AD password complexity group policy

I'm running domain level 2012 R2.
I would like to be able to specify the following for domain users' passwords:
stop users using passwords like "Laptop 1" or "company name 1"
at least 2 uppercase, etc.
The group policy complexity setting does not cover these.
How can I do this?
dougdog asked:
btan (Exec Consultant) commented:
You will want to check out fine-grained password policies (FGPP), which you can apply to specific users and security groups; 2012 already supports them at the GUI level, compared to the past when you had to use ADSI etc. See this:
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-fine-grained-password-policies.html

Also, I do recommend passphrases; see the EE article on choosing a strong passphrase. The mentioned level of complexity should also be possible if we consider what is stated in the MS link:
Passwords must contain characters from three of the following five categories:
◦ Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
◦ Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
◦ Base 10 digits (0 through 9)
◦ Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
◦ Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx

Overall, we need to avoid going overboard with complexity and set a baseline.
So you may wish to consider the combination below:
 Set the minimum length to 16 or higher - Increases the work time for an attacker to break it.
 Require a minimum of 1 number and 1 special character - Increases difficulty.
 Require upper and lower case - Increases difficulty.
 Enforce password history; make it 10 or 12. - Cuts down on the poor user "reuse" habit.
 Enforce minimum password age. - Around several days, to deter users from recycling passwords.
 Set account lockout after 3 failed attempts. - Have a baseline for lockout duration and reset time.
McKnife commented:
The built-in policies cannot help here, since their complexity checks are too loose.
They don't do similarity or dictionary checks, nor do they do keyboard pattern checks, so even if you turn on complexity and require 10 characters, a password like "BugsBunny!" beats that :(
Consider buying http://anixis.com/products/ppe/ ; it can enforce better policies and is reasonably priced.
Cliff Galiher commented:
Unfortunately, fine-grained password policies won't help here. The only way to get what you want here is 3rd-party software that checks the password pre-hash.
btan (Exec Consultant) commented:
Looks like more work than what MS stated. I meant that the depth required can be covered through a password filter DLL, which is another nice way to implement custom requirements for passwords. There is this filter DLL that is hooked so you can override it with your needs, but it looks like if you want to avoid development then a vendor-supplied one is the way forward.
https://msdn.microsoft.com/en-us/library/ms721878.aspx

Then, to add on, nFront is another good candidate; see how it compares to the existing DLL of the Windows default.
http://nfrontsecurity.com/products/nfront-password-filter/nFrontPasswordFilterVSWindows2008.php
dougdog (Author) commented:
We have used Anixis before, but need something that works alongside our password reset tool.
arnold commented:
The password complexity can be set to a combination of three out of five: one capital, one lower, one numeric, one symbol, and the length of the password longer than X.
You would need to use third-party tools, as mentioned, to add validation/a mask to the password changing mechanism.

Make it clear to the users that weak passwords, when compromised, reflect on them, as it was their account that was used, and .........
McKnife commented:
"need something that works alongside our password reset tool" - could you please explain what your password reset tool has to do with the password policies? Password reset tools should not be able to circumvent the policies that anixis enforces, or was it?
harold mcmullen (network tech) commented:
From GP: "Computer Configuration" > "Windows Settings" > "Security" > "Account Policies" > "Password Policy"

Right-click on "Password must meet complexity requirements":

This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements:
 Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
 Be at least six characters in length
 Contain characters from three of the following four categories:
  English uppercase characters (A through Z)
  English lowercase characters (a through z)
  Base 10 digits (0 through 9)
  Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
Default:
 Enabled on domain controllers.
 Disabled on stand-alone servers.
dougdog (Author) commented:
When users reset their password, it needs to be reset according to the company policy.
So if I have Anixis Password Policy Enforcer set up to force users to use 4 uppercase etc., and the user uses the password reset tool, which is unable to work with the Anixis enforcer, it will not be able to enforce the 4 uppercase etc.
dougdog (Author) commented:
McKnife is correct here; the built-in Windows policy will not enforce this, as it is too basic.
Anixis will, but it will not work when a user resets their password.
McKnife commented:
@dougdog: users cannot reset their passwords. Reset = change without confirming the old pw. Only admins may do that. The Anixis software (we run it) has an option to enforce itself even when admins reset.

btan (Exec Consultant) commented:
You may want to check out nFront Security, as I shared in my previous post. Here is a glimpse of another of its examples: http://nfrontsecurity.com/products/nfront-web-password-change/
dougdog (Author) commented:
I mean a self-service password reset portal.
btan (Exec Consultant) commented:
Handle it in the code for the portal. nFront Security is a web form, though.
arnold commented:
Self-service should mean, as btan pointed out, that you can enforce the password complexity requirement at the time of submission: validate on input in the portal when it is used.
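As an added example (not code from the thread, Microsoft, Anixis or nFront): a Python version of the kind of validator a self-service portal could run on input, as arnold suggests. It approximates the built-in "Password must meet complexity requirements" rule quoted above and adds the checks McKnife says the built-in policy lacks: a minimum count of uppercase letters, a blocklist that still catches "Laptop 1"-style words after trailing digits and l33t substitutions are stripped, and keyboard-walk patterns. BLOCKED_WORDS, the account name and the sample passwords are constructed for the example; the thresholds (12 characters, 2 uppercase) are assumptions, not values from the thread.

```python
import re
from typing import List, Optional

# Constructed blocklist for the example (assumption, not from the thread): company
# terms and dictionary words the built-in Windows complexity rule knows nothing about.
BLOCKED_WORDS = {"laptop", "company", "contoso", "password", "welcome", "bugsbunny"}

# Keyboard rows used to catch walks such as "qwerty", "asdf" or "1234".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Substitutions users make to sneak a dictionary word past a blocklist ("P4ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def builtin_complexity(pw: str, account_name: str, full_name: str) -> List[str]:
    """Approximation of 'Password must meet complexity requirements' as quoted in
    the thread: at least 6 characters, 3 of 4 character classes, no account name,
    and no full-name token longer than two characters. Returns failure reasons."""
    failures = []
    if len(pw) < 6:
        failures.append("shorter than 6 characters")
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        failures.append("fewer than 3 of 4 character classes")
    low = pw.lower()
    if account_name and account_name.lower() in low:
        failures.append("contains the account name")
    # Windows splits the full name on these delimiters and checks each token > 2 chars.
    for token in re.split(r"[,.\-_ #\t]+", full_name):
        if len(token) > 2 and token.lower() in low:
            failures.append(f"contains part of the full name ({token})")
    return failures


def keyboard_walk(pw: str, length: int = 4) -> Optional[str]:
    """Return the first keyboard-row run of `length` keys (either direction) found in pw."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seq = row[i:i + length]
            if seq in low or seq[::-1] in low:
                return seq
    return None


def blocked_word(pw: str) -> Optional[str]:
    """Return a blocklisted word found in pw once digits/symbols are stripped,
    checked with and without l33t substitutions so 'Laptop 1' and 'L4ptop' both match."""
    plain = re.sub(r"[^a-z]", "", pw.lower())
    leet = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for word in sorted(BLOCKED_WORDS):
        if word in plain or word in leet:
            return word
    return None


def custom_rules(pw: str, min_length: int = 12, min_upper: int = 2) -> List[str]:
    """The checks the built-in policy cannot express (thresholds are assumptions)."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if sum(c.isupper() for c in pw) < min_upper:
        failures.append(f"fewer than {min_upper} uppercase letters")
    word = blocked_word(pw)
    if word:
        failures.append(f"contains blocked word '{word}'")
    walk = keyboard_walk(pw)
    if walk:
        failures.append(f"contains keyboard pattern '{walk}'")
    return failures


def check_password(pw: str, account_name: str, full_name: str) -> List[str]:
    """Run both rule sets; an empty list means the password is accepted."""
    return builtin_complexity(pw, account_name, full_name) + custom_rules(pw)


if __name__ == "__main__":
    # Constructed sample inputs: the two from the question, one keyboard walk,
    # one containing the account name, and one that passes everything.
    for candidate in ["Laptop 1", "BugsBunny!", "Qwerty123!A",
                      "DougDog#2024xyz", "Tr0ub4dor&3Horse!"]:
        print(f"{candidate!r}: {check_password(candidate, 'dougdog', 'Doug Dog') or 'accepted'}")
```

"Laptop 1" and "BugsBunny!" both pass builtin_complexity and are rejected only by custom_rules, which is the gap McKnife describes. A portal-side check only covers changes made through the portal: a user pressing Ctrl+Alt+Del or an admin resetting in Active Directory Users and Computers bypasses it, which is why the password filter DLL or vendor product recommended earlier in the thread is still needed on the domain controllers.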