Freeware or password filter to enforce 4 chars type password etc

Local Windows security policy as well as GPO, when "password complexity" is enabled only
enforces 3 char types but we want 4 char types.

Without buying any 3rd party tools, I heard we can use Password Filter but upon reading MS sites,
the instructions are not clear. Care to give more step-by-step instructions?

Is there any freeware to do this that can give us good reporting of both local accounts as well
as AD accounts (both in our Prod & Development) that
 a) did not meet the 4 chars types
 b) did not expire every 60 days
 c) has been dormant (not logged in) for last 30 days
Asked by: sunhux

Shaun Vermaak, Technical Specialist/Developer, commented:
a) did not meet the 4 chars types
Use 12 characters as per CIS, or nFront etc. have 3rd-party tools, but these are not free. I have seen and tested open-source ones but only recommend these if you have development skills.
b) did not expire every 60 days
Simple PowerShell query
# List enabled users whose passwords can expire, together with the computed expiry date
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


https://blogs.technet.microsoft.com/poshchap/2014/02/21/one-liner-get-a-list-of-ad-users-password-expiry-dates/

c) has been dormant (not logged in) for last 30 days
My ADCleanup can get a list and/or automatically clean up users and/or computer accounts
https://www.experts-exchange.com/articles/30820/Active-Directory-Cleanup-Tool-ADCleanup.html
1
 
Adam Brown, Sr Solutions Architect, commented:
I don't currently have the time I need to research this, but I want to point out that implementing password policies that require greater complexity using multiple character types is not recommended at this point. The best practice recommendation is to use passwords that are longer, but with less complexity. Having a minimum character count of 12-14 characters without complexity will give passwords that are significantly more secure than a shorter password with special characters included.
1
 
McKnife commented:
Sunhux, please consider: why would Microsoft not enable you to enforce all 4? Could there be a reason for it?
There is a reason: if an attacker knows this requirement, he could brute-force the password more easily. Sounds odd, but it is true. The number of possible passwords (the "keyspace") that match all 4 categories is smaller than the number of passwords that match at least 3 out of 4.

Please take this as a reference: http://openwall.info/wiki/john/policy (read it closely).
So it wouldn't be a wise choice, at least not if you don't plan to require a length below 10 (that's my estimation - do the math for yourself).

I would rather advise you to establish a process that makes sure no dictionary words are being used, no keyboard patterns are used and obvious things like 2018 or the company name are forbidden inside passwords. That however will very probably require a 3rd party software that can also fulfill any other requirement, like your special character requirement (if you still want it).

I recommend Anixis password policy enforcer - I think their prices are reasonable.
2
Question has a verified solution.
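
The keyspace comparison in McKnife's answer, worked through as an added example that is not part of the original thread: the script counts by inclusion-exclusion how many passwords of a given length satisfy "all 4 character types" versus "at least 3 of 4". The 95-character printable-ASCII alphabet and its 26/26/10/33 class split are assumptions made for the calculation.

```python
from itertools import combinations
from math import log2

# Assumed alphabet: 95 printable ASCII characters split into four classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_using_all(required, length):
    """Strings built only from the `required` classes, each class used at least once."""
    sizes = [CLASSES[name] for name in required]
    total = 0
    # Inclusion-exclusion over which of the required classes are absent.
    for k in range(len(sizes) + 1):
        for absent in combinations(sizes, k):
            total += (-1) ** k * (sum(sizes) - sum(absent)) ** length
    return total


def keyspace_all_four(length):
    """Passwords that contain all four character types."""
    return count_using_all(tuple(CLASSES), length)


def keyspace_three_of_four(length):
    """Passwords with at least three types: all four, or exactly three."""
    exactly_three = sum(
        count_using_all(trio, length) for trio in combinations(CLASSES, 3)
    )
    return keyspace_all_four(length) + exactly_three


def report(lengths=(8, 10, 12, 14)):
    """Rows of (length, bits under all-4, bits under 3-of-4, all-4 share of 3-of-4)."""
    rows = []
    for n in lengths:
        four, three = keyspace_all_four(n), keyspace_three_of_four(n)
        rows.append((n, log2(four), log2(three), four / three))
    return rows


if __name__ == "__main__":
    for n, bits4, bits3, ratio in report():
        print(f"len {n:2}: all-4 {bits4:5.1f} bits, 3-of-4 {bits3:5.1f} bits, "
              f"all-4 is {ratio:.0%} of 3-of-4")
```

Comparing the rows across lengths shows how much of the 3-of-4 keyspace the stricter rule keeps at each length, which is the calculation McKnife suggests doing before choosing a policy.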