Account Policy on New User Not Enforced

• Microsoft Windows NT operating system version 3.1
• Microsoft Windows NT Advanced Server version 3.1

SYMPTOMS

Windows NT and Windows NT Advanced Server do not enforce account policy of minimum password length restriction to new users created from the User Manager. The behavior is different in Windows NT and Windows NT Advanced Server as follows:

If the account policy is made so that the minimum password length must be at least five characters:

• On a Windows NT Advanced Server machine:

      - If a new user is created from the User Manager for domains with just
        the option of "User Must Change Password at Next Logon," any password
        of fewer than five characters is accepted. The user can logon with
        this invalid password and the subsequent password follows the account
        policy and prompts if the password length is less than five
        characters.
  

      - If the new user is created with the remaining options of Password
        Never Expires or Password Cannot Be Changed, the account policy is
        enforced by prompting for a password of at least five characters.
  

• On a Windows NT machine, a user can be created from User Manager with any of the following options and it accepts a password with fewer characters than the minimum password length, thereby not following the account policy:

      - "User Must Change Password at Next Logon"
      - Password Never Expires
      - Password Cannot Be Changed
  

STATUS

Microsoft has confirmed this to be a problem in Windows NT and Windows NT Advanced Server version 3.1. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.