How do I edit the password generation policy in Directory and Resource Administrator? (NETIQKB13241)

  • 7713241
  • 02-Feb-2007
  • 10-Nov-2011

Environment

Directory & Resource Administrator 8.x

Situation

How do I edit the password generation policy in Directory and Resource Administrator?

How do I change the values used for the Generate Password option in DRA?

Resolution

For DRA 8.0 SP1 and Newer:

DRA can enforce a specific password policy. This policy is configured on the Primary DRA Server, using the Delegation and Configuration Console.

  1. Use the DNC console to connect to the Primary DRA Server as a DRA Assistant Admin with DRA Administration Powers
  2. Highlight the Policy and Automation Node
  3. Choose the Configure Password Generation Policies Link
  4. Put a Check Mark in the box for Enforce Password Policy
  5. Click the Apply Button to enable the Password Policy
  6. Click the Link for Password Options
  7. Choose the specific limits to be imposed
  8. Click the Apply Button to set the limits
  9. Click the OK Button to return to the DNC Console

For DRA 8.0 and Older:

By default, Directory and Resource Administrator (DRA) uses hard-coded values for the password generation policy. The password generation algorithm and the hard-coded values are in a C++ COM object. However, if the values below are present in the registry on the DRA server, DRA uses them for the policy instead.

To change the password generation policy, add the following DWord values under the HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Password Policy registry key on the Administration server.

  • EnablePasswordPolicy (must be set to 1 for this to work)
  • MinUpperChars
  • MinLowerChars
  • MinChars
  • MinDigits
  • MinSpecial
  • MaxConsecutiveAlpha
  • MaxSameCharRepeat
  • MinPasswordLength
  • MaxPasswordLength

Note: All values must be set.  No value should be left blank.
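The registry procedure above, as an added PowerShell example (not NetIQ's code): it reports which of the ten values are missing or are not DWords and, only when run with -Apply, writes them. The numbers in $desired are constructed placeholders, and the function name Get-DraPolicyProblem is hypothetical.

```powershell
# Added example: audit, and optionally set, the DRA 8.0-and-older password policy values.
param(
    [switch]$Apply   # without -Apply the script only reports; nothing is written
)

$key = 'HKLM:\SOFTWARE\Mission Critical Software\OnePoint\Administration\Password Policy'

# Constructed sample numbers: placeholders, not NetIQ defaults or recommendations.
$desired = [ordered]@{
    EnablePasswordPolicy = 1    # the article requires 1 for the registry values to be used
    MinUpperChars        = 1
    MinLowerChars        = 1
    MinChars             = 2
    MinDigits            = 1
    MinSpecial           = 1
    MaxConsecutiveAlpha  = 4
    MaxSameCharRepeat    = 2
    MinPasswordLength    = 12
    MaxPasswordLength    = 20
}

# Hypothetical helper: emits one string per problem found under the key.
function Get-DraPolicyProblem {
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Path)) { "Key not found: $Path"; return }
    $regKey  = Get-Item -LiteralPath $Path
    $present = $regKey.GetValueNames()
    foreach ($name in $Names) {
        if ($present -notcontains $name) { "Missing value: $name" }
        elseif ($regKey.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { "Not a DWord: $name" }
    }
    if ($present -contains 'EnablePasswordPolicy' -and $regKey.GetValue('EnablePasswordPolicy') -ne 1) {
        'EnablePasswordPolicy is not 1 (the article requires 1)'
    }
}

if ($Apply) {
    # Sanity check inferred from the value names (an assumption, not stated in the article).
    if ($desired.MinPasswordLength -gt $desired.MaxPasswordLength) { throw 'MinPasswordLength exceeds MaxPasswordLength' }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        # Every value is written, because the article says none may be left unset.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desired[$name] -Force | Out-Null
    }
}

$problems = @(Get-DraPolicyProblem -Path $key -Names @($desired.Keys))
if ($problems.Count -eq 0) { 'All ten policy values are present as DWords.' } else { $problems; exit 1 }
```

Run it from an elevated prompt on the Administration server, after backing up the registry.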

Note

Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ Technical Support cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be resolved. Make sure that you back up your Registry prior to making any changes.

Cause

For security purposes, some organizations have specific requirements for AD user passwords. These requirements can be enforced when DRA auto-generates a new password.

Additional Information

Formerly known as NETIQKB13241

You will need to perform a full Multi-Master Sync for these changes to apply to all of the DRA Servers.