From 3138782aae2092167f9da2d526a90f190bf26027 Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Tue, 23 Jun 2026 11:01:37 +1000 Subject: [PATCH 01/21] Change internal links from absolute to relative --- .../11.2/admin/configconsole.md | 16 +++++++-------- .../admin/manage-policies/manage_policies.md | 20 +++++++++---------- .../manage-policies/rules/maximum_age_rule.md | 8 ++++---- .../11.2/admin/manage-policies/rules/rules.md | 2 +- .../11.2/admin/settings.md | 16 +++++++-------- .../installation/disable_windows_rules.md | 2 +- .../installation/domain_and_local_policies.md | 8 ++++---- .../11.2/installation/installationclient.md | 10 +++++----- .../11.2/installation/installationgpm.md | 4 ++-- .../11.2/installation/installationserver.md | 6 +++--- .../11.2/installation/upgrading.md | 8 ++++---- 11 files changed, 50 insertions(+), 50 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/configconsole.md b/docs/passwordpolicyenforcer/11.2/admin/configconsole.md index e04724ab5c..e41f97a5ba 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/configconsole.md +++ b/docs/passwordpolicyenforcer/11.2/admin/configconsole.md @@ -8,11 +8,11 @@ sidebar_position: 10 The Password Policy Enforcer (PPE) Configuration Console is a graphical user interface for centrally configuring and managing PPE. You can install the Configuration Console on any server or workstation. -Use the **PPE Configuration** desktop shortcut or Start menu item to open the console. If these don't exist, then use the [server components installer](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) to install the Configuration Console. +Use the **PPE Configuration** desktop shortcut or Start menu item to open the console. If these don't exist, then use the [server components installer](../installation/installationserver.md) to install the Configuration Console. ![Configuration Console Dashboard](/images/passwordpolicyenforcer/11.2/evaluation/ppedashboard.webp) -When the console is connected to a [domain configuration](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md), the configuration changes you make in the console replicate to all the domain controllers in the domain. Active Directory (AD) replication propagates the changes at normal replication intervals. The console applies configuration changes only to the local computer's registry when connected to a [local configuration](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md). +When the console is connected to a [domain configuration](../installation/domain_and_local_policies.md), the configuration changes you make in the console replicate to all the domain controllers in the domain. Active Directory (AD) replication propagates the changes at normal replication intervals. The console applies configuration changes only to the local computer's registry when connected to a [local configuration](../installation/domain_and_local_policies.md). ## Enable and Disable Password Policy Enforcer @@ -31,28 +31,28 @@ The Help menu contains the following items: ## Set Global Settings -Click **Settings** to configure [global configuration settings](/docs/passwordpolicyenforcer/11.2/admin/settings.md). +Click **Settings** to configure [global configuration settings](settings.md). ## Connect to a Configuration -Password Policy Enforcer can enforce password policies for [domain and local](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) user accounts. Domain configurations contain password policies for domain user accounts. Active Directory stores these configurations. The registry stores local configurations, which contain the password policies for local user accounts. Click the **Connected to** selector to connect to a configuration. You can choose which domain controller to connect to when working on a domain configuration. PPE always stores a local configuration in the local computer's registry. +Password Policy Enforcer can enforce password policies for [domain and local](../installation/domain_and_local_policies.md) user accounts. Domain configurations contain password policies for domain user accounts. Active Directory stores these configurations. The registry stores local configurations, which contain the password policies for local user accounts. Click the **Connected to** selector to connect to a configuration. You can choose which domain controller to connect to when working on a domain configuration. PPE always stores a local configuration in the local computer's registry. :::note PPE stores domain configurations in the `CN=Password Policy Enforcer ,CN=System` container object. It stores local configurations in the `HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer ` registry key. Only users with write permission to these objects can configure Password Policy Enforcer. ::: :::tip -You can distribute local configurations by exporting the configuration registry key and importing it into other computers. The [Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md#distribute-the-local-configuration-with-group-policy) page shows how to distribute a local configuration with Group Policy. +You can distribute local configurations by exporting the configuration registry key and importing it into other computers. The [Domain and Local Policies](../installation/domain_and_local_policies.md#distribute-the-local-configuration-with-group-policy) page shows how to distribute a local configuration with Group Policy. ::: ## Add a Policy -Click **Add policy** to create and configure a new [password policy](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md). +Click **Add policy** to create and configure a new [password policy](manage-policies/manage_policies.md). ## Check for Compromised and Reused Passwords -Click **Password Scanner** to check for [compromised and reused passwords](/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md). +Click **Password Scanner** to check for [compromised and reused passwords](compromisedpasswordcheck.md). ## Check Your PPE Installation -Click **System Audit and Support** to [review and troubleshoot your PPE deployment](/docs/passwordpolicyenforcer/11.2/admin/systemaudit.md). +Click **System Audit and Support** to [review and troubleshoot your PPE deployment](systemaudit.md). diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md index ae508bc6c7..f277165048 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md @@ -6,13 +6,13 @@ sidebar_position: 20 # Manage Policies -Password Policy Enforcer (PPE) can enforce up to 256 different password policies per domain. Password policies are collections of rules that users must comply with when choosing a new password. You can [assign policies](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) to users directly, or indirectly through Active Directory security groups and containers (Organizational Units). +Password Policy Enforcer (PPE) can enforce up to 256 different password policies per domain. Password policies are collections of rules that users must comply with when choosing a new password. You can [assign policies](usersgroups.md) to users directly, or indirectly through Active Directory security groups and containers (Organizational Units). PPE doesn't enforce any policies when it is first installed, so the policy list is empty when you open the configuration console for the first time. ![Configuration Console Dashboard](/images/passwordpolicyenforcer/11.2/evaluation/ppedashboard.webp) -PPE adds the policies you create to the policy list. Use the buttons above the policy list to [test policies](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/testpolicy.md), set policy priorities, and export the configuration. Use the options menu (**⋮**) to the right of each policy to perform actions on that policy. +PPE adds the policies you create to the policy list. Use the buttons above the policy list to [test policies](testpolicy.md), set policy priorities, and export the configuration. Use