
Password Policy Manager

We have installed the Password Policy Manager on one DC in our organization for testing the Dictionary Rule. We only want to use that option in the Policy Rules, and only to look at the Dictionary after it checks against our AD policies. The problem I am having is, if I put a password in the dictionary that I want to test, it will take the password. I choose a password I know will get past our AD rules, but we want it to be stopped when it hits the dictionary. But it's not.


For the Password Policy Manager to work, do we need it installed on all DCs? The reason I ask is because we have 6 more DCs that do not have the Policy Manager installed.


Thank you,

Wade

  • The Password Manager feature for advanced Password Complexity Policy does create an AD GPO and overwrites the native AD GPO Password Complexity Policy. The feature introduces a dependency and change control against all DCs: the PM module msi must be installed on all DCs (to update the core AD password module according to MSFT technology). I always recommend my customers to consider the deployment of the feature keeping in mind the dependency, while you may deploy Password Manager without the feature. In general, "external" legal compliance requirements might dictate the deployment of the feature.
  • Thanks for the reply. I was given this project second hand and just starting my new role as Jr. Sys Admin and I am not sure if I am following you correctly. Please correct me if I am off on the below.

    So if I read this right when we decide to use Quest's Password Policy it will overwrite what we set in AD?

    Complexity Policy do you mean the Password Policy as a whole or just that option in the Policy properties?

    We want to keep our current AD Policy but use the Dictionary Rule of Quest and that is it. None of the other rules do we want to use since we have those already set in AD.

    So what we want from this software is the Self-Service option to unlock from the login screen, which is kind of working now. And we also want to use the dictionary rule alone for password-related information. Can this be done without messing up the AD-set policies?

    Again, sorry to sound ignorant, but what they were told when they were sold on it does not seem to be the case, other than the ability to unlock your own account from the login screen.
  • Unfortunately, I cannot comment on all your questions, because the complexity of the subject cannot fit in the "narrow" format of the forum, and I recommend you engage PSO.
    Password Manager has these major features:
    (a) Forgot Password via Secured Q/A Authentication (Server side)
    (b) Change Password via current AD password Authentication (Server side)
    (c) Unlock via Secured Q/A Authentication (Server side)
    (d) (ex-GINA) Windows logon screen button to (a) (PC client side, deployed via AD GPO)
    (e) Reset Cached Password Credentials (PC client side, deployed via AD GPO)
    (f) Password Granular Complexity Policy (segregation per OU, AD\group) (AD side – GPO, msi installed on all DCs)
    (g) Notifications (email: enroll, password will expire in X days etc…)
    (h) Reporting / Audit (SSRS)
    (i) Custom scripting on top of Password manager Engine
  • It was very helpful. I was talking to my Director and we may just move over to PM to take care of all password requirements. What we have set in AD can all be set in PM anyway. The only thing I am worried about is that we want to test this and I am not sure how to do that without messing with all users. I am guessing that is what the Allowed groups and OUs are for. I hope I don't break anything, because they will not be happy and I will be in a bad spot. Thank you for your help.
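The first reply's point is that a Windows password filter only runs on the DC that happens to process a password change, so a filter installed on one DC out of seven lets dictionary words through on the other six. The script below is an added example, not the thread's or Quest's code: it lists every DC in the domain and checks whether the filter DLL is registered in LSA's "Notification Packages" value. The DLL base name in $FilterName is a placeholder; the installer's documentation gives the real one.

```powershell
# Added example (not from the thread or from Quest): report which DCs have the
# password filter registered. LSA loads "Notification Packages" at boot, so a
# DC that lacks the entry (or was never rebooted after install) enforces nothing.
# $FilterName is a PLACEHOLDER; use the DLL base name (no .dll) the msi registers.
param(
    [string]$FilterName = 'PLACEHOLDER_PasswordFilter'
)

Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # Notification Packages is REG_MULTI_SZ; it comes back as a string array.
        $packages = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name 'Notification Packages').'Notification Packages'
        } -ErrorAction Stop
        [pscustomobject]@{
            DC         = $dc
            Registered = ($packages -contains $FilterName)
            Packages   = ($packages -join ', ')
        }
    } catch {
        # Unreachable DC: report it rather than silently treating it as compliant.
        [pscustomobject]@{
            DC         = $dc
            Registered = $null
            Packages   = "ERROR: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize

# Any DC without the filter will accept passwords the dictionary rule should reject.
$missing = $results | Where-Object { $_.Registered -ne $true }
if ($missing) {
    Write-Warning "Filter not registered (or DC unreachable): $($missing.DC -join ', ')"
}
```

Run it from a workstation with the RSAT ActiveDirectory module and WinRM access to the DCs; a DC that shows the entry but was not rebooted after the msi install still needs a restart before the filter is loaded.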