Frequently Asked Questions
Do I have to install client software to enforce a password policy?
No. PPE includes an optional Password Policy Client to help users choose a compliant password, but the PPC is not needed to enforce password policies.
Does the Password Policy Client install a GINA DLL?
No. The Password Policy Client in recent versions of PPE does not install a GINA DLL. Some very old versions of the Password Policy Client did install a GINA DLL.
Are users prompted to change their expiring password if the Password Policy Client is not installed?
Yes. Use the Prompt user to change password before expiration setting in Group Policy to control this feature. PPE can also send e-mail reminders to users before their passwords expire.
Is Password Policy Enforcer compatible with Remote Desktop Connection and Microsoft Terminal Services?
Yes.
Does the Password Policy Server create a single point of failure?
No. One of our competitors uses this deceptive claim to discredit PPE. The nFront Password Filter page addresses the misleading claims made by nFront Security. Our published test results show that Password Policy Enforcer is more capable, efficient, and secure than nFront Password Filter.
Does PPE allow users to reset forgotten passwords?
Not directly. It integrates with ANIXIS Password Reset to provide a secure self-service password reset system.
Does PPE extend the Active Directory schema when installed?
No. PPE only creates a single Active Directory container object to hold configuration settings. If you decide to use the History rule, then you will need to choose where PPE will store the password history for each user. This can either be an existing AD attribute, or a new attribute. You can also use the Windows history rule with PPE if you do not want PPE to store a password history.
Does PPE make any other changes to Active Directory?
It sets the "User must change password at next logon" flag if the PPE Maximum Age rule is enabled when a user's password expires. Windows handles all other account updates including password changes and account lockouts.
Does Microsoft support systems with PPE, or the PPE client installed?
Yes. PPE only uses documented Microsoft APIs. PPE is installed on tens of thousands of domain controllers, and the optional client is installed on over a million desktops.
Which operating systems is PPE supported on?
Windows 2000, Windows Server 2003, Windows Server 2008, Windows XP, Windows Vista, and Windows 7.
Does PPE work with Windows Server Core and read-only domain controllers (RODC)?
Yes.
Does PPE work with Windows x64 (64-bit) Editions?
Yes.
Can PPE expire passwords gradually?
Yes. PPE's Maximum Age rule has transitional modes that expire old passwords gradually.
Can PPE send e-mail reminders to users?
Yes. The PPE Mailer can send up to three customizable reminder e-mails to users before their password expires.
Can PPE stop a user from reusing a password for a specified time?
Yes. PPE's History rule can be enforced for a number of days, or a number of password changes.
Can the password policy be relaxed for long passwords?
Yes. PPE can disable any number of rules when a user enters a passphrase.
Does PPE store passwords to enforce the Similarity rule?
No. PPE does not store passwords or password hashes to enforce the Similarity rule.
Does PPE store passwords to enforce the History rule?
No. PPE only stores hashes of the passwords. The hashes are salted for additional security. PPE does not store password hashes if the History rule is disabled. You can use the Windows history rule with PPE if you do not want PPE to store a password history.
Does PPE work with Windows NT domains or standalone computers?
PPE V6.0 does not, but PPE V3.6 does.
Can we use PPE's password policy enforcement in our applications?
Yes. Send an e-mail to support@anixis.com to request information about the PPE Client API.
Can ANIXIS develop a new rule to help enforce our password policy?
Yes. We do sometimes modify PPE to enforce unusual password policies. Send your request to support@anixis.com