the options menu (**⋮**) to the right of each policy to perform actions on that policy. ![Dashboard with Policies](/images/passwordpolicyenforcer/11.2/administration/ppedashboardpolicies.webp) @@ -25,11 +25,11 @@ PPE adds the policies you create to the policy list. Use the buttons above the p The policy editor opens. The policy editor has many settings. The following pages explain the settings in each tab: -- [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) -- [Users & Groups](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) -- [Passphrase](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/passphrases.md) -- [Properties](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md) -- [Messages](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/messages.md) +- [Rules](rules/rules.md) +- [Users & Groups](usersgroups.md) +- [Passphrase](passphrases.md) +- [Properties](policy_properties.md) +- [Messages](messages.md) ## Edit a Policy @@ -38,11 +38,11 @@ Click the name of a policy in the policy list to make changes to the policy. ## Test Policies -Click **Test Policy** to check if Password Policy Enforcer's current configuration accepts or rejects specific passwords. The [Test Policy](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/testpolicy.md) feature is a useful troubleshooting tool when PPE isn't accepting or rejecting passwords as you expect. +Click **Test Policy** to check if Password Policy Enforcer's current configuration accepts or rejects specific passwords. The [Test Policy](testpolicy.md) feature is a useful troubleshooting tool when PPE isn't accepting or rejecting passwords as you expect. ## Set Policy Priorities -Policy priorities help Password Policy Enforcer resolve [policy assignment conflicts](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md#policy-assignment-conflicts). If more than one policy is assigned to a user, and PPE can't decide which policy to enforce using the other conflict resolution rules, then PPE always enforces the policy with the highest priority. +Policy priorities help Password Policy Enforcer resolve [policy assignment conflicts](usersgroups.md#policy-assignment-conflicts). If more than one policy is assigned to a user, and PPE can't decide which policy to enforce using the other conflict resolution rules, then PPE always enforces the policy with the highest priority. Click **Set priorities** to view or modify policy priorities. This button is only visible if you have more than one password policy. @@ -50,7 +50,7 @@ Click **Set priorities** to view or modify policy priorities. This button is onl Select the policy you want to reprioritize, then click **Higher** or **Lower** to move the policy up or down. Click **Apply priorities** to accept the new priority order. -The [Assign Policies to Users](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) page has more information about how PPE assigns policies and resolves conflicts. You can also click **Test Policy** to quickly see which policy PPE enforces for a particular user. +The [Assign Policies to Users](usersgroups.md) page has more information about how PPE assigns policies and resolves conflicts. You can also click **Test Policy** to quickly see which policy PPE enforces for a particular user. ## Export Configuration diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md index 6804b3fa8f..75e026d368 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md @@ -6,7 +6,7 @@ sidebar_position: 10 # Age (Max) Rule -The Maximum Age rule forces users to change their passwords regularly. This decreases the likelihood of an attacker finding a password that is still in use. Only [domain policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) can enforce this rule. +The Maximum Age rule forces users to change their passwords regularly. This decreases the likelihood of an attacker finding a password that is still in use. Only [domain policies](../../../installation/domain_and_local_policies.md) can enforce this rule. ![Maximum Age rule](/images/passwordpolicyenforcer/11.2/administration/agemax.webp) @@ -32,7 +32,7 @@ Use the Warning and Transitional modes to gradually introduce a new password pol It takes approximately 50 days for PPE to force all users with expired passwords to change them in the 2% Transitional mode (2% every day). The 5% Transitional mode reduces this to 20 days, and the 10% Transitional mode further reduces it to 10 days. PPE selects users randomly, so these are estimates only. You must eventually switch to the Standard mode to ensure that all old passwords expire. Don't leave PPE in the Transitional or Warning modes permanently as this won't give you predictable, forced password expirations. ::: -Password Policy Enforcer always prompts users with expired passwords to change them, even in the Transitional and Warning modes. Users can ignore the prompt to change their password unless PPE forces them to change it. Windows clients display the prompt even if the [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md) isn't installed. Windows displays the prompt five days before passwords expire by default. You can change this value with Group Policy: [Interactive logon: Prompt user to change password before expiration](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration). +Password Policy Enforcer always prompts users with expired passwords to change them, even in the Transitional and Warning modes. Users can ignore the prompt to change their password unless PPE forces them to change it. Windows clients display the prompt even if the [Password Policy Client](../../password-policy-client/password_policy_client.md) isn't installed. Windows displays the prompt five days before passwords expire by default. You can change this value with Group Policy: [Interactive logon: Prompt user to change password before expiration](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration). PPE expires passwords at 1:00 AM every day on the domain controller holding the PDC emulator operations master role. It sets "User must change password at next logon" for users whose password expired, or is due to expire on that day. PPE doesn't expire passwords if the Maximum Age rule is in Warning mode, or for users with "Password never expires" set in Active Directory. Some passwords won't expire immediately when the Maximum Age rule is in a Transitional mode. @@ -45,7 +45,7 @@ Click **Set up email** to edit the email template for the email reminders. The correct format for the **From** text box is `"Display Name" `. You can edit the email body with a visual editor or raw HTML editor by clicking **Visual** or **HTML**. :::tip -If the email body is too long to fit in the text box, then enter a file path with the "file:" prefix in the body text box: `file:C:\path\filename.ext`. The file path can include environment variables like %ProgramFiles%. Don't use quotes for long filenames and don't include any other text. The [Mailer Service](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) reads the email body from the specified file. +If the email body is too long to fit in the text box, then enter a file path with the "file:" prefix in the body text box: `file:C:\path\filename.ext`. The file path can include environment variables like %ProgramFiles%. Don't use quotes for long filenames and don't include any other text. The [Mailer Service](../../../installation/installationserver.md) reads the email body from the specified file. If users aren't receiving their email reminders, then ensure the **From** address is a valid sending address for your mail server. ::: @@ -66,6 +66,6 @@ The email's subject and body can contain various macros. Click **<#>** whe | [EXPIRY_MONTH_NAME] | Expiry month (January, February, ...) | | [EXPIRY_YEAR] | Expiry year (2026, 2027, ...) | -Click **Set up SMTP** to configure your [mail delivery settings](/docs/passwordpolicyenforcer/11.2/admin/settings.md#notifications). +Click **Set up SMTP** to configure your [mail delivery settings](../../settings.md#notifications). Click **Log event for every expired password** if you want PPE to log an event to the Windows Application Event Log whenever it expires a password. \ No newline at end of file diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md index 77b57baa59..5b1c430430 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md @@ -6,7 +6,7 @@ sidebar_position: 10 # Rules -Password Policy Enforcer (PPE) uses rules to accept or reject passwords. Each [policy](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md) has rules that you configure independently of the rules in other policies. To configure the rules for a policy: +Password Policy Enforcer (PPE) uses rules to accept or reject passwords. Each [policy](../manage_policies.md) has rules that you configure independently of the rules in other policies. To configure the rules for a policy: 1. Open the PPE configuration console. 