On Thu, Aug 26, 2010 at 12:16 PM, Ken Schaefer <k...@adopenstatic.com> wrote:
>> I'm just saying it might be useful to have an additional option for
>> password policy, where the system would check an accepted password at
>> logon and force a change if the password does not meet current policy.
>
> Unfortunately, this is not so simple to implement. You can use the
> 'store passwords using reversible encryption' option ...

  No, that's something else.  That would enable auditing of complexity
on an on-demand basis (at the cost of persistent storage of the
cleartext, as you note), but I'm talking about at logon only.  That
is:

  When a user logs on, the client has the cleartext of the password.
The client currently just hashes it and sends it to the DC for
authentication.  But the client could also check that cleartext
against current password policy (assuming the DC validates the
password, of course), and force a password change if the cleartext
does not meet current policy.  It would depend on the client for
enforcement (the DC can't do anything), but I would think that would
be pretty effective in many organizations.

  Or am I missing something?

-- Ben
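
The logon-time check proposed above, as an added sketch that is not part of the original message or of any Windows component. The policy values, account layout and function names are assumptions, and PBKDF2 stands in for the real authentication exchange.

```python
import hashlib
import hmac
import os

# Hypothetical "current" policy; values are constructed for this sketch.
POLICY = {"min_length": 12, "min_classes": 3}

def derive(password: str, salt: bytes) -> bytes:
    """One-way derivation. The DC side stores only this, never the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> dict:
    """Simulate an account whose password was set under some earlier policy."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(password, salt)}

def dc_validates(account: dict, presented: bytes) -> bool:
    """DC side: it can compare derived values but cannot judge complexity."""
    return hmac.compare_digest(presented, account["verifier"])

def policy_failures(password: str, policy: dict) -> list:
    """Client side: evaluate the cleartext, which only the client holds."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("too_short")
    if classes < policy["min_classes"]:
        failures.append("too_few_character_classes")
    return failures

def client_logon(account: dict, password: str, policy: dict = POLICY) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    # Authenticate first: the policy result is computed only for a password
    # the DC accepted, so a wrong guess learns nothing about the policy.
    if not dc_validates(account, derive(password, account["salt"])):
        return "denied"
    # The cleartext is still in client memory at this point and is not stored.
    if policy_failures(password, policy):
        return "change_required"
    return "ok"
```

Enforcement here lives entirely in client_logon, which matches the caveat in the message that the DC cannot do this check itself.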
