I know we can set password policy for how users can define their passwords.
But is it possible to define the required complexity when an admin resets the password via 'AD users and computers' reset password feature?
2 Answers
But of course. "Fine-Grained Password policy" to the rescue ... You will find many instructions how to do it with ADAC but EF me if I know how to follow them. I prefer ADSI editor. https://blog.thesysadmins.co.uk/active-directory-fine-grained-passwords-with-adsi-edit.html
This is my setup:
Administrators Password and Account Lockout Policy
msDS-PasswordSettingsPrecedence ... 101
msDS-PasswordReversibleEncryptionEnabled ... FALSE
msDS-PasswordHistoryLength ... 24
msDS-PasswordComplexityEnabled ... TRUE
msDS-MinimumPasswordLength ... 15
msDS-MinimumPasswordAge ... 00:00:00:00 OR (none)
msDS-MaximumPasswordAge ... 91:00:00:00
msDS-LockoutThreshold ... 5
msDS-LockoutObservationWindow ... 00:01:00:00
msDS-LockoutDuration ... 00:01:00:00
And very important: "00:00:00:00" OR "(none)" is the same thing, but when you want to specify NEVER then you MUST specify "(never)" ... so if specifying for password to never expire the value is "(never)" and not "00:00:00:00".
msDS-MaximumPasswordAge ... (never)
But is it possible to define the required complexity when an admin resets the password via 'AD users and computers' reset password feature?
I don't understand. An administrator changing/resetting a user password in ADUC is bound by the same password policy as a user changing/resetting their own password.
- I did some testing and it seems you are right. ADUC ignores password history so I assumed it was the case for the other requirements as well. I tested before making this post but must have forgotten about the pw 24h timeout for setting a new password from a users computer, so tests were wrong. Thanks!robliv– robliv2019-05-14 13:54:36 +00:00Commented May 14, 2019 at 13:54
- Resetting a password (via ADUC or other means) specifically bypasses the password history check history because blocking a password during a reset by an administrator would actually disclose a current or previous password to the administrator, which is a no-no.Semicolon– Semicolon2019-05-14 14:07:19 +00:00Commented May 14, 2019 at 14:07
- The OP seemed to be addressing the password complexity requirement, which is what I addressed in my answer. I should have been more specific.joeqwerty– joeqwerty2019-05-14 15:07:48 +00:00Commented May 14, 2019 at 15:07