2. Click the name of a policy in the policy list. The **Rules** tab opens by default. diff --git a/docs/passwordpolicyenforcer/11.2/admin/settings.md b/docs/passwordpolicyenforcer/11.2/admin/settings.md index 67218a4f5f..7c15ca2eba 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/settings.md +++ b/docs/passwordpolicyenforcer/11.2/admin/settings.md @@ -14,22 +14,22 @@ Most Password Policy Enforcer (PPE) settings are policy-specific, but there are **Default policy**. Users must comply with the default password policy if you haven't assigned another policy to them. You can use PPE without a default policy, but Netwrix doesn't recommend this because it might leave some passwords unchecked. If you need to exclude some users from PPE's checking, then it's better to set a default policy and explicitly exclude some users: -1. [Add a policy](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md) for the excluded users. +1. [Add a policy](manage-policies/manage_policies.md#add-a-policy) for the excluded users. 2. Leave all the rules disabled for the new policy. -3. [Assign the policy](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) to the users who don't have to comply with any PPE rules. +3. [Assign the policy](manage-policies/usersgroups.md) to the users who don't have to comply with any PPE rules. :::tip -Use the [Test Policy by User](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/testpolicy.md) feature to see which policy PPE enforces for a particular user. You can also review the [Policy Selection Flowchart](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md#policy-selection-flowchart) to see how PPE selects a policy for a user. +Use the [Test Policy by User](manage-policies/testpolicy.md) feature to see which policy PPE enforces for a particular user. You can also review the [Policy Selection Flowchart](manage-policies/usersgroups.md#policy-selection-flowchart) to see how PPE selects a policy for a user. ::: -**Enforce policy when password is reset**. Select this option to enforce the assigned password policy whenever someone resets a password or creates a new user account. This option doesn't change the behavior of the [Minimum Age rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md), as PPE never enforces this rule during a reset. PPE only enforces the [History rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md) during a reset if you select this checkbox, and also select the History Rule's **Enforce this rule when a password is reset** checkbox. +**Enforce policy when password is reset**. Select this option to enforce the assigned password policy whenever someone resets a password or creates a new user account. This option doesn't change the behavior of the [Minimum Age rule](manage-policies/rules/minimum_age_rule.md), as PPE never enforces this rule during a reset. PPE only enforces the [History rule](manage-policies/rules/history_rule.md) during a reset if you select this checkbox, and also select the History Rule's **Enforce this rule when a password is reset** checkbox. -**Accept encrypted client request only**. Select this option to have Password Policy Enforcer reject any unencrypted requests from very old versions of the [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md), Netwrix Password Reset, and [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md). These requests don't contain passwords or password hashes, but Netwrix still recommends requiring encryption for all requests. This setting applies only to the legacy UDP protocol. The newer RPC protocol always uses encryption. +**Accept encrypted client request only**. Select this option to have Password Policy Enforcer reject any unencrypted requests from very old versions of the [Password Policy Client](password-policy-client/password_policy_client.md), Netwrix Password Reset, and [PPE Web](../web-overview/web_overview.md). These requests don't contain passwords or password hashes, but Netwrix still recommends requiring encryption for all requests. This setting applies only to the legacy UDP protocol. The newer RPC protocol always uses encryption. **Log event when password not checked by service**. Select this option to log an event to the Windows Application Event Log whenever PPE doesn't check a password. This can happen if: - Password Policy Enforcer is disabled. -- The policy [assigned](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) to a user is disabled. +- The policy [assigned](manage-policies/usersgroups.md) to a user is disabled. - No policy is assigned to a user, or an error occurs when determining the assigned policy, and a default policy isn't specified. - Someone resets a password, and **Enforce policy when password is reset** isn't selected. @@ -43,7 +43,7 @@ The Password Policy Client and the Password Policy Server each enforce most PPE **Use old icons in Live Policy Feedback**. Select this option if you don't want to use the new, colored icons on the change password screen when the Password Policy Client is installed. -**RPC Port**. The Password Policy Client communicates with the server over a Remote Procedure Call (RPC) port. Enter a different port number if another service uses the default port in your environment. The default port number is 1344. You must also [configure the Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/configuring_the_password_policy_client.md) to use the new port. +**RPC Port**. The Password Policy Client communicates with the server over a Remote Procedure Call (RPC) port. Enter a different port number if another service uses the default port in your environment. The default port number is 1344. You must also [configure the Password Policy Client](password-policy-client/configuring_the_password_policy_client.md) to use the new port. ## Notifications @@ -56,7 +56,7 @@ Password Policy Enforcer sends notification emails to users and administrators. **Save email to a pickup folder**. Select this option if you want PPE to send email notifications to a pickup folder for collection and delivery by a mail server. Configure the mail server to monitor this folder. Enter the path to the pickup folder, or click **Browse** to select it. :::note -Notification settings are only available when you're [connected to](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#connect-to-a-configuration) a domain configuration. +Notification settings are only available when you're [connected to](configconsole.md#connect-to-a-configuration) a domain configuration. ::: :::tip diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index 751f2c2202..b338998b62 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md @@ -8,7 +8,7 @@ sidebar_position: 20 Windows has its own password policy rules for password history, age, length, and complexity. If you enable both Password Policy Enforcer (PPE) rules and Windows rules, users must comply with both the PPE and Windows rules. -PPE has its own