You can create or edit password policies in two ways:
From the Domain Administration Tool
- Open the Domain Administration Tool
- In the left navigation, click Password policies
- Click Create new password policy, or select a GPO in the Password policy list, then click Edit Policy.
From the Group Policy Management Editor
- Access the Policy Management Editor for the GPO you want to associate a policy with
- Expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
- Click Configure Password Policy, or Create New Password Policy (if the GPO does not yet have a policy associated with it).
You can configure a password policy to use classic password rules, and/or passphrases. A passphrase is a special type of password based on a sentence, or a series of words. The requirements of a passphrase, by default, are that it needs to be long.
If you enable remember passwords, we create a leaf object where the password history is stored. By default, the leaf object is locked down, and subordinate to the user.
|Number of remembered passwords
|Specify the number of passwords the system will remember. Users will be prevented from reusing the stored passwords.
|Minimum passwords age (days)
|Specify the number of days that must elapse before the user is allowed to change their password.
|Disallow incremental passwords
|Prevent users from selecting new passwords that only differ from the old password by the last character.
|Minimum number of changed characters
|Specify the number of characters that must be changed in a password.
|Disallow reusing part of the current password
|Specify the number of consecutive characters from the old password that are not allowed in the new password.
Note: After enabling this setting, you will need to reboot your PDC emulator DC to allow the setting to take effect.
Account lockout settings
Account lockout settings
|Disable account lockout
|revent accounts from being locked out from Active Directory. This setting is commonly used for windows accounts running critical services.a
Password reset options
Password reset options
|Ignore this policy on password reset
|Ignore policy settings when the password is being reset.
Note: Do not enable this setting if the user can reset passwords through a self-service solution such as Specops Password Reset.
|Require user to change password on next logon
|Require the user to change their password on the next logon after the password has been reset.
|Unlock locked accounts automatically on reset
|Automatically unlock user accounts when their passwords are reset.
This setting is used to control the contents of the message sent to the users when they fail to meet their password rules:
|Client message language
|Specify the language localization to use in the message.
|User feedback on failed attempt
|Display the policy rules, failed rules, or a custom message after a failed attempt.
|Additional information to end users at password change
|Specify any additional information you want to give the end users when they change their passwords.
In this section you can set the language and the default country code for mobile numbers.
This setting will determine in which language the Placeholder texts will be presented to the user. Note that if this is set to (Default), the default language for the user's computer will be used. In case the compute's default language is not included in the language files, English will be used as a fallback.
Default mobile number country code
In case the mobile number in Active Directory (whether that is stored in the mobile attribute or another attribute referenced through the Custom User Attributes in the Domain Administration tool) does not start with a + (plus), the system automatically adds the Default country code if this option is checked. Thus, 070 123 4567 with a Default mobile number country code setting of +46, will be converted into +46 70 123 4567.
Note that in case the international phone format in AD is written with an international prefix, e.g. 00, the conversion will not work properly. For example, if the phone number in the above example was input as 00 46 70 123 4567, and the default country code option was checked with a setting of +46, the resulting number would be +46 0 46 70 123 4567, which would be incorrect.
- Check the Default mobile number country code checkbox
- Enter the country code you would like to use as the default
|Maximum password age (days)
|Specify the time (in days) that can elapse before a password expires.
|Length based password aging
|Toggle length based password aging on or off. Length based password aging rewards users who use longer passwords with a later password expiration. More information on this topic can be found on the Password Expiration page.
|Number of expiration levels
|Sets the number of expiration levels. More levels allow for more differentiation and different expiration rewards.
|Characters per level
|Value representing password length range for each expiration level.
|Extra days per level
|Extra days rewarded beyond default expiration for every level the user attains in their password length.
|Disable expiration for the last level
|Disables expiration for users who have met the criteria for the highest level set.
Password expiration notifications (See Also: Notifications
Password expiration notifications
|Notify at login (days before expiration)
|When this option is enabled, users will be notified when their password is about to expire when they log in to Windows
|Send email notification (days before expiration)
|Specifies whether the user receives an email notification that their password is aout to expire. Users will receive an email once a day until they change their password. Number value determines number of days before expiration when the users should start getting emails.
|Sender email address. Set in Domain Settings in Domain Administration Tool.
|Email sender name.
|Recipient's email adddress. %UserEmail% placeholder should be used.
|Optional CC email addresses, comma-separated.
|Email subject line. Placeholders can be used.
|Email body text. Placeholders can be used.
For more detailed information about how to manage password expiration settings, including length-based password aging, visit the Password Expiration page
Password length requirements
Password length requirements
|Minimum password length
|Specify the minimum number of characters in a password.
|Maximum password length
|Specify the maximum number of characters in a password.
Character group requirements
Character group requirements
|Number of required character groups
|Specify the number of character groups (upper case, lower case, digits, special characters, and Unicode characters) that the password must have characters from.
|Required alpha characters
|Specify the minimum number of alpha characters (A-Z) in a password.
|Required upper case characters
|Specify the minimum number of upper case alpha characters in a password.
|Required lower case characters
|Specify the minimum number of lower case alpha characters in a password.
|Required non alpha characters
|Specify the minimum number of non-alpha characters (digits, special characters, Unicode characters) in a password.
|Specify the minimum number of digits (0-9) in a password.
|Required special characters
|Specify the minimum of special characters in a password.
|Required Unicode characters
|Specify the minimum number of Unicode characters that must be present in the password.
Note: Enable this feature only if the user has the ability to enter Unicode characters directly from their keyboards.
|Use custom dictionaries
|Using a custom dictionary allows you to add, configure, and remove password lists and password hash lists. The list is checked each time there is a password change in Active Directory. A new password will be rejected if it is found in the dictionary.
|Use online dictionaries
|Show failed dictionary word to user
|When dictionaries are used and configure to use partial match, this setting will display the part of the password found in a dictionary following a failed password change attempt.
Password content restrictions
nPassword content restrictions
|Disallow username in password
|Prevent the use of the username in the password.
|Disallow full username in password
|Prevent the use of full account name (first name, last name, display name) in the password.
|Disallow part of username in password
|Prevent the use of parts (three or more consecutive characters) of the account name (first name, last name, display name) in the password.
|Disallow digit as first character in a password
|Prevent the use of a digit as the first character in a password.
|Disallow digit as last character in a password
|Prevent the use of a digit as the last character in a password.
|Disallow consecutive identical characters
|Specify the number of identical consecutive characters that can be used in a password.
|Use regular expressions
|Allows the use of Regular Expression (RegEX) string matching against password.
The entropy bar is shown on the left side of the Password rules tab. It changes according to the settings input in this part of the tool. It is a graphical representation of the relative complexity of the policy in a mathematical sense. The height of the bar corresponds to the combinatorial complexity of the weakest possible password that the policy would accept.
This is not an absolute measure of the policy strength and should mostly be used to compare how different settings in the password rules affect the complexity.
|Minimum passphrase length
|The minimum number of characters in the passphrase.
|Require one or more lower case characters
|One or more lower case characters in the passphrase.
|Require one or more upper case characters
|One or more upper case characters in the passphrase.
|Require one or more digits
|One or more digits in the passphrase.
|Require one or more special characters
|One or more special characters in the passphrase.
|A description of the policy that will be displayed to end users when changing their password. The message should explain the policy requirements the passphrase should meet.
|Custom Regular Expressions
|Create the regular expressions that will be used to validate passphrases.
|Type a sample passphrase to test against the regular expression.
Breached Password Protection (add-on)
You can enable Breached Password Protection validation during a password reset, and/or password change.
For more information about the Breached Password Protection settings, click here.