Overview


Introduction

Specops Password Policy (for short SPP) is a password policy product built on the Group Policy engine in Active Directory. SPP works in conjunction with the existing password policy feature found in Active Directory.

This page contains a brief overview of SPP and its different modules.

Specops Password Policy

Group Policy based

SPP is a truly Group Policy based product, which means that it can be configured in any number of group policies in Active Directory. This has several advantages:

  • There can be more than one password policy in Active Directory affecting different users, for example a strong password policy for administrators and a more forgiving one for normal users.
  • The password policy configuration can be delegated. In a large Active Directory environment, administrators at different levels can configure the password policy without needing domain-level permissions.
  • The Group Policy targeting mechanisms, such as security group filtering, enforcing and blocking, which should be familiar to Active Directory administrators, apply to the password policies as well.
  • Configuring the password policies mimics the configuration of other security settings since most security settings are group policy based as well.
Note! In the end only one password policy will apply to a specific user. Password policies are not merged.

Extended password requirements

SPP adds many additional password requirements and features not found in the built-in password policy feature. Some of the additional requirements include:

  • Disallowing words from a specified dictionary
  • Disallowing incremental passwords, for example changing from password1 to password2 would be prohibited
  • E-mail notification when the password is about to expire. This is important for users who do not normally log in interactively, for example users who only work through Outlook Web Access, since the password cannot be changed from such applications.
  • The e-mail notification can be used to inform users ahead of time that they need to change their password.
  • Maximum length requirement on passwords. This is useful in environments where the same password is also used to access, for example, mainframe systems where the maximum length may be limited.

These are just a few of the features in SPP. There are more than 20 different settings to choose from when configuring a password policy.
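To make the extended rules above concrete, here is a small illustrative checker for three of them: dictionary words, incremental passwords (password1 to password2) and a maximum length. It is an added example written for this page, not Specops code, and it does not use the SPP API; the word list, the rule names and the two policy dictionaries standing in for an administrator GPO and a user GPO are constructed for illustration. Rather than a single accept/reject answer it returns the result of every rule, which is the kind of per-requirement feedback a user needs when a password change is refused.

```python
"""Illustrative password-rule checker: dictionary words, incremental
passwords and a maximum length, reporting per-rule pass/fail results.
Added example for this page; not Specops code and not the SPP API."""
import re

# Constructed sample word list. A real deployment would load a large
# dictionary file; the check is a case-insensitive substring match.
DICTIONARY = {"password", "welcome", "summer", "qwerty"}

# Hypothetical policies standing in for two GPOs: a forgiving one for
# normal users (max length 8 because the same password is reused on a
# legacy mainframe) and a strict one for administrators.
USER_POLICY = {"min_length": 8, "max_length": 8}
ADMIN_POLICY = {"min_length": 15, "max_length": 64}

_STEM_AND_NUMBER = re.compile(r"(.*?)(\d*)")


def split_trailing_number(password: str) -> tuple[str, str]:
    """Split 'password12' into ('password', '12'); no digits gives ('password', '')."""
    m = _STEM_AND_NUMBER.fullmatch(password)
    return m.group(1), m.group(2)


def contains_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """True if any word from the dictionary appears anywhere in the password."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary)


def is_incremental(old: str, new: str) -> bool:
    """True when the only change is the trailing number, e.g. password1 -> password2,
    or a number was appended to the old password, e.g. password -> password1.
    The stem comparison ignores case, so Summer2008 -> summer2009 is caught too."""
    old_stem, old_num = split_trailing_number(old)
    new_stem, new_num = split_trailing_number(new)
    return old_stem.lower() == new_stem.lower() and new_num != "" and old_num != new_num


def check_password(old: str, new: str, policy: dict) -> dict[str, bool]:
    """Evaluate every rule and report each one's result, so the user can be
    told which requirements the attempted password meets and which it fails."""
    return {
        "min_length": len(new) >= policy["min_length"],
        "max_length": len(new) <= policy["max_length"],
        "no_dictionary_word": not contains_dictionary_word(new),
        "not_incremental": not is_incremental(old, new),
    }


def failed_rules(old: str, new: str, policy: dict) -> list[str]:
    """Names of the rules the new password fails; an empty list means accepted."""
    return [name for name, passed in check_password(old, new, policy).items() if not passed]


if __name__ == "__main__":
    # Constructed sample password changes, one per policy.
    for old, new, policy, label in [
        ("password1", "password2", USER_POLICY, "user"),
        ("Welcome1", "Autumn-Leaves-Fall-2008", ADMIN_POLICY, "admin"),
    ]:
        failed = failed_rules(old, new, policy)
        verdict = "accepted" if not failed else "rejected: " + ", ".join(failed)
        print(f"{label}: {new!r} -> {verdict}")
```

The incremental check deliberately compares stems case-insensitively and also flags a number appended to an unchanged password, since both are the "same password with a different number" pattern the rule is meant to stop. Each policy is passed in explicitly, mirroring the fact that exactly one policy applies to a given user.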

A complete list of the password rules that can be configured in a password policy is available in the product documentation.

Components

SPP consists of a few different components. Below is a brief description of the different parts.


Sentinel

The Sentinel is the server component and must be installed on all domain controllers. During a password change, the Sentinel validates the new password against the rules of the password policy affecting that user.

GPMC Snap-in

The GPMC (Group Policy Management Console) snap-in is added to the Group Policy Object Editor. This is where the password policy for a given Group Policy is configured.

The snap-in appears in any Group Policy you open. Note that it sits in the user part of the Group Policy: password policies are configured for the users affected by the Group Policy, not for the computers.

Domain Administration

Domain-wide settings are made from the Domain Administration console. This is a Windows application that can be started from the Start menu after installation. Before SPP can be used, a license must be added from the Domain Administration console.

Additional features of this console include enabling or disabling SPP for the whole domain, managing password policy templates, and an overview of all configured password policies.

Active Directory Users and Computers extension

SPP adds an extension to the ADUC console. If you right-click a user object, a new menu item called Specops Password Policy… appears. Clicking it displays a window showing which password policy, if any, affects the user.

Client

The client is a small program that displays a message to end users when they try to change their password and fail. It tells them which password policy requirements apply to them, and which of those requirements the attempted password meets and which it does not.

Scripting support

SPP is fully scriptable. All administrative tasks can be performed through the user interface, through .NET programming, or through PowerShell scripting; SPP includes a custom PowerShell cmdlet for this purpose.

Page last modified on June 25, 2008, at 11:36 AM