rules for password [history](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md), [minimum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md), [maximum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [length](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md), and [complexity](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. It is therefore recommended to disable the Windows password policy rules while you are experimenting with and testing your PPE configuration. +PPE has its own rules for password [history](../admin/manage-policies/rules/history_rule.md), [minimum age](../admin/manage-policies/rules/minimum_age_rule.md), [maximum age](../admin/manage-policies/rules/maximum_age_rule.md), [length](../admin/manage-policies/rules/length_rule.md), and [complexity](../admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. It is therefore recommended to disable the Windows password policy rules while you are experimenting with and testing your PPE configuration. To disable the Windows password policy rules: diff --git a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md index 334eebb9c2..18c81ad302 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md +++ b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md @@ -16,7 +16,7 @@ A typical Windows network has both domain and local user accounts, but you might ## Installation Differences -Install Password Policy Enforcer on all the domain controllers in the domain to enforce password policies for domain user accounts. You don't need to install it on read-only domain controllers unless you're using the [Maximum Age rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md), [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md), or Netwrix Password Reset. +Install Password Policy Enforcer on all the domain controllers in the domain to enforce password policies for domain user accounts. You don't need to install it on read-only domain controllers unless you're using the [Maximum Age rule](../admin/manage-policies/rules/maximum_age_rule.md), [Password Policy Client](../admin/password-policy-client/password_policy_client.md), [PPE Web](../web-overview/web_overview.md), or Netwrix Password Reset. To enforce password policies for local user accounts, install Password Policy Enforcer on the computers that contain the user accounts you want to enforce password policies for. These computers can be workstations or servers, and they can be standalone or domain members. You don't normally need to install PPE on the workstations and servers in a domain because most users log on with a domain account. If this is the case, you'll most likely only need to install PPE on the domain controllers. @@ -24,10 +24,10 @@ To enforce password policies for local user accounts, install Password Policy En Most of Password Policy Enforcer's rules and features work with both domain and local policies, but there are some differences. These differences are due to password filter technical limitations, and also because some information isn't in the SAM. You can't use the following rules and features with local password policies: -- The [Minimum Age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md) and [Maximum Age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md) rules (you can still use the Windows versions of these rules). -- [Policy assignments](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) by groups and containers. +- The [Minimum Age](../admin/manage-policies/rules/minimum_age_rule.md) and [Maximum Age](../admin/manage-policies/rules/maximum_age_rule.md) rules (you can still use the Windows versions of these rules). +- [Policy assignments](../admin/manage-policies/usersgroups.md) by groups and containers. -PPE stores configuration information in Active Directory for domain password policies, and in the Windows registry for local password policies. Click the [**Connected to**](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#connect-to-a-configuration) selector in the PPE Configuration Console's home page to choose a configuration source. +PPE stores configuration information in Active Directory for domain password policies, and in the Windows registry for local password policies. Click the [**Connected to**](../admin/configconsole.md#connect-to-a-configuration) selector in the PPE Configuration Console's home page to choose a configuration source. Changes to a domain configuration automatically replicate to all domain controllers in the domain. Changes to a local configuration apply only to the local computer. If you want to use the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 11.0\ registry key from the configured computer, and import it into the other computers. diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md index 5fb92cb972..7868ceb0f9 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md @@ -6,12 +6,12 @@ sidebar_position: 30 # Install the Password Policy Client -The Password Policy Client (PPC) is an optional component that helps users choose a compliant password. It shows users which rules they need to comply with while they enter their new password. The PPC also displays a detailed rejection reason message if PPE rejects the new password. You typically install the PPC on users' computers, virtual desktops, and Remote Desktop Session Hosts. The list of supported operating systems is in the [introduction](/docs/passwordpolicyenforcer/11.2/index.md). +The Password Policy Client (PPC) is an optional component that helps users choose a compliant password. It shows users which rules they need to comply with while they enter their new password. The PPC also displays a detailed rejection reason message if PPE rejects the new password. You typically install the PPC on users' computers, virtual desktops, and Remote Desktop Session Hosts. The list of supported operating systems is in the [introduction](../index.md). :::note The Password Policy Client doesn't store or send passwords or password hashes over the network. The protocol is encrypted for additional security, but even if an attacker compromised the encryption, it wouldn't reveal any passwords or password hashes. -PPE only enforces the [Similarity rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md) if the user changes their password from the PPC, [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md), or Netwrix Password Reset. +PPE only enforces the [Similarity rule](../admin/manage-policies/rules/similarity_rule.md) if the user changes their password from the PPC, [PPE Web](../web-overview/web_overview.md), or Netwrix Password Reset. ::: ## Manual Installation @@ -43,7 +43,7 @@ The Password Policy Client runs automatically during a password change. There is ## Automated Deployment -Use a software deployment tool or [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) to automate deployment across many computers. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install the 64-bit Password Policy Client: +Use a software deployment tool or [Group Policy](installationgpm.md) to automate deployment across many computers. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install the 64-bit Password Policy Client: ```batch msiexec /i Netwrix_PPE_Client_11.2.0.148_x64.msi /q @@ -56,9 +56,9 @@ Add an exclusion for `%ProgramFiles%\Netwrix\Password Policy Enforcer\PPEClt.DLL ## Testing the Password Policy Client Test the Password Policy Client by logging on to a computer, pressing **Ctrl+Alt+Del**, and clicking **Change a password**. You should see the password policy rules on the password change screen. If you don't see the rules, then ensure that: -- The [Password Policy Server (PPS)](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) is installed on all domain controllers in the domain. +- The [Password Policy Server (PPS)](installationserver.md) is installed on all domain controllers in the domain. - You restarted all domain controllers after installing the PPS. -- A PPE policy is [assigned](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) to the logged on user account. +- A PPE policy is [assigned](../admin/manage-policies/usersgroups.md) to the logged on user account. ## Uninstalling diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md index ab4ea85d90..3d1ad1c506 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md @@ -6,7 +6,7 @@ sidebar_position: 40 # Deploy with Group Policy -You can use Group Policy to deploy the [Password Policy Enforcer server components](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) or the [Password Policy Client (PPC)](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md). Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools can also be used. +You can use Group Policy to deploy the [Password Policy Enforcer server components](installationserver.md) or the [Password Policy Client (PPC)](installationclient.md). Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools can also be used. ## Create a Distribution Point @@ -53,5 +53,5 @@ A distribution point can be a UNC path to a server share, or a Distributed File Allow time for the GPO to replicate to all domain controllers before proceeding, then restart each target computer to complete the installation. Windows installs the component during startup, then restarts the computer a second time if necessary. :::note -The Password Policy Server won't start enforcing a password policy until you [configure](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md) it. Users can still change their passwords during this time, and must comply with the Windows password policy rules (if enabled). +The Password Policy Server won't start enforcing a password policy until you [configure](../admin/configconsole.md) it. Users can still change their passwords during this time, and must comply with the Windows password policy rules (if enabled). ::: diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md index 7568c35ba0..2755c6d175 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md @@ -7,12 +7,12 @@ sidebar_position: 10 # Install the Server Components The Password Policy Enforcer (PPE) server installer includes the following components: -- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) for more information if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. +- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](domain_and_local_policies.md) for more information if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. - **Configuration Console** — Graphical and command-line tools to configure PPE. Install this component on any computer that you want to configure Password Policy Enforcer from. This could be a domain controller, a management server, or your computer. - **Mailer Service** — Sends email on behalf of PPE. It is typically installed on one server in the domain. :::note -The [introduction](/docs/passwordpolicyenforcer/11.2/index.md) has more information about these components, including their system requirements. +The [introduction](../index.md) has more information about these components, including their system requirements. ::: ## Manual Installation @@ -43,7 +43,7 @@ To manually install one or more server components: ## Automated Deployment -If you have many domain controllers, use a software deployment tool or [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) to automate the deployment. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install only the PPS component and immediately restart the computer: +If you have many domain controllers, use a software deployment tool or [Group Policy](installationgpm.md) to automate the deployment. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install only the PPS component and immediately restart the computer: ```batch msiexec /i Netwrix_PPE_Server_11.2.0.148_x64.msi ADDLOCAL=FeatureServerPPE /q diff --git a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md index c9613683a6..45aa00d0a0 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md +++ b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md @@ -6,13 +6,13 @@ sidebar_position: 60 # Upgrading -Check the [Introduction](/docs/passwordpolicyenforcer/11.2/index.md) to ensure your system meets the minimum requirements before upgrading Password Policy Enforcer (PPE). Also check the [Release Notes and Bug Fix List](https://community.netwrix.com/c/products/password-policy-enforcer/news/) for any upgrade considerations. +Check the [Introduction](../index.md) to ensure your system meets the minimum requirements before upgrading Password Policy Enforcer (PPE). Also check the [Release Notes and Bug Fix List](https://community.netwrix.com/c/products/password-policy-enforcer/news/) for any upgrade considerations. -You can upgrade Password Policy Enforcer by running the installer manually, with [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) or another deployment tool, or by running msiexec. If you use Group Policy to automate the deployment, then copy the new .msi files to the distribution point and add them to the same Group Policy Object (GPO) you used to install the older version. Don't remove the older version from the GPO. Group Policy automatically detects that the new version is an upgrade for an existing package and upgrades it accordingly. +You can upgrade Password Policy Enforcer by running the installer manually, with [Group Policy](installationgpm.md) or another deployment tool, or by running msiexec. If you use Group Policy to automate the deployment, then copy the new .msi files to the distribution point and add them to the same Group Policy Object (GPO) you used to install the older version. Don't remove the older version from the GPO. Group Policy automatically detects that the new version is an upgrade for an existing package and upgrades it accordingly. ## Upgrade the server components -The Password Policy Enforcer server installer detects existing installations and upgrades them to version 11.2. Follow the [Install the Server Components](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) instructions to upgrade an existing installation. You don't need to uninstall the old version first. +The Password Policy Enforcer server installer detects existing installations and upgrades them to version 11.2. Follow the [Install the Server Components](installationserver.md) instructions to upgrade an existing installation. You don't need to uninstall the old version first. :::warning If the upgrade is major, for example, from 10.x to 11.x, then you should immediately open the PPE Configuration Console after upgrading the first domain controller in each domain. This automatically imports the configuration settings from the old version to the new one. @@ -26,7 +26,7 @@ Don't run multiple versions of the Password Policy Server in a domain for an ext ## Upgrade the Password Policy Client -The Password Policy Client installer detects existing installations and upgrades them to version 11.2. Follow the [Install the Password Policy Client](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md) instructions to upgrade an existing installation. You don't need to uninstall the old version first. +The Password Policy Client installer detects existing installations and upgrades them to version 11.2. Follow the [Install the Password Policy Client](installationclient.md) instructions to upgrade an existing installation. You don't need to uninstall the old version first. :::warning Don't use any new features while running older Password Policy Enforcer components that may not fully support the new features. Netwrix develops and tests all PPE components together as a single version. For the best experience, use all the components from one version together. From 05ffe545424a835af6fb4360e8b11a27add1c8e3 Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Tue, 23 Jun 2026 11:26:17 +1000 Subject: [PATCH 