From fe06f8e734eaeadd91b8043f7f8db031e6fed5e1 Mon Sep 17 00:00:00 2001 
From: Hassaan Khan
Date: Wed, 16 Jul 2025 12:18:28 +0500
Subject: [PATCH 1/3] notes, bold heading script ran
---
.../11.0/admin/administration_overview.md | 5 ++-
.../11.0/admin/cmdlets/cmdconnectppe.md | 6 ++--
.../11.0/admin/cmdlets/cmdcopyppepolicy.md | 6 ++--
.../11.0/admin/cmdlets/cmdexportppeconfig.md | 6 ++--
.../11.0/admin/cmdlets/cmdexportppepolicy.md | 11 ++++---
.../cmdlets/cmdgetppebulkpasswordtest.md | 6 ++--
.../admin/cmdlets/cmdgetppeconfigreport.md | 11 ++++---
.../admin/cmdlets/cmdgetppedefaultpolicy.md | 8 ++---
.../11.0/admin/cmdlets/cmdgetppeenabled.md | 8 ++---
.../11.0/admin/cmdlets/cmdgetppehelp.md | 20 ++++++------
.../admin/cmdlets/cmdgetppelicenseinfo.md | 24 +++++++-------
.../admin/cmdlets/cmdgetppepasswordtest.md | 8 ++---
.../11.0/admin/cmdlets/cmdgetppepolicies.md | 10 +++---
.../admin/cmdlets/cmdgetppepolicyenabled.md | 8 ++---
.../admin/cmdlets/cmdgetppeserverversion.md | 8 ++---
.../11.0/admin/cmdlets/cmdgetppeversion.md | 8 ++---
.../11.0/admin/cmdlets/cmdimportppeconfig.md | 11 ++++---
.../11.0/admin/cmdlets/cmdimportppepolicy.md | 11 ++++---
.../11.0/admin/cmdlets/cmdremoveppepolicy.md | 8 ++---
.../admin/cmdlets/cmdsetppedefaultpolicy.md | 8 ++---
.../11.0/admin/cmdlets/cmdsetppeenabled.md | 10 +++---
.../admin/cmdlets/cmdsetppepolicyenabled.md | 10 +++---
.../cmdstartppecompromisedpasswordchecker.md | 8 ++---
.../admin/cmdlets/cmdstartppehibpupdater.md | 6 ++--
.../11.0/admin/compromisedpasswordcheck.md | 5 ++-
.../11.0/admin/configconsole.md | 29 ++++++++++++-----
.../admin/manage-policies/manage_policies.md | 10 ++++--
.../11.0/admin/manage-policies/messages.md | 10 ++++--
.../11.0/admin/manage-policies/passphrases.md | 5 ++-
.../manage-policies/policy_properties.md | 17 +++++++---
.../manage-policies/rules/character_rules.md | 10 ++++--
.../manage-policies/rules/complexity_rule.md | 5 ++-
.../manage-policies/rules/compromised_rule.md | 5 ++-
.../manage-policies/rules/dictionary_rule.md | 10 ++++--
.../manage-policies/rules/history_rule.md | 29 ++++++++++++-----
.../manage-policies/rules/maximum_age_rule.md | 10 ++++--
.../manage-policies/rules/minimum_age_rule.md | 5 ++-
.../11.0/admin/manage-policies/usersgroups.md | 5 ++-
.../configuring_the_password_policy_client.md | 12 +++++--
.../password_policy_client.md | 5 ++-
.../11.0/admin/ppe_tool.md | 24 ++++++++------
.../11.0/admin/systemaudit.md | 17 +++++++---
.../evaluation/enforcing_multiple_policies.md | 5 ++-
.../11.0/evaluation/evaluation_overview.md | 5 ++-
.../evaluation/testing_the_password_policy.md | 15 +++++++--
.../11.0/gettingstarted.md | 4 +--
.../installation/disable_windows_rules.md | 5 ++-
.../11.0/installation/hibpupdater.md | 31 ++++++++++++++-----
.../11.0/installation/installationclient.md | 15 +++++++--
.../11.0/installation/installationgpm.md | 5 ++-
.../11.0/installation/installationserver.md | 5 ++-
.../11.0/installation/installationweb.md | 15 +++++++--
.../11.0/installation/upgrading.md | 13 +++++---
.../11.0/web-overview/configuration.md | 14 ++++++---
.../web-overview/editing_html_templates.md | 15 +++++++--
.../11.0/web-overview/securing_web.md | 5 ++-
.../11.0/web-overview/using_web.md | 15 +++++++--
.../11.0/web-overview/what_new.md | 22 ++++++++-----
docs/passwordpolicyenforcer/11.0/whatsnew.md | 14 ++++-----
59 files changed, 430 insertions(+), 211 deletions(-)
diff --git a/docs/passwordpolicyenforcer/11.0/admin/administration_overview.md b/docs/passwordpolicyenforcer/11.0/admin/administration_overview.md
index 50074e2e96..179e262c4c 100644
--- a/docs/passwordpolicyenforcer/11.0/admin/administration_overview.md
+++ b/docs/passwordpolicyenforcer/11.0/admin/administration_overview.md
@@ -19,7 +19,10 @@ not jeopardize network security. You can also use Password Policy Enforcer to ensure that passwords are compatible with other systems, and to synchronize passwords with other networks and applications. -**NOTE:** The [Evaluate Password Policy Enforcer](/docs/passwordpolicyenforcer/11.0/evaluation/evaluation_overview.md) contains +:::note +The [Evaluate Password Policy Enforcer](/docs/passwordpolicyenforcer/11.0/evaluation/evaluation_overview.md) contains step-by-step instructions to help you quickly install, configure, and evaluate Password Policy Enforcer. Consider using the Evaluation Guide if you are using Password Policy Enforcer for the first time, prior to installing and deploying on your domains. + +::: diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdconnectppe.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdconnectppe.md index 04c9ae1837..381ea78c0d 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdconnectppe.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdconnectppe.md @@ -8,12 +8,12 @@ sidebar_position: 10 The **Connect-PPE** cmdlet establishes a connection to the PPE Server. -SYNTAX +**SYNTAX** **Connect-PPE** [[__-Local__] `<_SwitchParameter_>`] [[__-Domain__] `<_string_>`] [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-Domain** `<_string_>` @@ -30,7 +30,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **OutVariable**. For more information, see about_CommonParameters [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Connect-PPE -d "DCNAME1.COMPANY.COM" diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdcopyppepolicy.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdcopyppepolicy.md index adc94781e8..fe1120dc42 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdcopyppepolicy.md 
+++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdcopyppepolicy.md @@ -8,12 +8,12 @@ sidebar_position: 20 The **CopyPPEPolicy** cmdlet makes a copy of a PPE policy. -SYNTAX +**SYNTAX** **Copy-PPEPolicy -DestPolicyName** `<_string_>` **-SrcPolicyName** `<_string_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-SrcPolicyName** `<_string_>` @@ -29,7 +29,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Copy-PPEPolicy -s "Eval Policy" -d "User Policy" diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppeconfig.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppeconfig.md index 289cf0fdf9..43ef11fe55 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppeconfig.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppeconfig.md @@ -8,11 +8,11 @@ sidebar_position: 30 The **Export-PPEConfig** cmdlet exports the Password Policy Enforcer configuration to a file. -SYNTAX +**SYNTAX** **Export-PPEConfig** [__-File__ `<_string_>`] [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-File** `<_string_>` @@ -24,7 +24,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Export-PPEConfig -file c:\ppe\ppe_config 
diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppepolicy.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppepolicy.md index 4384bdb977..816085ff03 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppepolicy.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdexportppepolicy.md @@ -8,14 +8,17 @@ sidebar_position: 40 The **Export-PPEPolicy** exports a Password Policy Enforcer policy to a file. -**NOTE:** This cmdlet calls the **PPE Tool**. You must be an administrator to run this cmdlet. Start +:::note +This cmdlet calls the **PPE Tool**. You must be an administrator to run this cmdlet. Start PowerShell with the **Run as Administrator** option. +::: -SYNTAX + +**SYNTAX** **Export-PPEPolicy** -PolicyName `<_string_>` [__-File__ `<_string_>`] [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-PolicyName** `<_string_>` @@ -31,7 +34,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Export-PPEPolicy -PolicyName "Eval Policy" -File C:\ppe\EvalPolicy diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppebulkpasswordtest.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppebulkpasswordtest.md index ef2c19fe99..2df75b53e2 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppebulkpasswordtest.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppebulkpasswordtest.md 
@@ -9,12 +9,12 @@ sidebar_position: 50 The **Get-PPEBulkPasswordTest** cmdlet runs the Password Policy Enforcer bulk password test of the specified policy. -SYNTAX +**SYNTAX** **Get-PPEBulkPasswordTest** **-PasswordFile** `<_string_>` **-Policy** `<_string_>` **-ResultFolder** `<_string_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-PasswordFile** `<_string_>` @@ -35,7 +35,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEBulkPasswordTest -PasswordFile C:\PPE\password.txt -Policy "Eval Policy" -resultFolder C:\PPE diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeconfigreport.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeconfigreport.md index 0c653ed816..1c5563b301 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeconfigreport.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeconfigreport.md @@ -8,14 +8,17 @@ sidebar_position: 60 The **Get-PPEConfigReport** cmdlet saves a Password Policy Enforcer configuration report. -**NOTE:** This cmdlet calls the PPE Tool. You must be an administrator to run this cmdlet. Start +:::note +This cmdlet calls the PPE Tool. You must be an administrator to run this cmdlet. Start PowerShell with the **Run as Administrator** option. +::: -SYNTAX + +**SYNTAX** **Get-PPEConfigReport** **-Folder** `<_string_>` -PARAMETERS +**PARAMETERS** **-Folder** `<_string_>` 
@@ -27,7 +30,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEConfigReport -Folder C:\PPE diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppedefaultpolicy.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppedefaultpolicy.md index a1749d2981..0e879a81a5 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppedefaultpolicy.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppedefaultpolicy.md @@ -8,11 +8,11 @@ sidebar_position: 70 The **Get-PPEDefaultPolicy** cmdlet reports the name of the Password Policy Enforcer default Policy. -SYNTAX +**SYNTAX** **Get-PPEDefaultPolicy** [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** `<_CommonParameters_>` @@ -20,8 +20,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEDefaultPolicy -Default policy : Eval Policy +**Default policy : Eval Policy** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeenabled.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeenabled.md index 1a2d8c242c..6a6d8afaec 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeenabled.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeenabled.md 
@@ -8,11 +8,11 @@ sidebar_position: 80 The **Get-PPEEnabled** cmdlet returns the enabled/disabled status of the PPE Server. -SYNTAX +**SYNTAX** **Get-PPEEnabled** [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** `<_CommonParameters_>` @@ -20,8 +20,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEEnabled -Status PPE : Enabled +**Status PPE : Enabled** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppehelp.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppehelp.md index 8505700f0b..841dc4fc2b 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppehelp.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppehelp.md @@ -9,11 +9,11 @@ sidebar_position: 90 The **Get-PPEHelp** cmdlet lists the available Password Policy Enforcer cmdlets. If a cmdlet is specified, returns help for the cmdlet. -SYNTAX +**SYNTAX** **Get-PPEHelp** [[__-Cmdlet__] `<_string_>`] -PARAMETERS +**PARAMETERS** **-Cmdlet** `<_string_>` 
