What is the user experience for implementing On-premises Active Directory Domain Service (AD DS) password protection

Patel, Gautam 0 Reputation points
2024-01-30T22:44:39+00:00

Hello,

We are in the initial stage and planning to implement Microsoft Entra Password Protection, and have the questions below regarding it.

The article (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad-on-premises) talks about what users see when they try to reset or change a password to something that would be banned. It provides three different error messages that are displayed.

Below are the questions that I'm looking for answers to:

  1. What will users see when we implement password protection for on-prem AD?
  2. What kind of error message will be displayed when a user is trying to reset the on-prem password on their Windows laptop? Is it going to display the existing policy details for on-prem AD + the new error messages for banned password?
  3. Do we need to adjust some configuration (GPO settings) within on-prem AD so that it will display the banned password error messages?

Please let me know if you have on-prem AD and have faced this situation.

Thanks.


1 answer

  1. Navya 10,955 Reputation points Microsoft Vendor
    2024-01-31T10:05:47.8866667+00:00

    Hi @Patel, Gautam

    Thank you for posting this in Microsoft Q&A.

    What will users see when we implement password protection for on-prem AD?

    Password protection for on-prem AD is a feature that helps you enforce strong passwords in your organization by using a global and custom banned password list. Once password protection is implemented for on-premises Active Directory Domain Service, users will see error messages when they try to reset or change their password to something that is banned.

    What kind of error message will be displayed when user is trying to reset the on-prem password on their windows laptop? Is it going to display the existing policy details for on-prem AD + the new error messages for banned password?

    When a user attempts to reset or change a password to something that would be banned, one of the following error messages is displayed:

    1. "Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password."
    2. "We've seen that password too many times before. Choose something harder to guess."
    3. "Choose a password that's harder for people to guess."

    Do we need to adjust some configuration (GPO settings) within on-prem AD so that it will display the banned password error messages?

    No, you don't need to adjust any Group Policy Object (GPO) settings within on-premises Active Directory Domain Service (AD DS) to display the banned password error messages.

    For your reference: Enable on-premises Microsoft Entra Password Protection

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

