Discussion:
Password Policy
James Robertson
2010-03-03 23:28:01 UTC
I have complex password requirements enabled on the AD. The issue is that
if a user, for example, has a password of "Password1", with Microsoft AD all
they have to do in their next forced password change is change the password to
"Password2", and that is good enough for Microsoft. Can I force AD to make
sure that it will require a completely different password instead of a
variation of the previous one?
Florian Frommherz [MVP]
2010-03-04 07:19:10 UTC
Howdie!
Post by James Robertson
I have complex password requirements enabled on the AD. The issue is that
if a user, for example, has a password of "Password1", with Microsoft AD all
they have to do in their next forced password change is change the password to
"Password2", and that is good enough for Microsoft. Can I force AD to make
sure that it will require a completely different password instead of a
variation of the previous one?
Sorry, you can't. You'll have to rely on a third-party product that does
that. You can just define password complexity, length and min/max ages
-- but AD does not keep track of passwords, nor does it compare the old
password with the new one (which would be kind of troublesome, as the
actual plain text password isn't stored in AD anyway).

Cheers,
Florian
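The kind of old-versus-new comparison asked about above, sketched as an added example that is not part of the original thread and not AD's or any vendor's code. It assumes the checker sees both plaintext passwords at change time; the leetspeak map, the function names and the distance threshold are constructed for illustration.

```python
import re

# Constructed leetspeak map (assumption for this example, not a vendor rule set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def core(password: str) -> str:
    """Reduce a password to its root: drop leading/trailing digits and
    symbols, fold case, then undo common leetspeak substitutions."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    # If nothing is left (e.g. an all-digit password), compare the raw value.
    return (stripped or password).casefold().translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def is_variation(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is only a decorated or lightly edited form of `old`.
    min_distance is a hypothetical policy knob."""
    old_core, new_core = core(old), core(new)
    shorter, longer = sorted((old_core, new_core), key=len)
    # One root contained in the other: "Password1" -> "MyPassword2".
    if len(shorter) >= 4 and shorter in longer:
        return True
    # Otherwise require a minimum number of edits between the roots.
    return edit_distance(old_core, new_core) < min_distance

if __name__ == "__main__":
    # Constructed sample pairs.
    for old, new in [("Password1", "Password2"),
                     ("Password1", "P@ssw0rd!2024"),
                     ("Password1", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: variation={is_variation(old, new)}")
```
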
James Robertson
2010-03-04 21:30:02 UTC
Thanks for the reply. Do you have any recommendations to facilitate that
method?
Florian Frommherz [MVP]
2010-03-05 06:28:26 UTC
Howdie!
Post by James Robertson
Thanks for the reply. Do you have any recommendations to facilitate that
method?
You basically create a new Group Policy at the domain level and make your
changes there: Password Complexity, Maximum Password Age, and so on. Then,
looking at the GPMC, you need to make sure the new policy is listed at
the top (as #1).

Cheers,
Florian
