OS X Server OD & Password Policy

Here's a question for someone that has experience with OD, network accounts and password policy.
All on 10.9 with the latest updates, there’s a Mac Mini OD Master offering DNS, File Sharing, Mail, Contacts, Calendar and another Mac Mini OD Replica. A total of 20 Macs bound to OD and using Network Accounts. Everything seems to be working fine but they have an OD Global Password Policy as follows:
- Passwords must:
  - differ from account name
  - contain at least one letter
  - contain both uppercase and lowercase letters
  - contain at least one numeric character
  - contain at least 8 characters
  - differ from last 3 passwords used
  - be reset every 45 days
Everything is relatively working fine except for the Password Policy because of the following:
  - Users are not getting any prompt about their password coming to expire
  - When the user’s password expires and since they are not getting any warning, users suddenly get no access to services
  - Some users are unable to successfully modify their password, they get prompted to change it and when entering the new password (when logging in through AFP), it shakes even though the new password complies with the Password Policy and the only way to get them logged in is by manually resetting the user’s password with the Server App.
Ideas and suggestions are greatly appreciated.

thx - solved.
Just keep »identification« empty! :-o

Similar Messages

  • How do I enable default failure audit and password policy checking?

    Hi,
    I am trying to install DPM 2012 R2, and on the requirements for SQL is : Use the following SQL Server settings:
    default failure audit, and enable password policy checking
    I have tried looking for them, but I can't find them.
    How do I apply these settings?
    Thanks .

    A simple way to enable login default failure audit is to right-click the SQL Server instance in SQL Server Management Studio and select Properties; the page below will then appear. There are 2 options in Login auditing; select the appropriate one.
    For enabling the policy, please refer to the links below:
    Enforce windows password policy on SQL Server logins
    Password Policy FAQ

  • Password Policy : PwdMustChange problem

    Hi,
    I'm facing some strange issues with the password policy under Oracle Directory Server v6.3.
    I modified the global policy to force users to change their password after administrative reset.
    In the policy I see PwdMustChange set to TRUE.
    The problem is that it has no effect on users.
    I use several administrative accounts (including directory manager) to change the user password (made a reset) and it is still possible to log in with their account.
    I don't get it, it's like the property PwdMustChange had no effect.
    Has anyone faced this problem?
    Thanks

    The "must change" state does not prevent a user from logging in. It only requires that the next LDAP operation that the user does on that open connection be a MOD where the user changes his own password. All subsequent operations other than the password reset will fail (most likely with err=53 - DSA Unwilling To Perform).
    However, many applications will not do anything subsequent as the user. In other words, the BIND will succeed and then the application will go on about its business servicing the user, because the way the application code is written, it doesn't need to do anything other than the BIND to authenticate the user, and the BIND has succeeded.
    When an LDAP-enabled application is going to integrate with the LDAP password policy model, it needs to consume LDAP controls properly. In this case, the BIND request and response should include a password policy control that indicates the user must reset his password. This is how, even in the case of an application that need not do anything except BIND, the password policy functionality can work.
    If you want to verify that the server's password policy is working, you can do it in a number of ways. If you have the audit log turned on, when the administrative reset occurs, you should see some server-side modifications to the user that set a "must reset" operational attribute. If you do ldapsearch as the user, you should get an informational message that the search has failed. Depending on which ldapsearch tool you use, you may get a fairly informative message about the user needing to reset his password and/or the server being unwilling to service the SRCH request. If your ldapsearch as the user succeeds immediately after the admin reset, then the server password policy is not set up correctly.
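
An added example (not part of the forum posts above) of what "consuming the control" means on the application side: it decodes the password policy response control value from draft-behera-ldap-password-policy and maps it to a login decision, so a successful BIND with a pending reset is not treated as a normal login. The helper names, the decision strings and the sample byte strings are assumptions made for this illustration.

```python
# Added example: decode the LDAP password policy response control that a
# server attaches to a BIND response, then decide what the application does.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # draft-behera-ldap-password-policy

ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

# Constructed sample control values (not captured from a real server).
SAMPLE_RESET = bytes.fromhex("3003810102")        # error = changeAfterReset
SAMPLE_WARNING = bytes.fromhex("3005a00380013c")  # expires in 60 seconds


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue into warning/error fields."""
    state = {"warning": None, "warning_value": None, "error": None}
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, wraps one tagged INTEGER
            wtag, wval, wend = read_tlv(content, 0)
            if wtag not in WARNINGS or not wval or wend != len(content):
                raise ValueError("malformed warning element")
            state["warning"] = WARNINGS[wtag]
            state["warning_value"] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:  # error [1] ENUMERATED
            if len(content) != 1:
                raise ValueError("malformed error element")
            state["error"] = ERRORS.get(content[0], "unknown(%d)" % content[0])
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return state


def login_decision(bind_ok, controls):
    """controls maps response-control OID -> raw control value (bytes)."""
    if not bind_ok:
        return "deny"
    raw = controls.get(PPOLICY_OID)
    if raw is None:
        # No policy state returned; the client must send the request control
        # with the BIND for the server to answer with one.
        return "allow"
    state = decode_ppolicy_response(raw)
    if state["error"] == "changeAfterReset":
        return "force_password_change"  # BIND succeeded, but reset is pending
    if state["error"] is not None:
        return "deny"  # conservative choice made by this example
    return "allow_with_warning" if state["warning"] else "allow"


if __name__ == "__main__":
    for name, raw in (("reset", SAMPLE_RESET), ("warning", SAMPLE_WARNING)):
        print(name, decode_ppolicy_response(raw),
              login_decision(True, {PPOLICY_OID: raw}))
```

An application that only checks the BIND result code corresponds to the `controls.get(...) is None` branch: it never sees the reset state at all.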

  • Sun Directory Server Password Policy Problems

    Hi,
    I am using Sun Directory Server and Sun AM (2005Q1).
    We are using SUN DS to configure the password policy to expire user passwords after 30 days.
    Also, the warning has been set to "one day before expiry". However, when the warning IS displayed to the user and the user changes his/her password on display of the warning, even though the user's password expiration timestamp attribute contains a new timestamp (which is 30 days hence the date of change), on next login user is AGAIN thrown the warning that his/her password will expire in "HH hours: MM mins".
    I do not understand what needs to be done to fix this. Any help would be appreciated.

    How is the user authenticated? Through Access Manager or directly to the Directory Server?
    Access Manager can be configured to handle Password expiration, and so can Directory Server. I would advise you to check which system is actually throwing the warning.
    Regards,
    Ludovic

  • Any issue and/or advice with activation of global password policy (10.9 osx server) ?

    Hi Pro,
    I have an OD domain (10.9.1 server) with 20 users with mobile account (10.9.1 osx) authentication. I’d like to enable a global password policy, and I'm curious what actually happens when I add some policy in Server Admin > Open Directory > gear > edit global password policy?
    If I set a "reset every 45 days" option, is that from the time the policy is enabled, or from the time the user account was created?
    Any issue with Keychain?
    If I set a "must have one letter" or "numeric character", etc. and the user doesn't currently have a password that matches these criteria, will they be forced to set a new password immediately, or the next time one is initiated, or will the account be disabled?
    I'm just trying to prevent any bad experience for the users.
    Thanks

    Hi,
    The 45 days will start from the moment you enable that setting for all active users, and will start whenever you create a new OD user.
    There won't be any issues with Keychain, it will be updated when a new password is set. On that specific day when they log in or restart, they need to choose a new password. Keychain will update automatically.
    The new policy will start working after the 45 days have been set. After 45 days that policy will be enforced, not before, users can continue to work with a less secure password. About 10 days before that deadline or earlier they will get an option in their login screen to renew their password because it will inform them it will expire soon.
    You might want to notify all users of a new password policy when you set it and then inform them again about a week before it will expire. That will ensure a smooth transition...
    Good luck!
    Jeffrey

  • Please help me to change the password policy in Sun Directory Server 6.0

    Hi,
    Please help me to change the password policy in Sun Directory Server 6.0

    What are you trying to accomplish? Have you at least read the manual?
    http://docs.oracle.com/cd/E19693-01/819-0995/fhkrj/index.html
    As reported in earlier threads on this forum, DSEE 6.0 IS NOT a release you should use in your production environment, especially if you're starting new projects; consider moving at least to the latest 6.x release, which is 6.3.1.1.1.
    thanks,
    Marco

  • Password Policy on Directory Server 11.1.1.7.2

    Hi,
    I'm trying to set up a password policy with DS 11.1.1.7.2 but it doesn't seem to be getting applied to the users. I went through the DSCC gui and created a new policy that is supposed to remember the last 3 passwords and also expire in a couple days just for test purposes. I then set the compatibility mode to Directory Server 6 and clicked on "Assign Policy" and selected ou=people,o=xxxxxx,o=isp where my test accounts are.
    I've then tried using ldapmodify using the credentials of the accounts whose passwords I'm changing and it allows me to reuse the same passwords. I saw something about using a virtual attribute for assigning users to a policy. Is that required also?
    dn: cn=TestPWpolicy1,o=xxxxxxx,o=isp
    cn: TestPWpolicy1
    objectclass: sunPwdPolicy
    objectclass: pwdPolicy
    objectclass: ldapsubentry
    objectclass: top
    passwordrootdnmaybypassmodschecks: on
    passwordstoragescheme: CRYPT
    pwdallowuserchange: true
    pwdattribute: userPassword
    pwdcheckquality: 2
    pwdexpirewarning: 86400
    pwdinhistory: 3
    pwdmaxage: 172800
    pwdminage: 0
    pwdminlength: 2
    pwdmustchange: false
    createtimestamp: 20150302195541Z
    creatorsname: cn=admin,cn=administrators,cn=dscc
    entrydn: cn=testpwpolicy1,o=xxxxxxxx,o=isp
    entryid: 28
    hassubordinates: FALSE
    modifiersname: cn=admin,cn=administrators,cn=dscc
    modifytimestamp: 20150302195541Z
    nsuniqueid: 0a0ca681-c11611e4-800799c3-4c540d75
    numsubordinates: 0
    parentid: 2
    subschemasubentry: cn=schema
    Thanks for any help.

    Hello,
    A user entry references a custom password policy through the value of the operational attribute pwdPolicySubentry. When referenced by a user entry, a custom password policy overrides the default password policy for the instance.
    It is unclear to me whether you want to assign the new password policy to an individual account or to every user in ou=people,o=xxxx,o=isp.
    To assign a password policy to an individual account, just add the password policy DN to the values of the pwdPolicySubentry attribute of the user entry, e.g.
    $ cat pwp.ldif
    dn: uid=dmiller,ou=people,o=xxxxxxx,o=isp
    changetype: modify
    add: pwdPolicySubentry
    pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
    $ ldapmodify -D cn=directory\ manager -w - -f pwp.ldif
    Enter bind password:
    modifying entry uid=dmiller,ou=people,o=xxxxxxx,o=isp
    $ ldapsearch -D cn=directory\ manager -w - -b dc=xxxxxxx,o=isp \
    "(uid=dmiller)" pwdPolicySubentry
    Enter bind password:
    version: 1
    dn: uid=dmiller, ou=People, o=xxxxxxx,o=isp
    pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
    $
    See Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
    You can also assign a password policy to a set of users using cos/roles virtual attributes as described in section 8.3.4 at Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
    -Sylvain

  • OAM : Which identity server is used by Password Policy?

    Hi,
    The OAM setup has two identity servers (ois1, ois2), two webpass (wp1, wp2) on two web servers. wp1 is pointing to ois1 only and wp2 is pointing to ois2.
    We have two sets of Policy manager, Access server and WebGate. wg1 is pointing to aaa1 and wg2 is pointing to aaa2.
    Now, when a user tries to access an OAM WebGate-protected page and the password policy gets applied, does the identity server come into the picture? If yes, which identity server is used here, ois1 or ois2?
    I want to use ois1 for all the requests coming to webserver with wg1. How do I do it?
    Thanks in advance.

    Hi Colin,
    Thanks for your reply.
    The reason I put this question was: in a scenario where I don't have an Access Server (any access component), the Password Policies also work. So, I understand the identity server is used here. When we have access side components, what makes OAM not use the identity server at all? Or is it a feature of OAM that when the accessed resource is protected by WebGate the Password Policies are taken care of by the Access Server, otherwise by the identity server, or is it because of the 'obReadPasswdMode' and 'obWritePasswdMode' in the authentication scheme?
    I stopped my identity server and I saw the password policy working - so I know the behavior; still asking the above question for my better understanding of OAM.
    Thanks for your help!

  • How do you apply the same password policy to every PDF document you create with InDesign?

    All,
    Adobe peeps!
    I don't know if this is really supported with InDesign 5.5, but here is my use case:
    I constantly create more than 10 PDFs a day using InDesign
    On all PDFs I create, I want to apply password security to protect them
    But in order to do so, within InDesign, I am always forced to go to the "security dialogue" pane to set up the same permissions and passwords over and over again
    This gets tiring :/
    So what I am hoping to do is the following:
    Like Acrobat, I want to create a password policy within InDesign
    I want all PDFs created to have such a password policy be automatically applied
    I know Acrobat supports something like this (http://help.adobe.com/en_US/acrobat/pro/using/WS58a04a822e3e50102bd615109794195ff-7d68.w.html), but, unless I may have missed something, the Acrobat feature is limited. That is, the help link does not tell me how to automatically do this with Acrobat either (the link does not explain to me how to "automatically apply the same password security policy to every PDF document I save within the application"). I think the only way to do so is via "Adobe LiveCycle Rights Management ES", but for non-server users, I am hoping there is another way.
    So my questions are:
    Is it possible to create password security policies in InDesign?
    Is it possible to apply the same password security policy to every PDF I create in InDesign?
    If not, can I change default settings within Acrobat Pro X to automatically apply a password security policy every time I save a PDF?
    If all fails, do you guys know of any extensions that can support this?
    Any help would be great. Thanks!

    Steve,
    Thanks for your notes. To follow up on your response.
    Bummer. I kinda had a hunch at this InDesign limitation.
    I have been aware of the method for setting up a security policy within Acrobat. While this feature does cut down some of the work involved in creating and applying password policies to PDFs, what I am looking for with Acrobat is to apply the same password policy to every document I save from the app. Automatically. Without having to manually select a policy.
    I think my solution will have to lie in me creating some sort of script to help support this need. I don't think Acrobat Pro X has the capabilities to allow me to tinker with, say, creating a save PDF preset that will allow me to automatically apply a password policy.
    PS. I am using Acrobat Pro X.

  • How to force password policy requirements on password resets for user accounts reset by the Administrator?

    OS: Windows Server 2008 R2 Enterprise
    Domain Level: 2008
    Forest Level: 2000
    We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being enforced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.
    Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins?

    Do you have a fine-grained password policy? If not, by default all the users are affected by the domain level password policy, even domain admins.
    Regards~Biswajit

  • Password Policy not functioning correctly

    Here's my situation, and I hope it is something obviously easy that I missed.
    Mac Mini Server with 10.9.3 running Server 3.1.2
    I have set up Open Directory, and enabled File Sharing in the initial steps of setting up this server. It will be used in a small school environment.
    The staff/teachers' passwords I have already set, and then for students, we set a generic password, and have it set so that the student will change their password to whatever they want the first time they try to access the server for file sharing.
    I have set up a number of local network users already, and I am testing the student password reset function.
    My Issue:
    Every time I try to change the password at the first time prompt, I am told "Your password does not meet the policy enforced by the server "10.0.0.87". Please try again."
    I have the global password policy set with only the "differ from account name" check box enabled, and none others. Even so, every single password I try to use is denied.
    Any help is appreciated.

    Users are using Adobe Reader to open the PDF form
    With Best Regards
    George Flowers

  • Password policy not used by WebGate after upgrade (6.1 - 10g)

    Hello,
    Recently, we upgraded our environment from Oblix Netpoint 6.1 to Oracle Access Manager 10g (10.1.4.0.1).
    Together with this update we also upgraded the WebGates that are running on the machines that have OAM 10g installed. We did not perform an upgrade on the WebGates that are running on other web servers. These are still running with the old version.
    The problem we have now is that it seems that our upgraded WebGates don't respect our Password policy. The earlier versions of our WebGate still respect our policy.
    Machine A has OAM 10g installed with an upgraded WebGate (WebGate A). This machine also runs an IIS web server (web server A) which is connected to the WebGate on that machine. The WebGate is configured with OAM 10g on that same machine.
    On web server A, there is a protected website.
    Our password policy is defined as follows:
    -number of login tries allowed: 5
    -lockout duration: 20000000 hours
    -login tries reset: 200 days
    I now try to access my protected website on web server A with User1. Every time I enter a wrong password.
    When I verify this in our Active Directory, I can see that the value of oblogintrycount for User1 increments until 5. When oblogintrycount equals 5, the attribute oblockouttime is added to the profile of User1.
    My user is now supposed to be locked but when I try to login one more time, the value of oblogintrycount is 1 again and the attribute oblockouttime is gone. My user is unlocked again.
    I repeat the same test on web server B that is installed on a different machine. This machine has an earlier version of WebGate installed. This WebGate B is configured with the same OAM 10g as WebGate A.
    I can see in the Active Directory that the value of oblogintrycount for User1 is incremented until it equals 5. At this point, the oblockouttime attribute is added to the profile of User1.
    I see now in my browser a message that my user is locked. When I try to login one more time, my user stays locked.
    Has anyone an idea how this problem can be solved or how this can happen?
    Kind regards,
    Lennaart

    This is just a trial-and-error suggestion and may not actually solve the problem.
    Can you check the configuration changes that one has to make with upgraded WebGates? That configuration may not be correct and hence you might be getting this problem.
    -Kiran Thakkar

  • Server 2012 Password issue on new domain

    We recently set up a new domain controller running Server 2012 R2 Standard 64 bit. All user profiles were set up in Active Directory. The default password we set for users was Welcome1 and we chose all the defaults for the password policy. We set each account to force the user to change their password when they first log in.
    The issue we see is that when a user logs in and tries to change their password, it will not let them change their password the way it should be. For example, the account "testuser" was set to Welcome1. When I tried to change it to Atlanta@2 or Georgia8 or Nexeo+=7 or Kentucky9 it said "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain"
    I then tried to change it to Welcome2 and it accepted it.
    I then went on the server and reset it logged in as administrator and see no issues (I can change it to whatever I want). So the issue is on the user end. I also turned OFF complexity requirements.
    I logged back into the account and tried to change the password to Kentucky7 and it worked. I then did a CTRL ALT DEL and tried to change it to Kentuky9 and it gave the same error.
    I'm not sure what is going on. Maybe there are time intervals on how often a user is allowed to change their password in Server 2012? Any ideas as to what is going on?

    You must set minimum password age.
    What is this:
    Minimum password age

  • Configure a Password Policy

    Hi All,
    I want to have a password policy for the database. As I found, there's a default table called dba_profiles where we can set password properties for the default database profile in 11g. The actual requirement is to change the sys user's password every month. Can I do that using this dba_profiles table?
    And there's another problem. We have another 10, 12 dba users with different passwords. So if I make some change to the default profile, will it affect all the dba users? Because I can't change the other db users' passwords, since the application totally depends on those passwords... :S
    Can anybody give me a hand to do this please? If I'm wrong, please correct me. And if you have any other systematic way to configure a password policy, please let me know.
    Thanks in Advance,
    Max

    Max wrote:
    Hi All,
    I want to have a password policy for the database. As I found, there's a default table called dba_profiles where we can set password properties for the default database profile in 11g. The actual requirement is to change the sys user's password every month. Can I do that using this dba_profiles table?

    DBA_PROFILES is just a data dictionary view. But there is a term PROFILES with which you can manage users' passwords and other resources (like max_idle_time). Of course you can use profiles.

    Max wrote:
    And there's another problem. We have another 10, 12 dba users with different passwords. So if I make some change to the default profile, will it affect all the dba users?

    Yes, it will affect other users which are assigned the default profile (the default profile is the default for all users; you can see that after user creation in the dba_users.profile column). I suggest you do not change the DEFAULT PROFILE settings. So create your own new profile using the CREATE PROFILE LIMIT ... clause and assign it to users.

    Max wrote:
    Because I can't change the other db users' passwords, since the application totally depends on those passwords... :S
    Can anybody give me a hand to do this please? If I'm wrong, please correct me. And if you have any other systematic way to configure a password policy, please let me know.

    If you want to implement different password policies for different users then create two or more profiles and use these.
    Remember that to implement profile settings, the RESOURCE_LIMIT initialization parameter must be TRUE.
    http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_6010.htm

  • Fine-Grained Password Policy problem

    Hi All,
    I'm testing a Fine-Grained Password Policy for a group of users.
    I created a test PSO using ADSI Edit and applied the PSO to a global security group.
    The test user has been added to this group.
    The PSO settings include "Enforce password history: 5"
    The user has changed the password.
    After 24h I logged in as the user and changed the password - for example: Password1.
    After another 24 hours I changed the password to Password2.
    One day later I was asked to change the password again.
    In theory I shouldn't be able to use any of the 5 previous passwords (password history = 5) but when I entered Password1 it was accepted.
    Do you know where the problem can be?
    System info: Windows Server 2008 R2 (forest/domain level is also 2008)
    Regards,
    Marcin

    This is very interesting. I don't have any lab to repro though... So I can't look at it closer.
    From an LDAP perspective, when you change your password on AD, you have to comply with the password history policy. This requirement is sent by the server to the client thanks to the supported control: LDAP_SERVER_POLICY_HINTS_OID that you can see just by looking at the RootDSE of one of your DCs (http://msdn.microsoft.com/en-us/library/cc223320.aspx Used with an LDAP operation to enforce password history policies during password set). I am aware of issues with AD-LDS not honoring it, but not AD... I am not sure if the situation described with FIM here matches your issue:
    http://support.microsoft.com/kb/2443871 in this article:
    "The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based or a Windows Server 2008-based computer."
    But it would mean that it also affects users not having a FGPP (because this isn't specific to FGPP), and the minimum password age as well. If you have a chance to try this in a lab, let us know... In the meantime, can you share logs or code from your app? Like the section that does the password change?
