3.1.1.7.1 General Password Policy

This policy is referenced from the dBCSPwd and unicodePwd triggers.

The following constraints MUST be satisfied; on error, the server MUST return a processing error. For more information on error codes, see section 3.1.5.

  1. Minimum Password Length Constraint: If all of the following conditions are true, the following constraint MUST be satisfied:

    1. Conditions:

      1. The userAccountControl attribute value contains UF_NORMAL_ACCOUNT.

      2. The objectSid attribute value does not have the DOMAIN_USER_RID_KRBTGT value as the RID.

      3. The userAccountControl attribute value does NOT contain UF_PASSWD_NOTREQD.

      4. The Effective-MinimumPasswordLength attribute value (see section 3.1.1.5) is greater than 0.

      5. The requesting protocol message is a password change (as compared to a password set).

    2. Constraint:

      1. At least one of dBCSPwd or unicodePwd MUST be nonzero-length and equal to a value other than the hash of a zero-length string.

  2. Minimum Password Age Constraint: If all of the following conditions are true, the following constraint MUST be satisfied:

    1. Conditions:

      1. The userAccountControl attribute contains UF_NORMAL_ACCOUNT.

      2. At least one of the dBCSPwd or unicodePwd attribute values is present and not equal to a hash value of a zero-length string.

    2. Constraint:

      1. The pwdLastSet attribute MUST be less than the current time plus the value of the Effective-MinimumPasswordAge attribute (see section 3.1.1.5).

  3. Password History Length Constraint: If all of the following conditions are true, the following constraints MUST be satisfied:

    1. Conditions:

      1. The userAccountControl attribute contains UF_NORMAL_ACCOUNT.

      2. objectSid does not have the DOMAIN_USER_RID_KRBTGT value as the RID.

      3. userAccountControl does NOT contain UF_PASSWD_NOTREQD.

      4. minPwdHistory on the account domain object is greater than 0.

      5. The requesting protocol message is a password change (as compared to a password set).

    2. Constraints:

      1. If the unicodePwd attribute is being updated, the value of the unicodePwd MUST NOT be present in the first N hashes stored in the ntPwdHistory attribute value, where N is the value of the Effective-PasswordHistoryLength attribute (see section 3.1.1.5). For details on how ntPwdHistory is maintained, see section 3.1.1.9.1.

      2. If the dBCSPwd attribute is being updated, the value of the dBCSPwd MUST NOT be present in the first N hashes stored in the lmPwdHistory attribute value, where N is the value of the Effective-PasswordHistoryLength attribute (see section 3.1.1.5). For details on how lmPwdHistory is maintained, see section 3.1.1.9.1.
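The three constraints above, as an added worked example (not code from the MS-SAMR specification). It assumes a constructed in-memory model of the account and domain objects: "present" values are the new dBCSPwd/unicodePwd hashes being written, the Effective-MinimumPasswordAge follows the AD convention of a negative interval, and the minPwdHistory condition and the N in the history constraint are taken to be the same Effective-PasswordHistoryLength value.

```python
from dataclasses import dataclass, field

UF_PASSWD_NOTREQD = 0x0020          # userAccountControl bits (MS-SAMR / MS-ADTS values)
UF_NORMAL_ACCOUNT = 0x0200
DOMAIN_USER_RID_KRBTGT = 502
# Well-known NT (MD4 over UTF-16LE "") and LM hashes of the zero-length string.
EMPTY_NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")
EMPTY_LM_HASH = bytes.fromhex("aad3b435b51404eeaad3b435b51404ee")

@dataclass
class Account:                       # constructed model of the relevant SAM attributes
    user_account_control: int
    rid: int                         # RID portion of objectSid
    pwd_last_set: int                # 100-ns intervals since 1601, as in AD
    nt_pwd_history: list = field(default_factory=list)   # ntPwdHistory, newest first
    lm_pwd_history: list = field(default_factory=list)   # lmPwdHistory, newest first

@dataclass
class Policy:                        # the Effective-* values from section 3.1.1.5
    min_password_length: int
    min_password_age: int            # AD stores this as a negative interval, so now + age is in the past
    password_history_length: int     # N

def _real_pwd(h, empty):
    # present, nonzero-length and not the hash of the zero-length string
    return h is not None and len(h) > 0 and h != empty

def check_password_policy(acct, pol, new_nt=None, new_lm=None, is_change=True, now=0):
    """Return names of violated constraints; an empty list means the write is acceptable."""
    violations = []
    normal = bool(acct.user_account_control & UF_NORMAL_ACCOUNT)
    pwd_required = not (acct.user_account_control & UF_PASSWD_NOTREQD)
    not_krbtgt = acct.rid != DOMAIN_USER_RID_KRBTGT
    has_real_pwd = _real_pwd(new_nt, EMPTY_NT_HASH) or _real_pwd(new_lm, EMPTY_LM_HASH)
    # 1. Minimum Password Length: the server only sees hashes, so the test is
    #    "some hash is present and is not the hash of the zero-length string".
    if normal and not_krbtgt and pwd_required and pol.min_password_length > 0 and is_change:
        if not has_real_pwd:
            violations.append("MinimumPasswordLength")
    # 2. Minimum Password Age: pwdLastSet MUST be less than now + Effective-MinimumPasswordAge.
    if normal and has_real_pwd and not acct.pwd_last_set < now + pol.min_password_age:
        violations.append("MinimumPasswordAge")
    # 3. Password History: the new hash must not be among the first N stored hashes.
    if normal and not_krbtgt and pwd_required and pol.password_history_length > 0 and is_change:
        n = pol.password_history_length
        if new_nt is not None and new_nt in acct.nt_pwd_history[:n]:
            violations.append("PasswordHistory(ntPwdHistory)")
        if new_lm is not None and new_lm in acct.lm_pwd_history[:n]:
            violations.append("PasswordHistory(lmPwdHistory)")
    return violations
```

Note that a password set (as opposed to a change) and the krbtgt account skip the length and history constraints, exactly as the conditions above require, while the age constraint still applies to any normal account writing a real password.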