How to solve Active Directory password complexity issues
Password policies in Active Directory let administrators enable password requirements such as "Minimum password length" and "Password must meet complexity requirements", which force users to create secure passwords. Active Directory password policies can be implemented using two methods:
- Group Policy Objects (GPOs)
- Fine-grained Password Policy (FGPPs)
With GPOs, a password policy is applied only if it is configured in a group policy that is linked to a domain. A group policy with a password policy configured can be linked to an Organizational Unit (OU), but the password policy will not apply to users under that OU. In short, a GPO password policy can only be applied to all the users in a domain and not to users in OUs. If multiple password policies are required, multiple domains need to be created for the policies.
FGPPs, as the name suggests, can be used to create multiple, fine-grained password policies within a domain. Here, password settings are configured in a Password Settings Container and can be applied to users and groups in the domain. Once again, FGPPs cannot be applied to OUs.
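The commands below are an added example, not part of the original page or of ADSelfService Plus: they use the ActiveDirectory PowerShell module to show the domain-wide policy, create a fine-grained policy, apply it to a group (since an OU cannot be targeted), and check which policy a user actually receives. The names PSO-ServiceDesk, GG-ServiceDesk and jdoe, and all the values, are hypothetical.

```powershell
# Added example; object names and values are hypothetical.
Import-Module ActiveDirectory

# 1. The single domain-wide policy that comes from the GPO linked to the domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge

# 2. Create a stricter fine-grained policy in the Password Settings Container.
#    When several fine-grained policies reach the same user, the lowest
#    Precedence value wins.
$pso = @{
    Name                        = 'PSO-ServiceDesk'
    Precedence                  = 10
    MinPasswordLength           = 16
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'    # d.hh:mm:ss
    MaxPasswordAge              = '90.00:00:00'
    LockoutThreshold            = 5
    LockoutObservationWindow    = '0.00:15:00'
    LockoutDuration             = '0.00:30:00'
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso

# 3. Apply it to a group. Subjects are users or groups; an OU is not accepted,
#    so users in an OU have to be collected into a group first.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceDesk' -Subjects 'GG-ServiceDesk'

# 4. Verify: list what the policy is applied to, then ask which fine-grained
#    policy a given user ends up with. No output from the second command means
#    the user falls back to the default domain policy from step 1.
Get-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceDesk'
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```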
Along with these limitations, there are other disadvantages to creating password policies in Active Directory:
Disadvantages of Active Directory password policies:
- The complexity requirements under the "Password must meet complexity requirements" option are predetermined and non-customizable.
- Specific patterns and words cannot be restricted from use.
- Password history cannot be enforced for password resets by administrators using the Active Directory Users and Computers console.
- Character repetitions cannot be restricted.
ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers the Password Policy Enforcer feature. This feature offers password complexity requirements that overcome the disadvantages described above and introduce many other rules to enforce the creation of strong and complex domain passwords that are immune to hacks.
Some of the major advantages offered by ADSelfService Plus's Password Policy Enforcer are:
- Creation of multiple password policies that can be applied to the domains, groups, and OUs of the organization's choice.
- A display of the password complexity requirements during password changes or resets.
- Rules to force the use of a minimum number of characters belonging to any or all of these types: uppercase letters, lowercase letters, special characters, numeric characters, and Unicode characters.
- Rules to restrict the use of specific patterns, words, and palindromes.
- Rules to restrict the use of consecutive characters from the username or old passwords.
Apart from the Password Policy Enforcer, ADSelfService Plus also offers features like:
- Self-service password reset and account unlock for Active Directory accounts.
- Enterprise single sign-on and password synchronization.
- Multi-factor authentication during self-service actions, and Windows, macOS, and Linux logins.
- Password and account expiration notifications.