02/21] Fix "Age (Min)" --- .../manage-policies/rules/minimum_age_rule.md | 20 +++++-------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md index e16ae74d02..139d1fb768 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md @@ -1,31 +1,21 @@ --- title: "Age (Min) Rule" -description: "Age (Min) Rule" +description: "Configure the Minimum Age rule to stop users from cycling through passwords to bypass the History and Similarity rules." sidebar_position: 20 --- # Age (Min) Rule -The Minimum Age rule stops users from quickly cycling through a series of passwords to -evade the History and Similarity rules. This rule can only be enforced by domain policies. +The Minimum Age rule stops users from quickly cycling through a series of passwords to evade the [History](history_rule.md) and [Similarity](similarity_rule.md) rules. Only [domain policies](../../../installation/domain_and_local_policies.md) can enforce this rule. ![Minimum age rule](/images/passwordpolicyenforcer/11.2/administration/agemin.webp) Select the **Age (Min)** checkbox to enable the Minimum Age rule. -Select the number of days before a user can change their password. +Select a number from the **days** dropdown. Users must wait at least this many days between password changes. :::note -The Minimum Age rule is unique because users can't comply with it by choosing a different -password; they must wait until the required number of days has elapsed. The Password Policy Client -consequently handles rejections by this rule differently to other rules. Rather than displaying the -usual message components, the Password Policy Client only displays the Minimum Age rule's Reason -insert. See [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md) topic for additional information. -The Rejection Reason template, macros, and inserts from other rules aren't displayed when a -password change is denied by the Minimum Age rule. +The Minimum Age rule is unique because users can't comply with it by choosing a different password; they must wait until the required number of days has elapsed. The [Password Policy Client](../../password-policy-client/password_policy_client.md) consequently handles rejections by this rule differently from other rules. Instead of displaying the full rejection message, it only displays the Minimum Age rule's reason insert. The [Messages](../messages.md) page explains how to edit the messages shown to users. ::: - -The Minimum Age rule isn't enforced during policy testing, but the test log does show the user's -password age. A log entry is also added if the Minimum Age rule would have rejected the password -change. +Password Policy Enforcer doesn't enforce this rule during [policy testing](../testpolicy.md), but the test log shows the user's password age, and adds a log entry if the Minimum Age rule would have rejected the password change request. From 6411231ebfbc89d650416fe9e6655375e59489f5 Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Tue, 23 Jun 2026 11:35:59 +1000 Subject: [PATCH 03/21] Remove redundant "Rule/Rules" from sidebar --- .../11.2/admin/manage-policies/rules/character_rules.md | 4 ++-- .../11.2/admin/manage-policies/rules/complexity_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/compromised_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/dictionary_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/history_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/length_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/maximum_age_rule.md | 2 +- .../11.2/admin/manage-policies/rules/minimum_age_rule.md | 2 +- .../11.2/admin/manage-policies/rules/patterns.md | 4 ++-- .../11.2/admin/manage-policies/rules/repetition.md | 4 ++-- .../11.2/admin/manage-policies/rules/similarity_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/unique_characters.md | 4 ++-- 12 files changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index 001c02dccf..d6fc4850d1 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -1,6 +1,6 @@ --- -title: "Character (Granular) Rules" -description: "Character (Granular) Rules" +title: "Characters (Granular)" +description: "Characters (Granular)" sidebar_position: 40 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md index 13b8371cf6..e01d8bea48 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md @@ -1,6 +1,6 @@ --- -title: "Characters (Complexity) Rule" -description: "Characters (Complexity) Rule" +title: "Characters (Complexity)" +description: "Characters (Complexity)" sidebar_position: 30 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md index 87912ebf8c..16e62e619c 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md @@ -1,6 +1,6 @@ --- -title: "Compromised Rule" -description: "Compromised Rule" +title: "Compromised" +description: "Compromised" sidebar_position: 50 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md index 053456a922..f6dcc5a249 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md @@ -1,6 +1,6 @@ --- -title: "Dictionary Rule" -description: "Dictionary Rule" +title: "Dictionary" +description: "Dictionary" sidebar_position: 60 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md index 86196d7bf5..352ba2f307 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md @@ -1,6 +1,6 @@ --- -title: "History Rule" -description: "History Rule" +title: "History" +description: "History" sidebar_position: 70 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md index daae138f9e..3d80353498 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md @@ -1,6 +1,6 @@ --- -title: "Length Rule" -description: "Length Rule" +title: "Length" +description: "Length" sidebar_position: 80 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md index 75e026d368..cf982a430e 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md @@ -1,5 +1,5 @@ --- -title: "Age (Max) Rule" +title: "Age (Max)" description: "Configure the Maximum Age rule, the Standard, Transitional, and Warning expiration modes, and email reminders." sidebar_position: 10 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md index 139d1fb768..8c390ec065 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md @@ -1,5 +1,5 @@ --- -title: "Age (Min) Rule" +title: "Age (Min)" description: "Configure the Minimum Age rule to stop users from cycling through passwords to bypass the History and Similarity rules." sidebar_position: 20 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md index 2b67b05ac0..21c61034be 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md @@ -1,6 +1,6 @@ --- -title: "Patterns Rule" -description: "Patterns Rule" +title: "Patterns" +description: "Patterns" sidebar_position: 90 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md index f9f3b55c68..a265c33dfc 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md @@ -1,6 +1,6 @@ --- -title: "Repetition Rule" -description: "Repetition Rule" +title: "Repetition" +description: "Repetition" sidebar_position: 100 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md index 2a4cfb77d3..e980c94507 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md @@ -1,6 +1,6 @@ --- -title: "Similarity Rule" -description: "Similarity Rule" +title: "Similarity" +description: "Similarity" sidebar_position: 110 --- diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/unique_characters.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/unique_characters.md index b041e1483c..0ba8ea73ba 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/unique_characters.