Q&A: How to Manage Password Policies: UDM-Policy and Samba-Policy?

This article provides guidance on managing password policies, specifically focusing on the UDM-Policy and Samba-Policy configurations. It outlines how to activate and customize password quality checks and Microsoft’s complexity requirements, as well as how these policies interact during user logins and password changes.

It is strongly recommended that the UDM-Policy and Samba-Policy are set to the same values.

UDM-Policy

When the Password quality check is enabled in the UDM-Policy, you can set your own complexity requirements using the UCR variables password/quality/*. For more information on these UCR variables, see our handbook.

Samba-Policy

By checking the box Passwords must meet complexity requirements, a Microsoft policy is activated. The information in the question mark pop-up displays the complexity requirements enforced when using this Microsoft policy. These complexity requirements are part of Passfilt.dll and cannot be changed directly.

Interaction between UDM-Policy and Samba-Policy

When Samba is installed, the Samba-Policy takes effect during UMC login and Self-Service login, including when users change their passwords. The UDM-Policy is used only when the password is changed directly in UDM (udm users/user or the user module in UMC).
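Because the two policies are enforced on different paths, it helps to check that they actually hold the same values. The following Python example is added here and is not Univention code: it compares constructed sample text assumed to follow the output layout of `samba-tool domain passwordsettings show` and `udm policies/pwhistory list`. The sample values, the UDM attribute names (pwLength, length, pwQualityCheck) and the field mapping are assumptions.

```python
import re

# Constructed sample text (not captured from a real system), assumed to follow
# the layout of `samba-tool domain passwordsettings show`.
SAMBA_SAMPLE = """\
Password information for domain 'DC=example,DC=test'
Password complexity: on
Password history length: 24
Minimum password length: 7
"""
# Constructed sample text, assumed to follow the layout of
# `udm policies/pwhistory list`; the attribute names are assumptions.
UDM_SAMPLE = """\
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=test
  length: 3
  pwLength: 8
  pwQualityCheck: TRUE
"""

def _on(v):   # unset or "None" counts as off
    return v.lower() in ("on", "true", "1")

def _num(v):  # unset or "None" counts as 0
    return int(v) if v.isdigit() else 0

# (label, Samba field, UDM attribute, normaliser)
PAIRS = [
    ("complexity / quality check", "Password complexity", "pwQualityCheck", _on),
    ("minimum length", "Minimum password length", "pwLength", _num),
    ("history length", "Password history length", "length", _num),
]

def parse_kv(text):
    """Parse 'key: value' lines into a dict; lines without a colon are skipped."""
    pairs = (re.match(r"\s*([^:]+):\s*(.*)$", ln) for ln in text.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in pairs if m}

def policy_drift(samba_text, udm_text):
    """Return [(label, samba_value, udm_value)] for every setting that differs."""
    samba, udm = parse_kv(samba_text), parse_kv(udm_text)
    drift = []
    for label, s_key, u_key, norm in PAIRS:
        s_val, u_val = norm(samba.get(s_key, "")), norm(udm.get(u_key, ""))
        if s_val != u_val:
            drift.append((label, s_val, u_val))
    return drift

if __name__ == "__main__":
    for label, s_val, u_val in policy_drift(SAMBA_SAMPLE, UDM_SAMPLE):
        print(f"MISMATCH {label}: Samba={s_val} UDM={u_val}")
```

With the constructed samples, the check reports a mismatch for minimum length and history length, while the complexity setting agrees on both sides.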

Password Settings for the User Module in UMC (or udm users/user)

You can determine whether only the settings of the Samba-Policy apply (set the variable password/quality/mspolicy to sufficient) or whether the settings of the UDM-Policy are considered in addition (set the variable to true), which also takes self-defined blacklists into account. In the latter case, the password length defined in the UDM-Policy takes precedence over the Samba-Policy.

UCS@school

If you want to reset the password for a user, the UMC module will prompt you to enter a temporary password, following the UDM-Policy. If the affected user (student, teacher, or employee) logs in with this temporary password and is prompted to create a new private one, the system will check it against the Samba-Policy.


See also: How-to: Configure password history policy for UCS & UCS@school
