search

lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License
496 stars 52 forks source link

length-based complexity rules doesn't follow GPO configuration #67

Closed dom6770 closed 3 years ago

dom6770 commented 3 years ago

I'm trying to configure the "Enable length-based complexity rules" but so far it doesn't seem to work like I want.

I've configured three thresholds. < 13 with 3 character sets > 13 with 2 character sets > 20 with 1 character set

and at each threshold I ticked "number or symbol". So a password with 12 characters should have 3 symbols or numbers, and a password with 15 2 symbols or numbers.

Now, trying this out with Get-PasswordFilterResult I'm getting this output

Get-PasswordFilterResult -Username test.user -Fullname test -Password "fkir4aho43" ComplexityThresholdNotMet

Password is 10 characters long, so it should be in the first threshold, with 3 character sets (number OR symbol), but yet it's "ComplexityThresholdNotMet". When I change one of the lower-case letters to an upper-case letter, it changes to "Approved", but that's now how I configured it?

Or am I missing something? Maybe I'm just blind or misunderstood something.

ryannewington commented 3 years ago

Can you screen shot the policy settings for me please?

dom6770 commented 3 years ago

115_vmconnect_LaW 116_vmconnect_ClP

Since I've checked "symbols or numbers" I tried now the same thing with a password only with symbols

Get-PasswordFilterResult -Username test.user -Fullname test -Password "fkir$aho$$"
Approved

seems strange.

ryannewington commented 3 years ago

The settings are mutually exclusive. If you set a number value for "character sets required" then it will look for that many diverse character sets. So setting "3" on your first value means the password must have 3 out of numbers, symbols, upper and lower. It doesn't matter which ones, as long a there are three types. The tick boxes are ignored when you do this.

If you want to set the specific character sets that can be used, the leave the number field blank and use the check boxes. Then you can say passwords under 10 chars must have lower, upper and "number or symbol"

dom6770 commented 3 years ago

Alright, thank you, that clarifies that. I thought I could set a number of required characters, for example, every password under 12 characters should have 3 numbers or letters.