RE: [ActiveDir] Multiple Password Policies
Title: Unresolved SIDs in ACL

I want to second this statement of Joe. IMHO, to verify the password only the passflt.dll of the DCs needs to be exchanged. Issues here are:
- other modifications of passflt.dll, such as using password synchronization of MIIS SP1
- the stability, since passflt is tied pretty much into the OS
- passflt needs to get the policies from somewhere, probably the registry, since it's a GPO extension

If passflt is not able to retrieve its configuration and is not able to retrieve user properties such as the OU or groups it belongs to right in time, it might not handle this correctly and might put the DC into jeopardy. So it's important to know how all those details are handled. Client side there are probably only extensions of the "password does not meet requirements" dialog box to correctly inform the user what his password requirements are.

Before implementing any application like this in the environment I would ask for a supportability statement from Microsoft PSS; this is a bit too deep into the OS to put your supportability at risk. There is more than one company offering a different passflt, and I do not state that they didn't take care of the issues mentioned above, since I don't know that for sure; however, those are the things I'd check before implementing them into a production environment I'm responsible for.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 2:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies
RE: [ActiveDir] Multiple Password Policies

I have not used or assessed a product like this, but I would guess that a client side GPO extension is required. This may not be feasible in certain environments.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was just asked to look at this application that was recently released: http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It seems like someone did some good programming around the password filter dll concept and then tied it into security groups and GPOs. Has anyone seen this application and what do you guys think about it?

Thanks,
Charlie

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Multiple Password Policies

Ditto what Neil said. These are things you need to test very very very very very much. They are hooked into a very core part of your DCs. You want to really load a DC up and stress test the crap out of the tool to see how it handles things, and try to get as much technical detail as possible.

Since it is sending rule info back to the clients, something will have to be on the clients, which bothers some people; this will be added software to clients as well as possibly servers. Also, how does it handle it if someone scripts a password change or uses something other than the standard Windows GUI to change a password? Do you care?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies
RE: [ActiveDir] Multiple Password Policies

I know these guys at Specopssoft and they have done some cool stuff with GP, but it's not clear to me how this could be accomplished with just some CSEs. This seems like it would require some fiddling at the DCs as well. Maybe one of them is on this list and can elucidate us?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 6:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies
RE: [ActiveDir] Multiple Password Policies

This company doesn't provide a large amount of documentation on how they are doing this password change, but it seems like they are using the MS supported method. As for scripting password resets, I'm very concerned; especially if this gets implemented I will need to see how it will function with test domains. I'm also not a big fan of putting an extra component on everyone's desktop (which you only have to do if you want the end-users to see an accurate password change error if one occurs).

I guess the first question I should have asked is: Has anyone used a password filter dll to create a custom password rule? And if so, have you seen any issues with it?

One thing that is interesting with this application, and something that I'm wary of, is that their GPO adm becomes a component of the Default Domain Policy (due to the domain password policy). I'm not a real big fan of modifying that policy.

Thanks for the input though, I would have overlooked the scripting testing component.

Charlie

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies
RE: [ActiveDir] Multiple Password Policies

Darren, you are correct, as usual when it is anything related to GP :) No, this is not possible to perform using only CSEs; Specops Password Policy uses a Password Filter, as Joe implicitly stated in another post regarding this. I'll keep this post as short as possible and keep sales stuff out, and also try to give some behind-the-scenes info on how password policies are evaluated in AD. If anyone wants more info, just contact me, but I am normally trying not to post product info in newsletters, since I know how annoyed I become when I see that myself.

What happens when a user changes his/her password is that the Domain Controller that the user has a session with (actually this is not always true, it can be another DC sometimes, but it does not really matter) evaluates the password by passing it through one or more so-called Password Filters, to ensure that it meets the requirement of the Security Policy set by the organization. This is actually what happens when using the out-of-the-box domain password policy for AD. You configure it using GP and then this is evaluated using the Password Filter supplied by Microsoft. So what Specops Password Policy adds is a new Password Filter that is evaluated when a user changes the password, in conjunction with the built-in filter, but with for example the possibility to have more than one rule.

The way password filters work, it does not matter if the change is made interactively, using a script, OWA etc.; all changes have to go through the DC, and all installed Password Filters. So this means that there are no ways around the filters.

For any of you that want to really dig into password filters, here is all the info you'll ever need about them: http://msdn.microsoft.com/library/default.asp?url=

Best,
Thorbjörn Sjövold
Special Operation Software

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 18, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies
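The mechanism Thorbjörn describes (every password change, whatever the client, reaches a DC and is passed through the built-in filter and every additional filter registered with LSA) and the concerns Ulf and joe raise (a filter that blocks on fetching its configuration, or that crashes, takes LSASS down with it) can both be seen in the shape of a filter DLL. The following is an added example written for this page, not Specops or Microsoft code: it exports the three entry points the Windows password filter interface defines (InitializeChangeNotify, PasswordFilter, PasswordChangeNotify) and evaluates a small per-account rule table. The rule table, the account name adm-jsmith, the baseline values, the check_ascii helper and the stubbed LSA types used when not building on Windows are all constructed for the illustration.

```c
/* Illustrative LSA password filter: the three entry points of the Windows password
 * filter interface plus a small rule evaluator. Constructed example, not Specops or
 * Microsoft code; off-Windows the LSA types are stubbed (assumption) for testing. */
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>                    /* UNICODE_STRING, NTSTATUS, BOOLEAN */
#define FILTER_EXPORT __declspec(dllexport)
#else
typedef unsigned char BOOLEAN; typedef uint16_t WCHAR; typedef long NTSTATUS; typedef unsigned long ULONG;
typedef struct { unsigned short Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#define TRUE 1
#define FALSE 0
#define FILTER_EXPORT
#endif

typedef struct {
    unsigned min_length;           /* in UTF-16 code units (UNICODE_STRING.Length is bytes) */
    unsigned min_classes;          /* of: upper, lower, digit, other */
    BOOLEAN  reject_account_name;  /* reject a password that contains the account name */
} PasswordPolicy;
/* Constructed rules standing in for the per-group/OU configuration a real product
 * resolves; anyone not listed gets the baseline. */
static const PasswordPolicy kBaseline = { 8, 3, TRUE };
static const struct { const char *account; PasswordPolicy policy; } kRules[] = {
    { "adm-jsmith", { 15, 3, TRUE } },  /* hypothetical privileged account: longer minimum */
};

static WCHAR lower16(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }
static size_t ulen(const UNICODE_STRING *s) { return s->Length / sizeof(WCHAR); }
/* Build a UNICODE_STRING over buf from an ASCII C string (test and table helper). */
static void to_ustr(UNICODE_STRING *u, WCHAR *buf, const char *s) {
    size_t i, n = strlen(s);
    for (i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    u->Buffer = buf; u->Length = u->MaximumLength = (unsigned short)(n * sizeof(WCHAR));
}
/* ASCII case-insensitive substring search over UTF-16 buffers. */
static int contains_ci(const UNICODE_STRING *hay, const UNICODE_STRING *needle) {
    size_t i, j, h = ulen(hay), n = ulen(needle);
    if (n == 0 || n > h) return 0;
    for (i = 0; i + n <= h; i++) {
        for (j = 0; j < n && lower16(hay->Buffer[i + j]) == lower16(needle->Buffer[j]); j++) {}
        if (j == n) return 1;
    }
    return 0;
}

/* Policy lookup is a local table on purpose: the filter runs inside LSASS, so a blocking
 * LDAP/RPC/registry call here is the risk Ulf describes. No match: baseline, never failure. */
static PasswordPolicy policy_for(const UNICODE_STRING *account) {
    WCHAR buf[64]; UNICODE_STRING key; size_t i;
    for (i = 0; i < sizeof kRules / sizeof kRules[0]; i++) {
        if (strlen(kRules[i].account) >= 64) continue;   /* key does not fit the buffer */
        to_ustr(&key, buf, kRules[i].account);
        if (ulen(&key) == ulen(account) && contains_ci(account, &key)) return kRules[i].policy;
    }
    return kBaseline;
}

BOOLEAN evaluate_password(const PasswordPolicy *p, const UNICODE_STRING *acct, const UNICODE_STRING *pw) {
    size_t i, n = ulen(pw);
    unsigned classes = 0;                  /* bit 0 upper, 1 lower, 2 digit, 3 other */
    if (n < p->min_length) return FALSE;
    for (i = 0; i < n; i++) {
        WCHAR c = pw->Buffer[i];
        classes |= (c >= 'A' && c <= 'Z') ? 1u : (c >= 'a' && c <= 'z') ? 2u
                 : (c >= '0' && c <= '9') ? 4u : 8u;
    }
    if ((classes & 1u) + ((classes >> 1) & 1u) + ((classes >> 2) & 1u) + ((classes >> 3) & 1u) < p->min_classes) return FALSE;
    if (p->reject_account_name && ulen(acct) >= 3 && contains_ci(pw, acct)) return FALSE;
    return TRUE;
}

/* LSA entry points (declare them NTAPI on 32-bit Windows). LSA runs every registered
 * filter for every change, whatever client made it; one FALSE rejects the password. */
FILTER_EXPORT BOOLEAN InitializeChangeNotify(void) { return TRUE; }
FILTER_EXPORT BOOLEAN PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                     PUNICODE_STRING Password, BOOLEAN SetOperation) {
    PasswordPolicy p;
    (void)FullName; (void)SetOperation;    /* admin resets are filtered like user changes here */
    if (!AccountName || !Password || !Password->Buffer) return TRUE;   /* never fault LSASS */
    p = policy_for(AccountName);
    return evaluate_password(&p, AccountName, Password);
}
FILTER_EXPORT NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                            PUNICODE_STRING NewPassword) {
    /* Gets the cleartext of an accepted password: never log or persist it here. */
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return (NTSTATUS)0;                    /* STATUS_SUCCESS */
}

/* Test helper: run ASCII strings through the filter. 1 = accepted, 0 = rejected. */
int check_ascii(const char *account, const char *password) {
    WCHAR abuf[64], pbuf[128]; UNICODE_STRING a, p;
    if (strlen(account) >= 64 || strlen(password) >= 128) return 0;
    to_ustr(&a, abuf, account); to_ustr(&p, pbuf, password);
    return PasswordFilter(&a, NULL, &p, FALSE) ? 1 : 0;
}
```

Two design points follow from the thread. First, PasswordFilter is a synchronous call on the DC's security subsystem, so the policy lookup is kept to an in-memory table; a product that resolves group or OU membership at this point has to do so without blocking or faulting, which is exactly the supportability question Ulf suggests putting to PSS. Second, PasswordChangeNotify is handed the accepted cleartext, so the quality of whatever third-party code sits behind it decides whether joe's "outright security holes" apply; it is also why the filter's registration on each DC belongs under change control. On Windows the file builds as a DLL with the three exports; registering it with LSA is covered by the MSDN reference Thorbjörn links.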
RE: [ActiveDir] Multiple Password Policies

Custom password filters can be extremely troublesome. I know ~Eric has mentioned having to deal with several issues that came down to custom filters after digging through debug dumps. They are tied in at a very tender spot of the DCs, and the slightest problems in the code can result in instability and reduced security or outright security holes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, January 18, 2006 10:29 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Multiple Password Policies