Fine Grained Password Policies

I'm disappointed to see that in ARS 7.2, still, the Generate Password function does not take into account Fine Grained Password Policies.

Has anyone else found a way to get around this? I have different departments that need to have different length passwords and our service desk don't like that the auto-generate function then gives the error saying that it doesn't match the complexity requirements (and I agree it's not ideal).

Looking at the Script Module "Generate User Password" I can see that it's possible fairly easily to force all generated passwords to a longer length, but I need it to either check the Fine-Grained Password Policy applied, or to be able to amend it and say something like - if the user is a member of group XXX, then it needs to be Y characters

In PS I'd find this fairly easy, but for some reason Quest still seem to be using VBScripts for this.......

Any suggestions or pointers would be very much appreciated.

  • Strictly speaking, there's absolutely nothing preventing you from implementing your own, more sophisticated PoSh-based password generation script that takes into account fine grained password policies.

    Should Quest ship such a beast with the product? We can debate that all day long but as I say, you aren't going to break anything or "void your warranty" by doing your own.

    Heck, there's even an AD cmdlet for finding out what they are in your environment:

    Get-ADFineGrainedPasswordPolicy

  • Thanks. I'd certainly be interested to see if anyone else on here has implemented their own for such a purpose... Out of interest, do you know if Quest have any plans to get rid of the vbscripts that ship with ARS in favour of PoSh?
  • PoSh has been the stated preferred language for script development in the product for some time - since v6.8 perhaps? Having said that, I cannot guess why the password script was never updated. And yes, the SDK still has some catching up to do as well. But help with all this is what us friendly folks in the forums are for. :)

  • Feature ID 734457 has already been made to change the included Password Generation script over to PowerShell and it has been accepted by product management. I do not yet have a firm date or version for when it will be included, but I will update this thread when I do.
  • I agree, a built-in password generator would be a great addition. I've recently created a password generator similar to what you are looking for; take a look and feel free to adapt it to your needs.

     

    #########################################################################################
    #
    # Zigabyte Fine-Grain Password Generator
    #
    #########################################################################################

    function Get-Password()
    {
        Param(
            [String]$lSpecialChars = '!$%&/()=?*+#_',
            [String]$lNumberChars = '1234567890',
            [String]$lUpperChars = 'ABCDEFGHKLMNPRSTUVWXYZ',
            [String]$lLowerChars = 'abcdefghkmnprstuvwxyz',
            [int]$minPassWordLength = 8,
            [int]$maxPasswordLength = 8,
            [int]$numOfLower = 2,
            [int]$numOfUpper = 2,
            [int]$numOfNumbers = 2,
            [int]$numOfSpecial = 2,
            [bool]$mustBeginWithLetter = $True
        )

        # Ensure minPasswordLength -le maxPasswordLength
        # (throw, so that an error message can never be handed back as a password)
        if($minPassWordLength -gt $maxPasswordLength){throw 'Minimum cannot exceed Maximum password length'}

        # Check for Infinite Loop: the required character counts must fit in the maximum length
        if(($numOfLower+$numOfUpper+$numOfNumbers+$numOfSpecial) -gt $maxPasswordLength)
        {
            throw 'Required character counts exceed Maximum password length (infinite loop)'
        }

        # Start with an empty password
        $password = ''

        # Set Character Type Counters to 0 Prior to entering Loop
        $uCt = 0;$lCt = 0;$nCt = 0;$sCt = 0

        # Sets Legal Letter Characters
        [String]$lLetterChars = $lUpperChars + $lLowerChars

        # Sets Legal Password Characters
        [String]$lChars = $lSpecialChars + $lNumberChars + $lLowerChars + $lUpperChars

        # Loop to generate Random Password
        for($i = 1;$i -le $maxPasswordLength;$i++)
        {
            # If first Character Letter is set to True
            if(($i -eq 1) -and ($mustBeginWithLetter -eq $True))
            {
                # Get Random First Letter
                $randomChar = $lLetterChars.ToCharArray() | Get-Random
            }
            else
            {
                # Variable to ensure equal distribution of character types (-Maximum is exclusive: 1..4)
                $random = Get-Random -Minimum 1 -Maximum 5

                # Get Random Character
                switch($random)
                {
                    1{$randomChar = $lNumberChars.ToCharArray() | Get-Random;break}
                    2{$randomChar = $lSpecialChars.ToCharArray() | Get-Random;break}
                    3{$randomChar = $lUpperChars.ToCharArray() | Get-Random;break}
                    4{$randomChar = $lLowerChars.ToCharArray() | Get-Random;break}
                    default{$randomChar = $lChars.ToCharArray() | Get-Random;break}
                }
            }
            $password += $randomChar

            # Count Each Character Type
            if($randomChar -cmatch '[a-z]'){$lCt++}
            if($randomChar -cmatch '[A-Z]'){$uCt++}
            # Test against the configured special characters rather than a hard-coded list
            if($lSpecialChars.IndexOf($randomChar) -ge 0){$sCt++}
            if($randomChar -match '[0-9]'){$nCt++}

            # Check Password to ensure Minimum Password Length and Character Requirements have been met
            $requirementsMet = ($lCt -ge $numOfLower) -and ($uCt -ge $numOfUpper) -and
                               ($nCt -ge $numOfNumbers) -and ($sCt -ge $numOfSpecial)
            if(($password.Length -ge $minPassWordLength) -and $requirementsMet)
            {
                return $password
            }
            # If Password has reached Maximum Password Length without meeting the requirements, Get New Password
            elseif($maxPasswordLength -eq $password.Length)
            {
                # Pass the caller's parameters on; a bare call would fall back to the defaults
                return Get-Password @PSBoundParameters
            }
        }
    }

     

    Zigabyte Corp.
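
The following is an added example, not part of any post in this thread and not Active Roles code: it looks up the password policy that actually applies to a user with the ActiveDirectory module's `Get-ADUserResultantPasswordPolicy`, falls back to the default domain policy, and sizes a password drawn from the operating system's CSPRNG to that policy's `MinPasswordLength`. The function names and the 12-character floor are assumptions; how the value is handed back to an ARS script module is not shown.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Function names are hypothetical.

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)
    # The fine-grained policy (PSO) that applies to this user; nothing is returned when none applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    $policy
}

function Get-SecureIndex {
    # Uniform integer in [0, $Max) from the OS CSPRNG; rejection sampling avoids modulo bias.
    param([ValidateRange(1, 256)][int]$Max,
          [System.Security.Cryptography.RandomNumberGenerator]$Rng)
    $limit = 256 - (256 % $Max)
    $b = [byte[]]::new(1)
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    $b[0] % $Max
}

function New-PolicyPassword {
    param([Parameter(Mandatory)][string]$Identity,
          [ValidateRange(4, 255)][int]$FloorLength = 12)   # assumed local minimum
    $policy = Get-EffectivePasswordPolicy -Identity $Identity
    $length = [Math]::Max([int]$policy.MinPasswordLength, $FloorLength)
    # Same character sets as the script posted above.
    $sets = 'abcdefghkmnprstuvwxyz', 'ABCDEFGHKLMNPRSTUVWXYZ', '1234567890', '!$%&/()=?*+#_'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character from every class first, so a complexity-enabled policy is always met.
        [char[]]$chars = foreach ($s in $sets) { $s[(Get-SecureIndex -Max $s.Length -Rng $rng)] }
        while ($chars.Count -lt $length) {
            $chars += $all[(Get-SecureIndex -Max $all.Length -Rng $rng)]
        }
        # Fisher-Yates shuffle so the guaranteed characters are not always in front.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-SecureIndex -Max ($i + 1) -Rng $rng
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        -join $chars
    }
    finally { $rng.Dispose() }
}

# 'jdoe' is a constructed account name.
# New-PolicyPassword -Identity 'jdoe'
```

Because the length comes from the resultant policy, a user covered by a stricter PSO gets a longer password without any per-group logic in the generator.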