Password Policy - Group Policy

On our SBS2000 server we want to implement our own minimum password security requirements. I know that in group policy there is an option to enable "Passwords must meet complexity requirements". However enabling this only uses Microsoft's default method of what a strong password is. They define it as

Not contain all or part of the user's account name
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Nonalphanumeric characters (e.g., !, $, #, %)


All we want is 8 characters minimum, alphanumeric. How do I make this happen from group policy?
 
 
LVL 20
DVation191Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

luv2smileCommented:
You can set the min character length via group policy. So that you can have an 8 character min. while meeting the rest of the password complexity requirements. As far as I know, that is the only thing you can do via GPOs. YOu can only change what options Group Policy gives you.
0
DVation191Author Commented:
I have found instructions for customizing the password policy in 2003 server, I'm sure there is a way to do it in 2000 server as well.
0
DVation191Author Commented:
I have found that the password policy can be modified by editing the Passfilt.dll file. I found this information on microsoft's website, however I can't find out where to find and/or get the .dll nor can I find instructions on how to modify the .dll to reflect the changes I want to make. Help!
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

dreamcomputer2000Commented:
don't need to edit passfilt.dll

luv2smile has the GPO info

Rich
0
oBdACommented:
You'll have to write your own passfilt.dll and compile it. For an approach that's a bit easier to handle (and which will allow you to apply policies on group level instead of domain level only), have a look at Anixis' Password Policy Enforcer.

Password Policy Enforcer: Overview
http://www.anixis.com/products/ppe/default.htm

How To Password Change Filtering & Notification in Windows NT
http://support.microsoft.com/?kbid=151082
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DVation191Author Commented:
So you're saying it's Microsoft's default or nothing? I can't modify the password filter at all?
0
BeldoranCommented:
Unless I am missing the point here, just define minimum password length to 8 and leave complexity undefined.

This will allow passwords 8 or more chars. and will allow alphanumeric (and other chars).

If you want to allow ONLY alphanumeric characters, then you have a problem. Both in implementation and password strength.

Regards
Bel
0
DVation191Author Commented:
Yes I think the point is being missed.

Setting the 8 character minimum is fine, that's one part of what I want to have happen.

However I also want to require both letters and numbers as well.
   - If I disable complexity, they can use all letters, all numbers or whatever they want...which is NOT what I want...I want them to be required to use both, and have it enfoced via group policy

   - If I enable complexity, it goes too far. It would require a lowercase, uppercase and number, or a lowercase number and symbol. That is more than what I want to require.


 I need a middle ground. So I want to know how to create a custom password filter. I see that phrase referenced around the net but never seen any guides on how to accomplish it.
0
oBdACommented:
As I said: Microsoft offers no "middle ground"; that leaves you with three possibilities:
* You use Microsoft's preconfigured passfilt.dll, including all the passwords settings MS defines as secure.
* You write your own passfilt.dll with the password settings that you want (yes, that means actual programming; you can find an example at the second link above). There is no easy "drag'n'drop" solution available (that I'm aware of) that allows you to create your own passfilt.dll.
* You use a third-party product like the Password Policy Enforcer to verify that your passwords meet your requirements.
If you don't want the first approach, and you don't have a programmer at hand, the solution that's easiest to handle is certainly the last one. This allows you to create your own password policy using a GUI. (No, I don't work for Anixis, but I've used the PPE.)
0
DVation191Author Commented:
I appoligize, I seem to have missed your second link that describes how to edit the passfilt.dll.
That's what I was looking for...thank you.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.