@@ -25,31 +25,31 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> get-ppehelp get-ppehelp -NAME +**NAME** Get-PPEHelp -SYNOPSIS +**SYNOPSIS** Get a list of the PPE Cmdlet -SYNTAX +**SYNTAX** Get-PPEHelp [[-Cmdlet] ``] `[]` -DESCRIPTION +**DESCRIPTION** Get a list of the PPE Cmdlet -RELATED LINKS +**RELATED LINKS** https://www.netwrix.com/password_policy_enforcer.html -REMARKS +**REMARKS** To see the examples, type: "get-help Get-PPEHelp -examples". @@ -57,4 +57,4 @@ For more information, type: "get-help Get-PPEHelp -detailed". For technical information, type: "get-help Get-PPEHelp -full". -For online help, type: "get-help Get-PPEHelp -online" +**For online help, type: "get-help Get-PPEHelp -online"** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppelicenseinfo.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppelicenseinfo.md index cc370fe8a0..8e16b89468 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppelicenseinfo.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppelicenseinfo.md @@ -8,11 +8,11 @@ sidebar_position: 100 The **Get-PPELicenseInfo** cmdlet returns the Password Policy Enforcer license information. -SYNTAX +**SYNTAX** **Get-PPELicenseInfo** [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** `<_CommonParameters_>` 
@@ -20,44 +20,44 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** ``` PS C:\> Get-PPELicenseInfo -ANIXIS Software License Certificate +**ANIXIS Software License Certificate** Product: Password Policy Enforcer -License type: Perpetual +**License type: Perpetual** Licensed to: test -Version: 11 +**Version: 11** Users: 100 -JrPQdyhsxWrLj7RsuX322Ni8vwIRr6ozC+sY3M16aJba +**JrPQdyhsxWrLj7RsuX322Ni8vwIRr6ozC+sY3M16aJba** XuRXG6VjOjWUMT1XwqO4c3VA0eIB8+z4KyUNEzLjmSZKvtLsHb0kFYi1zRiL -6EBVflEmzxYIsCvAlsg1fNfK1JgjFefOc1gENy2CBikDTbe+HnHf3aVBq6p2 +**6EBVflEmzxYIsCvAlsg1fNfK1JgjFefOc1gENy2CBikDTbe+HnHf3aVBq6p2** Va1eXmMXToi3NDNJCNFzQHy7ZGC5AhQ8GIjQfgK8z9s1sHzpdj2Gn+9BEyQQ -nv833QdoFhjKoAXN/xCecZclkCkP9f1GLuq4kN0Emsh5qqXl686JBJlisA3o +**nv833QdoFhjKoAXN/xCecZclkCkP9f1GLuq4kN0Emsh5qqXl686JBJlisA3o** XWQrEQ0Me9P3TkSUpb742JCngQaGcjKHvQoufBJ+GIrcwWG2DZJ1i9xrOJMT -g8D5eFDz/OiqXuZyBHFTInbq77V59x/xtIlUffBW7sCUmY8B+ZhLR2XpLdxr +**g8D5eFDz/OiqXuZyBHFTInbq77V59x/xtIlUffBW7sCUmY8B+ZhLR2XpLdxr** S+4E37Lhf46bScltZxfHZbDQKZuT4hdMKnnzgNHEzkMh8Q3T/40sMvQbAV4O -tDF633YsQMH3Ttbyc+vAvIvbAHJOVhBpNd9TCybfas+j6uQL5fa4qo8dFrx+ +**tDF633YsQMH3Ttbyc+vAvIvbAHJOVhBpNd9TCybfas+j6uQL5fa4qo8dFrx+** +UrPakOmSL/eDR7xB5/zmB37shDXIPfzfG/Vu7I1/EQuH01rZDyafHnzTmmm -1hCMqyi+oVzxZtN8I3sIpAH3FLu+1N37CuHJFrXD97Iu6RjKi+11nG9BmZ2Q +**1hCMqyi+oVzxZtN8I3sIpAH3FLu+1N37CuHJFrXD97Iu6RjKi+11nG9BmZ2Q** 0SX5EYc= ``` diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepasswordtest.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepasswordtest.md index 85c549fb4a..60ae549c96 100644 
--- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepasswordtest.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepasswordtest.md @@ -8,12 +8,12 @@ sidebar_position: 110 The **Get-PPEPasswordTest** cmdlet runs the Password Policy Enforcer password test for a user. -SYNTAX +**SYNTAX** **Get-PPEPasswordTest** **-Password** `<_string_>` **-Username** `<_string_>` [__-OldPassword__ `<_string_>`] [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-Password** `<_string_>` @@ -33,11 +33,11 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEPasswordTest -Password qwerty -User PPETestUser -Assigning default policy "Eval Policy" +**Assigning default policy "Eval Policy"** Log diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicies.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicies.md index 94a7973e98..a5b21ecf8b 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicies.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicies.md @@ -8,11 +8,11 @@ sidebar_position: 120 The **Get-PPEPolicies** cmdlet returns the Password Policy Enforcer policies. -SYNTAX +**SYNTAX** **Get-PPEPolicies** [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** `<_CommonParameters_>` 
@@ -20,14 +20,14 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEPolicies -Admins Policy +**Admins Policy** Eval Policy -Test +**Test** User Policy diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicyenabled.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicyenabled.md index 08c960cc65..73cbf7892a 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicyenabled.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppepolicyenabled.md @@ -9,11 +9,11 @@ sidebar_position: 130 The **Get-PPEPolicyEnabled** cmdlet returns the enabled/disabled status of a Password Policy Enforcer policy. -SYNTAX +**SYNTAX** **Get-PPEPolicyEnabled** **-PolicyName** `<_string_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-PolicyName** `<_string_>` @@ -25,8 +25,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEPolicyEnabled -PolicyName "Eval Policy" -Policy "Eval Policy" is Enabled +**Policy "Eval Policy" is Enabled** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeserverversion.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeserverversion.md index 612a4bae01..e06e006c49 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeserverversion.md 
+++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeserverversion.md @@ -8,11 +8,11 @@ sidebar_position: 140 The **Get-PPEServerVersion** cmdlet returns the Password Policy Enforcer server version. -SYNTAX +**SYNTAX** **Get-PPEServerVersion** [__-DC__] `<_string_>`] [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-DC** `<_string_>` @@ -29,8 +29,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEServerVersion -DC NT-DC03.NWXTECH.COM -Version: 11.0.0.74 +**Version: 11.0.0.74** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeversion.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeversion.md index 1bbfb9d55e..a8ea853f45 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeversion.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdgetppeversion.md @@ -8,11 +8,11 @@ sidebar_position: 150 The **Get-PPEVersion** cmdlet returns the version of the Password Policy Enforcer PowerShell module. -SYNTAX +**SYNTAX** **Get-PPEVersion** [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** `<_CommonParameters_>` @@ -20,8 +20,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Get-PPEVersion -Version: 11.0.0.74 +**Version: 11.0.0.74** 
diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppeconfig.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppeconfig.md index 5600814e21..8143b93088 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppeconfig.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppeconfig.md @@ -8,14 +8,17 @@ sidebar_position: 160 The **Import-PPEConfig** cmdlet imports a Password Policy Enforcer configuration file. -**NOTE:** This cmdlet calls the **PPE Tool**. You must be an administrator to run this cmdlet. Start +:::note +This cmdlet calls the **PPE Tool**. You must be an administrator to run this cmdlet. Start PowerShell with the **Run as Administrator** option. +::: -SYNTAX + +**SYNTAX** **Import-PPEConfig** **-File**] `<_string_>` `<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-File** `<_string_>` @@ -28,7 +31,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Import-PPEConfig -File C:\PPE\ppe_config diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppepolicy.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppepolicy.md index 049e03e9da..b8369daae9 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppepolicy.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdimportppepolicy.md 
@@ -8,14 +8,17 @@ sidebar_position: 170 The **Import-PPEPolicy** cmdlet imports a Password Policy Enforcer policy from a file. -**NOTE:** This cmdlet calls the **PPE Tool**. You must be an administrator to run this cmdlet. Start +:::note +This cmdlet calls the **PPE Tool**. You must be an administrator to run this cmdlet. Start PowerShell with the **Run as Administrator** option. +::: -SYNTAX + +**SYNTAX** **Import-PPEPolicy** **-File**] `<_string_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-File** `<_string_>` @@ -27,7 +30,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Import-PPEPolicy -File "C:\PPE\EvalPolicy" diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdremoveppepolicy.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdremoveppepolicy.md index 46289d7d17..4c7c0461c5 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdremoveppepolicy.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdremoveppepolicy.md @@ -8,11 +8,11 @@ sidebar_position: 180 The **Remove-PPEPolicy** cmdlet removes a Password Policy Enforcer policy. -SYNTAX +**SYNTAX** **Remove-PPEPolicy** **-PolicyName**] `<_string_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-PolicyName** `<_string_>` 
@@ -24,8 +24,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Remove-PPEPolicy -PolicyName Test -PS C:\> +**PS C:\>** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppedefaultpolicy.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppedefaultpolicy.md index 1d7ea6b7ad..eab817d18a 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppedefaultpolicy.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppedefaultpolicy.md @@ -8,11 +8,11 @@ sidebar_position: 190 The **Set-PPEDefaultPolicy** cmdlet sets the Password Policy Enforcer policy as the default. -SYNTAX +**SYNTAX** **Set-PPEDefaultPolicy** **-PolicyName**] `<_string_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-PolicyName** `<_string_>` @@ -24,8 +24,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Set-PPEDefaultPolicy -PolicyName "Eval Policy" -Default policy : Eval Policy +**Default policy : Eval Policy** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppeenabled.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppeenabled.md index c52cd347f8..93ba290ba7 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppeenabled.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppeenabled.md 
@@ -8,11 +8,11 @@ sidebar_position: 200 The **Set-PPEEnabled** cmdlet sets the enabled/disabled status for the PPE Server. -SYNTAX +**SYNTAX** **Set-PPEEnabled** **-Enable**] `<_int_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-Enable** `<_int_>` @@ -25,12 +25,12 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLES +**EXAMPLES** PS C:\> Set-PPEEnabled -Enable 0 -Status PPE : Disabled +**Status PPE : Disabled** PS C:\> Set-PPEEnabled -Enable 1 -Status PPE : Enabled +**Status PPE : Enabled** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppepolicyenabled.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppepolicyenabled.md index 35979a8fa8..9a3c732c86 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppepolicyenabled.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdsetppepolicyenabled.md @@ -9,12 +9,12 @@ sidebar_position: 210 The **Set-PPEPolicyEnabled** cmdlet sets the enabled/disabled status for a Password Policy Enforcer policy. -SYNTAX +**SYNTAX** **Set-PPEPolicyEnabled\_\_**-PolicyName** `<_string_>` **-Enable\__] `<\_int_>` [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-PolicyName** `<_string_>` 
