Dictionary Rule Not Working

I have installed Password Policy Manager on all DCs and I need to test against words we have added to the Dictionary file. I have added the words to all DCs' txt files and I am still able to use the words I have added to the files. We are only using the Dictionary Rule and I have checked "Enable dictionary lookup to reject passwords that contain: A complete word from the dictionary". But like I said, it's not working. I have a test account I am using and it is part of the correct groups I have set up on the PP server.

 

What else do I need to do? I have checked the encoding with Notepad++ and they are set to UCS-2 LE BOM and I am lost. I am not sure if it should be this hard; maybe I am wrong.

 

Any help would be greatly appreciated.

 

Thank you,

Wade

  • Hi Wade,

    You mentioned that you are testing against words that you have added to the dictionary file. Have you tested against words that were already contained in the file before you added more?

    Did you also add those words to the dictionary file on the Password Manager server?
    C:\Program Files\Dell\One Identity Password manager\ Service\Password Policy Manager\QPMDictionary.txt
    If you attempt to change password using the Self-Service site then the dictionary file on the Password Manager server is used. If you try to change on a client machine using CTRL-ALT-DELETE then the dictionary files on the Domain Controllers are used.

    Try testing using CTRL-ALT-DELETE and see if the password is rejected.
    And also see if the dictionary rule is enforced if you use some of the original words in the dictionary file.

    Regards,

    Jim Casey
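
A way to check what the reply above asks about, as an added example that is not part of the original thread or the product's own tooling: it compares copies of the dictionary file for the byte-order mark of the encoding reported in this thread (UCS-2 LE BOM, bytes FF FE), for content drift between copies, and for the presence of a test word. The function name, temp file names and sample words are constructed; substitute the real paths of the copies on the DCs and the Password Manager server.

```powershell
function Get-DictionaryFileInfo {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TestWord
    )
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    # A little-endian UTF-16/UCS-2 file with a BOM starts with FF FE.
    $hasBom = $bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE
    $words  = @()
    if ($hasBom) {
        # Decode past the BOM and split into one trimmed, non-empty word per line.
        $text  = [System.Text.Encoding]::Unicode.GetString($bytes, 2, $bytes.Length - 2)
        $words = @($text -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Utf16LeBom  = $hasBom
        WordCount   = $words.Count
        HasTestWord = $words -contains $TestWord   # case-insensitive match
        Sha256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Constructed sample copies: a reference, a stale copy, and a wrongly encoded copy.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'dict-compare-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$reference = Join-Path $dir 'pwm-server.txt'
$stale     = Join-Path $dir 'dc1.txt'
$utf8      = Join-Path $dir 'dc2.txt'
$utf16     = [System.Text.Encoding]::Unicode            # writes the FF FE BOM
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($reference, "password`r`nwinter`r`nexampleword`r`n", $utf16)
[System.IO.File]::WriteAllText($stale,     "password`r`nwinter`r`n", $utf16)
[System.IO.File]::WriteAllText($utf8,      "password`r`nwinter`r`nexampleword`r`n", $utf8NoBom)

$report  = $reference, $stale, $utf8 |
    ForEach-Object { Get-DictionaryFileInfo -Path $_ -TestWord 'exampleword' }
$refHash = $report[0].Sha256

# One row per copy; MatchesReference is false for any copy that differs byte for byte.
$report |
    Select-Object File, Utf16LeBom, WordCount, HasTestWord,
        @{ Name = 'MatchesReference'; Expression = { $_.Sha256 -eq $refHash } } |
    Format-Table -AutoSize
```
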
  • In reply to Jim.Casey:

    We have a policy already within AD and none of the original words will work anyways in that file.
    I just added a new word to the file on the Server and tested through the SSite and it let me use the password.
  • In reply to wwalker:

    Hi Wade,

    It sounds like you have it correctly configured.

    I would suggest you open a case with support and let one of my colleagues work with you on it.
    support.quest.com/contact-support

    Regards,

    Jim
  • In reply to Jim.Casey:

    I have opened a ticket, just waiting on their response. Let me give you a little more info on the system and what I have done.

    We have 7 DCs across a couple of firewalls and we have installed PPM on each DC. On the server all I have active is the Dic Rule, nothing else. The documentation for this software at best is just a headache. Besides adding PPM to the DCs, is there anything else that would need to be done in AD or on the server?

    Thanks again,
    Wade
  • In reply to wwalker:

    Hi Wade,

    If you have PPM installed on each of the DCs and you have the dictionary file copied across, then you are configured correctly as long as the Password Policy is scoped, configured and enabled on the Password Manager server.

    If you ignore the dictionary rule and configure the password policy with some other rule which is different to those applied by the AD password policy, is it enforced by Password Manager when you try to change password?

    If yes, then Password Policy Manager is installed and configured correctly and your issue is narrowed down to the dictionary file.
    If no, then PPM is not configured correctly.

    Either way the support engineer who picks up your case will work with you until the issue is resolved.

    Regards,

    Jim
  • In reply to wwalker:

    Wade,
    Did you have any luck with the Dictionary file? It looks like I'm having the same issue myself.

    -Kyle
  • In reply to kwash:

    To be honest, we kind of dumped the project since it ends up not being what we want. But if I remember correctly, I had to add the domain to the applied OU in the policy scope of the Password Policy Properties and then add the groups. I just don't remember; I know it was not worth the money or time to mess with. Support was fine, the product was just not what we were looking for.
  • In reply to kwash:

    Hi Kyle,
    What version of Password Manager are you running? How the dictionary rule is set up is different in the latest release, 5.7.1.

    Thanks
    Stephen
  • In reply to Stephen.Yeomans:

    I'm using 5.7.1. I had a policy configured and created the QPMDictionary.txt file so the option to edit the dictionary file was in the Policy editor, but every password failed. I've removed the policy and created a new one, but the option to edit the file no longer appears.

    The dictionary file is placed in \\domain\SYSVOL\domain\31ef....\ and is in UCS-2 LE BOM encoding.

    -Kyle
  • In reply to kwash:

    What drive is the sysvol on?

    The default location is:
    C:\Windows\SYSVOL\domain\31EB75A4-CD1A-4F67-94DA-9F8F5DF1F5C1

    Password Manager actually looks at the system root path for the location of sysvol, which is most likely the C drive.

    Thanks
    Stephen
  • In reply to Stephen.Yeomans:

    Does this path need to be on the PWM server, or on the DC?