RE: [ActiveDir] Multiple Password Policies

[Thorbjörn Sjövold]

Title: Unresolved SIDs in ACL

Darren, you are correct, as usual when it is anything related to GP :)

 

No, this is not possible to perform using only CSEs, Specops Password Policy uses a Password Filter as Joe implicitly stated in another post regarding this. I’ll keep this post as short as possible and keep sales stuff out, and also try to give some behind the scenes info on how password polices are evaluated in AD. If anyone wants more info, just contact me, but I am normally trying to not post product info in new letters, since I know how annoyed I become when I see that myself…

 

What happens when a user changes his/her password is that the Domain Controller that the user have a session with (actually this is not always true it can be another DC sometimes, but it does not really matter) evaluates the password by passing it though one or more so called Password Filters, to ensure that it meets the requirement of the Security Policy set by the organization. This is actually what happens when using the out-of-the-box domain password policy for AD. You configure it using GP and then this is evaluated using the Password Filter supplied by Microsoft. So what Specops Password Policy adds is a new Password Filter that is evaluated when a user changes the password in conjunction with the built-in filter, but with for example the possibility to have more than one rule.

 

The way password filters works, it does not matter if the change is interactively, using a script, OWA etc, all changes have to go through the DC, and all installed Password Filters. So this means that there are no ways around the filters.

 

For anyone of you that wants to really dig into password filters, here is all the info you’ll ever need about them:

http://msdn.microsoft.com/library/default.asp?url="">

 

Best,

Thorbjörn Sjövold

Special Operation Software

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 18, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I know these guys at Specopssoft and they have done some cool stuff with GP, but its not clear to me how this could be accomplished with just some CSEs. This seems like it would require some fiddling at the DCs as well. Maybe one of them is on this list and can elucidate us?

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 6:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I have not used or assessed a product like this, but I would guess that a client side GPO extension is required. This may not be feasible in certain environments.

 

neil

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was just asked to look at this application that was recently released:

    http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

 

It seems like someone did some good programming around the password filter dll concept and then tied it into security groups and GPOs. 

 

Has anyone seen this application and what do you guys think about it?

 

Thanks,

 

Charlie

 

 

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments. NIplc

does not provide investment services to private customers. Authorised and

regulated by the Financial Services Authority. Registered in England

no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP. A member of the Nomura group of companies.