AD 2003 Password Complexity and French Keyboard drivers

TheMSsForum.com: The Microsoft Software Forum

Hello, figured I'd throw this around here before buying an answer. I've got
an international client who are having trouble with password complexity,
particularly in non-english countries (France, Italy) using their countries
Windows kb drivers and keyboards.

AD Default Domain Policy has the password complexity set to Disabled. The
servers are using Microsoft's passflt.dll to enforce complexity. Passwords
be 6 in length, 1 day in age. HD personnel sets a French user's password to
"Monde7" with password change required. The user logs in and is prompted for
a change, but won't accept any passwords that match the standard complexity
rules (tried many things like Friends1, !Friends^, ILtheBA!!, but all to no
avail).

1. Just what really are the hard, true password rules from Microsoft on
complexity - their published information is incorrect.
2. Is anyone having problems with password complexity simply because of
different national keyboard drivers and layouts?

The two unusual things here are that I'm not experienced with using
complexity, except for on my NT4 or older servers, being controlled by
anything except AD policy, and I've not had any great depth supporting world
wide users with Microsoft products. Thanks in advance for your input!
Top

RE: AD 2003 Password Complexity and French Keyboard drivers by Ian

Ian
Tue May 22 04:33:02 CDT 2007

Never used European keyboards, but my feelings are that a password-lockout
policy (which for some strange reason is omitted from the default policy)
will go much further toward securing the computers, and without the
user-aggro.

Basically, if a hacker has only three or five tries then even a simple
password is reasonably secure. No password is secure if the hacker has an
infinite number of tries.


Top

RE: AD 2003 Password Complexity and French Keyboard drivers by Ian

Ian
Tue May 22 04:51:00 CDT 2007

Might also add that I recall in one instance having difficulty clearing this
Password Complexity policy on 2003 Server. I think your problem might be
down-to it not having cleared properly, rather than a keyboard issue. Suggest
trying the policy-change again, and possibly restart the server and clients
before testing, to make sure the change 'sticks.'

In light of that experience I tend to remove this policy rightaway, before
any clients get to log-on.


Top

Re: AD 2003 Password Complexity and French Keyboard drivers by S

S
Tue May 22 05:55:08 CDT 2007

G'day:

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:9BAA5EF4-C55D-413A-9597-

> Basically, if a hacker has only three or five tries then even a simple
> password is reasonably secure. No password is secure if the hacker has an
> infinite number of tries.

I like 200. No human will do that many retries - will clearly signal either
attack or malfunctioning software. The account lockout event in the event
log will be more valuable for monitoring then.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


Top

RE: AD 2003 Password Complexity and French Keyboard drivers by RonMM3

RonMM3
Wed May 30 10:57:00 CDT 2007

Thank you for your replies, they did help as did some documentation from a
parent company about their custom password filter file! Got to love it as
the various pieces come to light. Most of the problem was in the logic of
the dll, and they like it so I'll leave it be. :)

"NHDiverAdmin" wrote:

> Hello, figured I'd throw this around here before buying an answer. I've got
> an international client who are having trouble with password complexity,
> particularly in non-english countries (France, Italy) using their countries
> Windows kb drivers and keyboards.
>
> AD Default Domain Policy has the password complexity set to Disabled. The
> servers are using Microsoft's passflt.dll to enforce complexity. Passwords
> be 6 in length, 1 day in age. HD personnel sets a French user's password to
> "Monde7" with password change required. The user logs in and is prompted for
> a change, but won't accept any passwords that match the standard complexity
> rules (tried many things like Friends1, !Friends^, ILtheBA!!, but all to no
> avail).
>
> 1. Just what really are the hard, true password rules from Microsoft on
> complexity - their published information is incorrect.
> 2. Is anyone having problems with password complexity simply because of
> different national keyboard drivers and layouts?
>
> The two unusual things here are that I'm not experienced with using
> complexity, except for on my NT4 or older servers, being controlled by
> anything except AD policy, and I've not had any great depth supporting world
> wide users with Microsoft products. Thanks in advance for your input!
Top