Re: [ActiveDir] Enabling Password must meet complexity requirements
On Wed, 23 Mar 2005 15:31:23 -, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> As Jorge stated, these 3rd party tools copy the pw hash and not the password
> itself (for obvious reasons). The receiving DC is unable to determine if this
> hash conforms to the pw policy or not and so the hash is always permitted
> (even if corresponding to a blank pw).
>
> I have used the Quest/Aelita toolset and the above was certainly found to be
> true.

Interesting. I wonder how long the Quest tool has been doing that, and I wonder if that's been available in the latest NetIQ tools and I just didn't know. I know for sure that it wasn't available in older versions and I haven't seen anything from NetIQ to say that had changed, but maybe it has.

Phil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Enabling Password must meet complexity requirements
As Jorge stated, these 3rd party tools copy the pw hash and not the password itself (for obvious reasons). The receiving DC is unable to determine if this hash conforms to the pw policy or not and so the hash is always permitted (even if corresponding to a blank pw).

I have used the Quest/Aelita toolset and the above was certainly found to be true.

neil
MVP - dir services

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 23 March 2005 15:18
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enabling Password must meet complexity requirements

On Wed, 23 Mar 2005 08:01:45 -0700, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> Our experience with ADMT v2 (beta) matched what Jorge said...source
> passwords did not have to meet the target requirements when migrated,
> but the next time the migrated user changed passwords the new ones did
> have to meet the target requirements. I'm not sure if this has changed
> in later versions of ADMT.

Interesting that it works for ADMT but NetIQ and Quest haven't been able to build that into their products!

Phil
Re: [ActiveDir] Enabling Password must meet complexity requirements
Hi Phil

I believe the current Quest tool is the old Aelita tool. In the version before they were purchased by Quest, passwords that were migrated completely ignored the password policy of the target domain, even allowing blank passwords to be migrated.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Phil Renouf <[EMAIL PROTECTED]> wrote on 03/23/2005 09:51 AM EST:

On Wed, 23 Mar 2005 14:49:51 +0100, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
> When password complexity is enabled:
> * If you migrate a user from a source domain to the domain with password
> complexity (length, complex, etc.) enabled the password does not need to
> meet the password policy in the DDP GPO (when using ADMT, and also some
> other third party products do this, the password hash is copied so that the
> target DC cannot verify whether the actual password meets the password policy).
> After the user has been migrated and if the option (which by default is
> checked if you use ADMT) that the user must specify a new password at next
> logon, that new password must meet the complexity requirements in the
> password policy in the DDP GPO

I don't know about ADMT and I'm still getting stuff running on my new laptop so I can't test it right now, but with NetIQ (and Quest too I believe, but it's been a while since I used it) the target domain's password policy has to be equal to or more simple than the source domain's password policy. If the target's policy is more complex the password copy will fail and a random complex password will be generated (depending on the options you chose when setting up the migration project). I would be surprised if ADMT was able to get around this; I would expect that when ADMT tried to enable the user it would get an error that the password didn't meet complexity.

Phil
Re: [ActiveDir] Enabling Password must meet complexity requirements
On Wed, 23 Mar 2005 08:01:45 -0700, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> Our experience with ADMT v2 (beta) matched what Jorge said...source
> passwords did not have to meet the target requirements when migrated,
> but the next time the migrated user changed passwords the new ones did
> have to meet the target requirements. I'm not sure if this has changed
> in later versions of ADMT.

Interesting that it works for ADMT but NetIQ and Quest haven't been able to build that into their products!

Phil
RE: [ActiveDir] Enabling Password must meet complexity requirements
Our experience with ADMT v2 (beta) matched what Jorge said...source passwords did not have to meet the target requirements when migrated, but the next time the migrated user changed passwords the new ones did have to meet the target requirements. I'm not sure if this has changed in later versions of ADMT.

Hunter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enabling Password must meet complexity requirements

On Wed, 23 Mar 2005 14:49:51 +0100, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
> When password complexity is enabled:
> * If you migrate a user from a source domain to the domain with
> password complexity (length, complex, etc.) enabled the password does
> not need to meet the password policy in the DDP GPO (when using ADMT,
> and also some other third party products do this, the password hash is
> copied so that the target DC cannot verify whether the actual password meets the password policy).
> After the user has been migrated and if the option (which by default
> is checked if you use ADMT) that the user must specify a new password
> at next logon, that new password must meet the complexity requirements
> in the password policy in the DDP GPO

I don't know about ADMT and I'm still getting stuff running on my new laptop so I can't test it right now, but with NetIQ (and Quest too I believe, but it's been a while since I used it) the target domain's password policy has to be equal to or more simple than the source domain's password policy. If the target's policy is more complex the password copy will fail and a random complex password will be generated (depending on the options you chose when setting up the migration project). I would be surprised if ADMT was able to get around this; I would expect that when ADMT tried to enable the user it would get an error that the password didn't meet complexity.

Phil
Re: [ActiveDir] Enabling Password must meet complexity requirements
On Wed, 23 Mar 2005 14:49:51 +0100, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
> When password complexity is enabled:
> * If you migrate a user from a source domain to the domain with password
> complexity (length, complex, etc.) enabled the password does not need to
> meet the password policy in the DDP GPO (when using ADMT, and also some
> other third party products do this, the password hash is copied so that the
> target DC cannot verify whether the actual password meets the password policy).
> After the user has been migrated and if the option (which by default is
> checked if you use ADMT) that the user must specify a new password at next
> logon, that new password must meet the complexity requirements in the
> password policy in the DDP GPO

I don't know about ADMT and I'm still getting stuff running on my new laptop so I can't test it right now, but with NetIQ (and Quest too I believe, but it's been a while since I used it) the target domain's password policy has to be equal to or more simple than the source domain's password policy. If the target's policy is more complex the password copy will fail and a random complex password will be generated (depending on the options you chose when setting up the migration project). I would be surprised if ADMT was able to get around this; I would expect that when ADMT tried to enable the user it would get an error that the password didn't meet complexity.

Phil
RE: [ActiveDir] Enabling Password must meet complexity requirements
Hi All

Just to add to that. When you change your DDP GPO to specify a stronger password, the stronger password (complexity, password length of 42, whatever you choose) will take effect at the next password change, but will not affect those passwords already in the system. People with passwords set to never expire will never be forced to use complexity. If you want it to take effect immediately, set "Must change password at next logon" for all users when you do the GPO change.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote on 03/23/2005 02:49 PM CET:

Hi,

Password complexity is by default enabled on W2K3 domains and by default disabled on W2K domains. I don't know the exact configuration by heart for each domain but I think you need to specify which occasion.

When password complexity is enabled:
* If you create a user account you need to define a password that meets the password policy in the DDP GPO. If you also specify that the user must specify a password at next logon, the user must also use a password that meets the password policy in the DDP GPO.
* If you migrate a user from a source domain to the domain with password complexity (length, complex, etc.) enabled, the password does not need to meet the password policy in the DDP GPO (when using ADMT, and also some other third party products do this, the password hash is copied so that the target DC cannot verify whether the actual password meets the password policy). After the user has been migrated and if the option (which by default is checked if you use ADMT) that the user must specify a new password at next logon, that new password must meet the complexity requirements in the password policy in the DDP GPO.

As you see, it depends.

Hope this helps

Cheers
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Felzer
Sent: Wednesday 23 March 2005 14:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enabling Password must meet complexity requirements

Does anyone know, if this setting is enabled in the default domain policy, whether my users are going to get prompted to change their passwords immediately if their current password does not meet the complexity requirements? Or will they be forced to use a complex password when they change their passwords?

Thanks
Greg

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Windows Infrastructure and Security Team Leader
Office of the CIO
Medical University of South Carolina
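The "flag everyone to change at next logon" step James describes above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) on a joined machine, rights to modify the accounts, and a made-up policy change date (`$PolicyChangedOn`). It also covers the two account states the thread identifies as slipping past a new policy: passwords set to never expire, and accounts that may carry an unchecked (possibly blank) password from a migration, which the DC cannot evaluate after the fact. Note that Set-ADUser refuses `-ChangePasswordAtLogon $true` while `PasswordNeverExpires` is still set, so that flag is cleared first.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and permission to modify the accounts it touches. Runs with -WhatIf so
# nothing changes until you remove it.
Import-Module ActiveDirectory

# Assumed: the date the stronger password policy was applied to the DDP GPO.
$PolicyChangedOn = Get-Date '2005-03-23'

# 1. Confirm what the effective domain policy actually is before forcing
#    anyone to change; "complexity enabled" is the setting the thread is about.
$Policy = Get-ADDefaultDomainPasswordPolicy
$Policy | Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount
if (-not $Policy.ComplexityEnabled) {
    Write-Warning 'Complexity is not enabled in the default domain policy; nothing to enforce.'
}

# 2. Enabled users whose current password can predate the policy change, or
#    who would never be asked to change it:
#    - PasswordNeverExpires: never hits the "next password change" the policy needs
#    - PasswordNotRequired: the account may legitimately hold a blank password
#    - PasswordLastSet empty/before the change: set under the old (or no) rules,
#      which includes hashes copied in by a migration tool
$Stale = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired |
    Where-Object {
        $_.PasswordNeverExpires -or
        $_.PasswordNotRequired -or
        -not $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $PolicyChangedOn
    }

'{0} account(s) to flag' -f @($Stale).Count
$Stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired |
    Format-Table -AutoSize

# 3. Force the change. Service and application accounts should be excluded
#    here (e.g. by OU or group) before running without -WhatIf, since forcing
#    a change on them just breaks whatever uses them.
foreach ($User in $Stale) {
    # Must be cleared first: ChangePasswordAtLogon cannot be set while
    # PasswordNeverExpires is true. Also drop PasswordNotRequired so a blank
    # password can no longer be set.
    Set-ADUser -Identity $User -PasswordNeverExpires $false -PasswordNotRequired $false -WhatIf
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true -WhatIf
}
```

Run it once with `-WhatIf` and review the table; the new complexity rules are only evaluated at the next password set, so the flag is what actually drags existing (and migrated) passwords under the policy.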
RE: [ActiveDir] Enabling Password must meet complexity requirements
Hi,

Password complexity is by default enabled on W2K3 domains and by default disabled on W2K domains. I don't know the exact configuration by heart for each domain but I think you need to specify which occasion.

When password complexity is enabled:
* If you create a user account you need to define a password that meets the password policy in the DDP GPO. If you also specify that the user must specify a password at next logon, the user must also use a password that meets the password policy in the DDP GPO.
* If you migrate a user from a source domain to the domain with password complexity (length, complex, etc.) enabled, the password does not need to meet the password policy in the DDP GPO (when using ADMT, and also some other third party products do this, the password hash is copied so that the target DC cannot verify whether the actual password meets the password policy). After the user has been migrated and if the option (which by default is checked if you use ADMT) that the user must specify a new password at next logon, that new password must meet the complexity requirements in the password policy in the DDP GPO.

As you see, it depends.

Hope this helps

Cheers
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Felzer
Sent: Wednesday 23 March 2005 14:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enabling Password must meet complexity requirements

Does anyone know, if this setting is enabled in the default domain policy, whether my users are going to get prompted to change their passwords immediately if their current password does not meet the complexity requirements? Or will they be forced to use a complex password when they change their passwords?

Thanks
Greg

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Windows Infrastructure and Security Team Leader
Office of the CIO
Medical University of South Carolina