IdM Password Policy Options

Anyone know of a way of configuring the Password Policy Options (found in the Identity System Policy) to apply to lost password self-service?
Specifically:
Password Provided by "Generated"
Reset Notification Option "email"
A client (IdM 7.1) would like a person using the self-service lost password function (authenticating via questions) to have a new random expired password emailed rather than changing it immediately.
The above settings only seem to apply to Administrative password resets.
-Rob

Any solution found for this? I have the same issue.

Similar Messages

  • Query on Password Policy Options in a Account policy

    Hi,
    The "Password Policy Options" section of Account policy has an input "Password Provided by" whose options are Generated and User.
    What is the meaning of these options? Does it mean that when the "generated" option is selected, the user does not have to type in the password for a new user? Because I selected the option "generated" but still get the "password" fields in the new user creation form. Shouldn't the password be automatically generated?
    Thanks!

  • Sun Idm  Secondary Authentication Policy Options

    Hi,
    I need some inputs on the below,
    1. We have a situation where we need to configure 10 security questions in the policy.
    2. Force the user to select a minimum of 5 questions during their first login.
    3. Later on, whenever the user tries to access password reset from Forgot Password, they need to answer only 2 questions in order to reset their password.
    The "Default Identity Manager Account Policy" policy has a security questions section to set up the questions. And there is an option to enter "Minimum Number of Questions User is Required to Answer".
    If I configure it as 5, it would work on the initial setup page, but when it comes to password reset, it asks for 5 questions to be answered. Any inputs on this are highly appreciated.
    Thanks,
    Navatha

    Navatha,
    To force the user to select a minimum of 5 questions and allow the user to login by answering any 2 of them you can follow these steps:
    1) Default Identity Manager Account Policy can be modified by adding the following entries in the 'Secondary Authentication Policy Options' section:
    a) For Login interface: select 'User Interface' from the drop down.
    b) Tick 'Enforce Answer policy at login'
    c) Select Any from the Authentication Question policy drop down.
    d) Enter 2 as the minimum number of questions to be answered.
    e) Add all the questions that need to be answered.
    Now, since I don't recommend modifying the out-of-box 'Login Change User Answers Form', copy the content into another form. Let's name it 'Modified Login Change User Answers Form'. Modify the text in the 'questionPrompt' label:
        <eq>
          <ref>waveset.loginInterfaces[<ref>selectedLoginInterface</ref>].questionPolicy</ref>
          <s>Any</s>
        </eq>
        <message name='UI_AUTH_QUESTION_PROMPT_2'>
          <!-- This has been hardcoded. The original value would be two as per your configuration. -->
          <i>5</i>
        </message>
    Also add validation in the form button at the bottom:
    <block>
      <set name='questions'>
        <null/>
      </set>
      <cond>
        <neq>
          <length>
            <ref>waveset.questions[loginInterface=UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE]</ref>
          </length>
          <i>0</i>
        </neq>
        <dolist name='nmr'>
          <ref>waveset.questions[loginInterface=UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE].name</ref>
          <cond>
            <notnull>
              <ref><expand>
                <concat>
                  <s>waveset.questions[</s>
                  <ref>nmr</ref>
                  <s>].answer</s>
                </concat>
              </expand></ref>
            </notnull>
            <set name='questions'>
              <add>
                <ref>questions</ref>
                <i>1</i>
              </add>
            </set>
          </cond>
        </dolist>
      </cond>
      <cond>
        <lt>
          <ref>questions</ref>
          <i>5</i>
        </lt>
        <!-- Custom message to be displayed. -->
        <s>please answer all five questions</s>
      </cond>
    </block>
    Import the form and change the form mapping of 'loginChangeAnswers' to 'Modified Login Change User Answers Form'.
    I guess this matches your requirement.

  • Options in edit global password policy grayed out

    I'm trying to edit the global password policy (under users) to "be reset at first user login" but that option and several others are grayed out.

    I guess you have uninstalled an older version of PS lately?
    Check this Adobe TechNote for solutions (thanks Adobe, for putting it back online).
    Beat Gossweiler
    Switzerland

  • Questions on Password Policy

    Hi All,
    I have a couple of questions on password policy behavior upon OAM-EBS integration.
    Currently the "Applications SSO Auto Link User" option is set to "Disable" in my env.
    Please confirm if the following is the right understanding.
    1.     Upon OAM-EBS integration, users whose EBS account is linked with OID cannot change their password from the EBS console. EBS password policy (password expiry etc.) will be overridden by OID policy.
    2.     EBS users whose account is not linked with OID can change the password and EBS password policy will be applicable for that user.
    3.     To have the user use EBS password policy he must be unlinked by setting the USER_GUID attribute to null in the FND_USER table.
    Thanks in advance.
    -Sam

    Sam,
    Your understanding is correct -- Please see these docs.
    Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
    USE: EBS Technology Stack OID and SSO [ID 1461466.2]
    How To Temporarily Stop User Synchronization From OID To FND User [ID 1120413.1]
    Troubleshooting Oracle Access Manager and Oracle E-Business Suite AccessGate [ID 1077460.1]
    Integrating Oracle E-Business Suite with Oracle Access Manager 10g using Oracle E-Business Suite AccessGate [ID 975182.1]
    Thanks,
    Hussein

  • Different Password Policy for Different User Groups in ACS 4.2

    Hi All,
    Can some one provide a solution for the below requirement?
    We do have an ACS 4.2 appliance managing firewalls of different clients. The users are common, i.e. helpdesk administrators. One of the clients came up with setting a different password policy for managing their devices, i.e. the client wants to have a minimum of 15 characters as password length. We currently have 8 characters as the minimum password length. Can we change the password policy to a minimum of 15 characters only for managing the firewalls of this client, whereas for all other client firewalls we feel better having 8 characters as the minimum password length?
    It seems that these password policies are global and affect all the users.
    This is something like having two sets of password policy (for each user) depending on the client which he is going to manage.
    To my knowledge, I think that this is not possible. But I thought to cross-check with experts!
    -Jags.

    Hi jags,
    You're correct. Password policy on ACS will affect all internal users. We can't create different password policies for different clients/connections/sets of users.
    Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.
    HTH
    Regards,
    JK

  • 802.1x, IP Phones, MAB and AD password policy

    I am currently working on an 802.1x pilot. I have successfully deployed certificates for PCs and users and I'm able to assign VLAN etc in a reliable fashion.
    I would like to enable MAC Authentication Bypass on the voice VLAN for IP phones. The problem is, when I create a user with the phone's MAC address as a user name, our AD Domain policy does not allow the password to also be the MAC address. Disabling this policy temporarily for adding these users is not a credible solution for us. I'd rather not use third party software that allows for diversity in AD password policy.
    I've seen it implied that the switch (3560 in my case) can be configured to send the Radius secret rather than the device MAC address as the device's password, is this true? If so, how?
    Thanks!

    With MAC-Auth-Bypass, the end station (phone in your case) doesn't interact with the auth method at all. The switch authenticates the MAC after being learned by the switch on behalf of the end-station.
    This is a limitation in Windows Server today. This can be controlled through a GPO in Server 2008. Another option is to store the "phone user accounts" directly on the AAA server or another database that allows this.
    Also, to authenticate a phone at all, and to support PCs, you need to configure Multi-Domain-Authentication (MDA) on the 3560. See here:
    <http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA>
    Hope this helps,

  • What is the Best way to apply granular password policy

    I am trying to apply Fine Grained Password Policy in small groups to my users. I have set the password expiry to 10 days for testing. But the moment I apply the policy, users start getting password change notifications immediately; Outlook or Lync start asking for a new password.
    Should it not wait for 5 days to start popping up on the clients that they have 5 days left to change their passwords?
    What is the best I can do to not disturb the users? I cannot do this at night because most users have mobile devices. Windows 2012.

    Hi Petro,
    In addition to Mihai's answer, also consider checking/changing the 'Interactive logon: Prompt user to change password before expiration' setting, which by default is 14 days. I think there is a default notice period of 5 days, but for Windows 7 or 2008 R2 servers that don't have a Group Policy overriding the local policy (not domain joined). I am not sure how that applies to 2012. So if you haven't changed that to 5 days, it might be the cause of the problem.
    On a PSO object I don't think you can set the password change notification.
    The settings can be found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration.
    References:
    http://technet.microsoft.com/en-us/library/jj852243.aspx- Interactive logon: Prompt user to change password before expiration
    http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx - PSO Step Guide
    http://mariusene.wordpress.com/

  • Best way to force password policy on users within 1-2 weeks?

    We have a Server 2008 R2 domain.
    I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct?
    If so, that's not very flexible and will make things trickier for us.
    And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within say 1 week? (The only options I know of are on the AD User account properties check a box "User must change password at next logon" (then you'd have to force them to log out) OR relying on AD's internal formula: webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates. The problem I see with the latter is if your user hasn't changed their pw for a year you'd have to wait a year+how many days you set for max password age?)
    spnewbie

    To add, the password policy is applied at the domain level and only works at the domain level. It's not the fact that it's at the "Computer Level" or "User Level" or not, it's the fact that it's only set at the domain level.
    Account policies (Password, Lockout and Kerb), are all under the Computer Config because it forces it to apply to all user accounts that access all machines.
    If you tried to create a password policy at any other level (any OU), it won't work. The only option is to use PSOs, as Mahdi pointed out.
    As for that Spiceworks thread, I would suggest to post a question about a specific product to the product vendor's support forum for accurate responses.
    Here's an excerpt from MOC 6425C Configuring and Troubleshooting Windows Server 2008 Active Directory, page 10-8 (and this applies to all versions of AD):
    Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
    The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos policies for the domain in any other GPO.
    The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store their passwords by using reversible encryption.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
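    The two threads above come down to the same two facts: account policies in a GPO only take effect at the domain level, so a per-group policy has to be a PSO, and a password's expiry is its pwdLastSet plus the resultant MaxPasswordAge, which is why a freshly applied short-age PSO prompts users whose last change is already older than that age. The PowerShell below is an added example, not code from any poster in this thread; it assumes the ActiveDirectory module, a 2008-or-later domain functional level, and placeholder names for the PSO and the pilot group.

    ```powershell
    # Added example, not from the thread. Assumes the ActiveDirectory module, a
    # 2008+ domain functional level, and these placeholder names.
    Import-Module ActiveDirectory
    $PsoName    = 'PSO-Pilot-7DayMaxAge'   # placeholder
    $PilotGroup = 'PasswordPilotUsers'     # placeholder

    # 1. A PSO scoped to one group. Lower Precedence wins if a user falls under
    #    several PSOs; a PSO always beats the Default Domain Policy for its subjects.
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 7) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 8 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $PilotGroup

    # 2. Report, per member, which policy is actually in force and when the
    #    password expires. Anyone whose PasswordLastSet is older than the new
    #    MaxPasswordAge is already expired the moment the PSO applies, so the
    #    client prompts immediately rather than after the notice period.
    function Get-PasswordExpiryReport {
        param([Parameter(Mandatory)][string]$GroupName)
        Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName `
                        -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
                # $null result means no PSO applies and the Default Domain Policy is in force
                $pso = Get-ADUserResultantPasswordPolicy -Identity $u
                $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
                # 0 = must change at next logon; Int64.MaxValue = never expires
                $expiry = if (-not $raw -or $raw -eq [Int64]::MaxValue) { $null } else { [DateTime]::FromFileTime($raw) }
                [PSCustomObject]@{
                    User            = $u.SamAccountName
                    ResultantPolicy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                    PasswordLastSet = $u.PasswordLastSet
                    ExpiresOn       = $expiry
                    AlreadyExpired  = ($null -ne $expiry -and $expiry -lt (Get-Date))
                }
            }
    }

    Get-PasswordExpiryReport -GroupName $PilotGroup | Format-Table -AutoSize

    # 3. If the goal is a one-off "everyone changes within a week" rather than an
    #    ongoing 7-day age, the per-account flag from the thread is the blunt tool:
    #    Get-ADGroupMember -Identity $PilotGroup | Set-ADUser -ChangePasswordAtLogon $true
    ```

    Run the report before applying the PSO (against the Default Domain Policy values) and again after, and the AlreadyExpired column shows exactly which users will be prompted on their next logon.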

  • Any issue and/or advice with activation of global password policy (10.9 osx server) ?

    Hi Pro,
    I have an OD domain (10.9.1 server) with 20 mobile-account users (10.9.1 OS X) authenticating. I'd like to enable a global password policy, and I'm curious what actually happens when I add some policy in Server Admin > Open Directory > gear > edit global password policy.
    If I set a "reset every 45 days" option, is that from the time the policy is enabled, or from the time the user account was created?
    Any issue with Keychain?
    If I set a "must have one letter" or "numeric character", etc. and the user doesn't currently have a password that matches these criteria, will they be forced to set a new password immediately, or the next time one is initiated, or will the account be disabled?
    I'm just trying to prevent any bad experience for the users.
    Thanks

    Hi,
    The 45 days will start from the moment you enable that setting for all active users, and will start whenever you create a new OD user.
    There won't be any issues with Keychain; it will be updated when a new password is set. On that specific day when they login or restart, they need to choose a new password. Keychain will update automatically.
    The new policy will start working after the 45 days have been set. After 45 days that policy will be enforced, not before; users can continue to work with a less secure password. About 10 days before that deadline or earlier they will get an option in their login screen to renew their password because it will inform them it will expire soon.
    You might want to notify all users of a new password policy when you set it and then inform them again about a week before it will expire. That will ensure a smooth transition...
    Good luck!
    Jeffrey

  • Why 2 PwdPolicyEntry under Password Policy Management in ODM

    Hi Gurus,
    I am not sure which one I should update to set the password policies. I see 2 PwdPolicyEntry under Password Policy Management when I login to Oracle Directory Manager. Please post a reply if you have some info about the 2 PwdPolicyEntry options.
    Thanks
    Raj
    -----------

    One seems to be for the top level DIT, the other for the organisation subtree (i.e. the cn=your,dc=company,dc=co,dc=uk bit of the DIT).

  • New users with Global Password Policy requiring password "reset on first user login" are still prompted to reset password after entering incorrect password

    The setup:
    We have the option "Password must: be reset on first user login" enabled in the Global Password Policy on our 10.9 / Mavericks server. We import new user accounts into Open Directory via a delimited text file and include a default password for each user.
    What I've observed and tested:
    When a user attempts to log into a computer that's bound to our Open Directory for the first time, they can enter anything in the password field and still receive the prompt to reset their password. They are never notified that they entered their default password incorrectly. The password reset will then fail (as it should), but they still aren't notified that this is the reason for the password reset failure. To put it another way: Seeing the prompt to reset your password would reasonably imply that you entered the default password correctly, but that's not the case at all.
    The question:
    Is this expected behavior? If it is, it doesn't seem logical. If this was the case in OS X Server 10.3 through 10.7 I never noticed it. Can anyone corroborate this with their own setup? Thanks in advance.
    -- Steve

    Some follow up questions:
    - How did you migrate (dsmig ldif or binary import)
    - Did the accounts in .x have any custom password policies set?
    For a "new" and a migrated entry, can you check if a passwordpolicysubentry is configured?
    (search as directory manager and fetch the attribute)

  • How to disable password policy for App ID's

    Hello there,
    We have Sun ONE Directory 5.2 Patch 2 running on Solaris 8 as Master on 2 servers. I have so many application IDs which are created under a separate branch of the tree. I want to bypass the password policy for all the IDs under a specific branch.
    Can someone please help me with how to get this done? I appreciate any response.
    Thanks
    SS

    * Click the (empty) input field on the web page to open the drop down list
    * Highlight an entry in the drop down list
    * Press the Delete key (on Mac: Shift+Delete) to remove it.
    * http://kb.mozillazine.org/Deleting_autocomplete_entries
    * Tools > Options > Security: Passwords: "Saved Passwords" > "Show Passwords"
    * Tools > Options > Privacy > History: "Remember search and form history"
    * https://support.mozilla.com/kb/Remembering+passwords
    * https://support.mozilla.com/kb/Form+autocomplete

  • Custom Password Policy Settings

    Hello Friends,
    I am doing the server practical in a virtual environment and wish to set a normal password for the test user "Robert Garcia", so I disabled the password policy requirement in gpmc.msc under "Default Domain Policy" and then did a gpupdate so that I can set a password of garcia for the user robert, but it did not work. I did a system reboot and it still did not work.
    I did the same thing for the Default Domain Controllers Policy option and still it is not working.
    What should be the correct method to disable this, as I am in a test environment and simply want to keep simple passwords? Is there any requirement for a system reboot, or should gpupdate work, and what could be the reason here that it is not working in either case?
    Thanks
    I noticed that I can't set a number as a password, say 65789867, but when I disable the things in the default domain policy then I can set the password, but still not the simple text garcia, so what do I need to edit and where now?
    Also if I need to enable a password policy like the first letter should be capital etc. then where can I do this customization of the password policy?
    I can set normal text as a password but not the user's last name as a password; where can I change this customization? I understand that in a production environment it's not suggested, but just in case, where to do the customization?
    Thanks
    Regards

    Hi,
    In my testing environment, gpupdate is enough to make the policy changes take effect.
    Here are a few suggestions for you:
    Please make sure that the Default Domain Policy is link enabled.
    Other than the Password must meet complexity requirements setting, please also disable other ones like Enforce password history and Minimum password length.
    If there is any password policy setting set as Not Defined in the Default Domain Policy, please check the password policy from Local Security Policy, in which settings could override the Not Defined ones.
    >if I need to enable a password policy like the first letter should be capital etc etc then where I can do this customization of password policy
    You may need to develop scripts to achieve this goal.
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Best Regards,
    Amy

  • AD and using the password policy of the AD

    Hi,
    We are using 8.1.1.p5 and the gateway-based (not connector based) AD adapter.
    Today, when you reset a password, the domain account used in the gateway overrides the password policy and lets you set any password.
    Is there a way to implement the AD (or other resource) password policy when resetting passwords from IdM?
    i.e. basically we don't want the user to be able to reuse the N latest passwords.

    Hi,
    You are correct. This will not work if the password is changed in AD. If the password policy is set in AD to not take the last n passwords, then it will give an exception in IdM when you try to give the same password again.
    Another alternative is to check the exception that is coming and check if it is for password in history; then you can ask the user to set the password again.
    Regards
    Arjun