@@ -31,12 +31,12 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLES +**EXAMPLES** PS C:\> Set-PPEPolicyEnabled -PolicyName "Eval Policy" -Enable 0 -Policy "Eval Policy" is Disabled +**Policy "Eval Policy" is Disabled** PS C:\> Set-PPEPolicyEnabled -PolicyName "Eval Policy" -Enable 1 -Policy "Eval Policy" is Enabled +**Policy "Eval Policy" is Enabled** diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppecompromisedpasswordchecker.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppecompromisedpasswordchecker.md index bc9291c639..df0a0f12ec 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppecompromisedpasswordchecker.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppecompromisedpasswordchecker.md @@ -9,11 +9,11 @@ sidebar_position: 220 The **Start-PPECompromisedPasswordChecker** cmdlet runs the Password Policy Enforcer Compromised Password Checker. -SYNTAX +**SYNTAX** **Start-PPECompromisedPasswordChecker** [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** `<_CommonParameters_>` @@ -21,8 +21,8 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Start-PPECompromisedPasswordChecker -PS C:\> +**PS C:\>** 
diff --git a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppehibpupdater.md b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppehibpupdater.md index 681d461b37..cebaa80ad0 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppehibpupdater.md +++ b/docs/passwordpolicyenforcer/11.0/admin/cmdlets/cmdstartppehibpupdater.md @@ -8,14 +8,14 @@ sidebar_position: 230 The **Start-PPEHibpUpdater** cmdlet starts an update of the Hibp database. -SYNTAX +**SYNTAX** **Start-PPEHibpUpdater** [[__-Web__] `<_SwitchParameter_>`] **-Folder** `<_string_>` [__-File__ `<_string_>`] **[-Inc** `<_SwitchParameter_>`] [`<_CommonParameters_>`] -PARAMETERS +**PARAMETERS** **-Web** `<_SwitchParameter_>` @@ -40,7 +40,7 @@ This cmdlet supports the common parameters: **Verbose**, **Debug**, **ErrorActio **ErrorVariable**, **WarningAction**, **WarningVariable**, **OutBuffer**, **PipelineVariable**, and **OutVariable**. For more information, see [about_CommonParameters](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_commonparameters?view=powershell-7.5). -EXAMPLE +**EXAMPLE** PS C:\> Start-PPEHibpUpdater -Folder "C:\HIBP\DB" -File "C:\Users\Administrator\Desktop\db for HIBP Updater not real small\stealthintercept-hibp-database-1.0.0.zip diff --git a/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md b/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md index 8e6c6ce233..4ca5c37e49 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md +++ b/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md 
@@ -10,8 +10,11 @@ The Compromised Password Checker finds compromised passwords. Users can be notif advised or forced to change their password. The check can be scheduled to check existing passwords against a compromised hash list at any time. -**NOTE:** Create the **Compromised Passwords Base** file prior to enabling the Compromised Password +:::note +Create the **Compromised Passwords Base** file prior to enabling the Compromised Password Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.0/installation/hibpupdater.md) topic for instructions. +::: + The Compromised Password Checker is launched from the Configuration Console: diff --git a/docs/passwordpolicyenforcer/11.0/admin/configconsole.md b/docs/passwordpolicyenforcer/11.0/admin/configconsole.md index a679db31ac..91a2249216 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/configconsole.md +++ b/docs/passwordpolicyenforcer/11.0/admin/configconsole.md @@ -64,9 +64,12 @@ object\*\*. Local configurations are stored in the **HKLM\SOFTWARE**ANIXIS**\Password Policy Enforcer** _version\*\*_\ registry key\*\*. -**NOTE:** Users with write permission to these objects can configure Password Policy Enforcer. +:::note +Users with write permission to these objects can configure Password Policy Enforcer. +::: -Domain + +**Domain** - Defines policies for domain user accounts. - Select a Domain Controller from the list of domain controllers where PPE is installed. @@ -74,7 +77,7 @@ Domain ![Connect To Domain Configuration](/img/product_docs/passwordpolicyenforcer/11.0/administration/connecttodomain.webp) -Local +**Local** - Defines policies for local user accounts. - Only affects the computer where it is set. 
@@ -95,7 +98,10 @@ Links to documentation and support tools. html or txt file. Browse to the folder where you want the report. - **Open Property Editor** launches the Property Editor. - **NOTE:** Properties should only be changed when advised by Netwrix Support. + :::note + Properties should only be changed when advised by Netwrix Support. + ::: + ### Settings @@ -147,7 +153,10 @@ Here are the default settings. - Source (client or server) - Rules the password does not meet. - **NOTE:** Passwords or password hashes are not sent over the network. + :::note + Passwords or password hashes are not sent over the network. + ::: + Most rules are enforced by both the Password Policy Client and Password Policy Server. If the Password Policy Enforcer Client is installed, a non-compliant password can be rejected before @@ -189,16 +198,22 @@ Here are the default settings. - **Path**: Click **Browse** and select the path to the pickup folder. -**NOTE:** Saving email to a pickup folder is the fastest and most reliable delivery method. Use this +:::note +Saving email to a pickup folder is the fastest and most reliable delivery method. Use this option if your mail server supports pickup folders. +::: + The Password Policy Enforcer Mailer sends emails at 2:00 AM every day (local time on your server). Check the Windows Application Event Log to monitor its progress. You can also run the Password Policy Enforcer Mailer from the command line to send email immediately, or to troubleshoot problems. -**NOTE:** You can change the time the mailer runs. Set the **PPE Mailer** service startup to +:::note +You can change the time the mailer runs. Set the **PPE Mailer** service startup to **Disabled** or **Manual**, then stop the service. Create a task to run "**PPEMail /send**" at the desired time. +::: + #### License 
diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md index 74a722a31e..69e590d26b 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md @@ -151,8 +151,11 @@ context menu items are also available when you are editing a policy. users who do not have a specific policy assigned. **Default** is indicated in the policy list. The context menu changes to **Remove Default**. -**NOTE:** If you assign a different policy as the default you are prompted that an existing default +:::note +If you assign a different policy as the default you are prompted that an existing default is set. +::: + ## Rename @@ -188,8 +191,11 @@ specified. **Step 3 –** Assign this policy to the users who do not have to comply with any Password Policy Enforcer rules. -**CAUTION:** If Password Policy Enforcer has only one policy and that policy is also the default +:::warning +If Password Policy Enforcer has only one policy and that policy is also the default policy, then Password Policy Enforcer enforces the policy for all users. +::: + The Password Policy Client and Password Policy Server communicate over UDP port 1333 by default. If you need to change the default port, then type the new port number in the **Password Policy Server diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/messages.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/messages.md index 505af7f355..3cd936a06f 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/messages.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/messages.md 
@@ -19,9 +19,12 @@ Password Policy Client messages. ![Messages](/img/product_docs/passwordpolicyenforcer/11.0/administration/mesages2.webp) - **NOTE:** Start each custom message with two spaces, a hypen, and a space before your message so + :::note + Start each custom message with two spaces, a hypen, and a space before your message so the X and checks can appear for the rule. For example: " **- Include an upper case alpha character.**" The quotes are only there to illustrate the message. + ::: + - Rejection Reason – Displays why an intended password was rejected on clients that have the Netwrix Password Policy Enforcer Client installed @@ -56,5 +59,8 @@ Reason, and Generic rejection messages for any of the components you want to use **Step 7 –** Click **Save** and review your changes in the Preview area. Click **Save** f you edit the message. -**NOTE:** If you do not see the **Preview**, contact your network administrator to set up the +:::note +If you do not see the **Preview**, contact your network administrator to set up the firewall to allow Password Policy Enforcer to communicate. + +::: diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/passphrases.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/passphrases.md index 0f998d6f99..73c4c74c1f 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/passphrases.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/passphrases.md 
@@ -36,6 +36,9 @@ accepts passphrases that comply with all enabled rules, irrespective of the comp ensures that passphrases can be used, even if they do not meet the compliance level when Password Policy Enforcer is configured to disable one or more rules for passphrases. -**NOTE:** Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can +:::note +Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can be weaker than a well-chosen password. Do not disable too many rules under the assumption that length alone makes up for the reduced complexity. + +::: diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/policy_properties.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/policy_properties.md index 5b485d666e..7330c0afe1 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/policy_properties.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/policy_properties.md @@ -29,9 +29,12 @@ Select the **Default characters set**. The default value (Netwrix Password Polic users to comply with rules that use the Password Policy Enforcer character set. Choose the alternate option (Windows) to have users comply with rules that use the Windows character set. -**NOTE:** Only Password Policy Enforcer 10.0 and higher contain the Windows character set. Password +:::note +Only Password Policy Enforcer 10.0 and higher contain the Windows character set. Password Policy Enforcer 9, Netwrix Password Reset and Password Policy Enforcer/Web 7 (and older for all products) always use the Password Policy Enforcer character set. +::: + - Some languages such as Japanese do not distinguish between uppercase and lowercase. These characters are in the Windows Alpha set, but not in the Upper or Lower sets. 