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/unique_characters.md @@ -1,6 +1,6 @@ --- -title: "Unique Characters Rule" -description: "Unique Characters Rule" +title: "Unique Characters" +description: "Unique Characters" sidebar_position: 120 --- From 2d3c01585e1f1c466e7e03c021257da30aa3628c Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Tue, 23 Jun 2026 14:10:05 +1000 Subject: [PATCH 04/21] Fix "Characters (Complexity) Rule" --- .../manage-policies/policy_properties.md | 13 ++++++- .../manage-policies/rules/complexity_rule.md | 35 ++++-------------- .../11.2/administration/charcomplexity.webp | Bin 15294 -> 6708 bytes 3 files changed, 20 insertions(+), 28 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md index d127278071..cf1787836c 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md @@ -29,13 +29,24 @@ Select the **Default characters set**. The default value (Netwrix Password Polic users to comply with rules that use the Password Policy Enforcer character set. Choose the alternate option (Windows) to have users comply with rules that use the Windows character set. +PPE's default character sets are: + +| Character Set | Default characters | +| ------------- | ------------------------------------------------------------------------ | +| Alpha Lower | Lowercase alphabetic (a-z) | +| Alpha Upper | Uppercase alphabetic (A-Z) | +| Alpha | Uppercase and lowercase alphabetic (a-z and A-Z) | +| Numeric | Numerals (0-9) | +| Special | All characters not included above | +| High | All characters above ANSI 126 | +| Custom | No default characters | + :::note Only Password Policy Enforcer 10.0 and higher contain the Windows character set. Password Policy Enforcer 9, Netwrix Password Reset and Password Policy Enforcer/Web 7 (and older for all products) always use the Password Policy Enforcer character set. ::: - - Some languages such as Japanese don't distinguish between uppercase and lowercase. These characters are in the Windows Alpha set, but not in the Upper or Lower sets. - Characters classified as a space, punctuation, control, or blank by Windows are included in the diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md index e01d8bea48..f8562f22dc 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md @@ -1,44 +1,25 @@ --- title: "Characters (Complexity)" -description: "Characters (Complexity)" +description: "Configure the Characters (Complexity) rule to require passwords to contain characters from a minimum number of character sets, such as uppercase, lowercase, numeric, and special characters." sidebar_position: 30 --- # Characters (Complexity) Rule -The Complexity rule rejects passwords that don't contain characters from a variety of character -sets. Using several character types can make passwords more difficult to crack. +The Complexity rule rejects passwords that don't contain characters from a variety of character sets. A complex password takes longer to brute-force crack than a simple password of the same length. ![Character Complexity Rule](/images/passwordpolicyenforcer/11.2/administration/charcomplexity.webp) -Select the **Characters (Complexity)** checkbox to enable the Character Complexity rule. +Select the **Characters (Complexity)** checkbox to enable the Complexity rule. -Select the number of required character sets. Passwords are rejected if they don't contain -characters from at least the specified number of character sets. +Select a number from the **Must contain at least** dropdown. This rule rejects passwords if they don't contain characters from at least the specified number of character sets. This number must be less than or equal to the number of character sets selected below it. -Select the available character sets. The number of available character sets must be equal to or -greater than the number of required character sets. +Select the checkbox beside each required character set. Password Policy Enforcer (PPE) has seven character sets. The [Policy Properties](../policy_properties.md) page has more information about PPE's character sets. You can also use the [Characters (Granular)](character_rules.md) rules to customize the default character sets. -Select the **Passwords must always comply with this rule** checkbox to make the Complexity rule -mandatory. Password Policy Enforcer rules are mandatory by default, but can be made optional by -changing the Reject passwords that don't comply with value in the Policy Properties page. A -mandatory rule can still be disabled when a passphrase is used. See the [Passphrase](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/passphrases.md) -topic for additional information. +If the number in the dropdown is less than the number of selected character sets, then users have some flexibility in their choice of characters. For example, in the screenshot above, the password must contain only three of the four selected character sets. :::note -The Complexity rule uses custom character set definitions from the Character rules, even -if the Character rules are disabled. +This rule uses custom character set definitions from the [Characters (Granular)](character_rules.md) rules, even if you disable the granular rules. ::: - -This default character set contains the following: - -| Rule | Default character set | -| ----------- | ------------------------------------------------------------------------ | -| Alpha Lower | Lowercase alphabetic (a-z) | -| Alpha Upper | Uppercase alphabetic (A-Z) | -| Alpha | Uppercase and lowercase alphabetic (a-z & A-Z) | -| Numeric | Numerals (0-9) | -| Special | All characters not included above | -| High | All characters above ANSI 126 | -| Custom | No default characters | +Select the **Passwords must always comply with this rule** checkbox to make the Complexity rule mandatory. Rules are mandatory by default, but you can make some of them optional by changing the **Passwords must comply with** setting on the policy's [**Properties**](../policy_properties.md) tab. The [Passphrase](../passphrases.md) feature can still disable a mandatory rule. diff --git a/static/images/passwordpolicyenforcer/11.2/administration/charcomplexity.webp b/static/images/passwordpolicyenforcer/11.2/administration/charcomplexity.webp index 160b13d0e84b532ebc10c52d9d52b642a7c70a2a..e83b52bb723fbea9472f444dd92fe582e07b5d91 100644 GIT binary patch literal 6708 zcmYjUWmFu>lExioaDqDocX!tWhXBFdAq00B+}#HTcY=EeHVG~v5P}Tu4#8ROyKm3# zk3QX1r@FMIJ}qSh1vXMRIDL5;4LuDZHR{(jCrVf}9HZFOOG7F{h3R-tRO^9mHjPDl zP7e2mz@U~D2+GpjJ3ik1I-J{7C0^D}A6|;IE4mJ^q;igtc{5#FfahlHd1L1d{m%#c(v+eW=m6D>cX7x4}?wO)se)Qe{^Xh)izsQz@N-*LHl` zV-X};kW-~LN^lY3!fSIir&NZ_%XaDF>0inXq4!>H+jL!BY`cD-O5KcM%+qGPE)-eP zX8N1ss9s3Ad;=IgA8M=9Pjz0d{`qI5N8;;Z9r$2!fZ`dv7fmqDe zbjHPFUkmsn39#%=$BVxe_nG~OtO^>^zQ}dTDv`NcT<>pKtz1~cl~l%z|sfD?(ZY1 zJCPn%wRP80mFX@Zamc%;?IA(l)-21NYMa9#ZmzZ7N8sp~V zJoH(nvoV}#!#^NI$6-~*nY*=imWxSm5-UgS+fWL!#QEVLS-`OIZw2C77F z^VAUPemQjVoY>r#DG=jpDHHVm_Tt?}`)I|+KtK<%cVw5FOAQ64ij)h`KZ;J{&Mj}X z#_OHqIQmC#$c5%7-%K(h(8!qn;num4?w{_!wxc0!!YSK6^fOxyFbc7Jgv^>hNlyAW$n0 z?;Q)_NGY@y`wq)1!lq@K?#j1 z*$U6_a7=OCs~H^OlI>`nCkO>jaxs14biqvUo2CQ@5z&pk<2t;)??2$JT#3Yhuc_o9 zrmN?*b^H~RBYRQ`IhkoW3awOc+%?(}pI%t2-aN^7OycfdW`< z9Ghr+l(=1aIX{KI*b&G*p)N^V1fx_C_gf3gY>6JwWwuEyC(sWZ@F(|eG9KLCg9lX2 zS)aAJ!#sy|`n8Y{ajxoYV@4ayR0D2uK^)-il{hNeA|iPa+dUf%w zf5`o*aN+bJlz?$KZXIfR8i8!egOIyD1l>d7jd!U#B<$7g`0nRsAdJ~Di}Gj@)Q|gI zosIL!GT_W=cQ|Av9o+3?xy_sd@)ckf`&H>Wi?9SUMwk|0p#_l@j5mbtquHH^awD;$ z;PjQ>Ln_hC(eF$2elZTzLq&_%0dzfl5Jd=!HUnaN3gcJeVqMBb%Dk#xz*T@pzTHqE z)J&u)#MX4)#bMu}T(6v8k1GM{k(;U8(y)THfgkD3HM zLbth-GA2@GiuZw@;r<0a<(Qz9Ho6o*th&bgH+*TJd&Q2|tZ*=0rwliZC(A)Hh=r^i7 zu$b}0OTTsi;Iz^8G*jXbq~^o<>(X&0pSGo)xU~D8IV@X^qm_n(S)R4ei+*mq?Va~& zAJrAyyYZR(v?PHp#h-?y-8Ml?26>{Fye1TPql1!# zcRsAV?HEq^r{m8aP3!bVs-X$Dpy!R8`lQXTBck_{3f8={gxaA=lLi^nE$Bn8Zyw5y zhqMa=L|RmW8e?e;hJj7Hk40rsNuQ{${^b1Sne*Bpo>s=mp@;52&81Vq0#%cD_gS~<%{*zQUxtnb2 znu+})MyXcyXe*94pjtU0RZ;V#(uuYtdZ>Q<7Q8%PCnk^GY@nFGwB2|zQ&FG$;a#x| z#83R>t-w)8FMDh_j@KVU%GN!m4crYyt7ZH{ zsDjueL_eWX`YaI15}I6lYe%OQ@oFH1RLs2U7IuU@!GtUxaCjQd+4EU;ukuv4hcamU zV~~8p!+s^PET26tiyK}TiZK3UOIj*45UAF{YqO+V7?vvr4E-6=En`njgr2HzoNh6) zsu=NK#aOCc0Bg=YkDbcxAJpCurm#K6_tHv4G&TPT)L?$CJPH>BR8FYGta1@zoPc9kpL>KH2zrd=CGrky z=DxB#38$0_#`?4KHu_S^N)Luq7HYs&s_lr&w{)W!n=A%K(?<+Z{`;Djgu7F5!RG)> z+nuMUYpEV67Occg0Ms`TIL$ErrCSWyoiZBA;*I?3IOX+l6AQ9)TOj?lR8lJHyk%-P z_50x@YfiL;9JkX1Tzu2pJpVqyqlQ5}YIYgf4(9v>bLA}wyW}&P<|B#s(rrvo-C|>O zP15Lal>XW3jxp|?k;j|zPRK+&l7Iv(;_&i$<597Y9LtH#=f}>PViCpljOoky)3aso zI+2Ox9Fya1)88rYn+sUEE2uZH>xusJ+N7i%(5YfW@_+Bj;McjrS?0G2SIw#Y?