That is what I am saying... You can't.
 
Once a password has been checked through the filters and the change notify sent out to the hooked functions, the password length/complexity/etc. is gone. The clear text password is not kept. Certainly MSFT doesn't keep a tally on what length the password is for every user; what would be the point other than to help folks looking for info for brute-force cracking attempts: yes, don't worry about testing passwords of length 8-256 characters, you only have to worry about 8 or 10 or 12 or 20. Certainly that doesn't make it guaranteed the hack will succeed for long passwords 15 and greater, but if someone is already aware and specifically targeting someone, that may be enough to help them narrow things down enough to get you.
 
There are two native ways to authoritatively know the length of any new password: the first is to see it in the password filter function you implement, the second is in the password change notify function you implement. Both require DLLs that get hooked into LSASS on EVERY DC.
 
An alternative which is less scary to many people is to disallow password changing in the domains natively and then force folks through a web site with all of the policies[1]. The beauty there is that you can feed back good info to the users when they pick a bad password. However, this is not something you implement for admins (I mean people with forest/domain IDs with admin rights, this is fine for delegated "admins") of the forest. You just can't enforce it because anything one admin puts in place, another can circumvent. But then, the 3-5 people you have for your EA/DA positions in your company are highly trusted and would do the correct thing in that case and don't need a policy like that applied to them right?
 
  joe
 
 
 
[1] The app that does this becomes critical when you do this, you better make sure you have security/stability/simplicity and a whole lot of redundancy here.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
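Added example (my code, not joe's or anything posted in the thread): the filter and change-notify entry points joe describes, implemented as a 15-character minimum. It assumes the documented LSA routine signatures from ntsecapi.h and that the DLL is registered in the Notification Packages value on every DC; outside Windows the types are stubbed so the core check can be compiled and tested off-box.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* typedefs for the three LSA notification routines */
#else
/* Off-box stand-ins for the Windows types so the core check builds anywhere. */
typedef uint16_t WCHAR, *PWSTR;
typedef int BOOLEAN; enum { FALSE = 0, TRUE = 1 };
typedef struct { uint16_t Length; uint16_t MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#endif
#define MIN_ADMIN_PWD_CHARS 15   /* the floor the thread is discussing */

/* Core check. UNICODE_STRING.Length counts BYTES of UTF-16 and the buffer is
 * not guaranteed NUL-terminated: divide by sizeof(WCHAR), never wcslen() it. */
int pwd_meets_min_length(const UNICODE_STRING *pwd, size_t min_chars)
{
    if (pwd == NULL || pwd->Buffer == NULL) return 0;
    return (size_t)(pwd->Length / sizeof(WCHAR)) >= min_chars;
}

/* Test helper: widen a constructed ASCII sample to a UNICODE_STRING and run the check. */
int ascii_pwd_ok(const char *ascii, size_t min_chars)
{
    WCHAR buf[256];
    size_t n = strlen(ascii);
    if (n > sizeof buf / sizeof buf[0]) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)ascii[i];
    UNICODE_STRING u = { (uint16_t)(n * sizeof(WCHAR)), (uint16_t)(n * sizeof(WCHAR)), buf };
    int ok = pwd_meets_min_length(&u, min_chars);
    memset(buf, 0, sizeof buf);  /* clear text never outlives the check */
    return ok;
}

#ifdef _WIN32
/* The three exports LSASS looks for; called once when the package is loaded. */
__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }
/* Veto point: FALSE here and the new password is rejected before it is stored. */
__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
        PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    return pwd_meets_min_length(Password, MIN_ADMIN_PWD_CHARS) ? TRUE : FALSE;
}
/* Runs after the change is committed and also sees clear text: record the event, never the password. */
__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
        ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS */
}
#endif
```

A comparison against `Length` itself (bytes) would accept an 8-character password as 16 "characters", which is why the check divides first.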
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Friday, September 01, 2006 4:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separate Administrator password policy

Yeah, that's what my coworkers and I have been debating: what method to use to check password length. We are looking through Perl modules to see if there are any that can actually do what we are talking about. So far no luck with it, but the search continues. Do you know of any module that does what we speak of?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 31, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separate Administrator password policy

How are you guys checking password length after the fact?
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Thursday, August 31, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separate Administrator password policy

I agree with Za,

 

But adjust the script so that it automatically locks the account should it not be 15 characters long – then they have to change it.

 

Just an idea from a newbie.

 

Kat

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, 31 August 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate Administrator password policy

 

Would it be easier just to ask them to use 15 characters? Run a small script to check the number of characters after the passwords have been changed. If under 15, then ask them to change it again.

-Z.V.

Almeida Pinto, Jorge de wrote:

third party software could be an option

for example: http://www.anixis.com/products/ppe/default.htm

 

jorge

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Separate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys. 

 

We are going to implement a mandatory 15 character password policy for all of our administrator accounts.  The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain.  I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain.  Can anyone think of another method of doing this?

 

 

Thanks,

 

Nate Bahta

 
