Hello, I was wondering how to implement Active Directory password policy well. Actually, if I'm not mistaken, LPPE relies on three values it thinks can be found in the user record, but:
- password last modification time attribute is pwdLastSet, found in the user record, OK,
- expiration warning days: I've no idea where this attribute can be found!
- password maximum age is the maxPwdAge AD attribute, found in the domain record, not in the user record!
Attributes can be found in either the user record or the domain record, and even worse, with AD 2008, if fine-grained password policy is used, one has to look up a special computed attribute (msDS-ResultantPSO), then search for this value in a special container (CN=Password Settings Container,CN=System,dc=mydomain,dc=com) which contains all policies (except the default domain policy).
So LPPE can give me erroneous information, and my question is: what should I do to achieve a good implementation of these policies? Only a new implementation of PasswordPolicyEnforcer?
Rgds.
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
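Added example, not from the original post nor from the software it discusses: a small Python resolver that derives a user's password expiry from pwdLastSet and the maximum age that actually applies (the domain's maxPwdAge, or the msDS-MaximumPasswordAge of the PSO named by msDS-ResultantPSO), and takes the warning-days threshold as a configuration input, since AD stores no such attribute. The directory records, PSO name and dates are constructed; the userAccountControl DONT_EXPIRE_PASSWORD bit and the Int64-minimum "never expires" sentinel are standard AD values.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000         # 100-ns ticks in one day
NEVER_EXPIRES = -0x8000000000000000     # Int64.MinValue in maxPwdAge: passwords never expire
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl bit: account-level "never expires"

def filetime_to_datetime(ticks):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def effective_max_age(user, domain, psos):
    """AD 2008+ fine-grained policy: the computed attribute msDS-ResultantPSO names a
    PSO under CN=Password Settings Container,CN=System,... whose msDS-MaximumPasswordAge
    overrides the domain's maxPwdAge. Both are negative 100-ns durations."""
    pso_dn = user.get("msDS-ResultantPSO")
    if pso_dn in psos:
        return int(psos[pso_dn]["msDS-MaximumPasswordAge"])
    return int(domain["maxPwdAge"])

def password_status(user, domain, psos, warning_days, now):
    """Return (state, days_left); state is never-expires, must-change, expired, warning or ok."""
    if int(user.get("userAccountControl", 0)) & DONT_EXPIRE_PASSWORD:
        return ("never-expires", None)
    last_set = int(user["pwdLastSet"])
    if last_set == 0:
        return ("must-change", 0)       # "user must change password at next logon"
    max_age = effective_max_age(user, domain, psos)
    if max_age in (0, NEVER_EXPIRES):
        return ("never-expires", None)
    expires = filetime_to_datetime(last_set - max_age)   # subtracting a negative age adds it
    days_left = (expires - now).days
    if expires <= now:
        return ("expired", days_left)
    if days_left <= warning_days:
        return ("warning", days_left)
    return ("ok", days_left)

# Constructed sample records (hypothetical domain, not real directory data)
NOW = datetime(2024, 3, 1, 12, tzinfo=timezone.utc)
DOMAIN = {"maxPwdAge": -42 * TICKS_PER_DAY}
PSO_DN = "CN=ShortAge,CN=Password Settings Container,CN=System,DC=example,DC=com"
PSOS = {PSO_DN: {"msDS-MaximumPasswordAge": -10 * TICKS_PER_DAY}}
SET_FEB1 = datetime_to_filetime(datetime(2024, 2, 1, 12, tzinfo=timezone.utc))
USER_DOMAIN_POLICY = {"pwdLastSet": SET_FEB1, "userAccountControl": 0x200}
USER_PSO = {"pwdLastSet": SET_FEB1, "userAccountControl": 0x200, "msDS-ResultantPSO": PSO_DN}
```

With a 14-day warning window the first user is warned 13 days before expiry, while the user covered by the 10-day PSO is already 19 days past it.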
