We are migrating Active Directory from from Windows Server 2003 to 2008 shortly. With 2008 we would like to be able to use a separate password policy for a particular group of PCs. One suggested password policy would force users to choose a new password from a predefined list when a password expires. So we would then effectively be rotating between 3 passwords. I know this doesn't seem like a good idea and I am proposing a different solution. But can this be done? Can we use Active Directory to store the viable passwords for a particular PC?
SnapOverflow
What you describe is known as a Password Filter. The default Windows Password Filters do not provide the exact functionality you're asking for. You will need to either code your own, or purchase a third party implementation.
A quick Google search should return many third party commercial options, I am hesitant to link any one specific vendor as this topic gathers spam-links too frequently. This SourceForge project may be a decent starting point should you build your own.
This isn't possible with Active Directory, the only similar Policy is to compare the new password against the last X number of set passwords and prohibit it's application if it matches any of them. The only way I can suggest is an excel spreadsheet visible only to the administrator who would then apply the password.