List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Custom Password Complexity
bwatson

Posts:39

01/25/2008 1:29 PM  
Is there any way to customize the password complexity rules? For
instance, let's say I wanted to enforce password complexity in such a
manner that requires a lower case letter, upper case letter, and number
but not require a special character.



Anything coming in Windows 2008 that might provide this functionality if
2003 R2 doesn't at all?



Thanks,

~Ben


listmail

Posts:494

01/25/2008 1:34 PM  
You have to write a password filter. This is fully documented in MSDN. Note
that this is not a trivial thing though it appears to be. It requires a good
C++ Windows coder or else you are likely to cause instability or insecurity.

Nothing in K8 to help with this though last MVP summit you can bet we were
pointing this out as a logical extension to the new PSO stuff.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



bwatson

Posts:39

01/25/2008 1:44 PM  
Gotcha, thanks for the response Joe.



We do have a good programmer in our IT department that is onboard to
handle these sorts of things. We'll definitely look into it.



Thanks,

~Ben



bdesmond

Posts:414

01/25/2008 2:00 PM  
One thing is you want a really good programmer to do this. These filters run in LSA and if you muck the wrong thing up you can easily start crashing all your DCs.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

listmail

Posts:494

01/25/2008 2:55 PM  
Yep exactly.

Oh and I didn't say it before, but it can't be .NET, this is real live
regular unmanaged C/C++. Whatever libraries you use etc. you should be very
aware of because it is a horrible place to leak memory and have other
instabilities.

Also a key point is to follow KISS as closely as possible. The simpler, the
less chance you will hurt yourself.

Also test test test test. I have seen professional password filters cause
DCs to go belly up with BSODs at the drop of a hat and those are
"supposedly" written by professional systems coders.

For folks who fear to tread here, consider pushing all password changes
through a web interface and then just do the rules there, much less chance
for failure however you have to remove everyone's right to change their own
password.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
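
The kind of filter discussed in this thread, reduced to the rule Ben asks for (lower case, upper case and a digit, no special character required), as an added example that is not code from any poster or from the MSDN sample. The three exports are the ones documented for password filter DLLs; `meets_policy` is a hypothetical helper, and counting only ASCII letters and digits is an assumption.

```c
/* Added example: rule check for an LSA password filter DLL. */
#include <stddef.h>
#include <stdint.h>

/* Portable core, kept deliberately small: no allocation, no library calls,
   no copy of the password. buf holds UTF-16 code units and is NOT
   NUL-terminated; byte_len is in BYTES, like UNICODE_STRING.Length. */
int meets_policy(const uint16_t *buf, size_t byte_len)
{
    int lower = 0, upper = 0, digit = 0;
    size_t n, i;

    if (buf == NULL)
        return 0;
    n = byte_len / sizeof(uint16_t);   /* never scan past Length */
    for (i = 0; i < n; i++) {
        uint16_t c = buf[i];
        if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= '0' && c <= '9') digit = 1;
    }
    return lower && upper && digit;    /* special characters are optional */
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* Exports LSA looks up in the DLL (export them undecorated, e.g. via a .def file). */
BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                             PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    if (Password == NULL)
        return FALSE;
    return meets_policy((const uint16_t *)Password->Buffer, Password->Length) ? TRUE : FALSE;
}

NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                    PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS; the new password is neither logged nor stored */
}
#endif
```

LSA loads the DLL only once its name is listed in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and the machine has been restarted, so exercise it on a test DC first.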





FreddyHARTONO

Posts:19

01/27/2008 11:23 AM  
3rd Party?



Avatier, Specopssoft etc.





blucas

Posts:2

01/27/2008 9:33 PM  
Ben, take a look at www.anixis.com. We use it in a large 2003 domain.
Works great, small footprint, reasonable price, good support.



Bryan Lucas

Director of Technical Services

Texas Christian University




