Black list in Active Directory

Ryck

I'm trying to figure out if there is a way to black list passwords in active directory. Is this at all possible?
 
Yes, but it's not built in.



https://community.spiceworks.com/to...rd-blacklist-using-microsoft-active-directory
 
Thanks, but I was not sure if there was anything in active directory natively.
 
Yes and no, it doesn't work like you think. You need to write the code and build a DLL that implements the functionality. There are some solutions in the wild already.

You'll probably just be better off forcing NIST standards, the length will probably nudge most people away from the exceedingly dumb ones.
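The "write the code and build a DLL" route mentioned above is the LSA password-filter interface. The following is an added example, not code from the thread or from any of the products it names: the portable policy check (minimum length in the NIST spirit, rejection of the account name, and a substring denylist that also catches simple digit/symbol substitutions, the same idea as the character-name rejection mentioned later in the thread) plus the Windows export that LSA actually calls. The denylist, the substitution table, the `check_password` function and the buffer sizes are constructed assumptions; `PasswordFilter`, `InitializeChangeNotify`, `PasswordChangeNotify`, `UNICODE_STRING` and the `Notification Packages` registry value are the real interface from `<ntsecapi.h>`.

```c
/* Added example: core of a custom AD password-filter DLL.
 * The denylist and substitution map are constructed for illustration;
 * the LSA entry points under #ifdef _WIN32 are the real interface. */
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

#define MIN_LENGTH 8        /* NIST SP 800-63B floor for user-chosen passwords */
#define MAX_PASSWORD 256    /* assumed upper bound for the local copies */

typedef enum {
    PW_OK = 0,
    PW_TOO_SHORT,
    PW_CONTAINS_ACCOUNT_NAME,
    PW_ON_DENYLIST
} pw_verdict;

/* Constructed denylist, stored in already-normalised (letters only) form.
 * Entries are matched as substrings, so "P@ssw0rd!!" is rejected too.
 * Company or product names, or the "character names" the thread mentions,
 * would be added here in the same form. */
static const wchar_t *const denylist[] = {
    L"password", L"qwerty", L"letmein", L"welcome", L"examplecorp", NULL
};

/* Overwrite a plaintext copy; the volatile pointer keeps the compiler
 * from dropping the stores as dead code. */
static void wipe(wchar_t *buf, size_t n) {
    volatile wchar_t *p = buf;
    while (n--) *p++ = 0;
}

/* Lower-case and undo the common l33t substitutions so the denylist
 * does not need every spelling of each word. */
static void normalize(const wchar_t *in, wchar_t *out, size_t outlen) {
    size_t i;
    for (i = 0; i + 1 < outlen && in[i] != L'\0'; i++) {
        wchar_t c = (wchar_t)towlower((wint_t)in[i]);
        switch (c) {
        case L'@': case L'4': c = L'a'; break;
        case L'3':            c = L'e'; break;
        case L'1': case L'!': case L'|': c = L'i'; break;
        case L'0':            c = L'o'; break;
        case L'$': case L'5': c = L's'; break;
        case L'7':            c = L't'; break;
        default: break;
        }
        out[i] = c;
    }
    out[i] = L'\0';
}

/* Platform-independent policy check, so it can be unit-tested outside
 * LSASS before the DLL is ever loaded on a domain controller. */
pw_verdict check_password(const wchar_t *account, const wchar_t *password) {
    wchar_t npw[MAX_PASSWORD], nacct[MAX_PASSWORD];
    const wchar_t *const *e;
    pw_verdict v = PW_OK;

    if (wcslen(password) < MIN_LENGTH)
        return PW_TOO_SHORT;

    normalize(password, npw, MAX_PASSWORD);
    normalize(account, nacct, MAX_PASSWORD);

    /* Reject passwords built around the login name; very short account
     * names are skipped to avoid spurious matches. */
    if (wcslen(nacct) >= 3 && wcsstr(npw, nacct) != NULL) {
        v = PW_CONTAINS_ACCOUNT_NAME;
    } else {
        for (e = denylist; *e != NULL; e++) {
            if (wcsstr(npw, *e) != NULL) { v = PW_ON_DENYLIST; break; }
        }
    }
    wipe(npw, MAX_PASSWORD);
    wipe(nacct, MAX_PASSWORD);
    return v;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* UNICODE_STRING is counted, not NUL-terminated, and Length is in bytes. */
static void copy_ustring(const UNICODE_STRING *s, wchar_t *out, size_t outlen) {
    size_t n = s->Length / sizeof(WCHAR);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, s->Buffer, n * sizeof(WCHAR));
    out[n] = L'\0';
}

/* Export these three names via a .def file, place the DLL in System32 on
 * every domain controller and list it in the "Notification Packages"
 * value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, then reboot.
 * LSA calls PasswordFilter for user changes and for admin resets alike
 * (SetOperation is TRUE for a reset), so this path cannot be bypassed
 * with ADUC the way the thread describes for the Azure AD lists. */
__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }

__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
        PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation) {
    wchar_t acct[MAX_PASSWORD], pw[MAX_PASSWORD];
    BOOLEAN ok;
    (void)FullName; (void)SetOperation;
    copy_ustring(AccountName, acct, MAX_PASSWORD);
    copy_ustring(Password, pw, MAX_PASSWORD);
    ok = (check_password(acct, pw) == PW_OK) ? TRUE : FALSE;
    SecureZeroMemory(pw, sizeof pw);   /* the filter runs inside LSASS: leave no copy */
    return ok;
}

__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
        ULONG RelativeId, PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;   /* STATUS_SUCCESS; never log NewPassword here */
}
#endif
```

Because the filter is loaded into LSASS on each domain controller, any crash or blocking call in it takes the DC down with it, which is why the policy logic is kept separate from the Windows glue and exercised with ordinary tests first; the Windows block is compiled only on Windows, so the check can be built and tested on any platform.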
 
There are other solutions... As with Azure AD, it will blacklist any known bad passwords in the wild. Other password manager solutions can do this for you.
 
Yeah, I believe we are going with Azure, just waiting to get the project approved. Third party software packages were discussed, but there did not seem to be much enthusiasm for them.
 

Remember, you'll need to be licensed appropriately to get password writeback from AzureAD to on-prem AD.

There are essentially two lists in AzureAD: one is Microsoft managed, and they explicitly do not publish what it contains - though you can generally make the assumption that it's extremely dumb and common ones. The second is whatever you set. These will only apply if you actually use this password writeback functionality to reset the password. That is, if you cheat and use ADUC to reset a password or something, you can ram through whatever dumb password you want (provided it is allowed by the domain). So, beware if your helpdesk is resetting passwords like this - they can game the system.
 
I don't know what method the Mouse House does, but we can't have any passwords that contain the Mouse House character names, they get rejected.
Our sub domain uses Quest Active Roles, or whatever the new name for it is.
When I change my password on the top level domain, there's an option to sync the password through all my other accounts, including o365.
 