passwords must have at least three of the four following characteristics. They must include 1) English uppercase characters; 2) English lowercase characters; 3) Base 10 digits . and 4) ASCII Non-alphabetic characters, such as “!, $, #, %.”
My mistake? I almost never use uppercase letters in my passwords so, ‘zym56bif08′ wasn’t complicated enough. “Zym56bif08” was just fine.
Now, that I know this, thanks to rooting around TechNet, it makes sense. Still, I do wish that Microsoft had linked in an explanation of what was what with it in the installation routine so I wouldn’t have to had waste so much time simply setting up my first password. Guys, you really didn’t need to make it this hard.
3 responses so far ↓
1 Kristian // Jul 1, 2008 at 9:09 am
Oh well, these restrictions aren’t new. They are the same ones MS used as Policy since Server 2003 at least. In ADS that is.
2 sjvn // Jul 1, 2008 at 9:15 am
Server 2003 ADS SP 1 to be precise–I’ve been looking further into this. What is new, as far as I can tell, is that it’s the default even before you set up a password policy.
Switching topics slightly, one of the things I really like about Server 2008 is the fine degree of control it gives you over password policies. You could always pull this kind of stuff up in Unix/Linux, but it took work. Server 2008, by contrast, make this almost mindlessly simple.
Steven
3 ndamours // Jul 11, 2008 at 12:38 pm
Thanks for this post. I ran into the same problem. I never use uppercase in my passwords. You saved me time.