Password complexity GPO

    Question

  • Hello all,

    My client wants me to modify the password complexity GPO on a Windows 2003 domain.

    I know this is not possible. You can either activate or deactivate it, but you can't modify the default settings since it's defined by Microsoft.

    Is there a third party software that can modify these settings ???

    Thursday, August 04, 2011 8:14 AM


All replies

  • What exactly do you want to modify on Password Complexity? You can modify the password policy requirements according to your organizational needs.

    The security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.

     

    Here is where you can make the changes to the password policy.

    • Enforce Password History - 0 to 24 Passwords - This setting determines the number of old passwords to remember before a user can re-use a password. This policy allows an administrator to ensure that old passwords are not reused continually. The default is 24.
    • Maximum Password Age - 0 to 998 days - This setting determines the number of days that a password can be used before the user is required to change it. The default is 42 but anywhere from 30 to 60 days is a recommended setting.
    • Minimum Password Age - 0 to 998 days - This security setting determines the number of days that a password must be used before the user is allowed to change it. This must be less than the Maximum Password Age. A setting of 1 less than the maximum password age is recommended. This combined with Enforce Password History will prevent users from changing back to their old password the next day.
    • Minimum Password Length - 1 to 14 characters - This setting determines the least number of characters that a user password must use. 7 or higher is recommended.
    • Password Must Meet Complexity Requirements - This setting, when enabled, determines whether passwords must meet complexity requirements. Enabling this is highly recommended. Complexity Requirements are as follows:
        - Cannot contain all or part of the username
        - Must be at least 6 characters long
        - Contain 3 of the 4 following character groups:
            - A to Z
            - a to z
            - 0 to 9
            - Special Characters i.e. ! ^ $ *
    • Store Passwords Using Reversible Encryption - This setting, when enabled, determines whether the operating system stores passwords using reversible encryption. Storing passwords using reversible encryption is virtually the same as storing them in plain text, as the encryption can be removed. It is NOT recommended to enable this except in extreme instances where it is absolutely required.

     

    More info on how to modify password settings:

    Apply or modify password policy

    http://technet.microsoft.com/en-us/library/cc781633%28WS.10%29.aspx

    Passwords must meet complexity requirements

    http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

    Password Policy

    http://technet.microsoft.com/en-us/library/cc783512%28WS.10%29.aspx


    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    • Proposed as answer by iamrafic Friday, August 05, 2011 1:34 AM
    Thursday, August 04, 2011 8:47 AM
  • I want to modify the "Passwords must contain characters from three of the following five categories"

    We want to modify to "Passwords must contain characters from the following five categories". Not 3 out of the five. We want it all ! (:

    Thursday, August 04, 2011 8:54 AM
  • Sorry, it is not possible. The password complexity requirement can only be turned on or off.
    Thursday, August 04, 2011 9:21 AM
  • Howdie!
     
    On 04.08.2011 10:54, TonQ wrote:
    > I want to modify the "Passwords must contain characters from three of
    > the following five categories"
    >
    > We want to modify to "Passwords must contain characters from the
    > following five categories". Not 3 out of the five. We want it all ! (:
     
    There are third party products that can do that - but all of them (I
    know!) have licencing so they aren't free for use. You'll have to buy them.
     
    An alternative for you, if you have smart dev folks, is to write your
    own password filter for usage. But to be honest, this isn't an easy task
    and customers have been struggling with that in the past. So I'd look
    into either sticking with what Windows gives you or looking into another
    product that can enforce those.
     
    Florian
     
     

    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer.
    • Marked as answer by TonQ Friday, August 05, 2011 7:46 AM
    Thursday, August 04, 2011 9:41 AM
  • No, it is not possible with Windows Group Policy. You have to look for 3rd party password filters.
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    • Proposed as answer by iamrafic Friday, August 05, 2011 1:34 AM
    Thursday, August 04, 2011 9:41 AM
  • Thanks guys,

    Has anyone some name for a good 3rd party password filter?

    Thursday, August 04, 2011 9:54 AM
  • Hi,

    How to setup Default and Fine Grain Password Policy by Alan Burchill

    http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

    Try using custom password filter

    http://msdn.microsoft.com/en-us/library/ms721884(VS.85).aspx

     

    • Applying fine-grained password policies: Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. They cannot be applied to Computer objects.

    • Password filters: Fine-grained password policies do not interfere with custom password filters that you might use in the same domain. Organizations that have deployed custom password filters to domain controllers running Windows 2000 or Windows Server 2003 can continue to use those password filters to enforce additional restrictions for passwords.

    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

     


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by TonQ Friday, August 05, 2011 7:46 AM
    Thursday, August 04, 2011 1:38 PM
  • Fine-grained password policies (PSOs) are great, but they cannot change the complexity requirements.

    Here is some info on password filters: http://msdn.microsoft.com/en-us/library/ms721882(v=VS.85).aspx

    Thursday, August 04, 2011 3:53 PM
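
Added example, not part of any post in this thread and not vendor code: the core check a custom password filter would need in order to require every category instead of three, written as portable C so it can be compiled and tested outside a domain controller. The five-way category split, the function name `missing_categories` and the sample passwords are assumptions of this example; `PasswordFilter` is the callback name documented on the MSDN password filter pages linked above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per category. The five-way split is this example's assumption. */
enum { CAT_UPPER = 1, CAT_LOWER = 2, CAT_DIGIT = 4, CAT_SYMBOL = 8,
       CAT_OTHER = 16, CAT_ALL = 31 };

/* Classify a single UTF-16 code unit. */
static unsigned classify(uint16_t c)
{
    if (c >= 'A' && c <= 'Z') return CAT_UPPER;
    if (c >= 'a' && c <= 'z') return CAT_LOWER;
    if (c >= '0' && c <= '9') return CAT_DIGIT;
    if (c > 0x20 && c < 0x7F) return CAT_SYMBOL; /* remaining printable ASCII */
    if (c >= 0x80)            return CAT_OTHER;  /* anything outside ASCII */
    return 0;              /* space, controls and DEL satisfy no category */
}

/* buf/len_bytes mirror UNICODE_STRING.Buffer and .Length: UTF-16 code units,
   length in BYTES, no terminating NUL guaranteed. Returns the bits of the
   required categories that are missing; 0 means the password is acceptable. */
unsigned missing_categories(const uint16_t *buf, size_t len_bytes, unsigned required)
{
    unsigned seen = 0;
    if (buf == NULL) return required;            /* fail closed on bad input */
    for (size_t i = 0; i < len_bytes / sizeof(uint16_t); i++)
        seen |= classify(buf[i]);
    return required & ~seen;
}

/* Constructed sample passwords, not taken from the thread. */
static const uint16_t SAMPLE_THREE[] = {'P','a','s','s','w','o','r','d','1'};
static const uint16_t SAMPLE_FIVE[]  = {'P','a','s','s','1','!',0x00E9};

/* In a filter DLL the exported PasswordFilter(AccountName, FullName, Password,
   SetOperation) callback would return
   missing_categories(Password->Buffer, Password->Length, CAT_ALL) == 0
   and must never log, copy or persist the password buffer. */
int main(void)
{
    printf("three-category sample missing: 0x%02x\n",
           missing_categories(SAMPLE_THREE, sizeof SAMPLE_THREE, CAT_ALL));
    printf("five-category sample missing:  0x%02x\n",
           missing_categories(SAMPLE_FIVE, sizeof SAMPLE_FIVE, CAT_ALL));
    return 0;
}
```

The first sample would pass the built-in three-category rule but is rejected here because the symbol and non-ASCII categories are missing.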
  • Hi,

    Have a look at nFront Password Filter.

    http://nfrontsecurity.com/products/nfront-password-filter/


    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    • Proposed as answer by iamrafic Friday, August 05, 2011 1:34 AM
    • Marked as answer by TonQ Friday, August 05, 2011 7:46 AM
    Thursday, August 04, 2011 4:09 PM
  • LOL I literally wrote this blog post about password policies a few days ago.... I think it would be relevant to your question http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

    Hope it helps

     


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill
    • Proposed as answer by Alan BurchillMVP Thursday, August 04, 2011 10:55 PM
    • Marked as answer by TonQ Friday, August 05, 2011 7:46 AM
    Thursday, August 04, 2011 10:55 PM
  • Hi,

     

    Well, not trying to be biased or anything, but Specops Password Policy is one of the best out there as it leverages Group Policy to allow you to create policies and link them to an OU, filter them to a security group, or even an individual user.

    The control you have with the complexity is more than any other product out there as it goes as far as being able to add a dictionary list which would contain words, or characters you would not want the user to have in their password. It even allows you to create regular expressions to get that much more granular in the complexity requirements. It also provides you with email notifications prior to the user's password expiring.

     

    Good luck

    Harj Singh

    SpecopsSoftware

    Friday, August 05, 2011 1:35 PM