Policy Configuration

Password policies can be configured from the Domain Administration Tool or in Group Policy Objects (if the Group Policy Snap-in has been installed). The procedure below describes the process starting from the Domain Administration Tool.

Configuring a password policy


This procedure describes the configuration of an entirely new password policy linked to a newly created GPO.

To create a policy for an existing GPO, skip to step 7.

To edit an existing policy, select the policy in the list, click Edit, and skip to step 9.


  1. In the Domain Administration Tool, under Password Policies, click Create new Password Policy.
  2. Choose an existing GPO from the list and click OK (then skip to step 8), or click New Group Policy object...
  3. Give the new GPO a name.
  4. Select the OU from the list on the left if the policy should apply only to users in a particular OU.
  5. If the policy needs to apply only to users within the selected OU who are also members of a particular security group, click Add in the right column. Enter the name of the security group and click OK. Select the Security group.
  6. Click OK.
  7. Verify that the correct GPO is selected in the list, then click OK.
  8. Choose from the list of templates (or choose Custom to start with a blank policy), then click Next.
  9. In the Start section, configure the policy to use password rules, passphrases, or both.
  10. Configure the General Settings.
  11. Configure when passwords are set to expire and what notifications should be sent under Password Expiration.
  12. Configure what rules passwords should adhere to (length, required characters, dictionaries etc.) under Password Rules.
  13. Click OK.
NOTE
For a more detailed description of all the settings available for policies, please refer to the Policy Settings section below.

Policy Settings


You can create or edit password policies in two ways:

From the Domain Administration Tool


  1. Open the Domain Administration Tool
  2. In the left navigation, click Password policies
  3. Click Create new password policy, or select a GPO in the Password policy list, then click Edit Policy.

From the Group Policy Management Editor


    NOTE
    Although it is possible to access password policies via the Group Policy Management tool, it is recommended to access them via the Domain Administration Tool.
  1. Access the Policy Management Editor for the GPO you want to associate a policy with
  2. Expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
  3. Click Configure Password Policy, or Create New Password Policy (if the GPO does not yet have a policy associated with it).

Start

You can configure a password policy to use classic password rules, passphrases, or both. A passphrase is a special type of password based on a sentence or a series of words. By default, the only requirement for a passphrase is that it is long.

General Settings

Password history

NOTE
If you enable remembered passwords, a leaf object is created to store the password history. By default, the leaf object is locked down and not accessible to the user. With "remembered passwords" enabled, each password is salted and hashed with bcrypt before storage.
  Number of remembered passwords, including variations
      Specify how many past passwords, including variations, the system will remember. For example, setting this value to 4 means users cannot reuse any of their last four passwords, even with slight modifications, such as adding a character at the beginning or end of the password or changing capitalization.
  Minimum password age (days)
      Specify the number of days that must elapse before the user is allowed to change their password.
  Disallow incremental passwords (deprecated)
      Prevent users from selecting new passwords that differ from the old password only in the last character.
      Note: Starting with Specops Password Policy 7.14, this rule is deprecated, and its functionality is integrated into the "Number of remembered passwords, including variations" rule.
  Minimum number of changed characters
      Specify the number of characters that must be changed in a password.
  Disallow reusing part of the current password
      Specify the number of consecutive characters from the old password that are not allowed in the new password.
      Note: After enabling this setting, you need to reboot the PDC emulator DC for the setting to take effect.
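The three history rules above (remembered passwords with variations, minimum changed characters, and reuse of a run of the current password) are easier to reason about when written out. The following is an added example, not Specops code: it models the variation check as "strip one character from either end, fold case, compare against salted hashes", uses PBKDF2 as a stand-in for the bcrypt storage the note describes, and assumes its own counting rule for changed characters. All policy values and passwords are constructed.

```python
import hashlib
import os

# Constructed policy values for the example; they are not Specops defaults.
REMEMBERED_PASSWORDS = 4      # "Number of remembered passwords, including variations"
MIN_CHANGED_CHARACTERS = 3    # "Minimum number of changed characters"
DISALLOWED_REUSED_RUN = 4     # "Disallow reusing part of the current password"


def _salted_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for the salted bcrypt hash the page describes; PBKDF2-HMAC keeps
    # the example standard-library only. Only hashes are ever kept in history.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


class PasswordHistory:
    """Remembers the last N passwords as salted hashes of their case-folded form."""

    def __init__(self, remembered: int = REMEMBERED_PASSWORDS):
        self.remembered = remembered
        self._entries = []  # list of (salt, hash), oldest first

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        # Case-folding before hashing lets a later capitalisation change still match.
        self._entries.append((salt, _salted_hash(password.casefold(), salt)))
        self._entries = self._entries[-self.remembered:]

    def _seen(self, candidate: str) -> bool:
        return any(_salted_hash(candidate, salt) == digest for salt, digest in self._entries)

    def is_variation_of_remembered(self, new_password: str) -> bool:
        folded = new_password.casefold()
        # Variations named on the page: the same password with the case changed, or with
        # one character added at the beginning or the end. Stripping one character from
        # either end of the candidate recovers the remembered password in those cases.
        candidates = {folded}
        if len(folded) > 1:
            candidates.update({folded[1:], folded[:-1]})
        return any(self._seen(c) for c in candidates)


def changed_character_count(old: str, new: str) -> int:
    # Assumed counting model: characters that differ position by position,
    # plus any difference in length.
    positional = sum(1 for a, b in zip(old, new) if a != b)
    return positional + abs(len(old) - len(new))


def reuses_run_of_current(old: str, new: str, run: int = DISALLOWED_REUSED_RUN) -> bool:
    # True if any `run` consecutive characters of the current password appear in the new one.
    return any(old[i:i + run] in new for i in range(len(old) - run + 1))


def history_failures(history: PasswordHistory, current: str, new: str) -> list:
    """Returns the list of history rules the proposed password breaks (empty if none)."""
    failures = []
    if history.is_variation_of_remembered(new):
        failures.append("matches a remembered password or a variation of it")
    if changed_character_count(current, new) < MIN_CHANGED_CHARACTERS:
        failures.append(f"fewer than {MIN_CHANGED_CHARACTERS} characters changed")
    if reuses_run_of_current(current, new):
        failures.append(f"reuses {DISALLOWED_REUSED_RUN} consecutive characters of the current password")
    return failures


if __name__ == "__main__":
    history = PasswordHistory()
    history.remember("Summer2024!")          # constructed current password
    for candidate in ("summer2024!", "Summer2024!x", "Summer2025!", "Tulip-River-9"):
        print(candidate, "->", history_failures(history, "Summer2024!", candidate) or "accepted")
```

The variation check never needs the old passwords in clear text: it only ever compares hashes of the candidate and its trimmed forms, which is why the history can be stored hashed as the note above describes. The changed-character and reuse checks, by contrast, need the current password and can only run at a change where the user supplies it.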

Account lockout settings

  Disable account lockout
      Prevent accounts from being locked out of Active Directory. This setting is commonly used for Windows accounts that run critical services.

Password reset options

  Ignore this policy on password reset
      Ignore policy settings when the password is being reset.
      Note: Do not enable this setting if the user can reset passwords through a self-service solution such as Specops Password Reset.
  Require user to change password on next logon
      Require the user to change their password on the next logon after the password has been reset.
  Unlock locked accounts automatically on reset
      Automatically unlock user accounts when their passwords are reset.

Client message

This setting is used to control the contents of the message sent to the users when they fail to meet their password rules:

  Client message language
      Specify the language localization to use in the message.
  User feedback on failed attempt
      Display the policy rules, the failed rules, or a custom message after a failed attempt.
  Additional information to end users at password change
      Specify any additional information you want to give end users when they change their passwords.

User defaults

In this section you can set the language and the default country code for mobile numbers.

User language

This setting determines the language in which the Placeholder texts are presented to the user. If it is set to (Default), the default language of the user's computer is used. If the computer's default language is not included in the language files, English is used as a fallback.

Default mobile number country code

In case the mobile number in Active Directory (whether that is stored in the mobile attribute or another attribute referenced through the Custom User Attributes in the Domain Administration tool) does not start with a + (plus), the system automatically adds the Default country code if this option is checked. Thus, 070 123 4567 with a Default mobile number country code setting of +46, will be converted into +46 70 123 4567.

NOTE
If the phone number in AD is written with an international dialling prefix such as 00 instead of +, the conversion will not work properly. For example, if the phone number in the above example was entered as 00 46 70 123 4567, and the default country code option was checked with a setting of +46, the resulting number would be +46 0 46 70 123 4567, which is incorrect.


  1. Check the Default mobile number country code checkbox
  2. Enter the country code you would like to use as the default
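The conversion rule and its failure mode can be checked before the option is enabled. The example below is added here and is not part of the product: it models the behaviour described above (drop the leading 0, prepend the default code), flags stored numbers that use a 00 prefix, and shows an assumed pre-import normalisation that rewrites 00 to + so the default code is not stacked on top of it. The AD entries are constructed.

```python
import re

# Constructed AD entries (sAMAccountName -> mobile attribute); not real data.
AD_MOBILE_NUMBERS = {
    "alice": "070 123 4567",            # national format: conversion works
    "bob": "00 46 70 123 4567",         # international 00 prefix: conversion breaks
    "carol": "+46 70 987 6543",         # already in + format: left untouched
}


def naive_add_country_code(number: str, default_code: str) -> str:
    """Model of the behaviour the page describes: a number that does not start with '+'
    has its leading '0' (the national trunk prefix) dropped and the default code prepended."""
    s = number.strip()
    if s.startswith("+"):
        return s
    if s.startswith("0"):
        s = s[1:].lstrip()
    return f"{default_code} {s}"


def has_international_prefix(number: str) -> bool:
    """True when the number is written with a 00 dialling prefix instead of '+'."""
    s = number.strip()
    return not s.startswith("+") and re.sub(r"\D", "", s).startswith("00")


def normalize_mobile(number: str, default_code: str) -> str:
    """Rewrites a 00-prefixed number to '+' first, then applies the default-code rule.
    This is an assumed pre-import fix, not something the product option does."""
    s = number.strip()
    if has_international_prefix(s):
        s = "+" + re.sub(r"^00\s*", "", s)
    return naive_add_country_code(s, default_code)


def audit_international_prefixes(entries: dict) -> list:
    """Returns the accounts whose stored mobile number would be mangled
    by enabling the default country code option."""
    return sorted(name for name, number in entries.items() if has_international_prefix(number))


if __name__ == "__main__":
    for name, number in AD_MOBILE_NUMBERS.items():
        naive = naive_add_country_code(number, "+46")
        fixed = normalize_mobile(number, "+46")
        print(f"{name:6} naive: {naive:24} fixed: {fixed}")
    print("accounts to fix before enabling the option:", audit_international_prefixes(AD_MOBILE_NUMBERS))
```

Running the audit over the directory export first, and correcting the flagged entries to the + format, avoids the incorrect numbers the note describes once the option is switched on.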

Password expiration

  Maximum password age (days)
      Specify the time (in days) that can elapse before a password expires.
  Length-based password aging
      Toggle length-based password aging on or off. Length-based password aging rewards users who use longer passwords with a later password expiration. More information on this topic can be found on the Password Expiration page.
  Number of expiration levels
      Sets the number of expiration levels. More levels allow for finer differentiation and more distinct expiration rewards.
  Characters per level
      The password length range covered by each expiration level.
  Extra days per level
      Extra days granted beyond the default expiration for every level the user attains through their password length.
  Disable expiration for the last level
      Disables expiration for users who have met the criteria for the highest configured level.
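How the five length-based aging settings combine into an expiration date is easiest to see in code. The following is an added example, not the product's own calculation: it assumes that level 1 is reached one full "characters per level" step above the minimum password length, level 2 two steps above, and so on, capped at the configured number of levels, with the last level optionally never expiring. The policy values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExpirationPolicy:
    max_password_age_days: int           # "Maximum password age (days)"
    min_password_length: int             # from Password Rules; assumed start point for levels
    length_based_aging: bool             # "Length based password aging"
    expiration_levels: int               # "Number of expiration levels"
    characters_per_level: int            # "Characters per level"
    extra_days_per_level: int            # "Extra days per level"
    disable_expiration_last_level: bool  # "Disable expiration for the last level"


def attained_level(policy: ExpirationPolicy, password_length: int) -> int:
    """Assumed model: level 1 is reached when the password is one full
    'characters per level' step above the minimum length, level 2 at two steps,
    and so on, capped at the configured number of levels. Level 0 means no bonus."""
    if not policy.length_based_aging or password_length < policy.min_password_length:
        return 0
    steps = (password_length - policy.min_password_length) // policy.characters_per_level
    return min(steps, policy.expiration_levels)


def expiration_days(policy: ExpirationPolicy, password_length: int) -> Optional[int]:
    """Days until the password expires, or None when it never expires."""
    level = attained_level(policy, password_length)
    if policy.disable_expiration_last_level and level and level == policy.expiration_levels:
        return None
    return policy.max_password_age_days + level * policy.extra_days_per_level


def expiration_table(policy: ExpirationPolicy, lengths) -> dict:
    """Maps each password length to its expiration in days (None = never expires)."""
    return {n: expiration_days(policy, n) for n in lengths}


if __name__ == "__main__":
    # Constructed settings; the real values are whatever the administrator configures.
    policy = ExpirationPolicy(
        max_password_age_days=90, min_password_length=8, length_based_aging=True,
        expiration_levels=3, characters_per_level=4, extra_days_per_level=30,
        disable_expiration_last_level=True,
    )
    for length, days in expiration_table(policy, range(8, 25, 4)).items():
        label = "never expires" if days is None else f"{days} days"
        print(f"{length:2} characters -> {label}")
```

With these constructed values an 8-character password expires after 90 days, a 12-character one after 120, a 16-character one after 150, and anything of 20 characters or more never expires. Printing such a table for the actual settings is a quick way to confirm that the reward curve matches what the organisation intends before the policy is linked to a GPO.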

Password expiration notifications (see also: Notifications)

  Notify at login (days before expiration)
      When this option is enabled, users are notified when they log in to Windows that their password is about to expire.
  Send email notification (days before expiration)
      Specifies whether the user receives an email notification that their password is about to expire. Users receive one email a day until they change their password. The number value determines how many days before expiration the emails start.
  From email
      Sender email address. Set under Domain Settings in the Domain Administration Tool.
  From name
      Email sender name.
  To email
      Recipient's email address. The %UserEmail% placeholder should be used.
  CC
      Optional CC email addresses, comma-separated.
  Subject
      Email subject line. Placeholders can be used.
  Body
      Email body text. Placeholders can be used.
NOTE
For more detailed information about how to manage password expiration settings, including length-based password aging, visit the Password Expiration page.

Password Rules

Password length requirements

  Minimum password length
      Specify the minimum number of characters in a password.
  Maximum password length
      Specify the maximum number of characters in a password.

Character group requirements

  Number of required character groups
      Specify the number of character groups (upper case, lower case, digits, special characters, and Unicode characters) that the password must contain characters from.
  Required alpha characters
      Specify the minimum number of alpha characters (A-Z) in a password.
  Required upper case characters
      Specify the minimum number of upper case alpha characters in a password.
  Required lower case characters
      Specify the minimum number of lower case alpha characters in a password.
  Required non alpha characters
      Specify the minimum number of non-alpha characters (digits, special characters, Unicode characters) in a password.
  Required digits
      Specify the minimum number of digits (0-9) in a password.
  Required special characters
      Specify the minimum number of special characters in a password.
  Required Unicode characters
      Specify the minimum number of Unicode characters that must be present in the password.
      Note: Enable this feature only if users are able to enter Unicode characters directly from their keyboards.

Dictionaries

  Use custom dictionaries
      Using a custom dictionary allows you to add, configure, and remove password lists and password hash lists. The list is checked each time there is a password change in Active Directory. A new password is rejected if it is found in the dictionary.
  Use online dictionaries
  Show failed dictionary word to user
      When dictionaries are used and configured for partial matching, this setting displays the part of the password that was found in a dictionary after a failed password change attempt.
NOTE
For more information about dictionaries, see Configure custom and online dictionaries.

Password content restrictions

  Disallow username in password
      Prevent the use of the username in the password.
  Disallow full username in password
      Prevent the use of the full account name (first name, last name, display name) in the password.
  Disallow part of username in password
      Prevent the use of parts (three or more consecutive characters) of the account name (first name, last name, display name) in the password.
  Disallow digit as first character in a password
      Prevent the use of a digit as the first character in a password.
  Disallow digit as last character in a password
      Prevent the use of a digit as the last character in a password.
  Disallow consecutive identical characters
      Specify the maximum number of identical consecutive characters that can be used in a password.
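The length, character group and content restriction rules above all evaluate a candidate password against a fixed set of checks, and writing them out makes their interaction visible (a password can clear every group requirement and still fail on a name fragment or a digit in the wrong position). The following validator is an added example, not the product's implementation: the character group classification, the three-character name fragment rule and all policy values are assumptions for illustration, and the account data is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass


def char_group(ch: str) -> str:
    """The five groups the page lists: upper case, lower case, digits, special, Unicode."""
    if "A" <= ch <= "Z":
        return "upper"
    if "a" <= ch <= "z":
        return "lower"
    if "0" <= ch <= "9":
        return "digit"
    if ord(ch) < 128:
        return "special"
    return "unicode"


@dataclass(frozen=True)
class ContentPolicy:
    # Constructed values; not Specops defaults.
    min_length: int = 8
    max_length: int = 64
    required_groups: int = 3            # "Number of required character groups"
    required_digits: int = 1            # "Required digits"
    required_special: int = 1           # "Required special characters"
    disallow_username: bool = True      # "Disallow username in password"
    disallow_name_part: bool = True     # "Disallow part of username in password" (3+ consecutive chars)
    disallow_digit_first: bool = True   # "Disallow digit as first character in a password"
    disallow_digit_last: bool = True    # "Disallow digit as last character in a password"
    max_identical_run: int = 2          # "Disallow consecutive identical characters"


def name_fragments(names, size: int = 3) -> set:
    """All case-folded substrings of `size` characters from the account's names."""
    frags = set()
    for name in names:
        folded = name.casefold()
        frags.update(folded[i:i + size] for i in range(len(folded) - size + 1))
    return frags


def validate(policy: ContentPolicy, password: str, username: str, names) -> list:
    """Returns the rules the password breaks; an empty list means it is accepted."""
    failures = []
    folded = password.casefold()
    counts = Counter(char_group(c) for c in password)

    if not policy.min_length <= len(password) <= policy.max_length:
        failures.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    if len(counts) < policy.required_groups:
        failures.append(f"needs characters from {policy.required_groups} groups, has {len(counts)}")
    if counts["digit"] < policy.required_digits:
        failures.append(f"needs at least {policy.required_digits} digit(s)")
    if counts["special"] < policy.required_special:
        failures.append(f"needs at least {policy.required_special} special character(s)")
    if policy.disallow_username and username.casefold() in folded:
        failures.append("contains the username")
    if policy.disallow_name_part and any(f in folded for f in name_fragments(names)):
        failures.append("contains part of the account name")
    if policy.disallow_digit_first and password[:1].isdigit():
        failures.append("starts with a digit")
    if policy.disallow_digit_last and password[-1:].isdigit():
        failures.append("ends with a digit")
    # A run longer than the allowed maximum: the same character repeated max+1 or more times.
    if re.search(rf"(.)\1{{{policy.max_identical_run},}}", password):
        failures.append(f"more than {policy.max_identical_run} identical consecutive characters")
    return failures


if __name__ == "__main__":
    policy = ContentPolicy()
    account = ("jsmith", ["John", "Smith", "John Smith"])   # constructed account
    for candidate in ("Smithy2024!", "111Pass!word", "Tr0ub4dor&Horse"):
        print(candidate, "->", validate(policy, candidate, *account) or "accepted")
```

Returning the full list of broken rules rather than stopping at the first one is what makes the "User feedback on failed attempt" setting described earlier useful: the user can be shown every rule they missed in a single round trip instead of discovering them one change attempt at a time.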

Regular expressions

  Use regular expressions
      Allows regular expression (RegEx) string matching against the password.

Entropy bar

The entropy bar is shown on the left side of the Password rules tab. It changes according to the settings input in this part of the tool. It is a graphical representation of the relative complexity of the policy in a mathematical sense. The height of the bar corresponds to the combinatorial complexity of the weakest possible password that the policy would accept.

This is not an absolute measure of the policy strength and should mostly be used to compare how different settings in the password rules affect the complexity.
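A simplified model of what the bar measures makes the comparison concrete. The code below is an added example and not the product's calculation: it assumes fixed group sizes for a US keyboard, takes the weakest accepted password to be one of exactly the minimum length drawn from the smallest character groups the policy still accepts, and reports the base-2 logarithm of the number of such passwords. The policies compared are constructed.

```python
import math

# Sizes of the printable groups on a US keyboard; the Unicode group is left out because its
# size depends on what users can type (see the Unicode note under character group requirements).
GROUP_SIZES = {"digit": 10, "lower": 26, "upper": 26, "special": 33}


def weakest_accepted_bits(min_length: int, required_groups: int) -> float:
    """log2 of the number of passwords of exactly the minimum length that draw only on the
    smallest set of character groups the policy accepts (an assumed, simplified model of the
    entropy bar). The count ignores the rule that every chosen group must actually appear,
    which changes the result by well under a bit and does not affect comparisons."""
    required_groups = max(1, min(required_groups, len(GROUP_SIZES)))
    smallest = sorted(GROUP_SIZES.values())[:required_groups]
    alphabet = sum(smallest)
    return min_length * math.log2(alphabet)


def rank_policies(policies: dict) -> list:
    """Orders named (min_length, required_groups) policies from weakest to strongest bar."""
    scored = {name: weakest_accepted_bits(*p) for name, p in policies.items()}
    return sorted(scored.items(), key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed policies for comparison.
    candidates = {
        "8 chars, 1 group": (8, 1),
        "8 chars, 3 groups": (8, 3),
        "12 chars, 2 groups": (12, 2),
        "15 chars, 1 group": (15, 1),
    }
    for name, bits in rank_policies(candidates):
        print(f"{name:20} weakest accepted password ~ {bits:5.1f} bits")
```

Under this model a 15-character minimum with a single group scores higher than an 8-character minimum with three groups, which is the kind of relative comparison the paragraph above describes: the bar reflects the floor the policy sets, not how strong any particular user's password is.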

Passphrase

Passphrase requirements

  Minimum passphrase length
      The minimum number of characters in the passphrase.
  Require one or more lower case characters
      One or more lower case characters in the passphrase.
  Require one or more upper case characters
      One or more upper case characters in the passphrase.
  Require one or more digits
      One or more digits in the passphrase.
  Require one or more special characters
      One or more special characters in the passphrase.
  Passphrase message
      A description of the policy that is displayed to end users when they change their password. The message should explain the requirements the passphrase must meet.

Custom requirements

  Custom Regular Expressions
      Create the regular expressions that will be used to validate passphrases.
  Sample passphrase
      Type a sample passphrase to test against the regular expression.

Breached Password Protection (add-on)

You can enable Breached Password Protection validation during a password reset, and/or password change.

For more information about the Breached Password Protection settings, click here.