ADSelfService Plus' password policy enforcer vs. Microsoft AD password policies

Passwords are the first line of defense against cyberattacks, which highlights the importance of having a strong password. Some hackers find that cracking passwords is the easiest way to gain access to a user account in Windows Active Directory. This doesn't come as a surprise, considering that the password controls and password policy requirements in Active Directory haven't been changed in over a decade. Hackers can use age-old hacking strategies like brute-force attacks, dictionary attacks, and rainbow table attacks to acquire these passwords.

How good is the Microsoft password policy?

Microsoft allows you to apply password policies to your Active Directory users with a combination of password policies that are based on Group Policy Objects (GPOs) and fine-grained password policies (FGPPs). One major difference between the two methods is that with FGPPs, there can be more than one password policy in the same domain. It's important to remember that regardless of what you choose, the provided password controls are the same.

Enhanced password security with ADSelfService Plus

The best way to enhance security is by implementing a solution that protects your Active Directory passwords and works well with both GPO-based policies and FGPP-based policies. This solution should allow additional control over password policies without requiring a complete redesign of your current AD environment.

With the Password Policy Enforcer in ADSelfService Plus, you get exactly that.

The ADSelfService Plus advantage

  • Enable multiple password policies in a single Active Directory domain that can be assigned to users based on OUs and groups.
  • Enhance your password policy with ADSelfService Plus' password policy settings, and safeguard users’ passwords from various password attacks.
  • Enforce your enhanced password policy settings when users change their password through the Ctrl+Alt+Del screen as well as when admins reset passwords through Active Directory Users and Computers (ADUC).
  • Display your chosen password requirements to end users during password change on the Ctrl+Alt+Del screen.

The following chart compares the password policy settings of ManageEngine's ADSelfService Plus with those in Windows Active Directory.

Key features

| Features | ADSelfService Plus' Password Policy Enforcer | Group Policy Object password policy | Fine-grained password policies |
|---|---|---|---|
| Password must not be a dictionary word | Yes | No | No |
| Password must not include specific patterns | Yes | No | No |
| Password must not be a palindrome | Yes | No | No |
| Password must contain at least one Unicode character | Yes | No | No |
| Password history enforcement during password resets by admins through ADUC | Yes | No | No |
| Password cannot repeat a character more than two times in a row | Yes | No | No |
| Password cannot contain five consecutive characters from an old password | Yes | No | No |
| Password must begin with a letter | Yes | No | No |
| Allow users to bypass complexity requirements when password length exceeds a predefined limit (say, 20 characters) | Yes | No | No |
| Maximum password length | Yes | No | No |
| Minimum password length | Yes | Yes | Yes |
| Password cannot contain five consecutive characters that are in the username | Yes | No | No |

Other features

| Features | ADSelfService Plus' Password Policy Enforcer | Group Policy Object password policy | Fine-grained password policies |
|---|---|---|---|
| Password policies can be enforced granularly based on OUs and groups | Yes | No | No |
| Password policy enforcement during a password change from the Windows logon screen | Yes | Yes | Yes |
| Password policy enforcement during password resets by admins from ADUC | Yes | Yes | Yes |
| The exact password complexity requirements are displayed to end users in the Windows logon screen during change password operations | Yes | No | No |
| Option to force any or all of the following character group requirements: uppercase characters, lowercase characters, special characters, numeric characters | Yes (All four can be enforced.) | Yes (Only three are enforced.) | Yes (Only three are enforced.) |
| Option to force Unicode characters | Yes | No | No |
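
To make several of the rules in the chart concrete, here is a sketch of how they can be evaluated against a candidate password. It is an added example, not ADSelfService Plus or Microsoft code; the function names, the length defaults and the three-word banned list are assumptions made for illustration.

```python
import re

# Constructed sample list; a real deployment would load a large banned-word file.
BANNED_WORDS = {"password", "welcome", "qwerty"}

def shares_run(candidate, other, n=5):
    """True if any n consecutive characters of `other` occur in `candidate` (case-insensitive)."""
    c, o = candidate.lower(), other.lower()
    return any(o[i:i + n] in c for i in range(len(o) - n + 1))

def check_password(pw, username, old_passwords=(), min_len=8, max_len=64, bypass_len=20):
    """Return the names of the violated rules; an empty list means the password is accepted.

    Assumption: `old_passwords` holds plaintext supplied at change time (for example the
    current password the user just typed), since stored hashes cannot be compared by substring.
    """
    errors = []
    if len(pw) < min_len:
        errors.append("min_length")
    if len(pw) > max_len:
        errors.append("max_length")
    if not pw[:1].isalpha():
        errors.append("must_begin_with_letter")
    if len(pw) > 1 and pw.lower() == pw.lower()[::-1]:
        errors.append("palindrome")
    if re.search(r"(.)\1\1", pw):  # same character three or more times in a row
        errors.append("repeated_character")
    if pw.lower() in BANNED_WORDS:
        errors.append("dictionary_word")
    if shares_run(pw, username):
        errors.append("contains_username_run")
    if any(shares_run(pw, old) for old in old_passwords):
        errors.append("contains_old_password_run")
    # Character-group complexity is waived once the password is longer than bypass_len.
    if len(pw) <= bypass_len:
        groups = {
            "uppercase": r"[A-Z]", "lowercase": r"[a-z]",
            "numeric": r"[0-9]", "special": r"[^A-Za-z0-9]",
        }
        errors += [f"missing_{name}" for name, rx in groups.items() if not re.search(rx, pw)]
    return errors
```

Returning every violated rule, rather than stopping at the first, is what allows the exact unmet requirements to be shown to the user during a password change.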

Effective password policy enforcement

Microsoft has not improved the security of their password policy controls in terms of protecting your Active Directory users' passwords. Though FGPPs allow you to have more than one password policy for a domain, the password controls are the same as with GPO-based password policies and the deployment is only through group membership, not through OUs.

ADSelfService Plus' Password Policy Enforcer provides a complete solution that protects your Active Directory domain users' passwords. The ability to have multiple password policies in a single domain distributed through user group memberships or OUs is beneficial for most Active Directory installations. The ability to protect passwords against dictionary and password pattern attacks is important for mitigating cyberattacks that utilize these techniques. In a nutshell, ADSelfService Plus is a secure password solution for any Active Directory domain.


Highlights

Password self-service

Free Active Directory users from lengthy help desk calls by allowing them to self-service their password resets and account unlock tasks. The ADSelfService Plus 'Change Password' console gives Active Directory users a hassle-free password change.

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on from ADSelfService Plus, users can access all their cloud applications with their Active Directory credentials.

Password/Account Expiry Notification

Notify Active Directory users of their impending password/account expiry by emailing them password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats by requiring Active Directory users to choose compliant passwords and by displaying the password complexity requirements to them.

Directory Self-Update and Corporate Search

A portal that lets Active Directory users update their own information, plus a quick search facility for finding information about peers using search keys, such as the contact number of the person being searched for.
