3.2.5.1 Password Policies

Password policies are set by doing the following:

  1. Checking each setting value: if the value for a settings key is outside the range of valid values specified in the corresponding Explanation column in the table in section 2.2.1.1, the client SHOULD quit processing Password Policies and log an error.

  2. Performing the external behavior consistent with locally invoking SamrQueryInformationDomain ([MS-SAMR] section 3.1.5.5.2) to obtain the existing domain password information.

    • The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.

    • The DomainInformationClass MUST be set to DomainPasswordInformation.

    • The PSAMPR_DOMAIN_INFO_BUFFER MUST be a pointer to a PSAMPR_DOMAIN_INFO_BUFFER containing allocated memory sufficient to contain a DOMAIN_PASSWORD_INFORMATION structure.

  3. Calling SamrSetInformationDomain ([MS-SAMR] section 3.1.5.6.1).

    • The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.

    • The DomainInformationClass MUST be set to DomainPasswordInformation.

    • The DomainInformation MUST be a PSAMPR_DOMAIN_INFO_BUFFER containing a DOMAIN_PASSWORD_INFORMATION structure. The client-side plug-in MUST set each of the password policy values specified in the GPO inf file to a DOMAIN_PASSWORD_INFORMATION structure member according to the mapping in the following rules.

For the MinimumPasswordLength, PasswordComplexity, ClearTextPassword, and PasswordHistorySize settings, the client-side plug-in MUST map the setting name in the GPO inf file to one of the values in the left-hand column of the following table, and set the value of the DOMAIN_PASSWORD_INFORMATION structure member identified in the corresponding right-hand column to the setting value. For the PasswordComplexity and ClearTextPassword settings, if the setting in the GPO inf file has a value of "true", then the client-side plug-in MUST set the value of the DOMAIN_PASSWORD_INFORMATION structure member identified in the right-hand column to the value provided in the right-hand column.

Group Policy: Security Protocol Extension    DOMAIN_PASSWORD_INFORMATION member
-------------------------------------------  -------------------------------------------------------------------
MinimumPasswordLength                        MinPasswordLength
PasswordComplexity                           PasswordProperties bit DOMAIN_PASSWORD_COMPLEX (0x00000001)
ClearTextPassword                            PasswordProperties bit DOMAIN_PASSWORD_STORE_CLEARTEXT (0x00000010)
PasswordHistorySize                          PasswordHistoryLength

For the MaximumPasswordAge setting, the client-side plug-in MUST map the setting value in the GPO inf file to one of the values in the left-hand column of the following table, and set the DOMAIN_PASSWORD_INFORMATION structure MaxPasswordAge member to the value resulting from the transformation specified in the corresponding right-hand column of the table.

MaximumPasswordAge value     DOMAIN_PASSWORD_INFORMATION MaxPasswordAge member value
---------------------------  ---------------------------------------------------------
-1                           0x8000000000000000
X (any value 1 to 999)       -1 * X * 24 * 3600 * 10000000

For the MinimumPasswordAge setting, the client-side plug-in MUST set the DOMAIN_PASSWORD_INFORMATION structure MinPasswordAge member to the value resulting from the transformation specified in the right-hand column of the following table.

MinimumPasswordAge value     DOMAIN_PASSWORD_INFORMATION MinPasswordAge member value
---------------------------  ---------------------------------------------------------
X (any value 0 to 999)       -1 * X * 24 * 3600 * 10000000
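The three mappings above, worked through as an added example (not the client-side plug-in's own code): a Python function that parses a constructed inf fragment, starts from the structure step 2 obtained, applies the member and age transformations, and rejects an age outside the stated range as step 1 requires. The [System Access] section name, the treatment of X as a count of days (which the 24*3600 factor implies), and clearing a PasswordProperties bit when a setting is false are this example's assumptions.

```python
import configparser
# Added example (not the plug-in's own code): map the [System Access] settings of a
# GPO inf file onto DOMAIN_PASSWORD_INFORMATION members according to the rules above.
HNS_PER_DAY = 24 * 3600 * 10_000_000       # 100-nanosecond intervals in one day
NEVER_EXPIRES = 0x8000000000000000         # MaxPasswordAge when MaximumPasswordAge = -1
DOMAIN_PASSWORD_COMPLEX = 0x00000001
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010

SAMPLE_INF = """[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
"""                                        # constructed sample inf content

def days_to_age(x: int) -> int:
    # Right-hand column transformation -1*X*24*3600*10000000: a negative relative interval.
    return -1 * x * HNS_PER_DAY

def apply_password_policy(inf_text: str, existing: dict) -> dict:
    # 'existing' stands in for the structure step 2 obtained via SamrQueryInformationDomain;
    # members the inf omits keep their values. Raises ValueError for an out-of-range age (step 1).
    cp = configparser.ConfigParser()
    cp.optionxform = str                   # keep the inf file's key spelling
    cp.read_string(inf_text)
    s, info = cp["System Access"], dict(existing)
    if "MinimumPasswordLength" in s:
        info["MinPasswordLength"] = int(s["MinimumPasswordLength"])
    if "PasswordHistorySize" in s:
        info["PasswordHistoryLength"] = int(s["PasswordHistorySize"])
    for key, bit in (("PasswordComplexity", DOMAIN_PASSWORD_COMPLEX),
                     ("ClearTextPassword", DOMAIN_PASSWORD_STORE_CLEARTEXT)):
        if key in s:                       # the text covers only the "true" case;
            if s[key].strip().lower() in ("1", "true"):   # clearing on false is assumed
                info["PasswordProperties"] |= bit
            else:
                info["PasswordProperties"] &= ~bit
    for key, member, lo in (("MaximumPasswordAge", "MaxPasswordAge", 1),
                            ("MinimumPasswordAge", "MinPasswordAge", 0)):
        if key in s:
            x = int(s[key])
            if key == "MaximumPasswordAge" and x == -1:
                info[member] = NEVER_EXPIRES
            elif lo <= x <= 999:
                info[member] = days_to_age(x)
            else:
                raise ValueError(f"{key} {x} is outside its valid range")
    return info
```

Because the plug-in writes back a whole DOMAIN_PASSWORD_INFORMATION structure, starting from the queried copy is what keeps a member the GPO does not mention from being silently reset.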