@@ -65,14 +68,20 @@ The user logon name and new password are sent to the program as command-line par example, if you add the commands below to a batch file, Password Policy Enforcer records each user's logon name and new password in a text file named **passwords.txt**: -echo Username: %1 >> c:\passwords.txt +**echo Username: %1 >> c:\passwords.txt** echo Password: %2 >> c:\passwords.txt -**CAUTION:** This script is shown as an example only. You should not store user passwords. +:::warning +This script is shown as an example only. You should not store user passwords. +::: + The command can now include the [USERNAME] and [PASSWORD] macros. If neither is specified, then the command is executed with both parameters to maintain compatibility with existing programs/scripts. -**_RECOMMENDED:_** Use the [USERNAME] parameter if the password is not needed by the program/script +:::info +Use the [USERNAME] parameter if the password is not needed by the program/script so that the password is not unnecessarily sent to the change notification command/script. + +::: diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/character_rules.md index 9683f878cc..d41945ec9f 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/character_rules.md 
@@ -18,9 +18,12 @@ use the Character rules with their default character sets, or define your own. B Password Policy Enforcer selects the Password Policy Enforcer character on the [Set Priorities](/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md#set-priorities) page. -**NOTE:** Only Password Policy Enforcer 11 and higher will contain the Windows character set. +:::note +Only Password Policy Enforcer 11 and higher will contain the Windows character set. Password Policy Enforcer 9, Netwrix Password Reset3 and Password Policy Enforcer Web 7 (and older for all products) use the Password Policy Enforcer character set. +::: + Select the **Characters (Granular)** check box to enable the Characters rule. @@ -59,9 +62,12 @@ embedded numeric characters, but these passwords do contain embedded numeric cha bold type): "he**7**llo", "4he**3**llo", "23hello**7**$45". Embedded numeric and special characters can help to protect passwords from cracking attacks. -**NOTE:** The First Character, Last Character, and Complexity rules are easier to configure, and +:::note +The First Character, Last Character, and Complexity rules are easier to configure, and easier for users to understand. Use these rules instead of the Character rules if they can enforce your desired policy. +::: + You can customize character sets with the Characters option for a selected set. diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md index 61f1713751..64304ec061 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md 
@@ -25,8 +25,11 @@ changing the Reject passwords that do not comply with value in the Policy Proper mandatory rule can still be disabled when a passphrase is used. See the [Passphrase](/docs/passwordpolicyenforcer/11.0/admin/manage-policies/passphrases.md) topic for additional information. -**NOTE:** The Complexity rule uses custom character set definitions from the Character rules, even +:::note +The Complexity rule uses custom character set definitions from the Character rules, even if the Character rules are disabled. +::: + This default character set contains the following: diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/compromised_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/compromised_rule.md index 368df99438..a69ed24e51 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/compromised_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/compromised_rule.md @@ -16,8 +16,11 @@ Select the **Compromised** check box to enable the Compromised rule. You can browse to your compromised passwords base files or type a path into the text box. The path can contain environment variables like -**CAUTION:** %SystemRoot%. hash files should only be read from a local disk. Using shared hash files +:::warning +%SystemRoot%. hash files should only be read from a local disk. Using shared hash files degrades performance, and could jeopardize security. +::: + See the [HIBP Updater](/docs/passwordpolicyenforcer/11.0/installation/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) database usage. diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md index bd214e004b..1166bee621 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md 
+++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md @@ -66,9 +66,12 @@ can contain environment variables like %SystemRoot%. A sample dictionary is inst \Program Files (x86)\Password Policy Enforcer\ folder. The dictionary file should be read from a local disk. Using a shared dictionary degrades performance, and could jeopardize security. -**NOTE:** The `\Program Files (x86)\` folder does not exist on 32-bit Windows, so move the +:::note +The `\Program Files (x86)\` folder does not exist on 32-bit Windows, so move the dictionary into the `\Program Files\Password Policy Enforcer\` folder if you have 32-bit and 64-bit computers sharing a common Password Policy Enforcer configuration. +::: + Click the **Sort** button if the dictionary file is being used with Password Policy Enforcer for the first time, or if words have been added to the file since it was last sorted. The Password Policy @@ -91,8 +94,11 @@ The custom dictionary should meet the following requirements: 2. All words are capitalized. 3. The sort button is pressed after pointing to a file in the dictionary rule. -**NOTE:** If you are using a custom dictionary, please provide a different filename. The default +:::note +If you are using a custom dictionary, please provide a different filename. The default dictionary file (dict.txt) may be replaced during an upgrade. +::: + ## Dictionary File Replication diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/history_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/history_rule.md index df064ac61b..158f20f305 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/history_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/history_rule.md 
@@ -30,10 +30,13 @@ so a domain controller that can handle 1,000 password changes a minute with SHA- to handle 250 password changes a minute with Argon2. All numbers are approximate. Use Argon2 if your domain controllers can handle the load. -**NOTE:** Changing the **Hash function** does not modify existing history records. It sets the +:::note +Changing the **Hash function** does not modify existing history records. It sets the function to be used for new password history records. If a user has Argon2 and SHA-256 hashes in their password history, then Password Policy Enforcer calculates both the Argon2 and SHA-256 hashes during a password change to ensure the new password is not in the password history. +::: + The History rule is normally not enforced when a password is reset. Select the **Enforce this rule when a password is reset** check box to override the default behavior. You must also select the @@ -42,7 +45,10 @@ when a password is reset. Click the **Messages** tab to customize the Password Policy Client rule inserts. -**NOTE:** The History rule is not enforced when testing passwords from the Test Policies page. +:::note +The History rule is not enforced when testing passwords from the Test Policies page. +::: + Password Policy Enforcer updates a user's password history whenever their password changes. The password history is updated even if Password Policy Enforcer or the assigned policy is disabled. A 
@@ -56,11 +62,14 @@ password history, or configure Password Policy Enforcer to use an existing attri Disable Password Policy Enforcer's History rule if you do not want Password Policy Enforcer to store the password history. -**NOTE:** Password Policy Enforcer does not store passwords in the password history, it only stores +:::note +Password Policy Enforcer does not store passwords in the password history, it only stores the Argon2 or SHA-256 hashes. A salt protects the hashes from precomputed attacks, including rainbow tables. If you do not want Password Policy Enforcer to store a password history, then leave the History rule disabled. You can use the Windows History rule together with Password Policy Enforcer's other rules to enforce your password policy. +::: + Password Policy Enforcer can store up to 100 password hashes for each user, but it only stores the minimum needed to enforce the current password policy. For example, if Password Policy Enforcer is 
@@ -89,13 +98,16 @@ history in a new or existing attribute. A new attribute is recommended, but you attribute if you do not want to extend the AD schema. An AD attribute is only needed for domain user accounts because the password history for local user accounts is stored in the registry. -**CAUTION:** Password Policy Enforcer's password history attribute is confidential to stop +:::warning +Password Policy Enforcer's password history attribute is confidential to stop authenticated users from accessing the password history of other users. See the Microsoft Article [Mark an attribute as confidential in Windows Server 2003 Service Pack 1](http://support.microsoft.com/kb/922836) Microsoft article for additional information. Confidential attributes have additional protection in Active Directory, but they are not as well protected as the Windows password history attributes. There is a higher risk of unauthorized access to the password history if it is stored outside the Windows password history attributes. +::: + Follow the steps below to create a new Active Directory attribute for the password history. @@ -104,11 +116,11 @@ a member of the Schema Admins group. **Step 2 –** Open a Command Prompt window to the Password Policy Enforcer installation folder. -(\Program Files (x86)\Password Policy Enforcer\) +**(\Program Files (x86)\Password Policy Enforcer\)** **Step 3 –** Type the following command: -: ldifde -i -f History.ldf -c "DC=X" "DC=yourdomain,DC=yourdomain" +**: ldifde -i -f History.ldf -c "DC=X" "DC=yourdomain,DC=yourdomain"** Replacing the last parameter with your domain's DN. 
@@ -133,7 +145,8 @@ administrator accesses the password history they might be able to extract the ha but they cannot extract the passwords directly because the password history does not contain any passwords. -**CAUTION:** The password history of a local user account is not automatically deleted when the user +:::warning +The password history of a local user account is not automatically deleted when the user account is deleted. If a local user account is deleted, then another local user account is created on the same computer with the same username, the new user will inherit the deleted user's password history. The default registry permissions stop users from accessing their own password history, so @@ -144,3 +157,5 @@ user's current password is validated, and the Windows Minimum Age rule is enforc password history is checked, so every compliant and incorrect password guessed will overwrite one hash in the password history. This information applies only to local user accounts. The password history for domain user accounts is deleted when users are deleted. + +::: diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/maximum_age_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/maximum_age_rule.md index 0e38321617..1e18b0e117 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/maximum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/maximum_age_rule.md 
@@ -24,7 +24,8 @@ required number of characters do not expire until the second (higher) days value values are identical, then passwords will expire after the specified number of days, irrespective of length. -**NOTE:** When the Maximum Age rule is configured to delay the expiry of longer passwords, it +:::note +When the Maximum Age rule is configured to delay the expiry of longer passwords, it creates an Active Directory security group called "PPE Extended Maximum Age Users". Password Policy Enforcer uses this group to identify which users are eligible for a delayed password expiry. Users are added and removed from the group automatically. You can move and rename this group, but do not @@ -33,6 +34,8 @@ name. Change a Password Policy Enforcer configuration setting (any setting) afte the group to trigger a cache update in Password Policy Enforcer. Password Policy Enforcer recreates this group if you delete it. To stop creating a group, make the two days values equal in all policies. +::: + Choose a value from the Mode drop-down list to specify how Password Policy Enforcer handles expired passwords. The Standard mode forces all users with expired passwords to change their password during 
@@ -55,12 +58,15 @@ Users with expired passwords are always prompted to change their password, even and Warning modes. Users can ignore the prompt to change their password unless they are being forced to change it. -**NOTE:** The password expiry prompt is a Windows client feature, and is displayed even if the +:::note +The password expiry prompt is a Windows client feature, and is displayed even if the Password Policy Client is not installed. Windows clients display the prompt 5 days before passwords expire by default. You can alter this behavior in the Windows Group Policy security settings. See the [Interactive logon: Prompt user to change password before expiration](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration) Microsoft article for additional information. +::: + Password Policy Enforcer expires passwords at 1:00 AM every day on the domain controller holding the PDC emulator operations master role. It sets "User must change password at next logon" for users diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/minimum_age_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/minimum_age_rule.md index 3d887ec3b7..691601e932 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/minimum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/minimum_age_rule.md 
@@ -15,13 +15,16 @@ Select the **Age (Min)** check box to enable the Minimum Age rule. Select the number of days before a user can change their password. -**NOTE:** The Minimum Age rule is unique because users cannot comply with it by choosing a different +:::note +The Minimum Age rule is unique because users cannot comply with it by choosing a different password; they must wait until the required number of days has elapsed. The Password Policy Client consequently handles rejections by this rule differently to other rules. Rather than displaying the usual message components, the Password Policy Client only displays the Minimum Age rule's Reason insert. See [Password Policy Client](/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/password_policy_client.md) topic for additional information. The Rejection Reason template, macros, and inserts from other rules are not displayed when a password change is denied by the Minimum Age rule. +::: + The Minimum Age rule is not enforced during policy testing, but the test log does show the user's password age. A log entry is also added if the Minimum Age rule would have rejected the password diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/usersgroups.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/usersgroups.md index 3ac22d64bb..221d00a97d 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/usersgroups.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/usersgroups.md 
@@ -41,8 +41,11 @@ child OUs. If this behavior is not desired, then you can assign a different poli ![managing_policies_3](/img/product_docs/passwordpolicyenforcer/11.0/administration/managing_policies_3.webp) -**NOTE:** Different assignment types can be used for a single policy. For example, you may assign +:::note +Different assignment types can be used for a single policy. For example, you may assign users to a policy by both OU and group at the same time. +::: + As you assign users and groups to the policy, they are displayed on the page. diff --git a/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/configuring_the_password_policy_client.md b/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/configuring_the_password_policy_client.md index fcbc08cf85..edae6fd28a 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/configuring_the_password_policy_client.md +++ b/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/configuring_the_password_policy_client.md @@ -21,7 +21,7 @@ Client. You can use Active Directory GPOs to configure many computers, or the Lo Editor to configure one computer. The Password Policy Client configuration is stored in the HKLM\SOFTWARE\Policies\ANIXIS\Password Policy Client\ registry key. -Install the Password Policy Client Administrative Template +**Install the Password Policy Client Administrative Template** **Step 1 –** Connect to any Domain Controller where you have Password Policy Enforcer installed and have the group policy management console available. 
@@ -88,8 +88,11 @@ Windows 10 and 11. **Step 1 –** Use the **Group Policy Management Console** (gpmc.msc) to display the GPOs linked at the domain level. -**NOTE:** If you are not using Active Directory, then open the Local Group Policy Editor +:::note +If you are not using Active Directory, then open the Local Group Policy Editor (**gpedit.msc**) and skip step 2. +::: + **Step 2 –** Right-click the **Password Policy Client GPO**, then click the **Edit...** button.
