> We see interest in AD increasingly driven by customer concern re security. The most recent request was for app administrators to require new passwords every 21 days with specified password length and character types, and not to be allowed to reuse the previous 14(?) passwords.

Sorry for the sidetrack, but the password-change requirements just caught my eye because of this recent article in MSDN Magazine:

https://msdn.microsoft.com/en-us/magazine/mt833498

It is based on Microsoft's own security guidance found here:

https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/

(Funniest line from the above article: "Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you." HA!)

Not sure if you hold any away on such policies, but if you do, the password-change requirement might be something to reconsider. When users are forced to change their passwords (especially that frequently) all they do is increment a number. Either that or they have to write it down to remember, or they forget and need to invoke a reset process. There really is no logical in-between. to those tactics. Multi-factor authentication is probably a far better security measure.

Forced password changes isn't really security, it's security theater, and that's pretty much straight from the mouth of Microsoft.

The thread can now go back to its regularly-scheduled programming. *smile*

Thanks,
Joe Kaufman