Handling Conflicting Policies

Different standard and authentication policies can be in effect for the registry as a whole and for individual organizations (for standard policy) and accounts (for authentication policy). If the policy that is set for the registry as a whole differs from the policy that is set for an individual organization or account, the stricter policy applies. For example, suppose registry policy specifies a minimum password length of six characters and policy for the organization named classic specifies eight characters. If you create the account bach cantata classic, the stricter policy (in this case, the organization policy) applies, and the account password must be at least eight characters long. The following table lists the stricter policy for each policy type.

Stricter Standard Policies

For This Type of Policy... This Is the Stricter Policy...

Password expiration date The shorter expiration period

Password lifespan The shorter lifespan

Account lifespan The shorter lifespan

Password length The greater length

Password consisting of all spaces The password cannot consist of all spaces; it must include some characters

Password consisting of all alphanumerics The password cannot consist of all alphanumerics; it must include some nonalphanumeric characters

Maximum ticket renewable The shorter time (note: this feature is not currently used by DCE, and any use of this option is unsupported at the present time)

Maximum ticket lifetime The shorter time

When the registry is created, standard policies are by default at their most permissive state; that is, the password expiration date is none, password and account lifespans are unlimited, the minimum password length is 0, and passwords can consist of all spaces and all alphanumerics. The maximum ticket lifetime is set to 10 hours. (Maximum ticket renewable is not currently used.) To implement stricter policies, you must use the registry modify command.