Password is not compliant with the System Password Complexity policy


If the administrator generates a password for a user through the Add User Wizard, it may not meet the requirements that are set by the System Password Complexity policy but it may be accepted anyway. The same behavior can occur if the administrator attempts to specify the password for a user.


This behavior occurs because the password is not compliant with the System Password Complexity policy. The Passfilt.dll file implements the following password policy:

  • Passwords must be at least six characters long.
  • Passwords may not contain your SAM account name when it is three or more characters in length or any full "token" in your display name that is also three or more characters in length. For example: If your SAM account name is etiennej and your display name is Jacques, Etienne P., there will be three blocked "tokens": etiennej, Jacques and Etienne. The middle initial is less than three characters and is therefore not considered a "token". Subsets like etiennej1 and Jacque12$ will not be blocked.
  • Passwords must contain characters from at least three of the following four classes:
    English upper case lettersA, B, C, ... Z
    English lower case lettersa, b, c, ... z
    Westernized Arabic numerals0, 1, 2, ... 9
    Non-alphanumeric ("special characters")Punctuation marks and other symbols
These requirements are hard-coded in the Passfilt.dll file and cannot be changed through the user interface or registry. If you want to change these requirements, you must write your own .dll and implement it in the same way as the Microsoft version that is available with Windows NT 4.0 Service Pack 2.


To work around this behavior, as the administrator, when you use the Add User Wizard, select the I will specify user's password option, and then type in a password that meets the System Password Complexity policy requirements.


Artikelnummer: 279890 – Letzte Überarbeitung: 30.10.2006 – Revision: 1