@@ -100,4 +103,7 @@ Templates**, **Classic Administrative Templates** (**ADM**), **Password Policy E **Step 4 –** Double-click the **Display settings (Windows 10)** setting in the right pane of the Group Policy Management Editor. -**NOTE:** Information about each option is shown in the Help box. +:::note +Information about each option is shown in the Help box. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/password_policy_client.md b/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/password_policy_client.md
index 5ff360b3f1..79dda7d338 100644
--- a/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/password_policy_client.md
+++ b/docs/passwordpolicyenforcer/11.0/admin/password-policy-client/password_policy_client.md
@@ -22,5 +22,8 @@ The Password Policy Client displays the password policy during a password change see the policy while they choose their password. The Password Policy Client also displays a detailed rejection message to explain why a password was rejected. Both these messages are customizable. -**NOTE:** The Password Policy Client does not modify any Windows system files. It also does not send +:::note +The Password Policy Client does not modify any Windows system files. It also does not send passwords or password hashes over the network. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md b/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md
index 6c77403e11..6fdcce5235 100644
--- a/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md +++ b/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md @@ -26,16 +26,22 @@ The PPE Tool installs with the default installation of Password Policy Enforcer allows users to perform a number of operations related to Password Policy Enforcer functionality which are described in the table below. -**NOTE:** All PPE Tool operations can be executed from the Command Prompt, if run with administrator +:::note +All PPE Tool operations can be executed from the Command Prompt, if run with administrator rights. +::: + ### PPE Tool Operations -**_RECOMMENDED:_** PPE Tool operations should only be executed one at a time. For example, you +:::info +PPE Tool operations should only be executed one at a time. For example, you should not execute the /e (Export) and /i (Import) operations simultaneously; you should not run /e (Export) and /r (Report) operations simultaneously. +::: + -Common PPE Tool Operations +**Common PPE Tool Operations** | Operation | Operation Name | Operation Description | | --------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -96,13 +102,13 @@ The `` tag can also contain the child `` tag. This tag can have an o #### Example of 'value' mode -Original configuration +**Original configuration** ```xml 1 ``` -Transform configuration +**Transform configuration** ```xml
@@ -114,7 +120,7 @@ Transform configuration ``` -Transformation result +**Transformation result** ```xml
@@ -128,11 +134,11 @@ Transformation result #### Example of 'combined' mode -Original configuration +**Original configuration** `25` -Transformation configuration +**Transformation configuration** ```xml
@@ -148,7 +154,7 @@ Transformation configuration ``` -Result human-readable report +**Result human-readable report** ```xml
diff --git a/docs/passwordpolicyenforcer/11.0/admin/systemaudit.md b/docs/passwordpolicyenforcer/11.0/admin/systemaudit.md
index 27499d4d95..dc15ed67a2 100644
--- a/docs/passwordpolicyenforcer/11.0/admin/systemaudit.md
+++ b/docs/passwordpolicyenforcer/11.0/admin/systemaudit.md
@@ -25,8 +25,11 @@ configuration setting. System Audit and Support opens on the **Version Tracker** Click **Run test**. The audit reports the discovered domain controllers and versions. -**NOTE:** If you do not see the **Configuration Timestamp**, contact your network administrator to +:::note +If you do not see the **Configuration Timestamp**, contact your network administrator to set up the firewall to allow Password Policy Enforcer to communicate. +::: + ![System Audit results](/img/product_docs/passwordpolicyenforcer/11.0/administration/systemauditversion.webp)
@@ -34,9 +37,12 @@ You can click the export icon to download your results. The file name is **Audit\_\_**timestamp**\_.xlxs**, it is downloaded into the default **Downloads** folder. For large domains, you can apply filters or use the Search feature to make it easier to navigate your list. -**NOTE:** **Debug logging** should only be enabled when you are actively debugging your system. +:::note +**Debug logging** should only be enabled when you are actively debugging your system. Leaving it enabled impacts Password Policy Enforcer performance and uses free disk space to create the logs. +::: + ## Support Tools
@@ -55,7 +61,10 @@ and open the property editor. the **PPEExport.xml** file. Click **Open**. A status message is displayed when complete. - **Open Property Editor** launches the Property Editor. - **NOTE:** Properties should only be changed when advised by Netwrix Support. + :::note + Properties should only be changed when advised by Netwrix Support. + ::: + ### Property Editor
@@ -64,7 +73,7 @@ be used instructed by Netwrix Support. It is accessed from the Configuration Con **Help** > **Open Property Editor** -or +**or** **System Audit and Support** > **Support Tools** > **Open editor**
diff --git a/docs/passwordpolicyenforcer/11.0/evaluation/enforcing_multiple_policies.md b/docs/passwordpolicyenforcer/11.0/evaluation/enforcing_multiple_policies.md
index 0a5c9218c9..186fe6eda1 100644
--- a/docs/passwordpolicyenforcer/11.0/evaluation/enforcing_multiple_policies.md
+++ b/docs/passwordpolicyenforcer/11.0/evaluation/enforcing_multiple_policies.md
@@ -70,6 +70,9 @@ Active Directory Users and Computers console, or the Local Users and Groups cons changes and resets for the **PPETestUser** and **PPETestAdmin** accounts. Password Policy Enforcer should enforce the Eval policy for **PPETestUser**, and the Admins policy for **PPETestAdmin**. -**NOTE:** The [Set Priorities](/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md#set-priorities) topic contains +:::note +The [Set Priorities](/docs/passwordpolicyenforcer/11.0/admin/manage-policies/manage_policies.md#set-priorities) topic contains more information about policy assignments, and how Password Policy Enforcer resolves policy assignment conflicts that occur when more than one policy is assigned to a user. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/evaluation/evaluation_overview.md b/docs/passwordpolicyenforcer/11.0/evaluation/evaluation_overview.md
index e0e2dc7947..3d9531b96b 100644
--- a/docs/passwordpolicyenforcer/11.0/evaluation/evaluation_overview.md
+++ b/docs/passwordpolicyenforcer/11.0/evaluation/evaluation_overview.md
@@ -18,5 +18,8 @@ Unlike password cracking products that check passwords after they are accepted b system, Password Policy Enforcer checks new passwords immediately to ensure that weak passwords do not jeopardize system security. -**NOTE:** You can also use Password Policy Enforcer to ensure that passwords are compatible with +:::note +You can also use Password Policy Enforcer to ensure that passwords are compatible with other systems, and to synchronize passwords with other systems and applications. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/evaluation/testing_the_password_policy.md b/docs/passwordpolicyenforcer/11.0/evaluation/testing_the_password_policy.md
index 878f31c6aa..5e75c01984 100644
--- a/docs/passwordpolicyenforcer/11.0/evaluation/testing_the_password_policy.md
+++ b/docs/passwordpolicyenforcer/11.0/evaluation/testing_the_password_policy.md
@@ -37,10 +37,13 @@ rule. Click **View log** to expand Password Policy Enforcer's internal event log. The information in the event log can help you to understand why Password Policy Enforcer accepted or rejected a password. -**NOTE:** Policy testing simulates a password change, but it may not always reflect what happens +:::note +Policy testing simulates a password change, but it may not always reflect what happens when a user changes their password. See the [Policy Testing vs. Password Changes](/docs/passwordpolicyenforcer/11.0/admin/manage-policies/testpolicy.md#policy-testing-vs-password-changes) topic for additional information. +::: + ## Windows Change Password Screen
@@ -98,9 +101,12 @@ Follow the steps below to test password policies from these consoles. **Step 4 –** Click **OK**. -**NOTE:** These consoles do not explain why a password was rejected. Use the Password Policy +:::note +These consoles do not explain why a password was rejected. Use the Password Policy Enforcer configuration console, or the Change Password screen with the Password Policy Enforcer Client installed to see this information. +::: + Here are some sample passwords and expected test results when the Users policy is enforced. Try to change the password for the PPETestUser account to confirm that Password Policy Enforcer is
@@ -127,5 +133,8 @@ password policy, but this highlights some weaknesses in this policy: These three passwords are only marginally stronger than the rejected passwords. The next section shows you how to improve the password policy so Password Policy Enforcer rejects these passwords. -**NOTE:** Contact Netwrix support[ ](mailto:support@anixis.com)if Password Policy Enforcer is not +:::note +Contact Netwrix support[ ](mailto:support@anixis.com)if Password Policy Enforcer is not working as expected. We can help you resolve the problem. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/gettingstarted.md b/docs/passwordpolicyenforcer/11.0/gettingstarted.md
index 0204436fcf..2979b60fcd 100644
--- a/docs/passwordpolicyenforcer/11.0/gettingstarted.md
+++ b/docs/passwordpolicyenforcer/11.0/gettingstarted.md
@@ -42,11 +42,11 @@ Create the **Compromised Passwords Base** prior to enabling the Compromised Pass ## Exclude PPE Files from AntiVirus Checks -Domain Controller +**Domain Controller** **PPE.DLL** if this file does not load, the password policy is not enforced. -Clients +**Clients** **PPEClt.dll** and **APRClt.dll** if either of these files are blocked, the client does not run.
diff --git a/docs/passwordpolicyenforcer/11.0/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.0/installation/disable_windows_rules.md
index 89375af92a..52092fb843 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/disable_windows_rules.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/disable_windows_rules.md
@@ -42,7 +42,10 @@ Settings**, **Account Policies**, and **Password Policy** items. ![installing_ppe_3](/img/product_docs/passwordpolicyenforcer/11.0/evaluation/preparing_the_computer.webp) -**NOTE:** You do not have to disable all the Windows password policy rules to use Password Policy +:::note +You do not have to disable all the Windows password policy rules to use Password Policy Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you like. Just remember that a password is only accepted if it complies with the rules enforced by both Windows and Password Policy Enforcer. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/installation/hibpupdater.md b/docs/passwordpolicyenforcer/11.0/installation/hibpupdater.md
index 7aab8892a4..8e6d3506d7 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/hibpupdater.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/hibpupdater.md
@@ -32,11 +32,14 @@ location. The HIBP Updater is installed when you install the Password Policy Enforcer Configuration Console. -**_RECOMMENDED:_** Only run this from one server. +:::info +Only run this from one server. +::: + **Step 1 –** To access the HIBP Updater, navigate to the installation location: -...\Program Files\Password Policy Enforcer\HIBP\ +**...\Program Files\Password Policy Enforcer\HIBP\** ![hibpfolder](/img/product_docs/passwordpolicyenforcer/11.0/administration/hibpfolder.webp)
@@ -48,18 +51,24 @@ Password Policy Enforcer utilizes the Passwords Hash database to check if users password (i.e. during a password reset) matches the hash of a compromised password from a data breach. -**NOTE:** First-time configuration of this window requires downloading the HIBP database from the +:::note +First-time configuration of this window requires downloading the HIBP database from the Netwrix website. +::: + ![HIBP Updater](/img/product_docs/passwordpolicyenforcer/11.0/administration/hibpupdater.webp) -**CAUTION:** Ensure the initial update of the database occurs during non-office hours. Due to the +:::warning +Ensure the initial update of the database occurs during non-office hours. Due to the size of the hash file, this download takes up a significant amount of CPU and download time. +::: + - Passwords Hash Database Folder – Central location of the Pwned database on the application server. The default path is: - …\HIBP\DB +**…\HIBP\DB** - Update Type:
@@ -68,10 +77,13 @@ size of the hash file, this download takes up a significant amount of CPU and do instead of downloading the full HIBP database. This option is enabled after a full download of the HIBP database has completed. - **NOTE:** Only the full HIBP database file obtained from the Netwrix website has version + :::note + Only the full HIBP database file obtained from the Netwrix website has version information. That full HIBP database file can be obtained using the Website option. Alternately, the HIBP database can be obtained outside of the application by downloading it directly from the Netwrix website using an FTP connection: + ::: + - [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip) - [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt)
@@ -102,7 +114,7 @@ files. Copy the hash files into the Sysvol share on one domain controller, and t System will copy the files into the Sysvol share of all other domain controllers. Configure the Compromised rule to read the files from: -\\127.0.0.1\sysvol\your.domain\filename.db +**\\127.0.0.1\sysvol\your.domain\filename.db** See the [Compromised Rule](/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/compromised_rule.md) topic for additional information.
