Passwords are the first line of defense against cyberattacks, which highlights the importance of having a strong password. Some hackers find that cracking passwords is the easiest way to gain access to a user account in Windows Active Directory. This doesn't come as a surprise considering that the password controls and password policy requirements in Active Directory haven't been changed in over a decade. Hackers can use age-old hacking strategies like brute-force attacks, dictionary attacks, and rainbow table attacks to acquire these passwords.
Microsoft allows you to apply password policies to your Active Directory users with a combination of password policies that are based on Group Policy Objects (GPOs) and fine-grained password policies (FGPPs). One major difference between the two methods is that with FGPPs, there can be more than one password policy in the same domain. It's important to remember that regardless of what you choose, the provided password controls are the same.
The best way to enhance security is by implementing a solution that protects your Active Directory passwords and works well with both GPO-based policies and FGPP-based policies. This solution should allow additional control over password policies without requiring a complete redesign of your current AD environment.
With the Password Policy Enforcer in ADSelfService Plus, you get exactly that.
The following chart compares the password policy settings of ManageEngine's ADSelfService Plus with those in Windows Active Directory.
| Features | ADSelfService Plus’ Password Policy Enforcer | Group Policy Object password policy | Fine-grained password policies |
|---|---|---|---|
| Key features | | | |
| Password must not be a dictionary word | ![]() | ![]() | ![]() |
| Password must not include specific patterns | ![]() | ![]() | ![]() |
| Password must not be a palindrome | ![]() | ![]() | ![]() |
| Password must contain at least one Unicode character | ![]() | ![]() | ![]() |
| Password history enforcement during password resets by admins through ADUC | ![]() | ![]() | ![]() |
| Password cannot repeat a character more than two times in a row | ![]() | ![]() | ![]() |
| Password cannot contain five consecutive characters from an old password | ![]() | ![]() | ![]() |
| Password must begin with a letter | ![]() | ![]() | ![]() |
| Allow users to bypass complexity requirements when password length exceeds a predefined limit (say, 20 characters) | ![]() | ![]() | ![]() |
| Maximum password length | ![]() | ![]() | ![]() |
| Minimum password length | ![]() | ![]() | ![]() |
| Password cannot contain five consecutive characters that are in the username | ![]() | ![]() | ![]() |
| Other features | | | |
| Password policies can be enforced granularly based on OUs and groups | ![]() | ![]() | ![]() |
| Password policy enforcement during a password change from the Windows logon screen | ![]() | ![]() | ![]() |
| Password policy enforcement during password resets by admins from ADUC | ![]() | ![]() | ![]() |
| The exact password complexity requirements are displayed to end users in the Windows logon screen during change password operations | ![]() | ![]() | ![]() |
| Option to force any or all of the below character group requirements: | ![]() (All four can be enforced.) | ![]() (Only three are enforced.) | ![]() (Only three are enforced.) |
| Option to force Unicode characters | ![]() | ![]() | ![]() |
Microsoft has not improved the security of their password policy controls in terms of protecting your Active Directory users' passwords. Though FGPPs allow you to have more than one password policy for a domain, the password controls are the same as with GPO-based password policies and the deployment is only through group membership, not through OUs.
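To see which of the two native mechanisms actually governs a given account, the following added example (not ManageEngine's or Microsoft's own code) uses the standard ActiveDirectory PowerShell module to list the domain policy and every FGPP with its subjects, then resolves the resultant policy for one user. The account name `jdoe` is a hypothetical placeholder.

```powershell
# Added example; assumes the ActiveDirectory (RSAT) module and domain read access.
Import-Module ActiveDirectory

# Both policy types expose the same controls, so one column set covers them.
$controls = 'MinPasswordLength', 'PasswordHistoryCount', 'ComplexityEnabled',
            'MinPasswordAge', 'MaxPasswordAge', 'LockoutThreshold'

# 1. The single GPO-based policy that applies to the whole domain.
$report = @(
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object (@(
            @{ Name = 'Policy';     Expression = { 'Default domain policy (GPO)' } }
            @{ Name = 'Precedence'; Expression = { 'n/a' } }
            @{ Name = 'AppliesTo';  Expression = { 'All users without an FGPP' } }
        ) + $controls)
)

# 2. Every FGPP, lowest precedence value (the winner on conflict) first.
$report += @(
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        ForEach-Object {
            $policy = $_
            # Subjects are users or global security groups, never OUs.
            $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $policy |
                ForEach-Object { '{0} ({1})' -f $_.Name, $_.ObjectClass }
            $policy | Select-Object (@(
                @{ Name = 'Policy';    Expression = { $policy.Name } }
                'Precedence'
                @{ Name = 'AppliesTo'; Expression = { $subjects -join '; ' } }
            ) + $controls)
        }
)

$report | Format-Table -AutoSize

# 3. Resolve which policy is in effect for one account.
$sam = 'jdoe'   # hypothetical account name, replace with a real sAMAccountName
$effective = Get-ADUserResultantPasswordPolicy -Identity $sam
if ($effective) {
    "FGPP '$($effective.Name)' (precedence $($effective.Precedence)) applies to $sam"
} else {
    "No FGPP applies to $sam; the default domain policy is in effect"
}
```

An FGPP with an empty `AppliesTo` column is defined but not linked to any user or group, so it protects no one.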
ADSelfService Plus' Password Policy Enforcer provides a complete solution that protects your Active Directory domain users' passwords. The ability to have multiple password policies in a single domain distributed through user group memberships or OUs is beneficial for most Active Directory installations. The ability to protect passwords against dictionary and password pattern attacks is important for mitigating cyberattacks that utilize these techniques. In a nutshell, ADSelfService Plus is a secure password solution for any Active Directory domain.