Actually (for the most part) the client is aware as typically that same group 
policy also applies to the local SAM on the machine. Additionally, anyone who 
can do an LDAP bind (so any valid domain account) to a DC in the domain can 
read the password policy right off the domain NC head object.

When you use FGPPs in WS08+ then you're getting into a whole different 
ballgame of computing this, though, and all this doesn't apply.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132
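The policy attributes Brian mentions as readable off the domain NC head (minPwdLength, pwdHistoryLength, pwdProperties, maxPwdAge, minPwdAge) are enough to do the kind of client-side compliance check Ben describes further down. The following is an added example, not code from anyone on this thread: it takes those attributes as an LDAP read would return them (the values below are constructed, not from a live DC) and evaluates a cleartext password against the length and default complexity rules. The complexity logic is a simplified version of the documented Windows filter (3 of 4 character classes; the fifth Unicode-alphabetic class is omitted), which is an assumption of this example.

```python
"""Evaluate a cleartext password against an AD domain password policy.

Added example, not from the thread. Attribute names are the real ones on
the domain NC head; the values in SAMPLE_POLICY are constructed.
"""
import re
from datetime import timedelta

# pwdProperties bit flags (real values)
DOMAIN_PASSWORD_COMPLEX = 0x1
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10

# Constructed sample of what an LDAP read of the domain NC head returns.
# maxPwdAge / minPwdAge are stored as negative 100-nanosecond intervals.
SAMPLE_POLICY = {
    "minPwdLength": 12,
    "pwdHistoryLength": 24,
    "pwdProperties": DOMAIN_PASSWORD_COMPLEX,
    "maxPwdAge": -36288000000000,   # 42 days
    "minPwdAge": -864000000000,     # 1 day
}

# displayName delimiters used by the Windows complexity filter
_DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def parse_policy(raw):
    """Normalise raw LDAP attribute values (str/bytes/list) to ints."""
    policy = {}
    for attr, value in raw.items():
        if isinstance(value, list):
            value = value[0]
        if isinstance(value, bytes):
            value = value.decode("ascii")
        policy[attr] = int(value)
    return policy


def interval_to_timedelta(value):
    """Convert an AD negative 100-ns interval (e.g. maxPwdAge) to a timedelta."""
    return timedelta(microseconds=abs(value) // 10)


def complexity_violations(password, sam_account_name="", display_name=""):
    """Simplified Windows complexity rules; returns a list of reasons (empty == OK)."""
    reasons = []
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        reasons.append("fewer than 3 of 4 character classes")
    lowered = password.lower()
    # samAccountName is checked whole, case-insensitively, if it is >= 3 chars
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append("contains samAccountName")
    # displayName is split on delimiters; tokens shorter than 3 chars are ignored
    for token in _DISPLAY_NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains displayName token '{token}'")
    return reasons


def check_password(policy, password, sam_account_name="", display_name=""):
    """Return the list of policy violations for a cleartext password (empty == compliant)."""
    problems = []
    if len(password) < policy["minPwdLength"]:
        problems.append(f"shorter than minPwdLength={policy['minPwdLength']}")
    if policy["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX:
        problems.extend(complexity_violations(password, sam_account_name, display_name))
    return problems


if __name__ == "__main__":
    print("maxPwdAge:", interval_to_timedelta(SAMPLE_POLICY["maxPwdAge"]))
    for pw in ("Summer2010!!", "summer2010"):
        print(pw, "->", check_password(SAMPLE_POLICY, pw, "jdoe", "Doe, John") or "compliant")
```

As Andrew and Brian both note, a check like this is advisory only: the DC validates the hash and will not reject an old, now-non-compliant password at logon, so the client can at most prompt for a change. The value for a defender is in auditing drift after a policy tightening, not in enforcement.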

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, August 26, 2010 12:19 PM
To: NT System Admin Issues
Subject: Re: Minimum password length GPO

The client is not the one that does password policy enforcement normally.  It 
is the DC that does it, which is why it's done at the time the password is 
changed.

Currently, the client is not even aware of what the policy is for passwords.  
This would be quite a bit of change, and not necessarily trivial.

And I wouldn't want any of this processing to be moved client-side, as that 
would make it easy for an attacker to determine what the password criteria are.


ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...



On Thu, Aug 26, 2010 at 12:33 PM, Ben Scott 
<mailvor...@gmail.com<mailto:mailvor...@gmail.com>> wrote:
On Thu, Aug 26, 2010 at 12:16 PM, Ken Schaefer 
<k...@adopenstatic.com<mailto:k...@adopenstatic.com>> wrote:
>>I'm just saying it might be useful to have an additional option for password 
>>policy,
>> where the system would check an accepted password at logon and force a change
>> if the password does not meet current policy.
>
> Unfortunately, this is not so simple to implement. You can use the 'store 
> passwords
> using reversible encryption' option ...

No, that's something else.  That would enable auditing of complexity
on an on-demand basis (at the cost of persistent storage of the
cleartext, as you note), but I'm talking about at logon only.  That
is:

When a user logs on, the client has the cleartext of the password.
The client currently just hashes it and sends it to the DC for
authentication.  But the client could also check that cleartext
against current password policy (assuming the DC validates the
password, of course), and force a password change if the cleartext
does not meet current policy.  It would depend on the client for
enforcement (the DC can't do anything), but I would think that would
be pretty effective in many organizations.

Or am I missing something?

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~