You can use Password Manager to create password policies that define which passwords to reject or accept. Password policy settings are stored in Group Policy objects (GPOs). A GPO is applied by linking it to a target container defined in Active Directory, such as an organizational unit or a group.
Group Policy objects from parent containers are inherited by default. When multiple Group Policy objects are applied, the policy settings are aggregated.
For information on how to apply a password policy and change policy link order, see Managing Password Policy Scope.
Password Policy Manager (PPM) is an independently deployed component of Password Manager. It is required to enforce password policies configured in Password Manager when users change their passwords using tools other than Password Manager. To enforce password policies that you define with Password Manager, you must deploy Password Policy Manager on all domain controllers in a managed domain.
When a user changes a password in Password Manager, the new password is checked right away and, if it complies with the password policies configured in Password Manager, it is accepted.
But when a user changes a password by other means, for example by pressing CTRL+ALT+DELETE, the new password is not checked immediately by Password Manager. Instead, its compliance with password policy rules is checked on a domain controller, which is why PPM must be installed on all domain controllers in a managed domain. If PPM is not installed, password policies configured in Password Manager are ignored whenever a user changes a password outside Password Manager.
Password Policy Manager extends the default password policy settings and allows configuring policy scopes for each policy, so that only specified organizational units and groups are affected by the policy.
Password policy settings are stored as Group Policy Objects. PPM creates new GPOs, and it does not change any existing GPOs.
Depending on whether a domain controller is running an x86 or x64 version of the Microsoft Windows Server operating system, the appropriate version of Password Policy Manager must be installed. The procedure for installing PPM is outlined in Installing Password Policy Manager.
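One way to check the "all domain controllers" and x86/x64 requirements after deployment, as an added example that is not part of the product documentation. It assumes the ActiveDirectory module and PowerShell remoting to each domain controller are available, and that the PPM package registers an uninstall entry whose display name matches `$NamePattern` (an assumed value, adjust it to your build):

```powershell
# Added example: audit Password Policy Manager (PPM) coverage across domain controllers.
# Assumptions: ActiveDirectory module, PowerShell remoting to every DC, and an uninstall
# entry whose DisplayName matches $NamePattern (assumed, not taken from the product docs).
Import-Module ActiveDirectory

$NamePattern = '*Password Policy Manager*'

$probe = {
    param($Pattern)
    # Native view holds packages matching the OS bitness; WOW6432Node holds x86 packages on x64.
    $roots = @{
        Native = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Wow64  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    $found = foreach ($view in $roots.Keys) {
        Get-ItemProperty -Path $roots[$view] -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $Pattern } |
            ForEach-Object { [pscustomobject]@{ View = $view; Version = $_.DisplayVersion } }
    }
    [pscustomobject]@{
        Is64BitOS = [Environment]::Is64BitOperatingSystem
        Packages  = @($found)
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $views = @()
    try {
        $r = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $probe `
                            -ArgumentList $NamePattern -ErrorAction Stop
        $views = @($r.Packages | ForEach-Object { $_.View })
        $status = if (-not $views) { 'MISSING' }                                   # no PPM entry at all
                  elseif ($r.Is64BitOS -and $views -notcontains 'Native') { 'WRONG_ARCH' }  # x86 package on x64 OS
                  else { 'OK' }
    } catch {
        $status = 'UNREACHABLE'   # coverage unknown; treat as not verified
    }
    [pscustomobject]@{ DC = $dc.HostName; Status = $status; Views = ($views -join ',') }
}

# MISSING or WRONG_ARCH rows are DCs that do not meet the deployment requirement described above.
$report | Sort-Object Status, DC | Format-Table -AutoSize
```

Run it again whenever a domain controller is promoted, since a new DC without PPM accepts password changes that were made outside Password Manager without applying these policies.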
Password Manager uses a set of powerful and flexible rules to define requirements for domain passwords. Each password policy has rules that are configured independently of the rules in other policies.
The following rules duplicate and extend system password policy rules: Password Age rule, Length rule, Complexity rule, and User Properties rule.
For information on how to create and configure a password policy, see Creating and Configuring a Password Policy.
To display the properties of a password policy
This section describes the steps for deploying Password Policy Manager in a managed domain.
Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO), or use an existing one, to assign the Password Policy Manager installation package to the destination computers. Password Policy Manager is then installed on the computers to which the GPO applies. Depending on the operating system running on the destination computers, you must apply one of the following installation packages included on the installation CD:
The installation packages are located in the \Password Manager\Setup\Password Policy Manager\ folder on the installation CD.
NOTE: Depending on whether a domain controller is running an x86 or x64 version of the Microsoft Windows Server operating system, the appropriate version of Password Policy Manager must be installed.
To install Password Policy Manager on a single domain controller
To deploy Password Policy Manager on multiple domain controllers