Super Contributor.

Force users to change password after modifying policy

Hello,

I built a universal password policy forcing users to use >=12 characters in passwords.

It works: if a user tries to change his password, he will be asked for a valid password as described in the rule.

But the old, short passwords remain valid until the user changes them. Under "Authentication" I chose

"Verify whether existing passwords comply with the password policy (verification occurs on login)"

but nothing seems to happen when a user logs in using his old password.

Is there anything more I have to do to force users to change their passwords to a valid one?

 

Holger

 

Knowledge Partner

Do you mean that the user is NOT asked to change it while logging in? That would e.g. happen if you don't have "require unique" ticked in the UP Policy.

If you like it: like it.
Super Contributor.

Hello,

I ticked "require unique".

Does anybody have another suggestion for solving this problem?

Holger

@MicroFocus: I'm a little bit confused. If I choose (translated from German...) "Check whether existing passwords comply with the password guideline (takes place at login)", then I think it has to work well, or I should get a notice why it couldn't work...
Knowledge Partner

If (in your offset) someone with a 10 character password logs in he should get asked to change it. Grace logins would still apply, but the expiration notification would step in immediately. Which OS and client build are you using? Could you post screenshots of the policy settings?

 

If you like it: like it.
Super Contributor.

Hello,

the summary of the policy:

(translated from German)

Universal Password

Options
Enable Universal Password: true
Enable advanced password rules: true
Synchronize NDS password when setting Universal Password: true
Synchronize simple password when setting Universal Password: true
Allow user to retrieve password: true
Allow administrator to retrieve passwords: true
Allow the following to retrieve passwords: false
Synchronize distribution password when setting Universal Password: true
Verify whether existing passwords comply with the password policy (verification occurs on login): true

Rules
Allow user to change password: true
Do not expire the user's password when the administrator sets the password: false
Number of characters that must differ from the current and previous passwords: 3
Number of previous passwords to consider for character exclusion: 2
Require unique passwords: true
Excluded password: 9876543210
Excluded password: qwertzuiop
Excluded password: 1234567890
Minimum number of characters in password: 12
Maximum number of characters in password: 32
Minimum number of different characters: 6
Maximum number of consecutive repetitions of a character: 3
Allow numeric characters in passwords: true
Disallow numeric character as first character: false
Disallow numeric character as last character: false
Minimum number of numeric characters in password: 1
Allow case-sensitive passwords: true
Minimum number of lowercase letters in password: 1
Minimum number of uppercase letters in password: 1
Allow non-alphabetic characters in password: false
Allow non-alphanumeric characters in password: true
Disallow non-alphanumeric character as first character: false
Disallow non-alphanumeric character as last character: false
Minimum number of non-alphanumeric characters: 1
Allow special characters: true

Forgotten Password
Enabled: true
Challenge set: Sample challenge set
Action: Change password

and here the configuration options of the same policy:

Configuration options (translated from German; [x] = ticked)

[x] Enable Universal Password
[x] Enable advanced password rules

Synchronization of the Universal Password
[ ] Remove the NDS password when setting Universal Password
[x] Synchronize NDS password when setting Universal Password
[x] Synchronize simple password when setting Universal Password
[x] Synchronize distribution password when setting Universal Password

Retrieval of the Universal Password
[x] Allow user to retrieve password
[x] Allow administrator to retrieve passwords
[ ] Allow the following to retrieve passwords

Authentication
[x] Verify whether existing passwords comply with the password policy (verification occurs on login)

In "Synchronization of the universal password" I tried several combinations without success.

 

We use "Client for Open Enterprise Server 2 SP4 (IR13)" and some earlier versions on Windows 7 Pro and Windows 10 Pro 1909 platforms.

 

Holger

Knowledge Partner

Is it by chance possible that the users in question didn't have a UP before, i.e. that it's the first time they've ever got a UP policy assigned?

That would pretty much explain what's going on...

If you like it: like it.
Super Contributor.

Hello,

that's right.
But does that mean it doesn't work until the users have actually adjusted their passwords to a policy for the first time?

Holger

 

Knowledge Partner

They don't need to have the password adjusted, they need a UP at all to have something to compare with. The legacy RSA based key pair cannot be decrypted and hence can't be compared with the rule definition.

I'd recommend the following: create a UP policy which has no restrictions or requirements, which merely enables UP and maybe case sensitivity. Assign it to your users. On the next login their UP will "silently" be set to match the current NDS password. Now you HAVE something to compare. After a few days or weeks, when you're confident that everyone has logged in once, assign them your restrictive policy. If a password doesn't fulfil the requirements, the user will get asked to change it.

If you like it: like it.
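The login-time check discussed in this thread, as an added sketch that is not part of the original posts and is not eDirectory or NMAS code: it evaluates a password against the rule values from the posted policy summary and shows that the check can only run for accounts that already have a Universal Password to compare. The `User` model, the function names and the sample passwords are assumptions made for illustration; the two history-based rules (characters differing from previous passwords, unique passwords) are left out because they need password history.

```python
# Added illustration: simplified model, not eDirectory/NMAS behaviour in detail.
from dataclasses import dataclass
from typing import Optional

# Rule values copied from the policy summary posted in the thread.
POLICY = {
    "min_len": 12, "max_len": 32, "min_unique": 6, "max_repeat": 3,
    "min_digit": 1, "min_lower": 1, "min_upper": 1, "min_special": 1,
    "excluded": {"9876543210", "qwertzuiop", "1234567890"},
}

def longest_run(pw: str) -> int:
    """Length of the longest run of one consecutively repeated character."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best

def violations(pw: str, p: dict = POLICY) -> list[str]:
    """Return the names of the rules that pw breaks (empty list = compliant)."""
    checks = {
        "min_len": len(pw) >= p["min_len"],
        "max_len": len(pw) <= p["max_len"],
        "min_unique": len(set(pw)) >= p["min_unique"],
        "max_repeat": longest_run(pw) <= p["max_repeat"],
        "min_digit": sum(c.isdigit() for c in pw) >= p["min_digit"],
        "min_lower": sum(c.islower() for c in pw) >= p["min_lower"],
        "min_upper": sum(c.isupper() for c in pw) >= p["min_upper"],
        "min_special": sum(not c.isalnum() for c in pw) >= p["min_special"],
        "excluded": pw not in p["excluded"],
    }
    return [name for name, ok in checks.items() if not ok]

@dataclass
class User:
    name: str
    # None models an account that has never had a Universal Password
    # (only the legacy NDS credential, which cannot be compared with rules).
    universal_password: Optional[str]

def login_check(user: User) -> str:
    """Model of the 'verify existing passwords at login' option."""
    if user.universal_password is None:
        return "skipped: no Universal Password to compare"
    bad = violations(user.universal_password)
    return "change required: " + ", ".join(bad) if bad else "compliant"
```

In this model an account without a Universal Password passes through unchecked, which is the symptom reported at the top of the thread; once the permissive policy has populated the UP, the same short password is flagged.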