You and Brian are correct about the client's knowledge of the policy, but
the client is only responsible for enforcing the policy for the repository
it maintains.

Client manages local SAM, DC manages AD repository.

I wouldn't want to see that get confused.  Also, the local client hashes
the password and sends it off to be evaluated by the DC.  It doesn't know if
it's good or not when it receives it from the user.  Sure, it could always
evaluate against local policy any password that the DC approved and then
force a password change request for the user account, but even that process
is not straightforward at that point.

What you've suggested does sound nice, but is non-trivial, and the benefits
can be realized in other ways that are more controllable (IMO).


*ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*



On Thu, Aug 26, 2010 at 1:30 PM, Ben Scott <[email protected]> wrote:

> On Thu, Aug 26, 2010 at 1:19 PM, Andrew S. Baker <[email protected]>
> wrote:
> > The client is not the one that does password policy enforcement normally.
> > It is the DC that does it, which is why it's done at the time the
> password is changed.
> > Currently, the client is not even aware of what the policy is for
> passwords.
> > This would be quite a bit of change, and not necessarily trivial.
>
>   I'm pretty sure you're at least partly incorrect on this.  Domain
> members are aware of domain password policy.  It's published via Group
> Policy -- often the "Default Domain Policy" which applies to all
> computers.  More significantly, when a domain password policy is
> applied, then even machine-local accounts on domain members are
> required to meet password policy when changing the password.  So
> domain members can and do enforce domain password policy currently.
>
>  Whether or not DCs also check new passwords against policy (in case
> the client does not for whatever reason), I don't know.
>
>  (Technically speaking, I think it might be theoretically possible
> that the DC does not even need to ever see the cleartext password.
> The domain member might hash it and then send the hash to the DC.  But
> given the option to store cleartext passwords on the DC, I would guess
> the client always sends the cleartext (otherwise, it would need to be
> a negotiated protocol option, which seems unlikely).  But I digress.)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
>

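Ben's point that domain members are aware of the domain password policy, and Andrew's distinction between the local SAM and the AD repository, can both be checked from a domain-joined workstation. The script below is an added example and is not code from either poster: it reads the policy the local machine is actually enforcing (what `net accounts` reports for the local SAM) and compares it with the domain default policy read from AD, flagging any setting where the two disagree. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, connectivity to a DC, and an English locale (the `net accounts` labels it parses are locale-specific); the function names are this example's own.

```powershell
# Added example, not from the thread: does this domain member enforce the same
# password policy that the domain default policy specifies?
# Assumes: domain-joined host, RSAT ActiveDirectory module, English locale.
Import-Module ActiveDirectory

function Get-LocalEffectivePasswordPolicy {
    # "net accounts" (without /domain) reports the policy the local machine enforces.
    $raw = & net.exe accounts 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed: $raw" }

    # Map the English "net accounts" labels (regex-escaped) to property names.
    $map = @{
        'Minimum password length'               = 'MinPasswordLength'
        'Minimum password age \(days\)'         = 'MinPasswordAgeDays'
        'Maximum password age \(days\)'         = 'MaxPasswordAgeDays'
        'Length of password history maintained' = 'PasswordHistoryCount'
    }
    $result = [ordered]@{}
    foreach ($line in $raw) {
        foreach ($label in $map.Keys) {
            if ($line -match "^$label\s*:\s*(.+?)\s*$") {
                $value = $Matches[1]
                # "Unlimited" / "Never" / "None" mean "not enforced"; represent as 0.
                $result[$map[$label]] = if ($value -match '^\d+$') { [int]$value } else { 0 }
            }
        }
    }
    return $result
}

function ConvertTo-PolicyDays {
    param([TimeSpan]$Span)
    # Assumption: a "never expires" age comes back as an enormous TimeSpan;
    # anything over 100 years is treated as "unlimited" (0) to match net accounts.
    if ($Span.TotalDays -gt 36500) { return 0 }
    return [int][math]::Round($Span.TotalDays)
}

function Get-DomainDefaultPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    return [ordered]@{
        MinPasswordLength    = $p.MinPasswordLength
        MinPasswordAgeDays   = ConvertTo-PolicyDays $p.MinPasswordAge
        MaxPasswordAgeDays   = ConvertTo-PolicyDays $p.MaxPasswordAge
        PasswordHistoryCount = $p.PasswordHistoryCount
        ComplexityEnabled    = $p.ComplexityEnabled   # not reported by "net accounts"
    }
}

function Compare-PasswordPolicy {
    param(
        [System.Collections.IDictionary]$Local,
        [System.Collections.IDictionary]$Domain
    )
    # Only settings visible on both sides are compared.
    foreach ($key in $Local.Keys) {
        [pscustomobject]@{
            Setting = $key
            Local   = $Local[$key]
            Domain  = $Domain[$key]
            Match   = ($Local[$key] -eq $Domain[$key])
        }
    }
}

$localPolicy  = Get-LocalEffectivePasswordPolicy
$domainPolicy = Get-DomainDefaultPasswordPolicy
Compare-PasswordPolicy -Local $localPolicy -Domain $domainPolicy | Format-Table -AutoSize
```

Any row with `Match` false is worth a look: it usually means a fine-grained password policy (see `Get-ADUserResultantPasswordPolicy`) or a local GPO is overriding the domain default, which is exactly the "which repository is this policy for?" confusion Andrew warns about. Complexity is only visible on the AD side, so a member's complexity enforcement still has to be checked through the local security policy rather than this comparison.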
