I know we've provided support for multiple password policies for different users of the same domain for at least one customer with our P-Synch product.
Our customer in this case was doing more or less the same thing as you are asking about -- stronger password complexity rules for admin users, without needing a separate domain. I think they had more requirements than just password length, but that's really a minor detail. Joe mentioned using a password filter DLL to do this, which is precisely where we are hooking in.
That said, maybe you should first consider what the underlying business problem is that you're trying to address? If it's more controlled and secure access to admin passwords, perhaps you should look at totally different approaches to managing administrator access, other than simply longer, but still static passwords. Also, does the underlying business driver pertain just to AD, or should you be thinking about other systems in your environment?
One method is to periodically (frequently) randomize each and every admin password, and have admins go through a central choke point (e.g., web app) to access the admin passwords if and when they need them, as opposed to having a bunch of well-known admin passwords out there. There are products to do this (and yes, we make one too).

Cheers,
--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Thu, 31 Aug 2006, Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote:
Just wanted to field this to see if it makes any sense to any of you guys.
We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this?

Thanks,
Nate Bahta
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
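
The per-account decision a password filter DLL would make for the case discussed in this thread, as an added example that is not from either poster and is not P-Synch code. Only the 15-character admin minimum comes from the original question; the account names, the default tier and the character-class rule are constructed assumptions, and the Windows glue (the PasswordFilter export that would call this) is left out so the logic stays portable.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed policy tiers: the 15-character admin minimum comes from the
   thread; the default tier and the class counts are assumptions. */
struct pw_policy { size_t min_len; int min_classes; };
static const struct pw_policy ADMIN_POLICY   = { 15, 3 };
static const struct pw_policy DEFAULT_POLICY = { 8, 0 };

/* Constructed list of admin accounts. A real filter would resolve group
   membership instead of hard-coding names. */
static const char *const ADMIN_ACCOUNTS[] = { "adm-alice", "adm-backup" };

static int same_name(const char *a, const char *b) {
    /* Account names are compared case-insensitively. */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

int is_admin_account(const char *account) {
    for (size_t i = 0; i < sizeof ADMIN_ACCOUNTS / sizeof *ADMIN_ACCOUNTS; i++)
        if (same_name(account, ADMIN_ACCOUNTS[i])) return 1;
    return 0;
}

/* Count how many of {lower, upper, digit, other} appear in the password. */
static int char_classes(const char *pw) {
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other;
}

/* Returns 1 to accept, 0 to reject, the same yes/no answer a filter's
   PasswordFilter callback reports. Missing input is rejected. */
int password_acceptable(const char *account, const char *password) {
    if (account == NULL || password == NULL) return 0;
    const struct pw_policy *p =
        is_admin_account(account) ? &ADMIN_POLICY : &DEFAULT_POLICY;
    return strlen(password) >= p->min_len &&
           char_classes(password) >= p->min_classes;
}
```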
