Freeware or password filter to enforce 4 chars type password etc

Local Windows security policy as well as GPO, when "password complexity" is enabled, only
enforces 3 char types but we want 4 char types.

Without buying any 3rd party tools, I heard we can use Password Filter but upon reading MS sites,
the instructions are not clear.  Care to give more step-by-step instructions?

Is there any freeware to do this that can give us good reporting of both local accounts as well
as AD accounts (both in our Prod & Development) that
 a) did not meet the 4 chars types
 b) did not expire every 60 days
 c) has been dormant (not logged in) for last 30 days
sunhux Asked:

Adam Brown, Sr Solutions Architect, Commented:
I don't currently have the time I need to research this, but I want to point out that implementing password policies that require greater complexity using multiple character types is not recommended at this point. The best practice recommendation is to use passwords that are longer, but with less complexity. Having a minimum character count of 12-14 characters without complexity will give passwords that are significantly more secure than a shorter password with special characters included.
1
Shaun Vermaak, Technical Specialist IV, Commented:
a) did not meet the 4 chars types
Use 12 characters as per CIS, or nFront etc. has 3rd-party tools, but these are not free. I have seen and tested open-source ones but only recommend these if you have development skills.
b) did not expire every 60 days
Simple PowerShell query
# Enabled users whose passwords can expire, with the computed expiry date
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

https://blogs.technet.microsoft.com/poshchap/2014/02/21/one-liner-get-a-list-of-ad-users-password-expiry-dates/

c) has been dormant (not logged in) for last 30 days
My ADCleanup can get a list and/or automatically clean up users and/or computer accounts
https://www.experts-exchange.com/articles/30820/Active-Directory-Cleanup-Tool-ADCleanup.html
1

McKnife Commented:
Sunhux, please consider: why would Microsoft not enable you to enforce all 4? Could there be a reason for it?
There is a reason: if an attacker knows this requirement, he could brute force the password more easily. Sounds odd, but it is true. The number of possible passwords (the "keyspace") that match all 4 categories is smaller than the number of passwords that match at least 3 out of 4.

Please take this as a reference: http://openwall.info/wiki/john/policy (read it closely).
So it wouldn't be a wise choice, at least not if you don't plan to require a length below 10 (that's my estimation - do the math for yourself).

I would rather advise you to establish a process that makes sure no dictionary words are being used, no keyboard patterns are used and obvious things like 2018 or the company name are forbidden inside passwords. That however will very probably require a 3rd party software that can also fulfill any other requirement, like your special character requirement (if you still want it).

I recommend Anixis password policy enforcer - I think their prices are reasonable.
2
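
The keyspace comparison raised in the answer above, as an added example that is not part of any post in this thread: it counts exactly, by inclusion-exclusion, how many passwords of a given length satisfy "at least 3 of 4 character types" versus "all 4 types". The class sizes (printable ASCII: 26 lowercase, 26 uppercase, 10 digits, 33 symbols) and all function names are assumptions; the real Windows complexity rule has further conditions that are not modeled here.

```python
from itertools import combinations

# Assumed class sizes over printable ASCII (95 characters); the thread gives no numbers.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_exact(length, present, sizes=CLASSES):
    """Passwords of `length` using every class in `present` and no other class.

    Inclusion-exclusion over which of the `present` classes are left out.
    """
    present = list(present)
    total = 0
    for k in range(len(present) + 1):
        for missing in combinations(present, k):
            alphabet = sum(sizes[c] for c in present if c not in missing)
            total += (-1) ** k * alphabet ** length
    return total


def keyspace(length, min_classes, sizes=CLASSES):
    """Passwords of `length` containing at least `min_classes` character classes."""
    names = list(sizes)
    return sum(
        count_exact(length, subset, sizes)
        for r in range(min_classes, len(names) + 1)
        for subset in combinations(names, r)
    )


def policy_table(lengths=(8, 10, 12, 14)):
    """Rows of (length, unrestricted, at-least-3, all-4, all-4 share of at-least-3)."""
    rows = []
    for n in lengths:
        free, three, four = keyspace(n, 0), keyspace(n, 3), keyspace(n, 4)
        rows.append((n, free, three, four, four / three))
    return rows


if __name__ == "__main__":
    for n, free, three, four, share in policy_table():
        print(f"len={n:2d} any={free:.3e} >=3={three:.3e} "
              f"all4={four:.3e} all4/>=3={share:.1%}")
```

Each row shows what a policy costs in candidates an attacker who knows the policy can skip: the gap between the unrestricted count and the "at least 3" count, and the further gap down to "all 4".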