Password complexity

[Mark S]

Hello: I have an enterprise with multiple domains. The domains have Windows

NT, Windows 2000 and Windows 2003.

The Windows servers have software applications running as services. Most

services have a local account and a few services have a domain account.

I have a project to strengthen passwords. My goal is to implement a password

complexity policy on the local and domain accounts. Is there a third-party

product that can do this task?

Thanks, Mark

 

[Daniel Petri]

Using GPO and Local Policies will only have effect on Post-Windows 2000

machines. Question is do you need specific password complexity requirements,

or is an X number of characters enough? If you do need specific conplexity

that is not provided out of the box, you will need to either buy, obtain, or

create your own password filter. Google a bit about it. In the meantime look

at Password Policy Enforcer at http://anixis.com/products/ppe.

Daniel Petri

www.petri.co.il

"Mark S" <MarkS@discussions.microsoft.com> wrote in message

news:2A568C0C-1828-4F78-A2DB-3985FE468C8F@microsoft.com...<span style="color:blue">

> Hello: I have an enterprise with multiple domains. The domains have

> Windows

> NT, Windows 2000 and Windows 2003.

>

> The Windows servers have software applications running as services. Most

> services have a local account and a few services have a domain account.

>

> I have a project to strengthen passwords. My goal is to implement a

> password

> complexity policy on the local and domain accounts. Is there a third-party

> product that can do this task?

>

> Thanks, Mark </span>

 

[Roger Abell [MVP]]

"Mark S" <MarkS@discussions.microsoft.com> wrote in message

news:2A568C0C-1828-4F78-A2DB-3985FE468C8F@microsoft.com...<span style="color:blue">

> Hello: I have an enterprise with multiple domains. The domains have

> Windows

> NT, Windows 2000 and Windows 2003.

>

> The Windows servers have software applications running as services. Most

> services have a local account and a few services have a domain account.

>

> I have a project to strengthen passwords. My goal is to implement a

> password

> complexity policy on the local and domain accounts. Is there a third-party

> product that can do this task?

>

> Thanks, Mark</span>

It seems that you have two parts here: getting the policy in place,

and, changing passwords to meet the policy.

You only asked about the first of these.

If the complexity rules defined in Windows are sufficient, then

you can set the rules via GPO for both domain and for machine

local accounts on domain joined machines. If account policies

are set in a domain linked GPO they impact domain accounts,

while if linked to other than the domain object (i.e. an OU)

they impact the machine local accounts on computers in scope

of the GPOs application.

Now, changing the passwords is another thing, as for services

you also need to change the cached passwords the the service

control manager knows to use at service startup, so password

change needs to be coordinated.