nFront Password Filter

Download Trial
Watch Video Demo

Windows Update Tips and Tricks email newsletter recommends nFront Password Filter

April 14, 2008

When posed with the question of “How do I exclude users from my domain-password policy, and can I exclude those same users from domain-policy read-and-apply permissions?” John Savill responded with the following answer:

No, the domain controllers (DCs) enforce the password-complexity requirements, so blocking certain users from read-and-apply permissions won’t exclude them from the password policy. When you change your password, it’s sent by secure session to the DC. The DC gets the unhashed and unencrypted password, and checks for rules to apply.

This process is different from typical logon-password handling, in which users’ passwords are hashed by means of a one-way algorithm at the workstation and sent to the DC. Users could set their passwords before introducing the password policy; then, you could make the passwords never expire. Doing so would mean that users would use simple passwords, but then they could never change their passwords, which isn’t a good idea

To configure different password policies for different users, you have three options:

  1. Place users that need a different password policy into a separate child domain. This tactic would require a lot of additional infrastructure.
  2. If you’re using Windows Server 2008, you can use fine-grained password policies. The domain must be running in Server 2008 mode because only Server 2008 DCs understand fine-grained password policies.
  3. Use a third-party add-on that enables multiple password policies within a domain. Third-party options include nFrontSecurity’s nFront Password Filter (

About nFront Security

nFront Security specializes in innovative software solutions for network security. The company's prominent program, nFront Password Filter, protects data integrity by establishing password policies that prevent the use of easily hacked passwords. This enforcement tool is available for Windows Active Directory and Microsoft SQL servers. Companies in more than 20 countries and numerous Fortune 100 companies use nFront Password Filter to meet SOX, HIPAA and PCI requirements. For more information, visit or call (404)348-4678.

Matthew Jacoby
nFront Security
(404) 348-4678 ex. 709 [at]

nFront Security, Inc © 2017

Contact Us | Terms of Use | Privacy Policy