@@ -112,8 +124,11 @@ local policies. If you are using Password Policy Enforcer for local policies and to receive hash file updates, then use the Sysvol share for file replication and a script or scheduled task to copy the file to a local folder. -**CAUTION:** %SystemRoot%. hash files should only be read from a local disk. Using shared hash files +:::warning +%SystemRoot%. hash files should only be read from a local disk. Using shared hash files degrades performance, and could jeopardize security. +::: + ## Scheduler
diff --git a/docs/passwordpolicyenforcer/11.0/installation/installationclient.md b/docs/passwordpolicyenforcer/11.0/installation/installationclient.md
index 231bbff03c..2e84272720 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/installationclient.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/installationclient.md
@@ -48,9 +48,12 @@ and clicking the **Change a password** item. If you do not see the password poli because a Password Policy Enforcer policy has not been assigned to you, or because the firewall rules have not been created. -**NOTE:** The Password Policy Client does not store or send passwords or password hashes over the +:::note +The Password Policy Client does not store or send passwords or password hashes over the network. An attacker cannot determine user passwords by sniffing the communication protocol. The protocol is also encrypted by default for additional protection. +::: + ## Creating Firewall Rules for the Password Policy Client
@@ -72,7 +75,10 @@ the Domain Controllers OU. **Step 2 –** Right-click the **Password Policy Enforcer GPO**, and then click **Edit...**. -**NOTE:** You need to create the GPO if you chose the Express Setup option. +:::note +You need to create the GPO if you chose the Express Setup option. +::: + **Step 3 –** Expand the **Computer Configuration**, **Policies**, **Administrative Templates**, **Network**, **Network Connections**, and **Windows Firewall** items.
@@ -121,5 +127,8 @@ Password Policy Client: | Destination address | Client Computer IP address | | Destination port | Any | -**NOTE:** If your firewall performs Stateful Packet Inspection, then only create a rule for the +:::note +If your firewall performs Stateful Packet Inspection, then only create a rule for the request datagram as the firewall automatically recognizes and allows the response datagram. + +:::
diff --git a/docs/passwordpolicyenforcer/11.0/installation/installationgpm.md b/docs/passwordpolicyenforcer/11.0/installation/installationgpm.md
index 65daf77758..0b77218381 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/installationgpm.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/installationgpm.md
@@ -59,8 +59,11 @@ button. **Step 4 –** Enter the full **UNC path** to your **msi** files. -**NOTE:** You must enter a UNC path so that other computers can access this file over the network. +:::note +You must enter a UNC path so that other computers can access this file over the network. For example: \\file server\distribution point share\Netwrix*PPE\_\_version*.msi +::: + **Step 5 –** Click **Open**.
diff --git a/docs/passwordpolicyenforcer/11.0/installation/installationserver.md b/docs/passwordpolicyenforcer/11.0/installation/installationserver.md
index e124758b38..db5fd6ed39 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/installationserver.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/installationserver.md
@@ -33,8 +33,11 @@ folder. See the [Install with Group Policy Management](/docs/passwordpolicyenfor details. You can also install/uninstall the products using command line [Silent Installation](/docs/passwordpolicyenforcer/11.0/admin/command_line_interface.md#silent-installation). -**NOTE:** Continue with these steps to install one or more features on your current server or domain +:::note +Continue with these steps to install one or more features on your current server or domain controller. You must repeat these steps for each server where the features are installed. +::: + **Step 3 –** Click on the **Netwrix_PPE_Server**version**x64.msi** installation package. The installer is launched.
diff --git a/docs/passwordpolicyenforcer/11.0/installation/installationweb.md b/docs/passwordpolicyenforcer/11.0/installation/installationweb.md
index a445f5263d..7050834456 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/installationweb.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/installationweb.md
@@ -38,7 +38,10 @@ Enforcer Web documentation and tools, then click **Next**. **Step 6 –** Select an **IIS Web Site** from the dropdown. Change the default Virtual Directory, if needed. -**NOTE:** Password Policy Enforcer Web should be installed in its own virtual directory. +:::note +Password Policy Enforcer Web should be installed in its own virtual directory. +::: + **Step 7 –** Click **Next** twice.
@@ -55,13 +58,19 @@ The HTML templates and associated images are overwritten during an upgrade. You customized HTML templates and images before upgrading. The HTML templates and images are installed in the `\Inetpub\wwwroot\ppeweb\` folder by default. -**NOTE:** A full backup of the PPE Web server is recommended. This allows you to roll back to the +:::note +A full backup of the PPE Web server is recommended. This allows you to roll back to the previous version if the upgrade cannot be completed. You may need to restart Windows after upgrading. +::: + -**CAUTION:** PPE Web V7.11 is only compatible with Password Policy Enforcer V7.0 and later. Upgrade +:::warning +PPE Web V7.11 is only compatible with Password Policy Enforcer V7.0 and later. Upgrade Password Policy Enforcer to a compatible version if you have enabled Password Policy Enforcer integration. +::: + #### Upgrading to V7.11
diff --git a/docs/passwordpolicyenforcer/11.0/installation/upgrading.md b/docs/passwordpolicyenforcer/11.0/installation/upgrading.md
index d7e93ca50f..f62d9c6307 100644
--- a/docs/passwordpolicyenforcer/11.0/installation/upgrading.md
+++ b/docs/passwordpolicyenforcer/11.0/installation/upgrading.md
@@ -13,7 +13,7 @@ upgrading older versions You can also install/uninstall the products using command line [Silent Installation](/docs/passwordpolicyenforcer/11.0/admin/command_line_interface.md#silent-installation). -Upgrading the Password Policy Server +**Upgrading the Password Policy Server** The Password Policy Enforcer installer detects existing installations and upgrades them to 11. See the [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/installation/installationserver.md) topic for additional
@@ -21,16 +21,19 @@ information. If you are performing an automated installation with Group Policy, **.msi** installer files to the same Group Policy Object used to install the older version. See the [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/installation/installationgpm.md) topic for additional information. -**NOTE:** Upgrade all your servers and domain controllers. Configuration changes performed with the +:::note +Upgrade all your servers and domain controllers. Configuration changes performed with the new version do not affect servers running an older version. If you have multiple versions, you must make configuration changes in both configuration consoles until all domain controllers are upgraded to 11. Failure to do so may lead to inconsistent enforcement of the password policy. +::: + Open the [License](/docs/passwordpolicyenforcer/11.0/admin/configconsole.md#license) settings on the Configuration Console after an upgrade to check your license details. Password Policy Enforcer reverts to a 30-day evaluation license if it cannot import the license key. -Upgrading the Password Policy Client +**Upgrading the Password Policy Client** The Password Policy Client installer detects existing installations and upgrades them to 11. See the [Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/installation/installationclient.md)[Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/installation/installationclient.md) 
@@ -42,12 +45,12 @@ The Password Policy Enforcer 11 Password Policy Server is backwards compatible w V9.x Password Policy Client. You are not required to update the Password Policy Clients, but it is recommended. -Upgrading the Mailer +**Upgrading the Mailer** The Password Policy Enforcer installer detects existing installations of the Password Policy Enforcer Mailer and upgrades them to 11. See the [Install Mailer Service](/docs/passwordpolicyenforcer/11.0/installation/installationmailer.md) topic for additional information. -Upgrade Notes +**Upgrade Notes** - Versions 9.x and above do not support perpetual license keys.
diff --git a/docs/passwordpolicyenforcer/11.0/web-overview/configuration.md b/docs/passwordpolicyenforcer/11.0/web-overview/configuration.md
index af58045e9e..0b05e181f7 100644
--- a/docs/passwordpolicyenforcer/11.0/web-overview/configuration.md
+++ b/docs/passwordpolicyenforcer/11.0/web-overview/configuration.md
@@ -22,7 +22,7 @@ When Password Policy Enforcer Web is first installed, the Domain List is empty a their domain name. You can configure Password Policy Enforcer Web to display a list of domains instead of an empty text box. -Add Domain +**Add Domain** Follow the steps below to add a domain to the list.
@@ -32,11 +32,14 @@ Follow the steps below to add a domain to the list. **Step 3 –** Click **OK**, the click **Apply**. -**NOTE:** The most frequently used domain should be first in the list as it will be the default. You +:::note +The most frequently used domain should be first in the list as it will be the default. You can rearrange the domains by dragging them to another position. You can also click **Sort** to sort them alphabetically. +::: -Remove Domain + +**Remove Domain** Follow the steps below to remove a domain from the list.
