schnibitz


windows AD password policies

All, one of the things I'm working on is trying to make our passwords have more finely grained control.  There is a passfilt dll hack that apparently works, but I haven't been able to get it working in a 2k3 environment, much less a 2k8 environment.  There are commercial plugins available as well, but there are per-user costs involved, which make it a tough nut to crack.  Active Directory doesn't really give you the option to (for instance) require symbols in passwords.  You can tell it to require symbols as one of the choices (3 out of 4), but you can craft a password that doesn't have a symbol in it.

There has to be a better way to accomplish what we're trying to do.  Just wondering how y'all have handled it?

Thanks,
-S
ASKER CERTIFIED SOLUTION
Mike Kline
IF you have 2008 server then you can indeed have "Fine grained Password Policies".

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
SOLUTION
@Neil
IF you have 2008 server then you can indeed have "Fine grained Password Policies".
Well, but even with PSOs, there is still no option to require passwords to be more complex than with 2003.
schnibitz

ASKER

@McKnife

Exactly.  What MS calls fine-grained is somewhat laughable to me.  This is good so far.  That adpassword filter looks HIGHLY interesting.  I'll test it out for sure.

-S
Yes, go and test. If you are looking for a large wordlist, take the trial from anixis and use theirs or download this one: http://www.openwall.com/wordlists/ - US$27.95, but you get a text file of more than 400 MB. Oops... the product does not even support checking against dictionaries while the older one does? That's weak.
Let me clarify

Both 2003 and 2008 only allow you to specify that password complexity is ON or OFF.
When it's ON, a new password is required to have three of the following four options
1. A lower case character
2. An upper case character
3. A number
4. A symbol, e.g. ($+!)

With 2003 you can't have multiple password policies within a domain - one policy applies to all. With 2008 you can implement fine grained password policies to apply different policies to different users (but you can't determine what rules govern a complex password).

If you want more flexibility you will have to use a 3rd party tool such as this one http://www.specopssoft.com/products/specops-password-policy
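To make the 3-of-4 point concrete, here is a small Python check added here (not code from any poster, from Microsoft, or from the adpasswordfilter project) that approximates the built-in complexity rule beside a stricter policy of the kind the thread is after. The minimum length and the required classes in strict_policy_ok are assumed policy values, and the sample passwords are constructed.

```python
import re
import string

# The four character classes the built-in AD "complexity" setting counts.
# (Windows also treats some other Unicode letters as a fifth class; omitted here.)
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_present(password):
    """Return the names of the character classes that occur in password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def ad_complexity_ok(password, sam_account_name="", display_name=""):
    """Approximation of the default AD rule: at least 3 of the 4 classes, and
    no occurrence of the account name (3+ chars) or of any display-name token
    of 3+ chars, compared case-insensitively."""
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return len(classes_present(password)) >= 3


def strict_policy_ok(password, min_length=12, required=("symbol", "digit")):
    """The finer-grained rule the thread wants: every class in `required`
    must be present (not merely 3 of 4), plus a minimum length.
    Assumed policy values; AD itself offers no such setting."""
    present = classes_present(password)
    return len(password) >= min_length and all(r in present for r in required)


if __name__ == "__main__":
    # Constructed sample: passes AD complexity (upper, lower, digit) with no symbol.
    for pw in ("Summer2024abc", "Summer2024abc!"):
        print(pw, "AD:", ad_complexity_ok(pw), "strict:", strict_policy_ok(pw))
```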
The chosen answer put me most on the right track.  The adpasswordfilter project did what we needed.  Best part is it's open source, so our devs can use it as a starting place to build something better.