Title: Message
Cathy is indeed correct.
 
During 2 separate migrations I saw this specific issue, but I believe it was limited to downlevel clients.
 
At some point after go live date, we switched on the password complexity requirement for the domain. At the next password expiry interval, any user attempting to change their password from a downlevel client (definitely 9x, and I believe also NT4, neither with the AD client installed) starting with a non-complex password would receive an Invalid Password response when attempting to change their password. The only way the users were able to actually change their password from a downlevel machine was for an admin to reset their password to one meeting the complexity requirements.
 
This was AD running on either SP1 or SP2 boxes (I want to say SP2).
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: O'Brien, Cathy [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 30, 2003 5:42 PM
To: [EMAIL PROTECTED]
Cc: Roger Seielstad
Subject: RE: [ActiveDir] Password Complexity

<picking thru cluttered brain>

It seems like Roger Seielstad has given warnings about this issue. Roger?


-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 30, 2003 3:32 AM
To: [EMAIL PROTECTED]

I've not heard of an issue like this. In fact I've seen situations where user accounts have been migrated along with weak passwords from Windows NT 4.0 domains to an AD domain with password complexity enabled. When the users subsequently change the password in the AD domain there is no issue.

It could be an oversimplification, but I think this has to do with the password itself not being stored - just the hash. From the hash information the system is unable to determine whether the old password meets the password complexity (or indeed other password policies) or not. Because of this there should never be a problem with the old password not meeting the new password policy requirements.

There were some fixes for certain password issues included in SP3, so it would be good to make sure you are not running SP2 or earlier.

Tony
  _____ 

Sent: Friday, June 27, 2003 19:32
To: [EMAIL PROTECTED]


In July we are going to enable password complexity. I know I've seen issues with this on the list but am unable to connect to the archives. I believe the issue was that if your old pw didn't meet the requirements then you were unable to change your pw. Is this correct and has anyone experienced this issue? I have also searched for a KB on this issue but don't seem to be able to find one.

(if a KB is there it won't be the first time I couldn't find one...) TIA
 
********************************************************************
 
Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126
 
********************************************************************