@@ -63,10 +66,13 @@ controllers. You can also set the Port, Timeout, and number of Retries for the Password Policy Protocol if the defaults are not suitable. -**NOTE:** A Password Policy Enforcer Web license does not include a Password Policy Enforcer +:::note +A Password Policy Enforcer Web license does not include a Password Policy Enforcer license. Go to [netwrix.com/password_policy_enforcer](https://www.netwrix.com/password_policy_enforcer.html) to learn more about Password Policy Enforcer. +::: + ## About Tab
diff --git a/docs/passwordpolicyenforcer/11.0/web-overview/editing_html_templates.md b/docs/passwordpolicyenforcer/11.0/web-overview/editing_html_templates.md
index 45a335316e..96cd60972b 100644
--- a/docs/passwordpolicyenforcer/11.0/web-overview/editing_html_templates.md
+++ b/docs/passwordpolicyenforcer/11.0/web-overview/editing_html_templates.md
@@ -25,10 +25,13 @@ The other user interface files are language independent. Most of the formatting and some additional CSS for Internet Explorer is in ppeweb_ie.css. The image files are in the images folder. These files are installed into the `\Inetpub\wwwroot\ppeweb\` folder by default. -**NOTE:** Always backup the user interface files before and after editing them. Your changes may be +:::note +Always backup the user interface files before and after editing them. Your changes may be overwritten when Password Policy Enforcer Web is upgraded, and some changes could stop Password Policy Enforcer Web from working correctly. Web browsers display pages differently, so test your changes with several versions of the most popular browsers to ensure compatibility. +::: + The en_default.htm contains static HTML, but the other .htm files contain special comment tags that are used to prepare the pages. Some of these comments define ranges. A range looks like this:
@@ -62,8 +65,11 @@ for additional information. Do not modify the identifiers on the left, only edit right. Resource strings are always inside a range called RESOURCE_STRINGS. Password Policy Enforcer Web deletes this range before sending the page to the user's web browser. -**CAUTION:** You may rebrand the Password Policy Enforcer Web user interface, but it is a violation +:::warning +You may rebrand the Password Policy Enforcer Web user interface, but it is a violation of the License Agreement to modify, remove or obscure any copyright notice. +::: + ## Examples
@@ -192,8 +198,11 @@ width: 499px; Edit these properties to change the appearance of the error box. You may need to clear your web browser's cache to see the changes. -**NOTE:** Web browsers display pages differently, so test your changes with several versions of the +:::note +Web browsers display pages differently, so test your changes with several versions of the most popular browsers to ensure compatibility. +::: + ### Replace URLs to the Welcome Page
diff --git a/docs/passwordpolicyenforcer/11.0/web-overview/securing_web.md b/docs/passwordpolicyenforcer/11.0/web-overview/securing_web.md
index 10f323e446..40650d8be2 100644
--- a/docs/passwordpolicyenforcer/11.0/web-overview/securing_web.md
+++ b/docs/passwordpolicyenforcer/11.0/web-overview/securing_web.md
@@ -17,7 +17,10 @@ Password Policy Enforcer Web sends passwords to the domain controllers over a se you need to set up SSL (Secure Sockets Layer) encryption for the connection between the web browser and the web server. -**CAUTION:** Do not use Password Policy Enforcer Web on a production network without SSL encryption. +:::warning +Do not use Password Policy Enforcer Web on a production network without SSL encryption. +::: + You can use a self-signed certificate, but most organizations purchase certificates from a certificate authority. This is a recurring cost, and you will need to complete forms for the
diff --git a/docs/passwordpolicyenforcer/11.0/web-overview/using_web.md b/docs/passwordpolicyenforcer/11.0/web-overview/using_web.md
index 66c6d1caf6..383a77287c 100644
--- a/docs/passwordpolicyenforcer/11.0/web-overview/using_web.md
+++ b/docs/passwordpolicyenforcer/11.0/web-overview/using_web.md
@@ -22,14 +22,20 @@ You can also include the username and/or domain in the URL: `http://[server]/ppeweb/ppeweb.dll?username=maryjones&domain=ANIXIS` -**_RECOMMENDED:_** Install the SSL Certificate the web server and use the HTTPS protocol if Password +:::info +Install the SSL Certificate the web server and use the HTTPS protocol if Password Policy Enforcer Web will be used on an unencrypted network. See the [Install an SSL Certificate](/docs/passwordpolicyenforcer/11.0/web-overview/securing_web.md) topic for additional information. +::: -**NOTE:** A license reminder message is shown occasionally when Password Policy Enforcer Web is used + +:::note +A license reminder message is shown occasionally when Password Policy Enforcer Web is used without a license key. Contact Netwrix support if you would like to evaluate Password Policy Enforcer Web without the reminder message. +::: + ## Change Password
@@ -46,9 +52,12 @@ To change a password with Password Policy Enforcer Web: **Step 3 –** Enter the **Old Password**, **New Password**, and **Confirm Password**, then click **Next**. -**NOTE:** Windows increments the bad password count in Active Directory every time a user enters +:::note +Windows increments the bad password count in Active Directory every time a user enters their old password incorrectly. This may trigger a lockout if the Windows account lockout policy is enabled. +::: + ## Error Messages
diff --git a/docs/passwordpolicyenforcer/11.0/web-overview/what_new.md b/docs/passwordpolicyenforcer/11.0/web-overview/what_new.md
index 443e63fbbc..c2440acb69 100644
--- a/docs/passwordpolicyenforcer/11.0/web-overview/what_new.md
+++ b/docs/passwordpolicyenforcer/11.0/web-overview/what_new.md
@@ -6,20 +6,20 @@ sidebar_position: 10 # What's New -User Interface +**User Interface** - Displays a diagnostic message if the Password Policy Enforcer does not respond to a request. This is likely to happen if a domain controller is not running Password Policy Enforcer, or if a firewall is blocking access to the PPS port. -Compatibility +**Compatibility** - Compatible with Windows Server 2012 and 2012 R2 (as well as Windows Server 2003, 2003 R2, 2008, and 2008 R2). - Improved Setup Wizard to ensure that PPEWeb.dll is always added to the list of Web Service Extensions on Windows 2003 and 2003 R2 64-bit editions. -Other +**Other** - Uses the Password Policy Enforcer V7.x libraries for improved compatibility with new features in recent version of Password Policy Enforcer.
@@ -29,13 +29,16 @@ Other [Install Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/installation/installationweb.md) topic for additional information. -**NOTE:** PPE Web V7.11 integrates with Password Policy Enforcer V7.0 or later. Disable Password +:::note +PPE Web V7.11 integrates with Password Policy Enforcer V7.0 or later. Disable Password Policy Enforcer integration in the PPE Web Configuration console if you need to use PPE Web with an older version of Password Policy Enforcer. +::: + #### New in PPE Web V6.x (Previous Version) -User Interface +**User Interface** - Updated HTML Templates allow customization of all user interface elements including error messages.
@@ -45,12 +48,12 @@ User Interface - The Setup Wizard installs and configures PPE Web without the manual setup steps from earlier versions. -Compatibility +**Compatibility** - Compatible with Windows Server 2008 and 2008 R2 (as well as Windows Server 2003 and 2003 R2). - Compatible with 64-bit and 32-bit Windows editions. -Other +**Other** - Additional validation of all user input to improve security. - Can get user and domain names from URL parameters.
@@ -59,4 +62,7 @@ Other
 - Can be used without Password Policy Enforcer if Password Policy Enforcer's additional password policy controls are not needed.
-**NOTE:** PPE Web V6.0 integrates with Password Policy Enforcer V6.0 or later.
+:::note
+PPE Web V6.0 integrates with Password Policy Enforcer V6.0 or later.
+
+:::
diff --git a/docs/passwordpolicyenforcer/11.0/whatsnew.md b/docs/passwordpolicyenforcer/11.0/whatsnew.md
index 1ae1abb42d..d71c8bf9df 100644
--- a/docs/passwordpolicyenforcer/11.0/whatsnew.md
+++ b/docs/passwordpolicyenforcer/11.0/whatsnew.md
@@ -18,43 +18,43 @@ Password Policy Enforcer version 11.0.
 ## Password Policy Enforcer v11.0
-New: Redesigned UI
+**New: Redesigned UI**
 The user interface of the Management Console has been fully redesigned to reflect modern design standards and account for all the feedback our customers have given us throughout the years.
-New: PowerShell cmdlets
+**New: PowerShell cmdlets**
 Netwrix Password Policy Enforcer now includes a set of PowerShell cmdlets that enable administrators to easily manage policy, generate reports, and check the health of Netwrix Password Policy Enforcer from PowerShell in both interactive and automated ways.
-New: Support Tools
+**New: Support Tools**
 Additional support tools have been added to allow administrators to check the health of the Netwrix Password Policy Enforcer and audit the version of each installation from one location. This allows customers to quickly identify any problems and keep their Netwrix Password Policy Enforcer installation up to date.
-New: Updated Installer
+**New: Updated Installer**
 The Netwrix Password Policy Enforcer QuickStart Wizard has been replaced with MSI packages for easier installation and upgrade of the client and the server.
-New: Netwrix Password Policy Enforcer Web
+**New: Netwrix Password Policy Enforcer Web**
 PPE Web is now available to all licensed Password Policy Enforcer customers. PPE Web allows users to change their Windows domain passwords from a web browser and integrates with Netwrix Password Policy Enforcer to enforce customizable password policies and assist users in selecting compliant passwords.
-Enhancement: Updated policy templates
+**Enhancement: Updated policy templates**
 The out-of-the-box policy templates have been updated to reflect recent changes in different compliance standards. Old templates will still be available, and customers' current policies will not be changed as part of this update.
-Enhancement: Compatibility
+**Enhancement: Compatibility**
 - Deprecation of 32-bit server installations – The product now only supports 64-bit server installations.
From 409aafd065253a3f52035bead947a4d48b6e08f5 Mon Sep 17 00:00:00 2001 From: Hassaan Khan Date: Wed, 16 Jul 2025 14:02:20 +0500 Subject: [PATCH 2/3] nested tables fixed --- .../11.0/admin/compromisedpasswordcheck.md | 10 +- .../manage-policies/rules/complexity_rule.md | 19 +- .../manage-policies/rules/dictionary_rule.md | 54 +++++- .../11.0/admin/manage-policies/rules/rules.md | 178 ++++++++++++++++-- .../11.0/admin/ppe_tool.md | 39 ++-- 5 files changed, 250 insertions(+), 50 deletions(-)
diff --git a/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md b/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md
index 4ca5c37e49..ad449a95ff 100644
--- a/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md
+++ b/docs/passwordpolicyenforcer/11.0/admin/compromisedpasswordcheck.md
@@ -56,12 +56,10 @@ complete. You can schedule it for off hours instead of running it now.
 Here is an example of the compromised passwords list:
-| | | | | |
-| ----------------------------- | ------------- | ---------------------------------------------- | ----------------- | ---------------------------------------------------------------------------------- |
-| List of compromised passwords | | | | |
-| User | Account | Sid | Email | Description |
-| admin | Administrator | S-1-5-21-1006207104-1546379664-2458629591-500 | | Sending emails is not possible due to the lack of an email address in the account. |
-| user2 | user2 | S-1-5-21-1006207104-1546379664-2458629591-1118 | user2@company.com | Email has been sent |
+|User | Account | Sid | Email | Description |
+| --- | --- | --- | --- | --- |
+| admin | Administrator | S-1-5-21-1006207104-1546379664-2458629591-500 | | Sending emails is not possible due to the lack of an email address in the account. |
+| user2 | user2 | S-1-5-21-1006207104-1546379664-2458629591-1118 | user2@company.com | Email has been sent |
 #### Schedule the Compromised Password Check
diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md
index 64304ec061..e521678c59 100644
--- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md
+++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md
@@ -33,12 +33,13 @@ if the Character rules are disabled. This default character set contains the following: -| Rule | Default character set | -| ----------- | -------------------------------------------------- | -| Alpha Lower | Lowercase alphabetic (a - z) | -| Alpha Upper | Uppercase alphabetic (A - Z) | -| Alpha | Uppercase and lowercase alphabetic (a - z & A - Z) | -| Numeric | Numerals (0 - 9) | -| Special | All characters not included above | -| High | All characters above ANSI 126 | -| Custom | No default characters | +| Rule | Default character set | +| ----------- | ------------------------------------------------------------------------ | +| Alpha Lower | Lowercase alphabetic (a
  • z)
| +| Alpha Upper | Uppercase alphabetic (A
  • Z)
| +| Alpha | Uppercase and lowercase alphabetic (a
  • z & A
  • Z)
| +| Numeric | Numerals (0
  • 9)
| +| Special | All characters not included above | +| High | All characters above ANSI 126 | +| Custom | No default characters | + diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md index 1166bee621..bd7225887b 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/dictionary_rule.md @@ -39,10 +39,56 @@ templates in the dictionary file. Wildcard templates are specially formatted dic Password Policy Enforcer uses to reject a range of passwords. The Dictionary rule supports two wildcard template formats: -| Format | Example | Description | -| ------ | --------- | -------------------------------------------------------------------------------- | --- | --- | --- | --------- | --- | ------- | --- | --- | --- | --- | --- | --- | --------------------------------------------------------------------------------- | --- | ---------------------------------------------------------------------------------------- | --- | -| Prefix | | | | --- | | !!BAN\*!! | | !!2\*!! | | | | | --- | | Rejects passwords that start with BAN. For example: band, banish, ban, bank, etc. | | Rejects passwords that start with the numeric character 2. For example: 2ABC, 2123, etc. | | -| Suffix | !!\*ING!! | Rejects passwords that end with ING. For example: pushing, howling, trying, etc. | + + + + + + + + + + + + + + + + + + + + +
FormatExampleDescription
Prefix + + + + + + + + + +
!!BAN*!!
