-
Title
Which Password Policy Takes Precedence -
Description
This document details, in the case where multiple password policies apply to a user, which password policy(s) take precedence. -
Cause
By design. -
Resolution
Typically there are three types of password policy
- Default Domain Password Policies (DDPP)
- Windows Fine-Grained Password Policies (WFGPP)
- One Identity Password Policies. (OIPP)
These can be used in the following scenario’s
Scenario 1. - Users are scoped to DDPP & OIPP
Password Manager will look at each of the individual policy rules and apply the most restrictive ones.
Scenario 2. - Users are scoped to DDPP & OIPP & WFGPP
Password Manager will ignore DDPP.
Password Manager will look at each of the individual OIPP and WFGPP rules and apply the most restrictive ones.
Scenario 3. - Users are scoped to OIPP & WFGPP
Password Manager will look at each of the individual policy rules and apply the most restrictive ones.
Scenario 4. - Users are scoped to DDPP & WFGPP
Password Manager will ignore DDPP and apply the policy settings from the WFGPP.
Scenario 5. – Users are scoped to several WFGPP’s
The applicable policy is selected automatically in Active Directory.
Scenario 6. - Users are scoped to several OIPP’s
The policy with the highest priority is applied to the user. Note, that priority can be changed for policies with the same scope.
Notes:
- Password Policy Manager is an independently deployed component of Password Manager.
- Password Policy Manager is necessary to enforce password policies configured in Password Manager in such cases when users change their passwords using means other than Password Manager.
For example: When a user changes a password on the Self-Service site, a new password is checked against password policy rules immediately, and if it complies with password policies configured in Password Manager, the new password is accepted. But when the user changes the password by pressing CTRL+ALT+DELETE for example, the password’s compliance with password policies cannot be checked by Password Manager, unless Password Policy Manager is deployed on all domain controllers in a managed domain. Password Policy Manager installs the dictionary file in SYSVOL folder to set dictionary rules for new passwords. If the dictionary file already exists in SYSVOL folder, the Password Policy Manager setup will not replace the file while installing.
- If Password Policy Manager is not installed on all domain controllers in the domain, password policies configured in Password Manager will be ignored when users change passwords by means other than Password Manager.