-
Titel
What needs to be done on the client machine after changing the Active Directory password policy? -
Beschreibung
What needs to be done on the client machine after changing the windows password policy? Changing the password policy to include a larger amount of characters in the minimum length of password.
-
Lösung
The AD password policy is by default updated every 6 hours. This can be controlled through the following vas.conf option.
password-policy-sync-interval = <integer (minutes)>
Default value: 360vasd maintains a cache of Active Directory password policy information in order to provide /etc/shadow information through the getsp* family of functions. This
information includes the minimum and maximum password ages as well as other password policy related settings that are typically configured locally on Unix systems. This
option controls how often this cache is updated and defaults to 6 hours. If this option is set to 0, then no update for the password policy information will occur.The support for multiple password policies per domain was introduced in Windows 2008. QAS supports providing this information from the shadow interface beginning with
QAS 3.3.2; however, the password sync process cannot read the password settings container where the additional password policies are stored with the default Active
Directory ACLs. The default ACLs restrict read rights to these settings to administrative users. The password sync process searches for policy information using the
credentials of the host identity; therefore, up to date password policy settings cannot be guaranteed unless ACLs are modified in such a way that Unix host objects can
read the password settings container. An alternative option is to regularly flush password policies using the vastool flush pwdpolicies command while specifying
administrative credentials.NOTE: This value is read once during vasd start-up. Any changes to this value require you to restart vasd before changes take effect. The following example shows how to
set the password sync interval to 24 hours.[vasd]
password-policy-sync-interval = 1440 -
Weitere Informationen
To see the current AD policy in effect run
# /opt/quest/bin/vastool -u host/ info adsecurity
Default Domain Password Policy
________________________________________________________________________________
Enforce password history : 24 passwords remembered
Maximum password age : 1d:0h:0m:0s
Minimum password age : 0d:0h:0m:0s
Minimum password length : 7 characters
Password must meet complexity requirements : FALSE
Store password using reversible encryption : FALSEAccount Lockout Policy:
Account lockout duration : 0d:0h:30m:0s
Account lockout threshold : 3 invalid logon attempts
Reset account lockout counter after : 0d:0h:30m:0s
________________________________________________________________________________