Passwords are the first line of defense in securing your resources and critical data. To enhance security, users are often required to comply with password policies set by network administrators. While the password policy settings built into Microsoft's Active Directory (AD) have changed little over the last decade or so, attackers and their techniques have evolved by leaps and bounds.

AD's built-in password policy is considered weak because:

  1. The default domain password policy applies to every user in the domain. Fine-grained password policies (available since Windows Server 2008) can assign different settings to individual users and global security groups, but neither the default policy nor a fine-grained policy can be applied to an OU directly.

  2. The built-in complexity requirement only checks for a mix of character classes. On its own it cannot block common keyboard patterns (like asdf, 1234, and qwerty) or incremental passwords (like password1, password2, and password3); doing so requires a custom password filter DLL installed on every domain controller.

  3. Likewise, the use of dictionary words in passwords cannot be restricted by the built-in policy.

To thwart hackers attempting to exploit these types of weak links within your organization, you need to enforce strict password policies that force users to set complex passwords.

But how do you do it? With ADSelfService Plus' Password Policy Enforcer. Here are some of this tool's key features:

Set effective password complexity rules

Force users to set passwords that contain a healthy mix of uppercase letters, lowercase letters, numerals, and special characters. You can also restrict users from using dictionary words, common password patterns, or a non-alphabetic character as the first character of the password. Additionally, you can set the minimum number of these complexity rules a new password must satisfy.
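To make the rule types above concrete, here is an added example of a password-change check that applies them: character-class mix with an N-of-4 threshold, an alphabetic first character, dictionary words (matched after undoing common leet substitutions), keyboard and numeric patterns, and incremental changes relative to the previous password. This is illustrative code written for this page, not ADSelfService Plus' implementation; the `Policy` fields, rule names, and the word and pattern lists are assumptions, and the lists are deliberately tiny constructed samples rather than a real wordlist.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this example, not a real wordlist: a deployment
# would load a full dictionary and a breached-password list instead.
DICTIONARY_WORDS = frozenset({"password", "welcome", "summer", "company",
                              "admin", "letmein", "dragon"})
COMMON_PATTERNS = ("qwerty", "asdf", "zxcv", "abcd", "1234", "1111", "0000")

# Substitutions attackers try first. They are undone before the dictionary
# check so that "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy knobs mirroring the rule types described above."""
    min_length: int = 12
    min_char_classes: int = 3          # N-of-4: upper, lower, digit, special
    alphabetic_first_char: bool = True
    dictionary: frozenset = DICTIONARY_WORDS
    patterns: tuple = COMMON_PATTERNS


def char_classes(pw: str) -> set:
    """Return which of the four character classes the password contains."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def _normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions for dictionary matching."""
    return pw.lower().translate(LEET_MAP)


def _stem(pw: str) -> str:
    """Drop trailing digits/punctuation: 'Summer2024!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def evaluate(pw: str, old_pw: Optional[str] = None,
             policy: Policy = Policy()) -> list:
    """Return the names of the rules the candidate password violates.

    An empty list means the password is acceptable under `policy`. `old_pw`
    is the password being replaced: a change hook has it, a reset hook usually
    does not, so the incremental check is skipped when it is None.
    """
    failures = []
    lowered = pw.lower()
    normalised = _normalise(pw)

    if len(pw) < policy.min_length:
        failures.append("min_length")
    if len(char_classes(pw)) < policy.min_char_classes:
        failures.append("char_classes")
    if policy.alphabetic_first_char and not pw[:1].isalpha():
        failures.append("first_char")
    # Dictionary words are matched on both the raw lower-case form and the
    # de-leeted form, so "Adm1n" and "admin" are both caught.
    if any(w in lowered or w in normalised for w in policy.dictionary):
        failures.append("dictionary_word")
    # Keyboard/numeric patterns are checked on the raw form only, because
    # de-leeting would turn "1234" into "ie2a" and hide it.
    if any(p in lowered for p in policy.patterns):
        failures.append("common_pattern")
    if old_pw is not None:
        # "Password1" -> "P@ssword1" (same word after de-leeting) and
        # "Summer2023!" -> "Summer2024!" (same stem, only the suffix changed)
        # are both treated as incremental, not as a real change.
        same_modulo_leet = _normalise(old_pw) == normalised
        new_stem, old_stem = _stem(pw), _stem(old_pw)
        same_stem = bool(new_stem) and new_stem == old_stem
        if same_modulo_leet or same_stem:
            failures.append("incremental")
    return failures


if __name__ == "__main__":
    # Constructed candidates; the last two simulate a password change.
    for new, old in [("Correct-Horse-Battery-9", None),
                     ("P@ssw0rd123!", None),
                     ("1Qwerty-Admin!", None),
                     ("Summer2023!", "Summer2022!"),
                     ("Tr0ub4dor&3-Xyzzy", "Troubador&3-Xyzzy")]:
        print(f"{new!r}: {evaluate(new, old) or 'OK'}")
```

The incremental check only works where the old password is available in cleartext, which is the case for a user-initiated change but not for an administrator reset; a real enforcement point therefore has to fall back to password-history hashes for resets. The stem rule also intentionally rejects "Summer!" followed by "Summer2024!", since appending a date is the change users make most often when forced to rotate.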

Display password policy requirements on the password reset/change page

To make creating passwords easier for users, the password policy requirements are displayed on the password reset/change page of both ADSelfService Plus and Windows. If enabled, ADSelfService Plus' password strength analyzer can also help users determine how strong their passwords are. If a new password fails to meet the policy's requirements, it is rejected.

Universally enforce a password policy

Whether a password reset or change happens from the ADSelfService Plus mobile application, the Windows logon (GINA/Credential Provider) screen, or Active Directory Users and Computers (ADUC), the password policy requirements must be met. This way, even when administrators are resetting passwords for locked-out or expired accounts, they are held to the same policy and have no workaround for setting weak passwords.

Set granular password policies based on OUs and groups

You can set more stringent password policies for privileged users with access to sensitive information and less stringent ones for users who don’t have such access.

To check out the Password Policy Enforcer along with everything else ADSelfService Plus has to offer, download a free, 30-day trial now!

Thejas Sridhar
Product Consultant