none
Any way to require a minimum 4 character change in AD password settings?

    Question

  • We are being asked if there is a way to require users to change a minimum of 4 characters in their passwords upon expiration.  So if we have a password of PassWORD999, we would force a change to something like PassTIME999. This requirement is above and beyond just the GP enforce password history.

    We would like to accomplish this via AD group policy, but are open to a third party solution if necessary.

    Thanks

    Tuesday, March 10, 2015 4:18 PM

Answers

  • Maybe check out SpecOps - http://www.specopssoft.com/products/specops-password-policy it has pretty good password granularity setup.

    • Proposed as answer by Daveben007 Tuesday, March 10, 2015 4:20 PM
    • Marked as answer by khanfu Thursday, March 12, 2015 7:53 PM
    Tuesday, March 10, 2015 4:20 PM
  • There's no solution to this available in-box with Windows.
    It requires a custom password filter DLL to perform the password inspection against your custom criteria, and MSFT don't offer alternative password filter DLLs, so you'll either need to create it yourself (and I'm told that it's not a trivial exercise), or buy a 3rd party solution.

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, March 12, 2015 8:11 PM

All replies

  • Maybe check out SpecOps - http://www.specopssoft.com/products/specops-password-policy it has pretty good password granularity setup.

    • Proposed as answer by Daveben007 Tuesday, March 10, 2015 4:20 PM
    • Marked as answer by khanfu Thursday, March 12, 2015 7:53 PM
    Tuesday, March 10, 2015 4:20 PM
  • Thanks for the info Daveben007.  Specops definitely can fill this hole for us.  We're a very small company and their pricing is a little out of our range, so I'm going to continue searching.  They have a great product set though, so if I can show value for all of the other pieces, I might be able to justify the expense.  Thanks!
    Thursday, March 12, 2015 8:02 PM
  • There's no solution to this available in-box with Windows.
    It requires a custom password filter DLL to perform the password inspection against your custom criteria, and MSFT don't offer alternative password filter DLLs, so you'll either need to create it yourself (and I'm told that it's not a trivial exercise), or buy a 3rd party solution.

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, March 12, 2015 8:11 PM