On Thu, Aug 26, 2010 at 1:19 PM, Andrew S. Baker <[email protected]> wrote:

> The client is not the one that does password policy enforcement normally.
> It is the DC that does it, which is why it's done at the time the password is
> changed.
> Currently, the client is not even aware of what the policy is for passwords.
> This would be quite a bit of change, and not necessarily trivial.
I'm pretty sure you're at least partly incorrect on this. Domain members are aware of domain password policy. It's published via Group Policy -- often the "Default Domain Policy", which applies to all computers. More significantly, when a domain password policy is applied, even machine-local accounts on domain members are required to meet password policy when changing the password. So domain members can and do enforce domain password policy currently. Whether or not DCs also check new passwords against policy (in case the client does not for whatever reason), I don't know.

(Technically speaking, I think it might be theoretically possible that the DC does not even need to ever see the cleartext password. The domain member might hash it and then send the hash to the DC. But given the option to store cleartext passwords on the DC, I would guess the client always sends the cleartext (otherwise, it would need to be a negotiated protocol option, which seems unlikely). But I digress.)

-- Ben
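A quick way to check the claim above on a given machine is to compare the policy a domain member enforces for local accounts with the policy it receives from the domain. The script below is an added example, not code from either poster; it assumes a domain-joined Windows host, uses the standard `net accounts` and `net accounts /domain` commands, and the output parsing (keyed on the labels those commands print) is my own.

```powershell
# Added example: compare local vs. domain password policy on a domain member.
# Assumes a domain-joined Windows host with net.exe available. The label
# strings below match the lines "net accounts" prints (e.g. "Minimum password
# length:"); the regex parsing is mine, not part of the original thread.

function Get-NetAccountsPolicy {
    param([switch]$Domain)
    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }
    $lines = & net.exe @netArgs 2>$null
    $policy = @{}
    foreach ($line in $lines) {
        # Each policy line looks like "<label>:   <value>" with padding spaces.
        if ($line -match '^(?<key>[^:]+?)\s*:\s*(?<value>.+?)\s*$') {
            $policy[$Matches.key.Trim()] = $Matches.value
        }
    }
    return $policy
}

$local  = Get-NetAccountsPolicy           # policy enforced for local accounts
$domain = Get-NetAccountsPolicy -Domain   # policy the domain publishes

$settings = @(
    'Minimum password length',
    'Minimum password age (days)',
    'Maximum password age (days)',
    'Length of password history maintained',
    'Lockout threshold'
)

# A "Match = False" row means the local policy diverges from the domain policy
# and is worth a closer look at which GPO applies to that machine.
foreach ($key in $settings) {
    [pscustomobject]@{
        Setting = $key
        Local   = $local[$key]
        Domain  = $domain[$key]
        Match   = ($local[$key] -eq $domain[$key])
    }
}
```

Run it in an elevated or standard PowerShell session on a domain member; `net accounts /domain` queries a domain controller, so it needs network reachability to one. The `Computer role` line is deliberately left out of the comparison because it legitimately differs between a workstation and a DC.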
