Announcement

Collapse
No announcement yet.

Question about GP Complex Password option

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Question about GP Complex Password option

    We're implementing Group Policies in our Win2k Active Directory domain. We'd like to implement the forced password complexity policy, but, how does Windows 2000 Server define a "complex" password? I can't find details about this.

    Microsoft's support page suggests enabling the policy. The policy is an "On / Off" setting without an option to set what our agency can define as Complex.

    So my question is: If I enable this policy, what is the server going to require of a password to consider it complex? Letters, Numbers and a Symbol? Capitals, Lower case, Numbers and Symbols? Letters and numbers only? (I've even thumbed through some of our paper reference guides without any explanation.)

    Thanks for your assistance, folks!

  • #2
    Re: Question about GP Complex Password option

    Check out this link:
    http://msdn.microsoft.com/library/de...-us/gp/504.asp

    "The default password filter (passfilt.dll) included with Windows 2000 requires that a password:

    * Does not contain all or part of the user's account name
    * Is at least six characters in length
    * Contains characters from three of the following four categories:
    o English upper case characters (A..Z)
    o English lower case characters (a..z)
    o Base 10 digits (0..9)
    o Nonalphanumeric (For example, !,$#,%)

    Complexity requirements are enforced upon password change or creation."

    msdn.microsoft.com

    Hope that helps

    Cheers
    Backspace
    Hindsight is 20/20 foresight is what matters

    Comment


    • #3
      Re: Question about GP Complex Password option

      Hi braytonak,
      The simple way to remember about complexity of password is that your password should be equal or greater than 7 characters. It should composed of three combinations out of four described below
      1- Small aphabats
      2- Capital Alphabats
      3- numerals
      4- special charaters

      so your password should be of 7 characters or more than 7 and it should be combination of 3 out of 4
      Regards

      Comment


      • #4
        Re: Question about GP Complex Password option

        Originally posted by backspace View Post
        Check out this link:
        http://msdn.microsoft.com/library/de...-us/gp/504.asp

        "The default password filter (passfilt.dll) included with Windows 2000 requires that a password:

        * Does not contain all or part of the user's account name
        * Is at least six characters in length
        * Contains characters from three of the following four categories:
        o English upper case characters (A..Z)
        o English lower case characters (a..z)
        o Base 10 digits (0..9)
        o Nonalphanumeric (For example, !,$#,%)

        Complexity requirements are enforced upon password change or creation."

        msdn.microsoft.com

        Hope that helps

        Cheers
        Backspace
        Helps very much. I'll explain it to my director so we can have some whiz-bang fun pissing off our users.

        Comment


        • #5
          Re: Question about GP Complex Password option

          Originally posted by braytonak View Post
          Helps very much. I'll explain it to my director so we can have some whiz-bang fun pissing off our users.
          Remember that nothing will be enforced until they change their passwords.

          Have fun
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: Question about GP Complex Password option

            Why not try it after hours and see what is demanded?

            Living the adventure is far more satisfying than reading about someone else's adventure.
            Cheers,

            Rick

            ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

            Comment


            • #7
              Re: Question about GP Complex Password option

              Originally posted by JeremyW View Post
              Remember that nothing will be enforced until they change their passwords.

              Have fun
              Which is exactly what we want. I can only imagine how fast our entire department would be hung in a public viewing if everyone were immediately forced to update their passwords. Ha!

              Comment


              • #8
                Re: Question about GP Complex Password option

                Originally posted by rvalstar View Post
                Why not try it after hours and see what is demanded?

                Living the adventure is far more satisfying than reading about someone else's adventure.
                Because it's easier to ask the nice people here.

                We're actually using a test OU so we can verify that the policies actually work before deploying them.

                Comment


                • #9
                  Re: Question about GP Complex Password option

                  Originally posted by braytonak View Post
                  Because it's easier to ask the nice people here.

                  We're actually using a test OU so we can verify that the policies actually work before deploying them.
                  We may be nice ('cept Biggles77 -- unless "you" are a "ewe") but we're not a substitute for reality. If we were, you would gladly enter your MC, Visa, American Express number at logon.

                  Do let us know what your testing reveals.
                  Cheers,

                  Rick

                  ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

                  2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

                  Comment


                  • #10
                    Re: Question about GP Complex Password option

                    Originally posted by braytonak View Post
                    We're actually using a test OU so we can verify that the policies actually work before deploying them.
                    Sorry but that won't work. It's an all or none setting for a domain and the GPO must be linked to the domain level. Otherwise you're just affecting the local SAM on workstations and member servers, not domain accounts.
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com

                    Comment


                    • #11
                      Re: Question about GP Complex Password option

                      Originally posted by rvalstar View Post
                      We may be nice ('cept Biggles77 -- unless "you" are a "ewe").
                      Thank you Rick, Rep Points for the nice words.

                      Again a good pickup Jeremy. Passwords are affected Domain wide and can not be isolated to an OU.
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2

                      Comment


                      • #12
                        Re: Question about GP Complex Password option

                        If a little sheepish disrespect gets me rep pts, I'll have to consider it more often.
                        Cheers,

                        Rick

                        ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

                        2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

                        Comment


                        • #13
                          Re: Question about GP Complex Password option

                          Originally posted by JeremyW View Post
                          Sorry but that won't work. It's an all or none setting for a domain and the GPO must be linked to the domain level. Otherwise you're just affecting the local SAM on workstations and member servers, not domain accounts.
                          Ah! Thanks for pointing that out. I guess we'll just have to apply it. Enforcing this policy is something I wanted to do and it doesn't appear to be harmful to do it all at once. (We just need to forewarn the users.) My director is the one who wanted to actually do it "in batches". Since it doesn't bother the users until they change their password, it could take up to 45 days for someone to comply. No mass hysteria.

                          Again, thanks for your input.

                          Comment


                          • #14
                            Re: Question about GP Complex Password option

                            Originally posted by braytonak View Post
                            Ah! Thanks for pointing that out. I guess we'll just have to apply it. Enforcing this policy is something I wanted to do and it doesn't appear to be harmful to do it all at once. (We just need to forewarn the users.) My director is the one who wanted to actually do it "in batches". Since it doesn't bother the users until they change their password, it could take up to 45 days for someone to comply. No mass hysteria.

                            Again, thanks for your input.
                            No it won't.

                            You can get ADModify and set everyone to changes there passwords at next logon.

                            Job done.

                            Its going to happen at some ppoint so take the hit for it all at once.

                            Rememebr the big tub of vaseline for when the MD's needs changed though

                            Comment

                            Working...
                            X