The Password Policy is Incompatible with the Built-In Domain Password Policy
Specops Password Policy (and all 3rd party password filters in Active Directory) do not and cannot replace the built-in password policy in Active Directory. For all password changes/resets, Active Directory will check its own built-in policy and ensure the new password meets its requirements before even checking the Specops policy requirements. Active Directory also continues to expire passwords per its own maximum password age requirements regardless of what is configured in the Specops policy.
Given this architecture, it is recommended (and in most cases, required) that the Active Directory and Specops password policies are compatible with each other so as not to cause conflicting results for end users and administrators during password change/reset or password expiration. If an incompatibility is detected between your configured Specops policy and the built-in domain policy, a warning will appear in the policy summary view and editor:
The password policy is incompatible with the built-in domain password policy. It is strongly recommended to resolve this. Click here for details…
Click the warning to display which specific requirements are in conflict with the built-in domain password policy. Below is an example of the types of conflicts that might be detected:

Common scenarios include:
- Complexity requirements — decreasing or removing the character group requirements or removing username detection from your Specops password policy while the built-in complexity requirement remains enabled. Active Directory will still reject passwords which do not have 3-of-4 character groups or which contain usernames, even though these rules are removed from your Specops policy.
- Maximum password age — increasing either the base maximum password age or any of the length-based password aging groups beyond the maximum password age configured in Active Directory. Active Directory will still expire passwords once they hit its maximum password age policy regardless of any extended maximum password age configured in a Specops policy. If Specops length-based password aging allows for passwords that never expire, the AD policy must also be set to never expire passwords (in AD this is done by setting the maximum password age to 0).
Resolve each conflict by adjusting the configuration of either your Specops Password Policy GPO settings or the built-in domain password policy, following the below axioms:
- Any password which is rejected by the Active Directory password policy should also be rejected by the Specops password policy.
- Any password that expires per the Active Directory policy should have already expired per the Specops policy.
Notes/caveats:
- This warning will not consider AD fine-grained password policies, and thus this warning may appear even if the fine-grained policy is compatible with the Specops policy. It is left to the administrator to confirm compatibility per the axioms listed here, as well as to confirm that all users affected by the Specops policy are also affected by the relevant fine-grained password policy.
- Passphrase rules are not considered when checking compatibility. If passphrases are enabled in your Specops Policy and character group requirements are reduced, the administrator must confirm that the AD built-in complexity rules are not enforced.
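
The two axioms above can also be checked by hand against the built-in domain policy. The following PowerShell is an added example, not Specops code and not how the product's own warning is implemented: it compares the output of `Get-ADDefaultDomainPasswordPolicy` with Specops settings transcribed manually from the policy editor. The function name and the `$Specops` key names are hypothetical, the sample values are constructed, and fine-grained policies and passphrase rules are not considered.

```powershell
# Added example. The $Specops keys are hypothetical names for values copied by
# hand from the Specops policy editor; they are not a Specops API.
function Test-BuiltInPolicyCompatibility {
    param(
        [Parameter(Mandatory)] $AdPolicy,            # e.g. Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] [hashtable] $Specops
    )

    # Axiom 1: any password rejected by AD should also be rejected by Specops.
    if ($AdPolicy.ComplexityEnabled) {
        if ($Specops.RequiredCharacterGroups -lt 3) {
            'Complexity: AD enforces 3-of-4 character groups, Specops requires fewer.'
        }
        if (-not $Specops.DisallowUsername) {
            'Complexity: AD rejects passwords containing the username, Specops does not.'
        }
    }

    # Axiom 2: any password that expires per AD should already have expired per Specops.
    # In AD a maximum password age of 0 means passwords never expire; this example
    # assumes the same convention for the values in $Specops.
    $adDays = $AdPolicy.MaxPasswordAge.TotalDays
    if ($adDays -gt 0) {
        $ages = @($Specops.MaxAgeDays) + @($Specops.LengthBasedMaxAgeDays) |
            Where-Object { $null -ne $_ }
        foreach ($days in $ages) {
            if ($days -eq 0) {
                "Maximum age: Specops allows non-expiring passwords, AD expires at $adDays days."
            } elseif ($days -gt $adDays) {
                "Maximum age: Specops allows $days days, AD expires at $adDays days."
            }
        }
    }
}

# Constructed sample input so the check runs without a domain controller.
$adPolicy = [pscustomobject]@{ ComplexityEnabled = $true; MaxPasswordAge = [timespan]::FromDays(42) }
$specops  = @{
    RequiredCharacterGroups = 2          # reduced below the built-in 3-of-4 rule
    DisallowUsername        = $true
    MaxAgeDays              = 90         # base maximum password age
    LengthBasedMaxAgeDays   = @(180, 0)  # length-based aging groups; 0 = never expires
}

$conflicts = @(Test-BuiltInPolicyCompatibility -AdPolicy $adPolicy -Specops $specops)
$conflicts | ForEach-Object { Write-Warning $_ }
```

On a domain-joined machine with the ActiveDirectory module, pass `(Get-ADDefaultDomainPasswordPolicy)` as `-AdPolicy` in place of the constructed object.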