Solved

Meeting Password Complexity Requirements on a Workstation Computer

Posted on 2004-09-04
2
335 Views
Last Modified: 2010-04-19
I'm running a Windows Server 2003 AD Environment with five workstations and one server.  For security we use the built-in password requirments including:
 - User must change password every 90 days
 - Password must be at least 7 characters long
 - Password cannot have been used within last 12 passwords
 - Password must contain 3 of the follwing four items:
  * Uppercase English characters
  * Lowercase English characters
  * Numbers
  * Punctuation
 - Password cannot contain user name/full name

The problem is, when it comes time for a user to change their password, they can't.  Any password chosen, regardless of whether it meets the complexity requirements, is denied.  This only happens at a client workstation.  I can set the password to ANYthing valid on the server.

When I try to change the password on the workstation, I recieve the error:
 Your password must be at least 7 characters; cannot repeat any of your previous 12 passwords; must contain capitals, numberals or punctuation; and cannot contain account or full name.  Please type a different password.  Type password which meets these requirements in both text boxes.
0
Comment
Question by:lordcelerborn
2 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 11981757
Does it let you change the password at all?
For example if you entered something like

!2S%d5zx

Does it let you change it?

What about (just in case you have made an error)

!QWE?-123lkj

(Which is three punctuation, three upper, three lower and three numbers).

You need to verify whether it is a general problem with changing password or just complexity requirements.

I will say that those requirements are quite tough - even I am not that mean to my users.
Password complexity is a difficult business. Make it too easy and compromised accounts could cause a problem. Make it too tough and you have no security as users will write them down on post it notes.

Simon.
0
 

Author Comment

by:lordcelerborn
ID: 11982110
Well, thanks to Simon's reccomendation to check that Complexity Requirements was the ONLY factor, I noticed a minimum password age of 89 days (compared to the maximum age of 90), giving users a one day password change window.

Now that I changed it, the passwords are working fine.  As far as the "harshness" of my password requirements, I partially agree.  Unfortunately, you cannot adjust the complexity requirements (the part which requires three of the four character types).  Personally I would only want two, but 2003 Server doesn't let you change it.

Thanks,
Mike
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now