How to avoid that the users do not use the same word in the password changes in the active directory

Question

How can I control in the active directory that the users do not use the same words when I request the change, being more specific I refer to the following example:

My password in the active directory is: gestion2021 and when it asks me to change the password do not allow me to reuse the word management, that forces me to change the first word.

This behavior is very common in the password changes of the users at the active directory level, so I would like to know if it is possible to control it by means of some policy or if there is some functionality in the active directory that does it.

Answer 1

There is no easy way to do it using Windows Active Directory, it is possible to do it using third-party tools or you may try Password filtering. Take a look at:
https://learn.microsoft.com/en-us/windows/win32/secmgmt/installing-and-registering-a-password-filter-dll
However, there is a feature in Azure Active Directory called Global banned password list which is exactly what you are looking for, take a look at:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
Then you may deploy it in on-premise.

Answer 2

Hi

As Reza has said, there is no native method to block password, it will require a third party password filtering solution to provide this functionality, but might not prevent the reuse of an allowed word. The other option is to increase the Password History count, which will not prevent specific words from being used again, but it will prevent the same password being used again within a that number of changes.

Gary.