jameswatson3 Absent Member.

Does SSPR Support AD Fine-Grained Password Policies?


I am piloting SSPR 3.2 using the Active Directory template and LDAP only
as the password policy source.

When using the HelpDesk module to view password policy for a user, it
correctly reads the policy set in the Default Domain Policy, but does
not read any Fine-Grained password policies set on individuals or
groups. I have confirmed the FGPPs are applying by attempting password
resets at the MS GINA. There is no reference to FGPP in the
administration guide.

Does SSPR support AD Fine-Grained password policies? If so, how can I
troubleshoot further?


--
jameswatson3
------------------------------------------------------------------------
jameswatson3's Profile: https://forums.netiq.com/member.php?userid=565
View this thread: https://forums.netiq.com/showthread.php?t=53471

0 Likes
2 Replies
Micro Focus Contributor

Re: Does SSPR Support AD Fine-Grained Password Policies?


Yes, SSPR can read AD fine-grained password policies; it does not read
group policy objects for password policy. For troubleshooting you can
set the log level to trace, and perhaps enable LDAP wire trace. During
the login process SSPR will calculate the user's policy and you should
see it read the user's assigned PSO entry and apply the policy defined
there. Also be aware that by default SSPR will merge the application
defined policy and the LDAP read policy and use the most restrictive
value of each setting where there is a conflict. This behavior is
controlled by the 'Password Policy Source' setting.


--
jrivard
------------------------------------------------------------------------
jrivard's Profile: https://forums.netiq.com/member.php?userid=541
View this thread: https://forums.netiq.com/showthread.php?t=53471

0 Likes
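As an added illustration of the "most restrictive value of each setting" merge described in the reply above (this is not SSPR source code and not part of the original thread): the sketch normalises the standard AD PSO attributes and merges them with an application-side policy. The application-side setting names, the merge rules and the sample values are assumptions made for the example.

```python
# Added illustration, not SSPR code. App-side setting names and merge rules are assumptions.
NEVER = -(2**63)                      # AD large-integer sentinel for "never expires"
TICKS_PER_DAY = 86_400 * 10_000_000   # AD stores intervals as negative 100 ns ticks

def pso_to_policy(pso):
    """Normalise raw PSO attribute values (strings, as LDAP returns them)."""
    raw_age = int(pso["msDS-MaximumPasswordAge"])
    max_age_days = 0 if raw_age in (0, NEVER) else abs(raw_age) // TICKS_PER_DAY
    return {
        "min_length": int(pso["msDS-MinimumPasswordLength"]),
        "history": int(pso["msDS-PasswordHistoryLength"]),
        "complexity": pso["msDS-PasswordComplexityEnabled"].upper() == "TRUE",
        "max_age_days": max_age_days,  # 0 = never expires
    }

def strictest_limit(a, b):
    """Smaller limit wins, but 0 means 'no limit' and loses to any real limit."""
    real = [v for v in (a, b) if v > 0]
    return min(real) if real else 0

# Which direction counts as "more restrictive" differs per setting.
MERGE_RULES = {
    "min_length": max,
    "history": max,
    "complexity": lambda a, b: a or b,
    "max_age_days": strictest_limit,
}

def merge_most_restrictive(app, ldap):
    """Per-setting merge; a setting present on one side only is kept as-is."""
    merged = {}
    for key, rule in MERGE_RULES.items():
        if key in app and key in ldap:
            merged[key] = rule(app[key], ldap[key])
        elif key in app or key in ldap:
            merged[key] = app.get(key, ldap.get(key))
    return merged

# Constructed sample data: a PSO with a 60-day maximum age and a laxer app policy.
SAMPLE_PSO = {
    "msDS-MinimumPasswordLength": "14",
    "msDS-PasswordHistoryLength": "24",
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MaximumPasswordAge": str(-60 * TICKS_PER_DAY),
}
SAMPLE_APP = {"min_length": 8, "history": 30, "complexity": False, "max_age_days": 0}

if __name__ == "__main__":
    print(merge_most_restrictive(SAMPLE_APP, pso_to_policy(SAMPLE_PSO)))
```

In Active Directory, the PSO that takes effect for a given user is named in that user's constructed `msDS-ResultantPSO` attribute, which is the entry to look for in an LDAP trace.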
jameswatson3 Absent Member.

Re: Does SSPR Support AD Fine-Grained Password Policies?


I set LDAP as the Password Policy Source so there should be no merging in
my case.

After some additional examination, I'm observing that SSPR certainly
does read the FGPP, but it does not display it. For example, I cannot
log in if the FGPP calculates an expired pw and SSPR is configured not to
allow login with expired password. However, when I change the password
and successfully log in, the user's My Account | Password Policy does not
display the policy settings of the FGPP. If I were to set policy in the
Default Domain Policy GPO, it would show the settings like minimum
password policy for example.

Is this expected behavior?


--
jameswatson3
------------------------------------------------------------------------
jameswatson3's Profile: https://forums.netiq.com/member.php?userid=565
View this thread: https://forums.netiq.com/showthread.php?t=53471

0 Likes