RE: [ActiveDir] Seperate Administrator password policy
Eric, can you already state publicly what the chance of this feature is to make it into Longhorn, if at all? Or is this still NDA?

Thanks,
Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, September 02, 2006 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

A few comments, in no particular order...

I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs

Well sure...it doesn't take a visionary to see how this could be done. ;) See LDAP policies for one such example (though by no means the only choice...in fact, not how I would do it). I would point out that if you pulled out password policy, it would make sense to pull out all policy dependencies in AD itself so as to fully separate the relationship...that is, AD and associated components (SAM, Kerberos, etc.) do not depend on policy application for anything.

If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs

Well, yea. I mean, this is the DCR that we've been asked for over and over for like 5 years. While there are many ways to achieve it (group memberships, direct links from the user parent containers, etc.) the net net is the same.

From the standpoint of speed/perf, I am not sure if it makes sense to have an "assemble the final policy on the fly" mechanism here /efleis snip of the rest of the paragraph, but I'm commenting on it all/

The reality is that I don't think most orgs will have thousands of password policies, so the merging is likely not all that bad. And the # of settings is low. That said, I'm still against this as it seems uber inconsistent to me and very error prone.

Using groups could be troublesome, what is the override mechanism, which group is more important if there are policies on 10 groups you are in?

This is a trivially solvable problem, I'm not worried about this. On the larger point of the right way to skin this cat, I actually disagree. I am for groups for the same reason I'm for them in the RODC PRP scenario. Again, there are a great many orgs where you have OUs separated by many things, say geographical location, and now want to make an OU-separated set of lower-priv admins have some special password policy (imagine the "regional admins" scenario for a customer who has OUs separated by location). I really think the argument is very much the same as RODC PRP use of groups...we don't want to push an OU model here. I'm typically against building features in such a way that they dictate a specific OU model to use them as that could fly directly in the face of the logic you used for your existing OU model.

It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs. I assume it was done to avoid a situation where two DCs could have different policies applied to them and depending on what DC handled your password change, you would be subject to different rules.

Yes, that's why. In fact, there were some way early win2k bugs that yielded just this (like pre-SP1 if I remember right, or maybe even as late as SP1, I'm not sure).

If that's the case, I can't say I'm a big fan of illogical hacks to help out less-clueful admins.

I love this sentence. :)

~E

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 01, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs. Having thought about this quite a bit in the past, my personal preference would be to handle this outside of the GPOs for several reasons. Some of the reasons off the top of my head:

o I never really liked policy items that simply made changes in AD and then the changes to the policy were simultaneously moving through AD replication and GPO replication. It is illogical. Either prevent the attributes from replicating in AD or don't replicate them through group policy, pick one. Preferably, IMO, get them out of the group policy and use a standard LDAP attribute on the required objects.

o If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs.

o It removes you from the complexity and confusion between the member password policies and domain password policies which even now is still a huge topic for questions in the newsgroups and here.

o You don't get people trying to apply
RE: [ActiveDir] Seperate Administrator password policy
Is this a serious question? I have no idea. If I knew, not only would I do this, but I'd run out and buy a lotto ticket immediately. <g>

This isn't about NDA or not. We can't see into the future like this. We do our best to build as much as we can. At some point, the gates close. What makes it in is quasi-predictable, but not to the level you're asking for.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, September 02, 2006 2:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

Eric, can you already state publicly what the chance of this feature is to make it into Longhorn, if at all? Or is this still NDA?

Thanks,
Guido
RE: [ActiveDir] Seperate Administrator password policy
;-) Thanks for the feedback anyways Eric – it gives us an idea that we shouldn't build our hopes too high for the multiple-password-policies feature at this stage in the LH development phase. But I'll keep hoping anyways.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, September 02, 2006 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

Is this a serious question? I have no idea. If I knew, not only would I do this, but I'd run out and buy a lotto ticket immediately. <g>

This isn't about NDA or not. We can't see into the future like this. We do our best to build as much as we can. At some point, the gates close. What makes it in is quasi-predictable, but not to the level you're asking for.

~Eric
Re: [ActiveDir] Seperate Administrator password policy
...you know a few Longhorn bugs filed on this might help (hint hint)

Grillenmeier, Guido wrote:

;-) Thanks for the feedback anyways Eric – it gives us an idea that we shouldn't build our hopes too high for the multiple-password-policies feature at this stage in the LH development phase. But I'll keep hoping anyways.

/Guido
RE: [ActiveDir] Seperate Administrator password policy
With this one, it wouldn't. This is one of the most commonly requested things in AD history. No one needs to be reminded, it's all about schedule now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, September 02, 2006 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy

...you know a few Longhorn bugs filed on this might help (hint hint)
RE: [ActiveDir] Seperate Administrator password policy
Plus you can't really bug-request a new feature, I don't think. How do you phrase the bug? "My password policy isn't set by the OU or Group or User when I try to do it." If you get anything but a by-design response back I need to change how I communicate with MSFT. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, September 02, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

With this one, it wouldn't. This is one of the most commonly requested things in AD history. No one needs to be reminded, it's all about schedule now.
RE: [ActiveDir] Seperate Administrator password policy
Yeah, that's what me and my coworkers have been debating: what method to use to check password length. We are looking through Perl modules to see if there are any that can actually do what we are talking about. So far no luck with it, but the search continues. Do you know of any module that does what we speak of?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 31, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

How are you guys checking password length after the fact?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Thursday, August 31, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

I agree with Za, but adjust the script so that it automatically locks the account should it not be 15 characters long; then they have to change it. Just an idea from a newbie.

Kat

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, 31 August 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy

Would it be easier just to ask them to use 15 characters? Run a small script to check on the number of characters after the passwords have been changed. If under 15 then ask them to change it again.

-Z.V.

Almeida Pinto, Jorge de wrote:

Third-party software could be an option, for example: http://www.anixis.com/products/ppe/default.htm

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys. We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this?

Thanks,
Nate Bahta

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] Seperate Administrator password policy
Come on.. You mean searching for a VBScript to check password length yields nothing on Google.com? Here is a start:

==
Dim User
Dim UserName
Dim UserDomain
UserDomain = "DomainToManage"
UserName = "UserName"
' String concatenation needs the & operator (dropped by the list archive's rendering)
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
' WScript.Echo for a script run under cscript/wscript; Response.Write only exists in ASP pages
WScript.Echo User.PasswordMinimumLength
==

Perhaps username can be changed to domain admins and use GPO to apply to the admin group? Anyway, I am sure some can finish the rest.

-Z.V.

NOTE: Make sure you have the latest scripting engines on the workstation you run this script from. Download the latest scripting engines here: Microsoft Scripting Home Page

Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote:

Yeah, that's what me and my coworkers have been debating: what method to use to check password length. We are looking through Perl modules to see if there are any that can actually do what we are talking about. So far no luck with it, but the search continues. Do you know of any module that does what we speak of?
RE: [ActiveDir] Seperate Administrator password policy
What does that have to do with reading how many characters someone's password is? I know how to find out the minimum password length's value, but that is not what we are concerned with. We are concerned with how long the actual password is. Be it 15 or 20 or 8 characters, that is what we are looking for. If I wanted to read AD attributes this would be fairly elementary, hardly worth a Google search.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Friday, September 01, 2006 6:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
Doesn't this return the minimum password length configured in the password policy for the domain, and not the password length of the actual password for that targeted user account?

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Friday, September 01, 2006 12:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
As a side note to the other discussions, you do not need to set minPwdLength *and* uASCompat. minPwdLength is for a Win2K3 domain, and uASCompat is for a Windows 2000 domain. In Windows 2000, you can also just directly edit the GP template (.adm).

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
That is what I am saying... You can't. Once a password has been checked through the filters and the change notify sent out to the hooked functions, the password length/complexity/etc. is gone. The clear-text password is not kept. Certainly MSFT doesn't keep a tally on what length the password is for every user; what would be the point, other than to help folks looking for info for brute-force cracking attempts: "yes, don't worry about testing passwords of length 8-256 characters, you only have to worry about 8 or 10 or 12 or 20." Certainly that doesn't make it guaranteed the hack will succeed for long passwords, 15 and greater, but if someone is already aware and specifically targeting someone, that may be enough to help them narrow things down enough to get you.

There are two ways natively to authoritatively know the password length of any new password: the first is to see it in the password filter function you implement, the second is in the password change notify function you implement. Both require DLLs that get hooked into LSASS on EVERY DC.

An alternative which is less scary to many people is to disallow password changing in the domains natively and then force folks through a web site with all of the policies [1]. The beauty there is that you can feed back good info to the users when they pick a bad password.

However, this is not something you implement for admins (I mean people with forest/domain IDs with admin rights; this is fine for delegated "admins") of the forest. You just can't enforce it because anything one admin puts in place, another can circumvent. But then, the 3-5 people you have for your EA/DA positions in your company are highly trusted and would do the correct thing in that case and don't need a policy like that applied to them, right?

joe

[1] The app that does this becomes critical when you do this; you better make sure you have security/stability/simplicity and a whole lot of redundancy here.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Friday, September 01, 2006 4:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
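As an added illustration of the filter-DLL route joe describes (example code written for this edit, not joe's code and not a Microsoft sample), here is a minimal LSA password filter that rejects passwords shorter than 15 characters for a set of privileged accounts and lets every other account fall through to the normal domain policy. The exported entry points PasswordFilter and InitializeChangeNotify are the real LSA notification-package interface; the hard-coded list of privileged account names, the test helper filter_accepts and the non-Windows stand-in typedefs are assumptions made so the policy logic can be built and checked off a DC. A production filter would resolve group membership instead of naming accounts, must export the two names undecorated (a .def file or equivalent), and has to be registered under the LSA Notification Packages value on every DC, as joe notes.

```c
/*
 * Added example: minimal LSA password filter enforcing a 15-character
 * minimum for privileged accounts only.  On Windows this builds as the DLL
 * LSASS loads on each DC; elsewhere it builds against stand-in types so the
 * decision logic can be unit-tested.  Nothing about the password is stored.
 */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>      /* UNICODE_STRING / PUNICODE_STRING for the filter interface */
#define FILTER_API __declspec(dllexport) BOOLEAN __stdcall
#else
#include <stdint.h>
typedef uint16_t WCHAR;    /* UTF-16 code unit, as on Windows (assumption for off-DC builds) */
typedef unsigned char BOOLEAN;
typedef struct {
    unsigned short Length;         /* in BYTES, not characters */
    unsigned short MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#define TRUE 1
#define FALSE 0
#define FILTER_API BOOLEAN
#endif

#define PRIVILEGED_MIN_LENGTH 15   /* the 15-character rule from the thread */

/* Constructed placeholder (assumption): real code would check group membership. */
static const char *const privileged_accounts[] = { "Administrator", "da-alice", "svc-backup" };

static WCHAR ascii_lower(WCHAR c)
{
    return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + ('a' - 'A')) : c;
}

/* Case-insensitive comparison of a UNICODE_STRING against an ASCII name. */
static int name_equals(const UNICODE_STRING *u, const char *ascii)
{
    size_t n = u->Length / sizeof(WCHAR), i;
    if (n != strlen(ascii))
        return 0;
    for (i = 0; i < n; i++)
        if (ascii_lower(u->Buffer[i]) != ascii_lower((WCHAR)(unsigned char)ascii[i]))
            return 0;
    return 1;
}

static int is_privileged_account(const UNICODE_STRING *account)
{
    size_t i;
    for (i = 0; i < sizeof privileged_accounts / sizeof privileged_accounts[0]; i++)
        if (name_equals(account, privileged_accounts[i]))
            return 1;
    return 0;
}

/* LSA calls this once when the package loads; nothing to initialise here. */
FILTER_API InitializeChangeNotify(void)
{
    return TRUE;
}

/*
 * LSA calls this for every password change or reset before committing it.
 * TRUE accepts the password, FALSE rejects it.  Length is in bytes, so the
 * character count is Length / sizeof(WCHAR).  The clear text is examined
 * here and then forgotten: no log, no tally, no copy.
 */
FILTER_API PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                          PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    size_t chars = Password->Length / sizeof(WCHAR);
    (void)FullName;
    (void)SetOperation;    /* applies to user changes and admin resets alike */
    if (!is_privileged_account(AccountName))
        return TRUE;       /* ordinary users: the domain policy already covers them */
    return chars >= PRIVILEGED_MIN_LENGTH ? TRUE : FALSE;
}

/* Test helper (assumption, not part of the LSA interface): drive the filter
 * with ASCII inputs and report 1 if the password was accepted. */
int filter_accepts(const char *account, const char *password)
{
    WCHAR abuf[64], pbuf[256];
    UNICODE_STRING a, p;
    size_t i, alen = strlen(account), plen = strlen(password);
    if (alen > 64 || plen > 256)
        return 0;
    for (i = 0; i < alen; i++) abuf[i] = (WCHAR)(unsigned char)account[i];
    for (i = 0; i < plen; i++) pbuf[i] = (WCHAR)(unsigned char)password[i];
    a.Buffer = abuf; a.Length = a.MaximumLength = (unsigned short)(alen * sizeof(WCHAR));
    p.Buffer = pbuf; p.Length = p.MaximumLength = (unsigned short)(plen * sizeof(WCHAR));
    return PasswordFilter(&a, &a, &p, FALSE) == TRUE;
}
```

The decision rests solely on the Length field of the UNICODE_STRING, and the function returns without retaining anything, which is joe's point about not keeping a per-user tally of lengths. Because the same DLL runs inside LSASS on every DC, any bug or slow path here blocks password changes domain-wide, so the body is kept deliberately small.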
Re: [ActiveDir] Seperate Administrator password policy
I know we've provided support for multiple password policies for different users of the same domain for at least one customer with our P-Synch product. Our customer in this case was doing more or less the same thing as you are asking about -- stronger password complexity rules for admin users, without needing a separate domain. I think they had more requirements than just password length, but that's really a minor detail. Joe mentioned using a password filter DLL to do this, which is precisely where we are hooking in.

That said, maybe you should first consider what the underlying business problem is that you're trying to address? If it's more controlled and secure access to admin passwords, perhaps you should look at totally different approaches to managing administrator access, other than simply longer, but still static, passwords. Also, does the underlying business driver pertain just to AD, or should you be thinking about other systems in your environment?

One method is to periodically (frequently) randomize each and every admin password, and have admins go through a central choke point (e.g., web app) to access the admin passwords if and when they need them, as opposed to having a bunch of well-known admin passwords out there. There are products to do this (and yes, we make one too).

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Thu, 31 Aug 2006, Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote:

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Seperate Administrator password policy
> of plans to allow setting password policies at the OU level

What would be the direction they'd go to implement this? Since the setting is in the computer section of the GPO, it seems to offer all the functionality one should expect. And in fact, it is applicable at the OU level and it applies to computers [1]. It seems that the major reason people want to be able to set the policy at the OU level is so that it applies to users. The issue is that it's a computer setting, not a user setting. IMHO, the only way to allow different password policies for different users is to move the settings to the user section of the GPO.

[1] It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs. I assume it was done to avoid a situation where two DCs could have different policies applied to them and, depending on what DC handled your password change, you would be subject to different rules. If that's the case, I can't say I'm a big fan of illogical hacks to help out less-clueful admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 31, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

Agree, a separate domain is certainly a very high price to pay; it'll cause ongoing headaches with very little benefit. Other companies add requirements for smartcard logons for Admins or also solve it via organizational rules as mentioned by ZV. I've heard of plans to allow setting password policies at the OU level for Longhorn AD, which is due out mid next year. This could be wishful thinking (has been a request for quite some time), but I hope they make it.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 31, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs. Having thought about this quite a bit in the past, my personal preference would be to handle this outside of the GPOs for several reasons. Some of the reasons off the top of my head:

o I never really liked policy items that simply made changes in AD and then the changes to the policy were simultaneously moving through AD replication and GPO replication. It is illogical. Either prevent the attributes from replicating in AD or don't replicate them through group policy; pick one. Preferably, IMO, get them out of the group policy and use a standard LDAP attribute on the required objects.

o If you leave the world of the GPO I think you get more flexible, as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users, which would be great for, say, service IDs or admin IDs.

o It removes you from the complexity and confusion between the member password policies and domain password policies, which even now is still a huge topic for questions in the newsgroups and here.

o You don't get people trying to apply different password policies to different domain controllers. I would like this executed for all domain/domain controller security settings in general, actually.

From the standpoint of speed/perf, I am not sure if it makes sense to have an "assemble the final policy on the fly" mechanism here. From a perf standpoint I don't think you want to be having to do the logic to combine multiple password policies into one policy for every password change (which would be the case if you go to the user granularity level) and instead would just have an override mechanism. You can do this with regular GPOs because the clients individually are processing them, not the DCs. So for this, you would want to use the closest policy to the user as the one applied.

The alternative here is if there was a built-in inheritance flow-down model like there is for ACLing, where you can simply look at the one object and know exactly what the password policy is, whether the settings were higher up or directly on the object, just like you can with ACLs. Either way, you need to be able to do a very simple query and very simple processing and get the decision for what the policy should be for the user. This isn't a good place in the code to be just hanging out trying to figure out what to do for a while.

Using groups could be troublesome: what is the override mechanism, which group is more important if there are policies on 10 groups you are in?

Whatever ends up getting done for password policy would be nice to see on Kerberos and lockout policy as well. You shouldn't hopefully need to do it much with the former, but there are times where I wish I had it available because the only other option was to open the policy for the entire domain regardless of the stupidity of the idea from a security standpoint.

This has been a discussion point inside of MSFT for quite a long time now and I can assure you that anything that gets implemented/released went through considerable discussion by the developers inside of MSFT and to people outside of MSFT.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Friday, September 01, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
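To make joe's "closest policy to the user wins" rule concrete, here is an added example (written for this edit; not code from joe, from Microsoft, or from any product named in the thread) that resolves the effective minimum password length for a user from policies linked either to containers or directly to the user object, by taking the matching link with the longest DN. The policy table and every DN in it are constructed sample data, and the function name effective_min_length is an assumption.

```c
/*
 * Added example: "closest link wins" resolution of a per-user password
 * policy, the override model joe prefers over merging policies on the fly.
 * A policy may be linked to the domain, to an OU, or to the user itself;
 * the link with the longest DN that contains the user is the one applied.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

struct pwd_policy {
    const char *link_dn;   /* container or user object the policy is linked to */
    int min_length;        /* the only setting modelled here */
};

/* Constructed sample directory (assumption): a domain default, an admin OU
 * with the 15-character rule, and a service account with its own link. */
static const struct pwd_policy policies[] = {
    { "DC=corp,DC=example",                            8 },
    { "OU=Admins,OU=EMEA,DC=corp,DC=example",         15 },
    { "CN=svc-backup,OU=Services,DC=corp,DC=example", 25 },
};

/* DNs compare case-insensitively in AD, so do the same here. */
static int ci_eq(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* True when dn is the link itself or lies somewhere below it.  The link must
 * start right after a comma so "OU=Admins" never covers "OU=NotAdmins". */
static int dn_under(const char *dn, const char *link)
{
    size_t dl = strlen(dn), ll = strlen(link);
    if (dl == ll)
        return ci_eq(dn, link, ll);
    if (dl < ll + 1 || dn[dl - ll - 1] != ',')
        return 0;
    return ci_eq(dn + (dl - ll), link, ll);
}

/* One pass over a small table: the longest matching link DN is the closest
 * policy and therefore the one in force.  Returns -1 if nothing covers the user. */
int effective_min_length(const char *user_dn)
{
    size_t i, best_len = 0;
    int best = -1;
    for (i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        size_t ll = strlen(policies[i].link_dn);
        if (dn_under(user_dn, policies[i].link_dn) && ll > best_len) {
            best_len = ll;
            best = policies[i].min_length;
        }
    }
    return best;
}
```

Because a single scan of a short table decides the answer, this meets joe's requirement that the DC do only a very simple query and very simple processing at password-change time; his flow-down alternative would amount to precomputing this result and stamping it on each object as an attribute, the way effective ACLs already are. The comma-boundary check in dn_under is the detail that matters: a plain suffix match would let a policy on one OU leak onto any sibling whose name happens to end the same way.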
RE: [ActiveDir] Seperate Administrator password policy
A few comments, in no particular order.

> I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs

Well sure; it doesn't take a visionary to see how this could be done. ;) See LDAP policies for one such example (though by no means the only choice; in fact, not how I would do it). I would point out that if you pulled out password policy, it would make sense to pull out all policy dependencies in AD itself so as to fully separate the relationship, that is, AD and associated components (SAM, Kerberos, etc.) do not depend on policy application for anything.

> If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs

Well, yea. I mean, this is the DCR that we've been asked for over and over for like 5 years. While there are many ways to achieve it (group memberships, direct links from the user parent containers, etc.) the net net is the same.

> From the standpoint of speed/perf, I am not sure if it makes sense to have an "assemble the final policy on the fly" mechanism here

[efleis snip of the rest of the paragraph, but I'm commenting on it all]

The reality is that I don't think most orgs will have thousands of password policies, so the merging is likely not all that bad. And the # of settings is low. That said, I'm still against this as it seems uber inconsistent to me and very error prone.

> Using groups could be troublesome, what is the override mechanism, which group is more important if there are policies on 10 groups you are in?

This is a trivially solvable problem; I'm not worried about this. On the larger point of the right way to skin this cat, I actually disagree. I am for groups for the same reason I'm for them in the RODC PRP scenario. Again, there are a great many orgs where you have OUs separated by many things, say geographical location, and now want to make an OU-separated set of lower-priv admins have some special password policy (imagine the regional admins scenario for a customer who has OUs separated by location). I really think the argument is very much the same as RODC PRP use of groups; we don't want to push an OU model here. I'm typically against building features in such a way that they dictate a specific OU model to use them, as that could fly directly in the face of the logic you used for your existing OU model.

> It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs. I assume it was done to avoid a situation where two DCs could have different policies applied to them and depending on what DC handled your password change, you would be subject to different rules.

Yes, that's why. In fact, there were some way early win2k bugs that yielded just this (like pre-SP1 if I remember right, or maybe even as late as SP1, I'm not sure).

> If that's the case, I can't say I'm a big fan of illogical hacks to help out less-clueful admins.

I love this sentence. :)

~E

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 01, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
Third-party software could be an option, for example: http://www.anixis.com/products/ppe/default.htm

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy
Re: [ActiveDir] Seperate Administrator password policy
Would it be easier just to ask them to use 15 characters? Run a small script to check on the numbers of characters after the passwords have been changed. If under 15 then ask them to change it again.
-Z.V.

Almeida Pinto, Jorge de wrote: third party software could be an option for example: http://www.anixis.com/products/ppe/default.htm
RE: [ActiveDir] Seperate Administrator password policy
We are still testing PassFiltPro software (http://www.altusnet.com/products/) which supposedly has the ability with one of its versions (MPE) to enforce different password policies based on global groups. This is mentioned only for information, not endorsement, at this time.
Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
I thought about that, but that does not prohibit you from setting a password less than 15 characters. I thought about setting it up to run on a changenotify event and then if the length was less than 15, disable the account, but I think that is a bit harsh. I don't know of a way of stopping the setting of a password less than 15 characters without an actual subdomain. That PPE looks like it would do the trick, but I don't think we are being given third party tools to implement this security measure.
Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 31, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
Re: [ActiveDir] Seperate Administrator password policy
Make everyone use 15 character passwords?
Mark

-Original Message-
From: Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED]
Date: Thu, 31 Aug 2006 08:15:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
Agree, a separate domain is certainly a very high price to pay; it'll cause ongoing headaches with very little benefit. Other companies add requirements for smartcard logons for Admins or also solve it via organizational rules as mentioned by ZV. I've heard of plans to allow setting password policies at the OU level for Longhorn AD, which is due out mid next year. This could be wishful thinking (has been a request for quite some time), but I hope they make it.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 31, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
Don't think that auto disabling them when they don't follow your organizational rules is too harsh. They will be certain to follow the rule in the future.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
No, just administrator accounts.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, August 31, 2006 8:57 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
Especially if you have a Premier account be sure to ask your TAM or MS contact to provide some business justification to this DCR so it gets as much traction as possible.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 31, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
"but I don't think we are being given third party tools to implement this security measure"
if you are talking the money the third party tool cost (don't know its price) but implementing a child domain isn't free also, you would at least need 2 DCs and you need to manage them, like backups, patching and all that other stuff
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
If you are up to writing a change notify function, why not just write a password filter and look up the account and reject the change? Actually if you follow good processes and have a second ID for the administrator accounts you can pick some prefix character and any ID that comes through with that prefix can be forced to 15 characters and you don't have to look anything up.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
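The prefix-based password filter joe describes above, as an added example (not code from the thread or from any product named in it). It assumes an admin naming convention with an "adm-" prefix, which is an assumption, not something from the thread; the portable part is the decision logic, and the Windows exports at the bottom are the entry points LSA calls for a registered filter DLL.

```c
/* Added example, not code from the thread or from any product it names.
 * Accounts whose sAMAccountName carries an agreed admin prefix must use at
 * least 15 characters; everyone else stays on the normal domain policy.
 * The portable part compiles anywhere; the Windows exports are only built
 * on Windows, where LSA calls them for every password set or change. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#define ADMIN_PREFIX     L"adm-"   /* assumed naming convention, not from the thread */
#define ADMIN_MIN_LENGTH 15        /* the 15-character rule the thread discusses */

/* Returns 1 when the account name starts with the admin prefix (case-insensitive),
 * so no directory lookup is needed inside the filter.
 * name_len is a character count, not a byte count. */
int is_admin_account(const wchar_t *name, size_t name_len)
{
    const wchar_t *p = ADMIN_PREFIX;
    size_t plen = wcslen(p);
    if (name == NULL || name_len < plen)
        return 0;
    for (size_t i = 0; i < plen; i++) {
        if (towlower(name[i]) != towlower(p[i]))
            return 0;
    }
    return 1;
}

/* Decides whether a proposed password may be accepted for this account.
 * Only the length is inspected; the password is never copied, logged or
 * stored, which is the one invariant a filter must keep because it sees
 * the plaintext before it is hashed. */
int password_acceptable(const wchar_t *name, size_t name_len,
                        size_t password_len)
{
    if (!is_admin_account(name, name_len))
        return 1;                       /* domain policy applies unchanged */
    return password_len >= ADMIN_MIN_LENGTH;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* LSA calls this once when the DLL is loaded; TRUE enables the filter. */
BOOLEAN WINAPI InitializeChangeNotify(void)
{
    return TRUE;
}

/* Called before a password set/change is committed. UNICODE_STRING.Length
 * is in bytes, so divide by sizeof(WCHAR) to get the character count the
 * policy talks about. Returning FALSE rejects the change as not meeting
 * policy; the rule is applied to admin resets and user changes alike. */
BOOLEAN WINAPI PasswordFilter(PUNICODE_STRING AccountName,
                              PUNICODE_STRING FullName,
                              PUNICODE_STRING Password,
                              BOOLEAN SetOperation)
{
    (void)FullName;
    (void)SetOperation;
    if (AccountName == NULL || Password == NULL)
        return FALSE;
    return password_acceptable(AccountName->Buffer,
                               AccountName->Length / sizeof(WCHAR),
                               Password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}

/* Called after a change is committed. Nothing to do here; in particular
 * NewPassword must never be written anywhere. */
NTSTATUS WINAPI PasswordChangeNotify(PUNICODE_STRING UserName,
                                     ULONG RelativeId,
                                     PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS */
}
#endif
```

A DLL exporting these three functions has to be present and registered under the Lsa\Notification Packages value on every domain controller, since whichever DC services the change is the one that runs the filter.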
Re: [ActiveDir] Seperate Administrator password policy
No that's what I meant - make them all 15 character passwords.

-Original Message-
From: Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED]
Date: Thu, 31 Aug 2006 09:31:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
I agree to Za, but adjust the script so that it automatically locks the account should it not be 15 characters long; then they have to change it. Just an idea from a newbie.
Kat

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, 31 August 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy
RE: [ActiveDir] Seperate Administrator password policy
How are you guys checking password length after the fact?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Thursday, August 31, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy