Active Directory password change: Re-Allow current password

active-directoryblacklistpasswordpassword-management

My question is that simple:

Can I configure an active directory in a way that when a user wants/needs to change his password, his current one isn't forbidden (if it's in compliance with the current password policy)?

Here is some background:

We recently implemented a blacklist approach against known publicly available passwords (see Troy Hunt's service Pwned Passwords). Now we have some users whose passwords don't expire and there is a chance that they still use a password which is on the blacklist but will never be checked when the user doesn't change his password, since this is the only opportunity to check his password.

Now my idea is to force the user to "change" his password but allow his current one if it's not on the blacklist.

I know that there exists Enforce password history which can be set to 0 but it seems to me that the current one is still not accepted.

Best Answer

force the user to "change" his password but allow his current one if it's not on the blacklist. You either have a requirement to change the password (good) or you don't (bad). Not changing a password because it isn't on some list is a security risk because attackers can compromise and use accounts without the password, by stealing and using the password hash. If the password is not regularly changed, the password hash is not changed, which is poor security hygiene.

there is a chance that they still use a password which is on the blacklist but will never be checked when the user doesn't change his password, since this is the only opportunity to check his password.

Actually it isn't the only opportunity. There are free tools to scan for weak passwords:

https://www.dsinternals.com/en/auditing-active-directory-password-quality/
https://thycotic.com/solutions/free-it-tools/weak-password-finder/

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

How to Change Current User’s Domain Password Without Being Domain Admin

Try this, i dont know if this will work fot you. its VB script

Dim UserName
Dim UserDomain
UserDomain = InputBox("Enter the user's login domain name")
UserName = InputBox("Enter the user's login name")
Set User = GetObject("WinNT://"& UserDomain &"/"& UserName &"",user)


Dim NewPassword
NewPassword = InputBox("Enter new password")
Call User.SetPassword(NewPassword)

If err.number = 0 Then
        Wscript.Echo "The password change was successful."
Else
        Wscript.Echo "The password change failed!"
End if

check this http://technet.microsoft.com/en-us/library/cc780332%28WS.10%29.aspx! domain logon

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

How to Change Current User’s Domain Password Without Being Domain Admin

Related Topic