Return
-
Title
How to check Active Directory domain password rules with vastool command? -
Description
Does QAS/VAS enable control of password expiration, complexity, history, etc? How is this achieved?
-
Resolution
All authentication and password changes for Active Directory users are done directly against Active Directory Domain Controllers using standard Kerberos protocols.
The Domain Controllers enforce account lockout, password complexity and history, and password expiration. The QAS client simply passes this information back to the users.
To display the rules from the domain from the QAS client you can use the vastool info adsecurity command.
Here is an example of the command and the output:
$ /opt/quest/bin/vastool -u sysadm info adsecurityPassword for sysadm@LAB.IDM2.INT:Password policies for domain lab.idm2.intDefault Domain Password Policy________________________________________________________________________________Enforce password history : 24 passwords rememberedMaximum password age : 42d:0h:0m:0sMinimum password age : 1d:0h:0m:0sMinimum password length : 7 charactersPassword must meet complexity requirements : TRUEStore password using reversible encryption : FALSEAccount Lockout Policy:Account lockout duration : 0d:0h:30m:0sAccount lockout threshold : 0 invalid logon attemptsReset account lockout counter after : 0d:0h:30m:0s________________________________________________________________________________To see the password policy for an individual user you can use the same with the -u switch, for example:
# /opt/quest/bin/vastool -u administrator info adsecurity -u <username>