RE: [ActiveDir] Multiple Password Policies

2006-01-22 Thread Ulf B. Simon-Weidner
I want to second this statement of Joe. IMHO, to verify the password
only the passflt.dll of the DCs needs to be exchanged. Issues here are:

- other modifications of passflt.dll, such as
  using password synchronization of MIIS SP1

- the stability, since passflt is tied pretty
  much into the OS

- passflt needs to get the policies from
  somewhere, probably the registry since it's a GPO extension

If passflt is not able to retrieve
its configuration and is not able to retrieve user properties such as the
OU or groups the user belongs to right in time, it might not handle this correctly and might put
the DC into jeopardy. So it's important to know how all those details are
handled.

Client side, there are probably only
extensions of the "password does not meet requirements" dialog box
to correctly inform the user what his password requirements are.

Before implementing any application like
this in the environment I would ask for a supportability statement from Microsoft
PSS; this is a bit too deep into the OS to put your supportability at
risk.

There is more than one company offering
a different passflt, and I do not state that they didn't take care of the
issues mentioned above since I don't know that for sure; however, those are
the things I'd check before implementing them into a production environment
I'm responsible for.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=


RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread neil.ruston
I have not used or assessed a product like this, but I 
would guess that a client side GPO extension is required. This may not be 
feasible in certain environments.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was just asked to look at this application that was recently released:
http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

It seems like someone did some good programming around the password filter dll
concept and then tied it into security groups and GPOs.

Has anyone seen this application and what do you guys think about it?

Thanks,

Charlie

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.





RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread joe
Ditto what Neil said.

These are things you need to test very very very very very
much. They are hooked into a very core part of your DCs. You want to really load
a DC up and stress test the crap out of the tool to see how it handles things
and try to get as much technical detail as possible. Since it is sending rule
info back to the clients something will have to be on the clients, which bothers
some people; this will be added software to clients as well as possibly servers.
Also, how does it handle it if someone scripts a password change or uses something
other than the standard Windows GUI to change a password? Do you care?


RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread Darren Mar-Elia
I know these guys at Specopssoft and they have done some
cool stuff with GP, but it's not clear to me how this could be accomplished with
just some CSEs. This seems like it would require some fiddling at the DCs as
well. Maybe one of them is on this list and can elucidate us?


RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread Carerros, Charles
This company doesn't provide a large amount of
documentation on how they are doing this password change, but it seems like they
are using the MS supported method.

As for scripting password resets, I'm very concerned;
especially if this gets implemented I will need to see how it will function with
test domains.

I'm also not a big fan of putting an extra component on
everyone's desktop (which you only have to do if you want the end-users to see
an accurate password change error if one occurs).

I guess the first question I should have asked is:

Has anyone used a password filter dll to create
a custom password rule? And if so, have you seen any issues with it?

One thing that is interesting with this application, and
something that I'm wary of, is that their GPO adm becomes a component of the
Default Domain Policy (due to the domain password policy). I'm not a real big
fan of modifying that policy.

Thanks for the input though, I would have overlooked the
scripting testing component.

Charlie



RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread Thorbjörn Sjövold
Darren, you are correct, as usual when it is anything related to GP :)

No, this is not possible to perform using only CSEs; Specops Password Policy uses a Password
Filter, as Joe implicitly stated in another post regarding this. I'll keep this
post as short as possible and keep sales stuff out, and also try to give some
behind-the-scenes info on how password policies are evaluated in AD. If anyone
wants more info, just contact me, but I normally try not to post product
info in newsletters, since I know how annoyed I become when I see that
myself...

What happens when a user changes his/her password is that the Domain Controller that the user has a
session with (actually this is not always true, it can be another DC sometimes,
but it does not really matter) evaluates the password by passing it through one
or more so-called Password Filters, to ensure that it meets the requirements of
the Security Policy set by the organization. This is actually what happens when
using the out-of-the-box domain password policy for AD. You configure it using
GP and then this is evaluated using the Password Filter supplied by Microsoft.
So what Specops Password Policy adds is a new Password Filter that is evaluated
when a user changes the password, in conjunction with the built-in filter, but
with for example the possibility to have more than one rule.

The way password filters work, it does not matter if the change is made interactively, using a
script, OWA etc.; all changes have to go through the DC, and all installed
Password Filters. So this means that there are no ways around the filters.

For anyone of you that wants to really dig into password filters, here is all the info you'll ever
need about them:
http://msdn.microsoft.com/library/default.asp?url=

Best,
Thorbjörn Sjövold
Special Operation Software
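As an added illustration of the mechanism Thorbjörn describes above (and of the failure mode Ulf raises in the 2006-01-22 reply, a filter that cannot read its configuration), here is a skeleton LSA password filter in C. This is example code written for this page, not Specops' product code and not anything from the MSDN article. The three exports (InitializeChangeNotify, PasswordFilter, PasswordChangeNotify) and the UNICODE_STRING layout follow the documented password-filter interface; the rule set, the fail-closed decision when no policy is loaded, the struct policy / evaluate_password names and the default values are this example's own assumptions. When not built on Windows the Win32 types are stubbed so the rule logic can be compiled and exercised on any host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#define FILTER_EXPORT __declspec(dllexport)
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
#else
/* Stand-ins for the LSA types (assumed to match the documented layout) so the
 * rule logic builds and can be exercised on a non-Windows host. */
typedef unsigned short USHORT;
typedef unsigned long ULONG;
typedef unsigned char BOOLEAN;
typedef long NTSTATUS;
typedef wchar_t WCHAR, *PWSTR;
typedef struct _UNICODE_STRING {
    USHORT Length;        /* in BYTES, not characters */
    USHORT MaximumLength; /* in BYTES */
    PWSTR  Buffer;        /* NOT guaranteed to be NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define TRUE  1
#define FALSE 0
#define FILTER_EXPORT
#define __stdcall
#endif

enum verdict { PW_OK = 0, PW_POLICY_UNAVAILABLE, PW_TOO_SHORT,
               PW_CONTAINS_ACCOUNT, PW_TOO_FEW_CLASSES };

/* Hypothetical policy a real filter would read at load time (registry/GPO);
 * 'loaded' models whether that read succeeded. */
struct policy {
    bool   loaded;
    size_t min_length;
    int    min_classes; /* out of: upper, lower, digit, other */
};

/* Case-insensitive substring search over explicit-length wide strings:
 * nothing in this file relies on a NUL terminator. */
static bool contains_ci(const wchar_t *hay, size_t hay_len,
                        const wchar_t *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len) return false;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        size_t j = 0;
        while (j < needle_len && towlower((wint_t)hay[i + j]) == towlower((wint_t)needle[j])) j++;
        if (j == needle_len) return true;
    }
    return false;
}

/* Pure rule evaluation: no allocation, no copies of the password, no I/O. */
enum verdict evaluate_password(const struct policy *p,
                               const wchar_t *account, size_t account_len,
                               const wchar_t *pw, size_t pw_len)
{
    /* Fail closed: with no policy there is no basis for accepting anything.
     * Failing open is the other trade-off; either way it must be a deliberate choice. */
    if (p == NULL || !p->loaded) return PW_POLICY_UNAVAILABLE;
    if (pw_len < p->min_length) return PW_TOO_SHORT;
    if (contains_ci(pw, pw_len, account, account_len)) return PW_CONTAINS_ACCOUNT;

    int upper = 0, lower = 0, digit = 0, other = 0;
    for (size_t i = 0; i < pw_len; i++) {
        if (iswupper((wint_t)pw[i]))      upper = 1;
        else if (iswlower((wint_t)pw[i])) lower = 1;
        else if (iswdigit((wint_t)pw[i])) digit = 1;
        else                              other = 1;
    }
    if (upper + lower + digit + other < p->min_classes) return PW_TOO_FEW_CLASSES;
    return PW_OK;
}

static struct policy g_policy = { true, 12, 3 }; /* assumed defaults */

/* Character count of a UNICODE_STRING: Length is bytes, Buffer may lack a NUL. */
static size_t ustr_chars(const UNICODE_STRING *s)
{
    return (s == NULL || s->Buffer == NULL) ? 0 : s->Length / sizeof(WCHAR);
}

/* LSA calls this once when it loads the DLL into LSASS on the DC. */
FILTER_EXPORT BOOLEAN __stdcall InitializeChangeNotify(void)
{
    return TRUE; /* a real filter would read g_policy here and set .loaded accordingly */
}

/* LSA calls this for every password change or reset before it is committed;
 * return TRUE to accept. It runs inside LSASS: a crash here takes the DC down. */
FILTER_EXPORT BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
                                               PUNICODE_STRING FullName,
                                               PUNICODE_STRING Password,
                                               BOOLEAN SetOperation)
{
    (void)FullName;
    (void)SetOperation; /* TRUE for an administrative reset; the same rules apply here */
    const wchar_t *acct = (AccountName != NULL) ? AccountName->Buffer : NULL;
    const wchar_t *pw   = (Password    != NULL) ? Password->Buffer    : NULL;
    enum verdict v = evaluate_password(&g_policy, acct, ustr_chars(AccountName),
                                       pw, ustr_chars(Password));
    return (v == PW_OK) ? TRUE : FALSE;
}

/* LSA calls this after the change is committed; NewPassword is cleartext. */
FILTER_EXPORT NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
                                                      ULONG RelativeId,
                                                      PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;
}
```

On Windows this is built as a DLL, copied to %SystemRoot%\System32 on every DC, its base name appended to the Notification Packages REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the DC rebooted; that same registry value is where you audit which filters are already loaded into LSASS before adding another. The two details the example deliberately exercises are the ones that most often bite hand-written filters: UNICODE_STRING.Length is a byte count over a buffer that need not be NUL-terminated, and the filter must decide, before it ever ships, what it does when its configuration is missing.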



RE: [ActiveDir] Multiple Password Policies

2006-01-18 Thread joe
Custom password filters can be extremely troublesome. I 
know ~Eric has mentioned having to deal with several issues that came down to 
custom filters after digging through debug dumps. They are tied in at a very 
tender spot of the DCs and the slightest problems in the code can result in 
instability and reduced security or outright security holes. 
