Getting started with Lithnet Password Protection - Part 3 - Rewarding password length over complexity

Password complexity requirements can be frustrating. It comes as no surprise that the current NIST guidelines recommend doing away with them altogether. There was no way I was getting approval to do that across the board in my organization, but I could make the case for having less stringent requirements on longer passwords.

Lithnet Password Protection for Active Directory (LPP) has a built-in policy to do exactly this. You can define up to 3 password-length thresholds, each with its own complexity requirements. In my organization, we still have the usual '3 out of 4' character set policy in place for passwords less than 13 characters in length. However, we decided that passwords over 13 characters would have no special requirements.

You'll need to determine what rules are appropriate for your organization. Use resources such as to help you gauge the relative strength of passwords based on length and character sets, and come to a decision that's right for you.

Once you've done that, setting up LPP to enforce this is straightforward. At this point I'll assume you've followed part 1 of the getting started guide, and have LPP installed and a group policy configured.

Firstly, set the minimum password length policy to the appropriate value. In my example, I'm setting 8 as the minimum length.

If you have this set in AD, you technically don't need to do so here, but having it set in LPP will mean you will get more meaningful rejection messages in your Active Directory event log and when using the LPP PowerShell cmdlets.

Now, turn on the Enable length-based complexity rules policy. Here you will find three thresholds to configure. You don't need to configure them all; leave the thresholds that you don't need blank. Each threshold level requires you to specify the password length that its settings apply to. Then you choose between requiring a certain number of character sets to be present, or requiring specific character sets to be present.

In the example shown below, I've specified that passwords of fewer than 13 characters must contain a lower case letter, an upper case letter, and either a number or a symbol.

For passwords 13 characters or greater, but less than 128 characters (the maximum AD password length), a single character set is all that is required.

I've excluded the third threshold level and left it blank, because I do not need it.

At this stage, you'll want to disable Active Directory's built-in complexity requirements policy. Otherwise your long passwords will still be rejected by AD for not being complex enough. Before you do, turn on the Reject passwords that contain the user's username policy, as well as the Reject passwords that contain the user's display name policy, in LPP. These two checks are part of AD's built-in complexity check, so disabling it means we need to check them ourselves.

Run gpupdate on the server with LPP installed. Now to confirm it all works, we can use the Get-PasswordFilterResult cmdlet.

Our "short" password is rejected with a LengthRequirementsNotMet error. Our "notcomplex" password, which was less than 13 characters long, was rejected with a ComplexityThresholdNotMet error. Our "longbutnotcomplex" password, greater than 13 characters, was approved. The attempts to use my username and part of my full name were rejected as expected.
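To make the evaluation order concrete, here is an added Python model of the policy configured above (minimum length 8, threshold 1 below 13 characters, threshold 2 from 13 up to 128, plus the username and display name rejections). It is not LPP's code: the rejection names for the username and display name checks, the sample account "jsmith" / "Jane Smith", and the rule that any whitespace-separated part of the display name counts as a match are assumptions of this model.

```python
# Added example: a model of the length-based complexity policy described in the post.
# Not LPP's implementation; values below are the ones the post configures.
MIN_LENGTH = 8      # "Minimum password length" policy value from the post
THRESHOLD_2 = 13    # first threshold ends, second begins (post: "13 or greater")
MAX_LENGTH = 128    # post: maximum AD password length; third threshold left blank


def char_sets(password):
    """Return the character sets present: lower, upper, digit, symbol."""
    present = set()
    for c in password:
        if c.islower():
            present.add("lower")
        elif c.isupper():
            present.add("upper")
        elif c.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return present


def evaluate(password, username, display_name):
    """Return 'Approved' or the rejection reason, checked in the order the post sets them up."""
    if len(password) < MIN_LENGTH:
        return "LengthRequirementsNotMet"            # error name quoted in the post
    lowered = password.lower()
    # The two checks that AD's built-in complexity rule used to perform.
    if username and username.lower() in lowered:
        return "ContainsUsername"                    # assumed name, not from the post
    for part in display_name.split():                # assumption: any name part matches
        if part and part.lower() in lowered:
            return "ContainsDisplayName"             # assumed name, not from the post
    present = char_sets(password)
    if len(password) < THRESHOLD_2:
        # Threshold 1: lower case, upper case, and either a digit or a symbol.
        if not ({"lower", "upper"} <= present and present & {"digit", "symbol"}):
            return "ComplexityThresholdNotMet"       # error name quoted in the post
    elif len(password) < MAX_LENGTH:
        # Threshold 2: a single character set is all that is required.
        if len(present) < 1:
            return "ComplexityThresholdNotMet"
    # 128+ characters fall outside the configured thresholds; no rule applies here.
    return "Approved"


if __name__ == "__main__":  # constructed sample account and the post's test passwords
    for pw in ["short", "notcomplex", "longbutnotcomplex", "jsmith2024xyz", "smithsonian!!"]:
        print(f"{pw!r}: {evaluate(pw, 'jsmith', 'Jane Smith')}")
```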

It's worth quickly covering the remaining LPP policy settings available to you. The first is a points-based complexity policy. This allows you to assign a minimum number of points a password must reach, and how those points are gained. The other settings allow you to specify regular expressions that a password must match, or must not match, to be approved.

That concludes this introductory series on getting started with Lithnet Password Protection for Active Directory.

Follow me on Twitter to keep up to date with the latest news and updates @RyanLNewington.

If you find any issues, or need some help, head on over to GitHub and log an issue.