The following attributes are read from the AD and processed by Airlock IAM in order to apply the password policy. The attribute names are those of an msDS-PasswordSettings object. The names in "( )" brackets are the equivalent attributes on the default domain policy (see below for an explanation of the default domain policy).
| Attribute | Description |
|---|---|
| msDS-MinimumPasswordAge (minPwdAge) | The minimum amount of time that must pass before a password can be changed again. |
| msDS-MaximumPasswordAge (maxPwdAge) | The maximum amount of time a password stays valid before it must be changed. |
| msDS-MinimumPasswordLength (minPwdLength) | The minimum number of characters a new password must have. |
| msDS-PasswordComplexityEnabled (pwdProperties) | If enabled, a password must meet three out of the following four requirements: |
| msDS-PasswordSettingsPrecedence | Resolves ties (ordering) if multiple policies match for a user (lower values mean higher priority). |
| msDS-PSOAppliesTo | DN (distinguished name) of the object the policy applies to, e.g. a group of users. |
Default domain policy
The default domain policy is the password policy applied to all users who do not have a specific policy. A specific policy is an msDS-PasswordSettings object contained in the msDS-PasswordSettingsContainer. The default domain policy is configured on the structural root domain DN of the AD. There is always a default domain policy, and its attributes cannot be deleted. If no specific policy applies to the user, the default values are used.
Password settings container
Specific password policies are stored as msDS-PasswordSettings objects under the DN of the password settings container. Each specific policy contains one or more msDS-PSOAppliesTo attributes that define DNs, e.g. of a user's group. If a user belongs to such a DN, the policy is applied. If multiple msDS-PasswordSettings objects refer to a single user, the mandatory msDS-PasswordSettingsPrecedence attribute is used to resolve these ties.
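The resolution described in the two sections above (match PSOs by msDS-PSOAppliesTo, pick the lowest msDS-PasswordSettingsPrecedence, otherwise fall back to the default domain policy), as an added example that is not Airlock IAM code. PSOs and the domain policy are constructed dicts keyed by the attribute names in the table; age values are given in days here for readability (an assumption, not AD's native storage format), and two matching PSOs with equal precedence are reported as a configuration problem rather than silently ordered.

```python
"""Resolve a user's effective AD password policy from PSOs (constructed example)."""
from typing import Dict, List

DOMAIN_PASSWORD_COMPLEX = 0x1  # flag bit in pwdProperties on the default domain policy

# normalised key -> (attribute on a msDS-PasswordSettings object, attribute on the default domain policy)
FIELDS = {
    "min_age": ("msDS-MinimumPasswordAge", "minPwdAge"),
    "max_age": ("msDS-MaximumPasswordAge", "maxPwdAge"),
    "min_length": ("msDS-MinimumPasswordLength", "minPwdLength"),
}

# Constructed sample data (assumed values; ages in days for readability).
DEFAULT_DOMAIN_POLICY = {"minPwdAge": 1, "maxPwdAge": 90, "minPwdLength": 7, "pwdProperties": 1}
PSOS = [
    {"dn": "CN=Admins,CN=Password Settings Container,CN=System,DC=example,DC=com",
     "msDS-PasswordSettingsPrecedence": 10,
     "msDS-PSOAppliesTo": ["CN=Domain Admins,CN=Users,DC=example,DC=com"],
     "msDS-MinimumPasswordAge": 1, "msDS-MaximumPasswordAge": 30,
     "msDS-MinimumPasswordLength": 14, "msDS-PasswordComplexityEnabled": True},
    {"dn": "CN=Staff,CN=Password Settings Container,CN=System,DC=example,DC=com",
     "msDS-PasswordSettingsPrecedence": 20,
     "msDS-PSOAppliesTo": ["CN=Staff,CN=Users,DC=example,DC=com"],
     "msDS-MinimumPasswordAge": 1, "msDS-MaximumPasswordAge": 180,
     "msDS-MinimumPasswordLength": 10, "msDS-PasswordComplexityEnabled": False},
]


def matching_psos(user_dn: str, member_of: List[str], psos: List[Dict]) -> List[Dict]:
    """PSOs whose msDS-PSOAppliesTo names the user's own DN or one of the user's groups."""
    targets = {dn.lower() for dn in (user_dn, *member_of)}
    return [p for p in psos if any(dn.lower() in targets for dn in p["msDS-PSOAppliesTo"])]


def effective_policy(user_dn: str, member_of: List[str], psos: List[Dict], domain: Dict) -> Dict:
    """Lowest msDS-PasswordSettingsPrecedence wins; with no match the default domain policy applies."""
    candidates = sorted(matching_psos(user_dn, member_of, psos),
                        key=lambda p: p["msDS-PasswordSettingsPrecedence"])
    if not candidates:
        policy = {key: domain[attr] for key, (_, attr) in FIELDS.items()}
        policy["complexity"] = bool(domain["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX)
        policy["source"] = "default domain policy"
        return policy
    best = candidates[0]
    # Equal precedence on two matching PSOs cannot be ordered by this attribute alone: flag it.
    if len(candidates) > 1 and candidates[1]["msDS-PasswordSettingsPrecedence"] == best["msDS-PasswordSettingsPrecedence"]:
        raise ValueError(f"equal precedence: {best['dn']} and {candidates[1]['dn']}")
    policy = {key: best[attr] for key, (attr, _) in FIELDS.items()}
    policy["complexity"] = bool(best["msDS-PasswordComplexityEnabled"])
    policy["source"] = best["dn"]
    return policy
```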