Fine-grained password policies are successfully applied when resetting a user's password from the ARS Web Interface:
- Fine Grained Password Policy: minimum password length = 5
- Default domain policy: minimum password length = 3
Introducing 3 characters will fail; however when introducing a 5 characters password or more it will be accepted and changed.
The Fine Grained Password Policy will take precedence over the "Domain Password Policy". The users profile when checking the Additional Account Info tab will display the Domain Password policy details instead of the Fine Grained Password Policy details.
Example using above values:
Active Roles generates passwords with 3 characters, i.e. the Fine Grained Policy settings are ignored.
The additional account information tab appears to calculate its data from Default Domain Policy which is incorrect
- When displaying Additional Account Information for a user account that falls in scope of a Fine Grained Password Policy, ActiveRoles uses the default domain policy to calculate the password expires date.
- The Account Lockout and Password Policies window displays password settings from the default domain policy instead of the RSOP password settings, instead of the combination of the default domain policy and any applicable password settings objects (PSO).
- Password generated by ARS does not meet the minimum password length rule defined by the Fine Grained Password Policy. The built-in script that generates password uses the Minimum password length defined by the default domain policy. (Note: The password generation script included with ARS 7.3.1 fixes this particular issue.)