> As such, the worst-case mode of failure is not too bad
> (users can't change passwords until you figure out what's up).

If they are expired, they are S.O.L. That is my concern. The alternative is
to allow changes to go through in the event that contact can't be made which
means rules aren't enforced so you are in an unknown state with the
passwords and need to do additional work to make sure things are what they
should be.

I think a possible method would be to have a central server but have enough
info and logic on the DC agents to allow them to operate independently for
short periods of time and then when they can call home, let home know what
happened when they were out of touch; it also makes the whole system more
scalable as you don't call back for every request. Definitely makes things
heavier and I wouldn't put it into the LSASS plugin personally; I would add
a local service agent that the LSASS agent chatted with. Of course then if
you can't get to that because someone stopped it, you have another issue you
have to figure out the correct answer for. :o)

Trouble around every bend...

BTW, if you want to use that local agent idea I will send you an address for
you to mail the royalty checks... Of course you could just put me on some
sort of retainer as well.  I can come in occasionally and throw off-the-wall
ideas around the room and people can stare at me like I am really strange
and then a couple of years later say, hey didn't joe say something like that
a couple of years ago. ;o) 


  joe
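A small C model of the fail-safe decision being argued over in this thread (accepting a change when the central server cannot be reached, versus refusing it, versus the local-agent idea of accepting and remembering what happened while out of contact), added here as an example and not code from P-Synch or from any of the posters. It assumes the policy core is kept in portable C and wrapped by the real PasswordFilter export (which receives UTF-16 UNICODE_STRINGs rather than the NUL-terminated char strings used here); the {7, 2} policy and the central-server stubs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Rules cached on the DC so the filter decides without calling home. */
typedef struct { size_t min_len; int min_classes; } local_policy_t; /* e.g. {7, 2}: more than 6 chars, 2 of 4 classes */
/* Answer from the central server (history, extra rules); the real call uses a short timeout. */
typedef enum { CENTRAL_OK, CENTRAL_REJECT, CENTRAL_UNREACHABLE } central_result_t;
typedef central_result_t (*central_check_fn)(const char *pw, size_t len);

typedef struct {
    local_policy_t   local;
    central_check_fn central;
    bool             fail_open; /* true: accept when central is down; false: refuse */
    unsigned         deferred;  /* accepted while disconnected, to report when contact returns */
} filter_state_t;

/* Pure local check: fixed buffers, no allocation, nothing to leak inside LSASS. */
bool local_rules_ok(const local_policy_t *p, const char *pw, size_t len) {
    if (len < p->min_len) return false;
    bool up = false, lo = false, dg = false, sy = false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) up = true; else if (islower(c)) lo = true;
        else if (isdigit(c)) dg = true; else sy = true;
    }
    return up + lo + dg + sy >= p->min_classes;
}

/* What the PasswordFilter() export would return: true = accept the change. */
bool filter_decide(filter_state_t *st, const char *pw, size_t len) {
    if (!local_rules_ok(&st->local, pw, len)) return false; /* settled without the network */
    central_result_t r = st->central(pw, len);
    if (r == CENTRAL_OK) return true;
    if (r == CENTRAL_REJECT) return false;
    /* unreachable: the configured fail-safe policy decides */
    if (!st->fail_open) return false;
    st->deferred++;
    return true;
}

/* Constructed stubs for the network call, and a one-shot runner:
   returns 0 = rejected, 1 = accepted, 2 = accepted while disconnected (needs reconciling). */
central_result_t central_stub_ok(const char *pw, size_t len)   { (void)pw; (void)len; return CENTRAL_OK; }
central_result_t central_stub_down(const char *pw, size_t len) { (void)pw; (void)len; return CENTRAL_UNREACHABLE; }
int try_change(const char *pw, bool fail_open, bool central_down) {
    filter_state_t st = { {7, 2}, central_down ? central_stub_down : central_stub_ok, fail_open, 0 };
    if (!filter_decide(&st, pw, strlen(pw))) return 0;
    return st.deferred ? 2 : 1;
}
```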

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 1:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password filters for AD 2003 (v2)

Hi guys,

Joe - thanks for the P-Synch plug.  :-)

There are good reasons for our password filter DLL to connect into a central
server, or cluster of servers:

  * It makes it possible to enforce infinite password history (which we do).

  * It makes it easy for an administrator to control policy centrally,
    with built-in rules, regular expressions, plugins, etc., without
    having to revisit the DCs.

A central point of failure is definitely an issue you should think about
when doing this.  That said, keep in mind: this potential point of failure
only applies to password changes, not to the AD authentication process.
As such, the worst-case mode of failure is not too bad (users can't change
passwords until you figure out what's up).

As a vendor, we're pretty nervous about causing trouble on our customers'
DCs, as you can imagine.  There is one customer I can think of off-hand that
has our DLL installed on 400+ DCs globally.  Others may be larger.
If there was a problem with the architecture, you can bet I'd be hearing
about it.

To minimize the potential negative impact of all these DCs going to one
central server to validate password quality, we:

  * Cluster the P-Synch server, behind a load balancer.

  * Code the password filter DLL to be fail-safe.  e.g., it
    has short timeouts on connections, and reasonable behaviour,
    such as "let the password change go through" in the event of a
    failure to connect to the central P-Synch server cluster.

Note that P-Synch is licensed per user.  $1500/DC would be nasty with
400+ DCs.  I know that our customer with 400 DCs paid less than that,
and got much more functionality than just AD password quality control.

Anyways, enough commercial chatter.  Your points are all valid: it's doable,
there are commercial products to do it, and it should not be undertaken
lightly, since a minor screwup will cause DCs to die.

Cheers,

-- Idan


On Tue, 25 Nov 2003, Joe wrote:

> There are third party products that do this stuff. The last one that I 
> saw that was decent and standalone ran around $1500 per domain 
> controller though. It is touchy high security stuff and you need to be 
> careful. I think one of MS's reasons for hesitation for putting 
> something comprehensive out is because the feedback mechanism for bad 
> password choices is horrendous and the next thing people would ask for is
> for that to be corrected.
>
> MTEC's PSYNCH has the capability to do some serious password filtering 
> as well but when I last looked I did not like how it was implemented 
> as it required coming back to a central PSYNCH server which is a 
> horrible way to handle this.
>
> Compared to my usual Exchange 2000 issues, I am thrilled with my 
> capabilities with the OS in regards to this specific issue since it is 
> actually heavily documented and the documentation is right so someone 
> CAN actually do something.
>
>   joe
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Oliver 
> Marshall
> Sent: Tuesday, November 25, 2003 8:30 AM
> To: [EMAIL PROTECTED]
>
> Nice to know that MS allow us "manager" types to tailor our password 
> setup with ease !!!
>
> Cheers:)
>
> -----Original Message-----
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: 25 November 2003 13:17
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Password filters for AD 2003 (v2)
>
> It isn't something I recommend to programmers who don't regularly code 
> in c/c++. You are injecting code into LSASS which is touchy at best. 
> If you have any memory leaks or other obscure code issues you could 
> really hurt yourself. When I initially started playing with them I was 
> really good with the Win32 API and the various pointer based data 
> structures and had been coding in c/c++ for years and was blue 
> screening servers left and right initially. You could get lucky and 
> hit one right off that works well, on the other hand you could 
> introduce some real hokey issues that take forever to troubleshoot or you
> could just completely blow your machines up.
>
>
>    joe
>
>
> ________________________________
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Oliver 
> Marshall
> Sent: Tuesday, November 25, 2003 7:50 AM
> To: [EMAIL PROTECTED]
>
>
> Anyone had any experience creating password complexity filters for use 
> with the Password Policies in AD 2003 ? I'm thinking of creating one 
> here that is more complex than "more than 6 characters" but not so 
> complex as "Must have either A) B) c) or D)" as users keep phoning me 
> up and can't be bothered to adhere to them. Is it something a non VC++ guru
> can do ?
>
> Olly
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
