Including a specific word in an Active Directory password policy

Posted on 2010-01-05
Medium Priority
Last Modified: 2012-05-08

I have a query I was hoping someone can help with.  A recent audit on our IT environment suggested that we include the ability to reject a certain word if it was submitted as part of a domain password - does anyone know if this is able to be done?  

I argued that a strong password was security enough but was overruled by those who know better, so I need to know whether it can be done or whether I enforce the rule via a corporate policy.

Question by:kinda-clueless
LVL 57

Accepted Solution

Mike Kline earned 2000 total points
ID: 26178222
Who are those that know better? You can show your security folks the NSA and other top guidelines...ok sorry about the tangent. I agree with you.
...but no, you won't be able to exclude a certain word or phrase from the domain password policy from being used natively... can't do it with fine-grained passwords in Windows 2008 domains either.
If you want to do something like that, then a third-party tool like Specops is what you need to test out: http://www.specopssoft.com/web/specops-password-policy.aspx
LVL 74

Expert Comment

by:Glen Knight
ID: 26178224
You cannot do it natively with Active Directory; you may find 3rd-party tools out there that will, but not natively.

Author Comment

ID: 26178232

Thanks for the prompt assistance and confirmation of what I suspected the answer would be - when I front the board in February I will make sure I have the policy sorted so there is no comeback on me!

Nice tangent by the way, let's just say those that know better have no idea what is going on, but that's always the way, right?

Author Comment

ID: 26178236
Thanks Demazter, I appreciate the quick answer, if it can't be done natively with Active Directory then it's not a risk I am prepared to take.

LVL 57

Expert Comment

by:Mike Kline
ID: 26178257
Thanks, you may want to look at some of the guides I listed here
Some recommended password policy settings from some top security agencies are in those guides. Just some ammo for the board members that will be shooting bullets at you, I'm sure.

Author Comment

ID: 26178268
Thanks again Mike, I really appreciate the bullet proof vest!


Question has a verified solution.
