Is GAM preventing Google from enforcing password policy changes?


Tim Mueller

May 16, 2024, 5:52:09 PM
to GAM for Google Workspace
I am attempting to strengthen password requirements in Google Admin console. I made changes to a test OU and selected "Enforce policy at next login" but when signing in as a user in that OU, whose password does not meet the new requirements, I am not forced to change the password. Google lists the following (next paragraph) as one reason why a password policy might not be enforced. Is it possible that enabling API access for GAM when it was installed is preventing Google from enforcing the new policy? Thanks.

From Google: "Google can't enforce password strength and length requirements on passwords set using a hash method—for example passwords created using the bulk user upload tool, the Directory API, or sync tools such as Password Sync or Google Cloud Directory Sync. For details, visit the Google Workspace Admin SDK or see About Password Sync."

Ross Scroggs

May 16, 2024, 6:05:09 PM
to google-ap...@googlegroups.com
Tim,

Send me a Meet/Zoom invitation and we'll discuss.

Ross

Jay Lee

May 16, 2024, 6:13:16 PM
to google-ap...@googlegroups.com

For additional security, GAM sends only the hash of user passwords, not the clear text policy itself.

You can send a plaintext password (over HTTPS of course) by adding "nohash" to the user create/update command.

Jay


Tim Mueller

May 16, 2024, 6:38:50 PM
to GAM for Google Workspace
Thanks, that makes sense, but I did a test where I created a new OU, created a user manually, via the Admin Console. I signed in and out as that user. Only then did I increase the password length requirement and enable "Enforce password policy on next sign-in". It still did not require me to change the password. This is puzzling since no hashing should have taken place. 

Jay Lee

May 16, 2024, 7:25:09 PM
to google-ap...@googlegroups.com

It may be that the policy wasn't being enforced yet. Policy changes can take 24 hours to apply to users.

Jay


tmue...@nucharters.org

May 16, 2024, 8:10:43 PM
to google-ap...@googlegroups.com
Thanks, I did think of that and will test again tomorrow, but I've never had to wait more than a minute for any setting to take effect. Which proves nothing, of course.
--
Tim Mueller
Technology Department
Northern United - Humboldt Charter School
Northern United - Siskiyou Charter School


Tim Mueller

May 17, 2024, 7:13:20 PM
to GAM for Google Workspace
UPDATE: After a meeting and some testing with Ross, we concluded that the issue is that Google does not enforce the "Enforce password policy at next sign-in" setting, regardless of how the user account was created. Changes to the password length requirement setting are preserved; without that enforcement, users can continue signing in with the shorter password.

I contacted Google Support via chat, which was escalated to Meet. They spent a long time explaining the function of each setting and that everything will be fine now that I understand the settings, despite me sharing my screen and demonstrating the problem, live. So a complete waste of time.

The resolution is simple, though:
gam update user [email] changepassword on
There are fewer than 100 users involved here, so I can easily create a batch file to handle this.

Many thanks to Ross and Jay for their help with this.
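
The resolution command from the last post, applied across a list of accounts. This is an added example, not part of the thread or of GAM: the one-column address file, the DRY_RUN variable and the sample addresses are assumptions made for illustration, and only the "gam update user ... changepassword on" command comes from the post above.

```shell
#!/usr/bin/env bash
# Added example: one "gam update user <email> changepassword on" per account.
# Assumed for illustration: a one-column file of addresses, the DRY_RUN
# variable, and the constructed sample addresses at the bottom.

# Print the gam command for each valid address in file $1. Blank lines, a
# header row and malformed rows are skipped; duplicates are emitted once.
build_commands() {
  tr -d '\r' < "$1" | awk '
    { gsub(/^[ \t]+|[ \t]+$/, ""); addr = tolower($0) }
    addr == "" || addr == "primaryemail" || addr == "email" { next }
    addr !~ /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]+$/ {
      print "skipped: " $0 | "cat 1>&2"; next
    }
    !seen[addr]++ { print "gam update user " addr " changepassword on" }
  '
}

# List the commands (default), or run them when DRY_RUN=0.
force_change() {
  build_commands "$1" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "0" ]; then
      # Addresses were validated above, so plain word splitting is safe here.
      $cmd < /dev/null || echo "failed: $cmd" >&2
    else
      echo "would run: $cmd"
    fi
  done
}

# Constructed sample list (not real accounts); dry run only.
sample=$(mktemp)
printf '%s\n' 'primaryEmail' 'alice@example.org' '' 'Bob@Example.org ' \
  'not-an-address' 'alice@example.org' > "$sample"
force_change "$sample"
```

Reviewing the dry-run listing before setting DRY_RUN=0 keeps a stray row in an exported list from flagging the wrong account.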