The number of passwords ‘enforced’ by Password Manager is lower than the number of passwords configured in the domain password policy rule, ‘Enforce Password History’.
If the Domain Password Policy is configured in Group Policy to remember 8 unique passwords, then a user who resets their password 4 times in Password Manager can reuse Password 1 as their 5th password.
The “Reset password in Active Directory” activity is part of the “Forgot My Password” workflow, and the “Change password in Active Directory” activity is part of the “Manage My Passwords” workflow. This issue affects the “Reset password in Active Directory” activity only.
This is by design.
When resetting a password, Password Manager sets an intermediate password before asking the user to enter a new password. Active Directory therefore records two password changes for a single reset, and both consume a slot in the password history. So if there are 8 passwords in the “Enforce Password History” policy rule, the following scenario is played out.
Password 1 - Is the forgotten password
Password 2 - Is the intermediate password set by Password Manager
Password 3 - Is the new password entered by the user (but as far as the user is concerned this is password 2)
If the user now forgets password 3:
Password 4 - Is the intermediate password set by Password Manager
Password 5 - Is the new password entered by the user (but as far as the user is concerned this is password 3)
If the user now forgets password 5:
Password 6 - Is the intermediate password set by Password Manager
Password 7 - Is the new password entered by the user (but as far as the user is concerned this is password 4)
If the user now forgets password 7:
Password 8 - Is the intermediate password set by Password Manager
Password 9 - Is the new password entered by the user. The user can now reuse Password 1, since there have been 8 unique password changes done in Active Directory – 4 by the user and 4 by Password Manager.
Workaround.
Double the number of passwords enforced by password history.
So in the example above, if the number of passwords in the "Enforce Password History" rule is increased to 16, then from a user’s perspective they will be able to reuse a password after 8 resets when using the “Forgot My Password” workflow and after 16 changes when using the “Manage My Passwords” workflow.
An enhancement request (VSTS84856) has been created so that the rules presented to the user reflect the actual number of passwords remembered.
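The following simulation is an added example, not part of the original article or of Password Manager's own code. It models the Active Directory password history as a fixed-size buffer of password digests (a constructed stand-in; real Active Directory stores NT hashes) and compares a “Manage My Passwords” change (one history slot) with a “Forgot My Password” reset (an intermediate password plus the user's password, two slots). The intermediate password value and the function names are assumptions made for the example. It reproduces both the scenario above (8 remembered passwords, reuse after 4 resets) and the workaround (16 remembered passwords, reuse after 8 resets or 16 changes).

```python
import hashlib
import secrets
from collections import deque


def _digest(password: str) -> str:
    # Constructed stand-in for the hash Active Directory keeps in the history.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordHistory:
    """Simulates the 'Enforce Password History' rule for one account."""

    def __init__(self, remembered: int):
        self.remembered = remembered
        # Oldest digest is evicted once more than `remembered` passwords are set.
        self.history = deque(maxlen=remembered)
        self.current = None

    def set_password(self, new_password: str) -> None:
        digest = _digest(new_password)
        if digest in self.history:
            raise ValueError("password reuse rejected by history policy")
        self.history.append(digest)
        self.current = new_password


def change_password(account: PasswordHistory, new_password: str) -> None:
    # 'Manage My Passwords' workflow: the user's password is the only change.
    account.set_password(new_password)


def reset_password(account: PasswordHistory, new_password: str) -> None:
    # 'Forgot My Password' workflow: an intermediate password is set first,
    # so Active Directory records two changes for one user-visible reset.
    # Random intermediate value is an assumption for this example.
    intermediate = secrets.token_urlsafe(16)
    account.set_password(intermediate)
    account.set_password(new_password)


def operations_until_reuse(remembered: int, use_reset: bool) -> int:
    """Return how many user-visible operations (resets or changes) are needed
    before the original password is accepted again."""
    account = PasswordHistory(remembered)
    original = "Password1"  # constructed sample value
    account.set_password(original)
    operation = reset_password if use_reset else change_password
    count = 0
    while True:
        count += 1
        operation(account, f"Password{count + 1}")
        try:
            account.set_password(original)  # succeeds only once P1 is evicted
            return count
        except ValueError:
            continue


if __name__ == "__main__":
    for remembered in (8, 16):
        print(f"history = {remembered}: reuse after "
              f"{operations_until_reuse(remembered, True)} resets, "
              f"{operations_until_reuse(remembered, False)} changes")
```

With a history of 8 the reset path allows reuse after 4 resets while the change path needs 8 changes; doubling the history to 16 restores the user-visible 8 for resets, exactly as the workaround describes.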
© 2024 One Identity LLC. All rights reserved.