!!2*!!
+
+ + + + + + + + + +
Rejects passwords that start with BAN. For example: band, banish, ban, bank, etc.
Rejects passwords that start with the numeric character 2. For example: 2ABC, 2123, etc.
+
+ Suffix + + !!*ING!! + + Rejects passwords that end with ING. For example: pushing, howling, trying, etc. +
+ Partial matching is performed even if Wildcard analysis is disabled. For example, the dictionary word "password" will reject the passwords "My**Password**$", "**Password**100", and diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/rules.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/rules.md index 073f3ec247..13eecfcc2d 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/rules.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/rules.md @@ -56,19 +56,171 @@ box is selected, Password Policy Enforcer tests passwords with, and without char This stops users from circumventing the rule by substituting some characters. Password Policy Enforcer detects these common character substitutions: -| Original | | Substituted | -| -------- | --- | ------------------ | -| A | a | ^ @ | -| B | b | 8 | -| C | c | ( or `{` or < or [ | -| D | d | ) or `}` or > or ] | -| E | e | 3 | -| G | g | 6 or 9 | -| I | i | ! or \| or 1 | -| O | o | 0 or (zero) | -| S | s | $ or 5 | -| T | t | + or 7 | -| Z | z | 2 | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Original + + Substituted +
+ A + + a + + ^ @ +
+ B + + b + + 8 +
+ C + + c + + + + + + + + + +
+ ( or { + <[
+
+ D + + d + + + + + + + + + +
+ ) or } + >]
+
+ E + + e + + 3 +
+ G + + g + + 6 or 9 +
+ I + + i + + + + + + + + +
+ ! or | +   1
+
+ O + + o + + 0 or (zero) +
+ S + + s + +

$ or 5

+
+ T + + t + + + or 7 +
+ Z + + z + + 2 +
+ ## Tolerance diff --git a/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md b/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md index 6fdcce5235..d6baf02028 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md +++ b/docs/passwordpolicyenforcer/11.0/admin/ppe_tool.md 
@@ -43,21 +43,23 @@ should not execute the /e (Export) and /i (Import) operations simultaneously; **Common PPE Tool Operations** -| Operation | Operation Name | Operation Description | -| --------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| /? | help | - Displays Help and exits the application. All other options are ignored. | -| /m | minimal | - Configures the PPE Tool to operate in Minimal mode. - This operation strips away all extraneous information (e.g., policy messages, license information, etc.) while importing or exporting to the PPE Tool. - By default, the PPE Tool imports and exports all information available (e.g., policy messages, license information, etc.). | -| /d | domain [in controller] | - Configures the PPE Tool to operate in Domain mode. - The default controller is localhost. - This operation will make PPE Tool work with the LDAP Password Policy Enforcer instance. PPE Tool imports or exports configurations from the local registry. - To use this operation , you must run PPE Tool as a domain administrator user. However, this operation can be used on both the domain controller and on any member. 
If an invalid domain controller is provided as an argument, then the PPE Tool will fail at the import / export stage. - This operation is ignored when used to create reports from the file source (present with the /c (Config [in file name]) option). When the PPE Tool starts in a domain environment without the /d (Domain [in controller]) operation, a warning message will appear. However, this will not prevent the PPE Tool from operating on a local environment. | -| /c | config [in file name] | - Uses a config file instead of Password Policy Enforcer export when exporting reports (in the case of /i (Import), /h (Human [out file name]), and /r (Report [out file name]). - The default file is `config.xml`. - This operation defines the input file for the i/ (Import) operation, and thus is necessary for importing files to the PPE Tool. An error message will appear if the /c (Config [in file name]) option is omitted. - By default, the /h (Human [out file name]) and /r (Report [out file name]) operations use the Password Policy Enforcer instance as the reporting source. The /c (Config [in file name]) operation should provide the source configuration file as an argument to create reports. If an invalid file name is provided as an argument in this operation, the PPE Tool will display the appropriate error message and will fail. 
| +| Operation | Operation Name | Operation Description | +| --------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| /? | help |
  • Displays Help and exits the application. All other options are ignored.
| +| /m | minimal |
  • Configures the PPE Tool to operate in Minimal mode.
  • This operation strips away all extraneous information (e.g., policy messages, license information, etc.) while importing or exporting to the PPE Tool.
  • By default, the PPE Tool imports and exports all information available (e.g., policy messages, license information, etc.).
| +| /d | domain [in controller] |
  • Configures the PPE Tool to operate in Domain mode.
  • The default controller is localhost.
  • This operation will make PPE Tool work with the LDAP Password Policy Enforcer instance. PPE Tool imports or exports configurations from the local registry.
  • To use this operation , you must run PPE Tool as a domain administrator user. However, this operation can be used on both the domain controller and on any member. If an invalid domain controller is provided as an argument, then the PPE Tool will fail at the import / export stage.
  • This operation is ignored when used to create reports from the file source (present with the /c (Config [in file name]) option). When the PPE Tool starts in a domain environment without the /d (Domain [in controller]) operation, a warning message will appear. However, this will not prevent the PPE Tool from operating on a local environment.
| +| /c | config [in file name] |
  • Uses a config file instead of Password Policy Enforcer export when exporting reports (in the case of /i (Import), /h (Human [out file name]), and /r (Report [out file name]).
  • The default file is `config.xml`.
  • This operation defines the input file for the i/ (Import) operation, and thus is necessary for importing files to the PPE Tool. An error message will appear if the /c (Config [in file name]) option is omitted.
  • By default, the /h (Human [out file name]) and /r (Report [out file name]) operations use the Password Policy Enforcer instance as the reporting source. The /c (Config [in file name]) operation should provide the source configuration file as an argument to create reports. If an invalid file name is provided as an argument in this operation, the PPE Tool will display the appropriate error message and will fail.
| + Operations PPE Tool options are as follows: -| Task | Task Name | Task Description | -| ---- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| /e | export [out file name] | - Exports config data (default) from the Password Policy Enforcer instance to the file. - This operations is enabled by default. - This operation can not be used with /c (Config [in file name]) or i/ (Import) operations, but can be combined with /h (Human [out file name]). | -| /i | import | - Imports the config file. - Imports existing configuration using the input configuration file defined by the /d (Domain [in controller]) . If the /c (Config [in file name]) operation is omitted, the PPE Tool will display an error message and exit the application. - When i/ (Import) is used with the /h (Human [out file name]) or /r (Report [out file name]) operations, the latter will be ignored. - /d (Domain [in controller]) and /m (Minimal) operations my affect the result of the import. | -| /h | human [out file name] | - Converts the config file to a human-readable format and produces a human-readable report based on the current Password Policy Enforcer instance configuration or the configuration provided by the /d (Domain [in controller]). - If no custom file name is provided, the default file name will be `config_human_readable.xml`. 
| -| /r | report [out file name] | - Converts the config file to HTML and produces an HTML report file based on the current Password Policy Enforcer instance configuration or the configuration provided by the /d (Domain [in controller]). - Generates the HTML report into `C:\Program Files (x86)\Password Policy Enforcer\Report` alongside the .css file. - The default files name is `report.html`. | +| Task | Task Name | Task Description | +| ---- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| /e | export [out file name] |
  • Exports config data (default) from the Password Policy Enforcer instance to the file.
  • This operations is enabled by default.
  • This operation can not be used with /c (Config [in file name]) or i/ (Import) operations, but can be combined with /h (Human [out file name]).
| +| /i | import |
  • Imports the config file.
  • Imports existing configuration using the input configuration file defined by the /d (Domain [in controller]) . If the /c (Config [in file name]) operation is omitted, the PPE Tool will display an error message and exit the application.
  • When i/ (Import) is used with the /h (Human [out file name]) or /r (Report [out file name]) operations, the latter will be ignored.
  • /d (Domain [in controller]) and /m (Minimal) operations my affect the result of the import.
| +| /h | human [out file name] |
  • Converts the config file to a human-readable format and produces a human-readable report based on the current Password Policy Enforcer instance configuration or the configuration provided by the /d (Domain [in controller]).
  • If no custom file name is provided, the default file name will be `config_human_readable.xml`.
| +| /r | report [out file name] |
  • Converts the config file to HTML and produces an HTML report file based on the current Password Policy Enforcer instance configuration or the configuration provided by the /d (Domain [in controller]).
  • Generates the HTML report into `C:\Program Files (x86)\Password Policy Enforcer\Report` alongside the .css file.
  • The default files name is `report.html`.
| + ### PPE Usage Samples 
@@ -72,12 +74,13 @@ C:\Windows/system32>cd.. Once this location has been accessed in the Command console, enter one of the following commands in the [operation] variable above to execute a PPE Tool operation in the Command console. -| Action | Operation | Message | -| -------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Simple Config export operation | - ppetool | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. | -| Simple Config export in domain environment with DC %Full computer name of Domain Controller% | - ppetool /d localhost - ppetool /d %Full computer name of Domain Controller% | Config successfully exported. | -| Export local config into local.xml and create it from the HR.xml and report.html reports | - ppetool /e local.xml /h HR.xml /r Report.html | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. Human readable config representation successfully exported. HTML config representation exported successfully. | -| Import Config from config.xml | - ppetool /c config.xml /i | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config import successful. 
| +| Action | Operation | Message | +| -------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Simple Config export operation |
  • ppetool
| Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. | +| Simple Config export in domain environment with DC %Full computer name of Domain Controller% |
  • ppetool /d localhost
  • ppetool /d %Full computer name of Domain Controller%
| Config successfully exported. | +| Export local config into local.xml and create it from the HR.xml and report.html reports |
  • ppetool /e local.xml /h HR.xml /r Report.html
| Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. Human readable config representation successfully exported. HTML config representation exported successfully. | +| Import Config from config.xml |
  • ppetool /c config.xml /i
| Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config import successful. | + ### Generating Reports with Custom Descriptions From 8f567cefb6f17db9bca0d6444fca956be44ca802 Mon Sep 17 00:00:00 2001 From: Hassaan Khan Date: Wed, 16 Jul 2025 16:16:09 +0500 Subject: [PATCH 3/3] done --- .../11.0/admin/manage-policies/rules/complexity_rule.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md index e521678c59..ca723b123c 100644 --- a/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.0/admin/manage-policies/rules/complexity_rule.md @@ -35,10 +35,10 @@ This default character set contains the following: | Rule | Default character set | | ----------- | ------------------------------------------------------------------------ | -| Alpha Lower | Lowercase alphabetic (a
  • z)
| -| Alpha Upper | Uppercase alphabetic (A
  • Z)
| -| Alpha | Uppercase and lowercase alphabetic (a
  • z & A
  • Z)
| -| Numeric | Numerals (0
  • 9)
| +| Alpha Lower | Lowercase alphabetic (a-z) | +| Alpha Upper | Uppercase alphabetic (A-Z) | +| Alpha | Uppercase and lowercase alphabetic (a-z & A-Z) | +| Numeric | Numerals (0-9) | | Special | All characters not included above | | High | All characters above ANSI 126 | | Custom | No default characters |