If you are up to writing a change notify function, why not just write a password filter and look up the account and reject the change? Actually, if you follow good processes and have a second ID for the administrator accounts, you can pick some prefix character and any ID that comes through with that prefix can be forced to 15 characters and you don't have to look anything up.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
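
The prefix-based check suggested in the message above, sketched as an added example (not code from the thread or from any poster). The function has the same shape as the Windows LSA `PasswordFilter` callback; the `ustr_t` stand-in for `UNICODE_STRING`, the `_` prefix and all function names are assumptions of this example so that the logic compiles off Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for UNICODE_STRING (assumption of this example). Length is in
 * BYTES; Buffer holds UTF-16 code units and need not be NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    const uint16_t *Buffer;
} ustr_t;

#define ADMIN_PREFIX  ((uint16_t)'_')  /* hypothetical admin-ID convention */
#define ADMIN_MIN_LEN 15u              /* minimum length from the thread */

/* UTF-16 code units in s (a surrogate pair counts as 2), -1 if malformed. */
static int ustr_units(const ustr_t *s)
{
    if (s == NULL || (s->Length % 2) != 0) return -1;
    if (s->Length > 0 && s->Buffer == NULL) return -1;
    return s->Length / 2;
}

/* Nonzero accepts the new password, zero rejects it. set_operation is
 * nonzero for an administrative reset; resets and user-initiated changes
 * are held to the same rule here. */
int admin_password_filter(const ustr_t *account, const ustr_t *full_name,
                          const ustr_t *password, int set_operation)
{
    (void)full_name;
    (void)set_operation;
    int name_units = ustr_units(account);
    int pw_units = ustr_units(password);
    if (name_units <= 0 || pw_units < 0)
        return 0;                  /* fail closed on malformed input */
    if (account->Buffer[0] != ADMIN_PREFIX)
        return 1;                  /* not an admin ID: domain policy applies */
    return (unsigned)pw_units >= ADMIN_MIN_LEN;
}

/* Helper for trying the filter: wrap an ASCII literal (constructed input). */
ustr_t ustr_from_ascii(const char *s, uint16_t *buf, size_t cap)
{
    size_t n = strlen(s);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)s[i];
    ustr_t u = { (uint16_t)(n * 2), (uint16_t)(cap * 2), buf };
    return u;
}
```

Because the decision is made before the password is stored, a short password on a prefixed ID is refused outright, with no directory lookup and no after-the-fact length check.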
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 8:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Seperate Administrator password policy

I thought about that, but that does not prohibit you from setting a password less than 15 characters.  I thought about setting it up to run on a changenotify event and then if the length was less than 15, disable the account, but I think that is a bit harsh.  I don't know of a way of stopping the setting of a password less than 15 characters without an actual subdomain.  That PPE looks like it would do the trick, but I don't think we are being given third party tools to implement this security measure.
 
Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 31, 2006 8:39 AM
To: [email protected]
Subject: Re: [ActiveDir] Seperate Administrator password policy

Would it be easier just to ask them to use 15 characters?  Run a small script to check on the number of characters after the passwords have been changed. If under 15, then ask them to change it again.

-Z.V.

Almeida Pinto, Jorge de wrote:
third party software could be an option
 
jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:15
To: [email protected]
Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys. 
 
We are going to implement a mandatory 15 character password policy for all of our administrator accounts.  The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain.  I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain.  Can anyone think of another method of doing this?
 
 
Thanks,
 
Nate Bahta

