DVation191

Password Policy - Group Policy

On our SBS2000 server we want to implement our own minimum password security requirements. I know that in group policy there is an option to enable "Passwords must meet complexity requirements". However enabling this only uses Microsoft's default method of what a strong password is. They define it as

* Not contain all or part of the user's account name
* Be at least six characters in length
* Contain characters from three of the following four categories:
   - English uppercase characters (A through Z)
   - English lowercase characters (a through z)
   - Base 10 digits (0 through 9)
   - Nonalphanumeric characters (e.g., !, $, #, %)


All we want is 8 characters minimum, alphanumeric. How do I make this happen from group policy?
 
 
luv2smile

You can set the min character length via group policy. So that you can have an 8 character min. while meeting the rest of the password complexity requirements. As far as I know, that is the only thing you can do via GPOs. You can only change what options Group Policy gives you.
DVation191

ASKER

I have found instructions for customizing the password policy in 2003 server, I'm sure there is a way to do it in 2000 server as well.
I have found that the password policy can be modified by editing the Passfilt.dll file. I found this information on Microsoft's website, however I can't find out where to find and/or get the .dll nor can I find instructions on how to modify the .dll to reflect the changes I want to make. Help!
don't need to edit passfilt.dll

luv2smile has the GPO info

Rich
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
So you're saying it's Microsoft's default or nothing? I can't modify the password filter at all?
Unless I am missing the point here, just define minimum password length to 8 and leave complexity undefined.

This will allow passwords 8 or more chars. and will allow alphanumeric (and other chars).

If you want to allow ONLY alphanumeric characters, then you have a problem. Both in implementation and password strength.

Regards
Bel
Yes I think the point is being missed.

Setting the 8 character minimum is fine, that's one part of what I want to have happen.

However I also want to require both letters and numbers as well.
   - If I disable complexity, they can use all letters, all numbers or whatever they want...which is NOT what I want...I want them to be required to use both, and have it enforced via group policy

   - If I enable complexity, it goes too far. It would require a lowercase, uppercase and number, or a lowercase number and symbol. That is more than what I want to require.


 I need a middle ground. So I want to know how to create a custom password filter. I see that phrase referenced around the net but never seen any guides on how to accomplish it.
As I said: Microsoft offers no "middle ground"; that leaves you with three possibilities:
* You use Microsoft's preconfigured passfilt.dll, including all the passwords settings MS defines as secure.
* You write your own passfilt.dll with the password settings that you want (yes, that means actual programming; you can find an example at the second link above). There is no easy "drag'n'drop" solution available (that I'm aware of) that allows you to create your own passfilt.dll.
* You use a third-party product like the Password Policy Enforcer to verify that your passwords meet your requirements.
If you don't want the first approach, and you don't have a programmer at hand, the solution that's easiest to handle is certainly the last one. This allows you to create your own password policy using a GUI. (No, I don't work for Anixis, but I've used the PPE.)
I apologize, I seem to have missed your second link that describes how to edit the passfilt.dll.
That's what I was looking for...thank you.
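
As an added example (not code from this thread or from the Microsoft sample it links to): a minimal custom password filter in C that enforces the policy the asker describes, at least 8 characters containing both a letter and a digit. `meets_policy` and `MIN_PASSWORD_CHARS` are hypothetical names; the three exports are the standard LSA password-filter entry points and are compiled only on Windows.

```c
/* Added example: "8+ characters, at least one letter and one digit". */
#include <stddef.h>
#include <stdint.h>

#define MIN_PASSWORD_CHARS 8   /* the asker's stated minimum (hypothetical name) */

/* Check a UTF-16 password of `len` code units (not NUL-terminated).
   Returns 1 if it satisfies the policy, 0 otherwise. Only ASCII letters and
   digits count toward the two required classes; other characters are
   permitted but satisfy neither requirement. */
int meets_policy(const uint16_t *pw, size_t len)
{
    int has_letter = 0, has_digit = 0;
    if (pw == NULL || len < MIN_PASSWORD_CHARS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        uint16_t c = pw[i];
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
            has_letter = 1;
        else if (c >= '0' && c <= '9')
            has_digit = 1;
    }
    return has_letter && has_digit;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* LSA loads the DLL and calls these exports once the DLL's name is listed
   in the LSA "Notification Packages" registry value. */
__declspec(dllexport) BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

__declspec(dllexport) NTSTATUS NTAPI PasswordChangeNotify(
    PUNICODE_STRING user, ULONG rid, PUNICODE_STRING newpw)
{
    (void)user; (void)rid; (void)newpw;   /* nothing is stored or logged */
    return 0;                              /* STATUS_SUCCESS */
}

__declspec(dllexport) BOOLEAN NTAPI PasswordFilter(
    PUNICODE_STRING account, PUNICODE_STRING fullname,
    PUNICODE_STRING password, BOOLEAN set_operation)
{
    (void)account; (void)fullname; (void)set_operation;
    /* UNICODE_STRING.Length is in bytes, so halve it for UTF-16 units. */
    return meets_policy((const uint16_t *)password->Buffer,
                        password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}
#endif
```

On a 32-bit build, export the three functions under their undecorated names with a .def file, since `__stdcall` otherwise decorates them. The filter runs inside the LSA process, so it should never write the password to disk or a log.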