Q. Once a Windows privileged account managed by ERPM, will these privileged accounts still be affected by Windows local security policy as highlighted?
A. We cannot break the rules of Windows and in turn your group policy. If you have a minimum password length defined, we cannot set a password shorter than your minimum length. If you have a maximum password age defined (for example 30 days) and the account is not set to never expire and the ERPM change interval is greater than 30 days, then the password in Windows will still expire 30 days after the change. If ERPM changes more frequently than 30 days, then there will be no issue.
The gray area is with minimum password age and password history. I call this a gray area because for these policies to apply, the password has to be changed rather than reset. The following is all within the constraints of how Windows works. ERPM will attempt to modify the password in the following order:
- Administrative reset - doesn’t need to know about previous password and as an administrative reset doesn’t care about minimum password age or history. If admin privilege fails, go to step 2.
- User password change - attempt to connect to the system/directory as the user (impersonated connection) and issue a password change command. This requires the previous password be known by ERPM and will respect minimum age and history. If this step fails or no previous password is known by ERPM go to step 3.
- Try reset permissions - this would apply to Active Directory accounts where delegation to permit ERPM to do a password reset have been configured. Like step 1, this does not need to know the previous password and minimum password age and history does not apply. However, as this is a non-administrative session, you will still fail trying to change the password on a protected account such as an administrator, account operator, etc. If this fails go to step 4.
Typically, when there is this type of conflict with the job, ERPM will return an error 2245 or similar:
Error 2245 - "The password is shorter than required". This is a generic message that windows returns when the password does not meet your password requirements. When using the admin interface to change passwords as we are, causes are generally related to length and characters used. For example, if you have turned on password complexity then if this policy is enabled, passwords must meet the following minimum requirements:
- Not contain all or part of the user's account name
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters (e.g., !, $, #, %)