Password Policy Enforcer Upgrading from PPE V5.x

Upgrading from PPE V5.x

The PPE V6.x Password Policy Server is backwards compatible with the V5.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the V6.x Password Policy Client.

Upgrading the Password Policy Server

The PPE installer detects existing V5.x installations and upgrades them to V6.1. Refer to the Installing PPE section for complete installation instructions.

The PPE V6.x management console automatically imports V5.x configuration settings when started for the first time.

The management console imports valid subscription license keys, but it will not import V5.x perpetual license keys as they cannot be used with PPE V6.x. PPE will revert to a 30-day evaluation license if it cannot import the V5.x license key. Open the PPS Properties page after an upgrade to check your license details.

You can run a combination of V5.x and V6.x Password Policy Servers, but do not enable the passphrase feature or the History rule until all the Password Policy Servers are upgraded to V6.x. If you are using PPE's Maximum Age rule, then upgrade the domain controller holding the PDC emulator operations master role before any other domain controllers. Extended use of both versions is not recommended as it adds administrative overhead. Maintain both versions only for a short time while you roll out PPE V6.x.

The Maximum Age rule in PPE V5.x granted users one grace logon after their password expired. PPE V6.x does not allow grace logons, but some grace logons may occur until all domain controllers are upgraded to PPE V6.x.

If you have deployed the Password Policy Client and will be using the passphrase feature, then update your existing Password Policy message templates to let users know that they may not have to comply with all the rules. You can use the new [PASSPHRASE_NOTICE] macro instead of hard-coding the message text into the template. PPE replaces this macro with the following text "You may not have to comply with all these rules if your password contains [n] or more characters."

Any configuration changes made from the V6.x management console will only affect V6.x domain controllers. Likewise, any changes made from the V5.x management console will only affect V5.x domain controllers. You must make configuration changes in both management consoles until all domain controllers are upgraded to V6.x. Failure to do so may lead to inconsistent enforcement of the password policy.

Older versions of the PPE client (prior to V6.0), including PPE/Web V3.x and ANIXIS Password Reset V1.x cannot detect passphrases. Users must comply with the policy's compliance level when these older clients are installed.

PPE/Web V3.x and ANIXIS Password Reset V1.x use the PPE V3.x communication protocol. These clients do work with the V6.x server, however they will always display the Generic Rejection message when a password is rejected by one of the new rules.

Do not use the automatic tolerance option with PPE V4.x or V3.x clients, including PPE/Web V3.x and ANIXIS Password Reset V1.x. These clients will enforce an extremely restrictive password policy if this option is enabled. They will reject any password that contains a character found in the comparison parameter.

Upgrading the Password Policy Client

The Password Policy Client installer detects existing V5.x installations and upgrades them to V6.1. Refer to the Installing the PPC section for complete installation instructions.