{!Kf%EMR8E`X8$nKPCA`|p9OSVBf<2! zfEk-SLeR~3P~%SISZGm*`j)vi3R%@VJTd5=2_h}x^m{l|t~b?xRbuz)R8S zq}s-gOsQa*F4?#?A_e?=;WapBS>;}WCARbT0MxU@!I|uDMI#h)HfN*TqG#{R7OrV= zDwWhg&(TOv8qRR9?k2n~|E$gc9`7HUyboWDB0ruHYl6yTGex%%yH_?UWn(S!3tQ^q zGNOJJ#Zk1xaA*}^Ii#{XcRUc$sl-9>@z$LH!_VZp)s+nihc zv*Z`J)=$z-!V|VZyMm#x8jim*7Etg&+}i7_IH`F~RdpNO36}e@HirB&SnI}wgL#5% zTO@@w7WifA1^)I2bPRc$TOMsmAK{f4c_sK)qmEc(-~y~Sw!?TLB4ND3AJQAN%!DztE>AACB&@vzW#wRa0c56OWHxFHSXJ;oX?-)Ym*_|GM* zOqG$=StU7%(>-asDhH4XsAB)pJp4gk$Ha+yy0zs9$Bx5H>f ziElm?9DMtB_NJgV=5@zEriA@E!Rt+^o0h;nw58qtJC6$w={sV3oD3J7NE^I^rQsGD( zplnYKtk}WbID#7>JQJ|!zhn}@&AeKp!8l18POP;1Z9wWb%6?Th^r2r(3x=<((0^I} zU@5%lsp0j0p#V3DXrzrx%rZY~GxVV>x`=wWJJ9|+17N`i-q6-LP1uh3TqqOJ6mXua ztO=Dd*UUizt=WNGWKNKaqyi?Isu6FCtik&+b|eX$&Jb#H+JXq(4uyF8A(xFRq*sXo zV7Namsp975)4dqF3~MCc9GB3hk{2(T55jqs5p~CDiYA}LV%lgvmaM;}&{U6*7rrAq z9P-8(DRNW!nO#7<4V^;B1OU*%WQ8t>1eOZ0f6!Kg&D;uEx|O{CSTGw#G~|t%BF6}u zs?Kth!UD>uYtEKw5rv2_@jOpU((h9fAH!6rCE_uPl)4QKQR7BN&7UyUBNP(3QV&@o zPkTCi!DhtKQxA`q#uKRBQUR;GMY}uHUS{Y+f_7&c?XfRdSO1j%8Fiz3L$`*X2A;wgLvN99RHsfhXP?cV*oz1`O}q6tH2TURW@4Ex zqK2aq0q42wGxqJT8FHaXJe;^cxHEqZQ4^#Bm~B#Rt%^zD$=7poc27|}FvcYAUjdY* z6m;{9Zx9YI+SPM{26v{gh`r;=<>=xYya=^G5!ykS*t(SWr%WNi0hXS@U)yN1Ixx`B zSLudT`SKgYCX)OjXC=-C;;tSyv12jMj6YJG+wiD2BHUJO{P!S@(f%zoDvA`n_Y)|| zQUSETNa|Z#c5PJ!HG5`1!?UA?hZw1Z3e+ARDgH8S{AmyK7Z|NRsB$R)9bgiK-cC=W zx9-~J5jzYK`2Aer+GFYDCu_f>6%C)kp#%PHRE7aaq8-+Wf1 z1oV$)Tyu>&ET>M2lmvz9Elm~NXZ^KTT#vCOs`6)fvzP9spI;NFCPVl5Bty>is$l$s z(P8M`)D)4ipWr;VuT$K&jGt52Q9W4~=}5TBwu(;2BFLJ@F3hPZ#P@ciu@FH`E%Len zdZ6j=cRhf9ThE?wF^x=WH7m3n07vNUtd~~&nSWXnL~#B^#SubMoHda9MG7~%VX<@P zye^4?B^rmc=eBM`GTi4s2gP(e?iHQ;YXYRu7oBt8T-+V_kcd7z3g$FD|BzsX<@%7@{MTe>0OvS_S-OpnVGx@D4 zUoSg<()YCQ02PqnFLRa~4WBK)OPLj4fBk=wtk>;T-(HkZN^u0qxYc};6z+LL0veVK zxGf|FiTKHw8O2&CC6SH(NQJ-|7og?;I#xIAYGIJB*dB=ZYfvgF?pyq+RW4U=C9a&C znAuLiLY5D9`z5;QS6ys3PWbL8O#D^IjtqNqRyH0y`g;`ogIyk}$W7jyN|HR& zFG8T=JB^C%^N7F9D!CvvWLugAv`|Y>F~GnbGyLx9+x?au23Z(I|;psJz4O7 z?1qAEO9~E$5*<9UE}kq*NZ3bY4&hsNO~&evFvn#$$!cO7UxOM)`aEzvZ^$-V1o9(( z({+bXg)2BH<<8BiCVQXM*ZN|F#!rRBu@fn6CmufL0}K9A8Q-5xTrYEo{clNYGD=<_ z&Zd`x1&7tQS#{qg0m3++bw5AKFiZVTc7B$@m72*O#PL@#ADO!wqqCx+oDC># zT|8w6`q@JHl9pRYd-*i2MI8qJS0&<$B(P|F3(nE8i0qQLwGLn;O3x!QPMnuIOD%-7 z!FmVDvJRl`3)+_XFSz?DzLLtI)~cdVT%< z^-)b-o7e`I<@2NpFXhqF@aW6k$)@Bp`ty>a&!^Tt&#z{b%`Yd6pZnos!d6A@yH1Vt z0TI4q&A$K=)9T3N{^kdi8dn*JxTs_YViWLwxwuguy%Qr4TW@!-3&RT6qMBM=_2P6S zarh43+35uGUuHeV9S!a!uC@<3CCq zzz3E&MN`)m#W>E|8dqUhiloz6kE{E3`npVXmXpbgkNa)fQwv{e|Ejt21-kw&DvBor z<$ADlww?T`vK6T_wUCuC37hi%j<9PQ5*S45uxOnX8oss-fe+@V@jrr0O`Jl?K9@nw ze;MuW0_J(Tk~t~}KHAs2m3qj$qRFr)=v{TY870Kt#upk^X_MrNh1Nd%OI#&p|Wj2}Z^e z8EjBxnBAeTK3>J#l)vZZW4%gqG#XI}OHO@9+xm8?#=9)qOuIJ8;0y5kDJ+u5ljb0N zs#adxY_cMWquSTRFKx~dRmV0f&=|1C60Pm*~EX(S8g-~_4FK%LlM1NXVm8iQ4_xl ziXRG|YkFr5-XtVmvX8eFEeLiq(0X?MQ(@wp{TamTgp)Rpd#UC+{KHeo6em4lM$2L% z8V9c6mj3TBX5;`vEZYut)Gd&`CPv$eOfvRCs()m;&hfTkw&6@VASx?KhHgk&-xo&p}3;#_Y{2*Sl60ND;ls>wE4N6J7x!N zAHgXF-2<_<{^cd`5JDxuF^}?d?>kZz;nonoK@O=*yGe-c8fEjq4I=vGB}X<{7At#h zcF@OGy*-aF&zyma9r>`VdF^k5Hxo(C6$B36Bb|3xY9;VigU=s7ZNB=w{LQ6$>;I&3IVmcXf$T3q-i2zb|$Y&trUF9i6q3JPKo`-2dbCz6NhKtXDc(a z{sL^jXIaFhW1(XAs|Ln}*R%LM6~Vz|6==LaM|2U0(zTjiEg#r?X;as_=^4O+i!j=+12My^K(54m10orMdF;+ep|LNus{r`_0kGTxQUCw| literal 15294 zcmY+Kb983S(zox}wkEc1O>En?ZQHgcwlT3av7Jn8Tle>zb6$P>uf13I>aP0LRkgc& zwX&4BcpEPOpdt2CQC*RXsOq2hxf4Jh2#qi(DX4%QN2U}RDakLA=Z^kBgeVL9PfxGm z9w-`Zd-gMTuFr`3wI`s*FNUdm<_IJq;Om!=;GMVEBibw}koQGptNz765$Vc5rtb{+ z0WQ`NRuC=<;(ok+&%Ysjoh%Rz z_gZ`qUfjGYT<(7O{dGz>Hs}qQ1frdD-V4_Exqq*JSbbBj0&fDce^`C;d>?!uT?O>4Yw0KDr@_6!5zvU5%u_1jSlfdr8*wYp)vN;-n+4sk~LHTF6q?xLRt zxPZ@9H@P|;w7Gs{H*(wi=V}GSBp~|gGozm z9&6v&^&)9_+lUvc5onMn|aDEKZ^7r&iB_?OwSRpWS}8X~3%w$}4(O50ob2eSY2 zx(f>0<9{Un$HBWFJ+_Frtbg^nb>_fiU|(Lp7{mvuYx~B|oHRX<|_J=OzN#u z_N{(H=6^f%EcjP;MSWGj6p=RD!i(|^UecX+eZI8@YrX%%pPvIK%(hJReJGm9y80N4 zBYmL5H*u}03;vORSKnsL4*B8zdQOp49>E0J<<|wsfN2m@uAIS0SI(g|UEU#3WI{#C!MjI~rbp5||{WgOmc(pNmjAJVp9Il-hU?Hj&R+h+OSnHre#q$?gvJKbJ!R?TtT7vGMe%1M zWthtW0&a|Y5v`ar=3zPy2&(X}JZ+ZEvH`)EiZm`kcI>cG7Ng17G$h*glK)A7 zceaYy_Fg}GNF&9X|0)juh_}NgEQQ=2=cS(C3@YH@Wog?<9?(`xTEL)RJ4E4 zcy0e*ApWnm|4FNVP>GBQiviKe*X;WA&mc8IU)eo){EY`)*0w_MfAIQ8&UN5s>;|~{ zC0;_Q0&xFKK+yW4`$(f1-FT^3jas`NyVg}=!YL}Q{5cPiIs0XH9h9o0Htt43*PGyJ zm6iD_W$vWL;X;15rDLZiGC5np(rdi!3+soJ z+6%_FB&D;2)M}_8)2{1Jv{ur!yn}P_&R@*Pwp{Q+(75e~q6D82|J3bmf875uy<_g* z{`=knzJa5mfRfSn8nZCE+Qs5=WBD`b*0o9#IyhkUjO#%$ihe;fCh#rN4j>|G;^X^A zl=Sxo(2|R0H?hUzXd9~ho4j{ygT6pzC^}$|k09toEe$uV$O=eu)mYko{M^ri7`apx zYnbqk#tDCVc4Gha+{aPkl~g(NixiykWKa{l$*PLL3M9ddwh#7 zJ;*$vzdWCZx2PQfTM6?XIkBqm>@JeTYj&-w8iiRP0EB5^LN*M)x@#JkKI&4K7|~Ur z+KO)7dTXKK* zD!R^Wvg=>F<%VHciPo! zX#cB4MQqiq$yRV2GW~q!Ri@LZ1Ugk!2$u%lnqbhimihHf(*8mjFZSrkPX=h{hh#A# zg7C^6i;z2w&c+Gq=5_S`D8`xjkq$gfOt@D%i<^W{XAEwNeH~08KIKww9FqFlpD$b! zoaiq1EW2p)($$D~?j%|$k0(78+d6*iz&n3twfjb`kw}q6Wixa)rp6<5Sx-nTV{anO zt7I_I-$V{5X1mUA(jwQ#g1`)#)aX=^pxtiU6Pt}P7!}DNp#Ts7_pJp zaAo+df%-%3QMLCh0dW{RK;;pIdD_~vCt1Ry>vXwF8x93QhjKhh`8FtVIXkxWZgS6R zAo5S*Bk80R@19HtuW-<5tK#(^yC{C;4pi|!zX8YT!Hl$2;%aO2HwVQl4%?h>DlB;s zh}QdmdmI6Kczk)~eoT{%vPkUzm=kSkkL;)WXkKN3`G!{&DqZ?}nc$f4R26&sX+^ zaoTo;=jYt&2}1xp1uE`^f^&d5HEAMpt&qBrL3?}Tq~y0X2#vv{Yogd0m|mrz0w4?k zwt0yNK<@+c`qPb_M7!Un*k9!-jjEV#pj|>O$S@?IKKg<2d$x0Il|M8oEGbY-^n@$x zbCkIdh3iYYY@MqSvbG-?)=xK_rYgVx>Nd>eFf)+(qFlhrZPIQvt#F41vk>k4p5wEX zeAfwfj2sH0H6~I$%zWqqvEGjLqMirq0}vLRSUYRGD6%0UEfCk^uuFKDC)V}k<5;-M zCF4tuC#Dsr%YjuIfFne8MK7?5UT=xe{3o>B(v?cs<75Frcvs?Q(N~+&&ChkNdo$kq zFrkS~P%zwB6E9|@0@uH@XT?3rZR%`or!GWEU5LSf_yyWELs>0DIV|9WO}4h`aYXmw z4!Q!Uu_Z2G_N>OdpG->^8&=m!FruuUFaC_>sI0$|(7_MAw`{P?4N=%8+sNBTAM+rF zoy3N+oY&Itd(KuO>-#AlZ@Tzm;zISyD*9sLjl(pv?j^YT zW`QKN0p%ONpR>m7 z80GGvbI+z3eOFSF7kLrJ%2K<7Ggr}{j0O0{m~+~dVt__iiODs>d{^AX+vSZy_$B@h z4uXKFdeG?kDzBC@{AL%|^Il zvXxLAUlMUFS)ddY63!DKgu)zxf%bFO6zzTJ#!RBu@HRG#jm9cd9xcw0K)f$s!*7cW z6BH${A4le+(*^h!Bg|tx@%=3slSom0mxK~B(+d^tZ*!9$VTHtPe1HJF9!R?K`jCEe zP~(wR6^$9ae+e}WQ2uUFd(qoo=X$oF~+TbHhI4cFJ(=@Sx2SU!78NQjN0EC>&HHL{3A*hA>bGZc1 z4H9zUcWenTNX|ei*Trn{Y+zD0`W3-l1D!`Hm2^Hw?%u5+O+NE!f3{142GHwRd)OH| zl)nXkmN{q40Jq()p72)`y~0PWvS^kaczklik+~c|Tw2%C&r~hP{!v$$#}!!odWU_} zdQ^I3CmuUf8oJD**5A_^fW&zRJ!r;0qNGeWCIc<0glPj+^dm_Yi_vVOBAs===C_uz z3!Q*<)*$JZ%2O0%-Ls9bXQX;?+OQg(wf8pDI|t%a0)>#RbD?H^ zyKdr~-%3lMWjsvtUuE!qg^^PEi<{mWVfa&9N~Q{bq-m13Gu6YT%L4sdpZF6#`n3)Y z6)H-tFRK!NyUol!D#r6&bB?*?#hwv+@a?OK_n&rL{(Z!jryXU26#YJa^^a)fibdaFUmDj&!2 z5H=G1@7*v9phIY$2x zQZe*O;`r#p9{x3|{!v?Ude-3&F$wI%A+hr~Vm~GB)lF9E`r1h$Z zUe48e5Ar?2oI~y1xsQy>Z)tdbm}4%d17kK-B7-+!5D@MJ-rZ=uEm}Fj%MUAXjx>+9 zWBH7+L*PY_du(-N6pw*b5skP~t0yf@qt)mE1Ce7h(qmAf!I)g}FrsXV%n*Bxi0L@(8t{5#xA#K-cl)poyWg5(~MLUd zD#*+QlJbpcUEdbg_q8qM;eUeXCanKxhnkW9Hf679W3W@lB_cxd!#c{X7DLYJzCh{% zyYr{>BcB&+Mn654P70*SY^c$NK-@@k$7}|yfm=j@(eaK847vldDjJEJi=J(Md;h{u ztMy1r`~pwK4c(8!mO=!zbN4Sy7@WYNo52*vq|#dgOI)VSfT!mEl1R#-WcOYO!%g(*=nsC zHKdTU50dfwn*Jh;177pxt*l(=QZ0IpTr#k1C+g+_UB@W0 zxbIH{34`)SEJC1h{S}dub}>+}LF$n$M~xrPCGPDDup=x0l$W3Se^O+`$>mo7d?e&6 zwXxf8*~bKJVMXM)z5V|D>1HRP@vtjg$8A$ib=vc*I(9!FEeBy_m*5A@+*l$Qt2T=GSM4qUgM83i!0oYCkYG>zT zRJhxRm(oCI-PrP`5uJ5wN6966Aj>NlL8y)>5Z8REsnl&pIr^xnhEOmf7G`u-1IJR$ zjP&+L6vFNINazg6U3XuY;Hxb7nAE;glz2p%17xJZ{IzBz=4P-Vyug@pXl9>Bo~%x_ z?bPjGU;W12>skoTRsL?1{3S##PeYXX^iTKQQO(JovSBtW~g5sER>10QuO$6OK zkns0!qT<(%0_@uncFlfXNJ=yBYdL)}5GY0!j)ui~G(zIwV}`bWJ3SB{s7c z$ozYQ;Vsn)&Vdmr&sX}5({Mh|BidLSNskINWt)J{OdjVuq9!G%=S6X!K&m<;C7IvgL*wP+VVo4~H@ht?ZYfRoabvi|w!&EWR1S#N?rp0Sw{ zyKQZ5`0jYv#tx@n4>$MBrFb>YNrYU{XIr@T%pvL z6HpaFg0)?|_RZSf2^Um&DJ(>0mk~q``%Zv{I)wq)0Ta=^xH$lrF^kWF{v7Y489`Kj~tc#q6A&SL0gl?bCl(ODQ2mou5aiGm?1&g zH;*XBj-@OT#n`iIR!R!J(o`msFc`J0vU=Tu4ec36UjpNk;&LbEilVP~^3K)~7;(hLT> z6j6JklrCJLkFL}z*0DLh!D1Oie&r}-N!UPDHU&bV~@qu zSB*#Ee7Z6g*m_Vkt@7bk=9m89r+E)JnyjJ2da*~{bz1W8GR;7X%jHFl)5V27tATQ9 z8(qqt>GF0qT3olaJqIP+B(Wuuo4sC2-CM|S9!TEn8P9YiwPl`W$uo7v9jggN7^`p> z*)8l-e90qm+k@s;Eim+fxeT}_n9hd3S6ny8rJ{D)CeBZqi76Z7zQas7=({p{4yDa? z35WMyc_4;g9KRnot-MMx$Vy5^%IDxpW^%Bgc0dJ952#0nuUFQ+o*^Mi(qx=(of&Va zh??zb{`-|oUVLZv=~U&AmCyKj-Q>Xs!@vgUqU?_MX#f>A%US_U!AK}}Zy>E+oUFZE zXO3~wyBVEzf=yr`1VA49Oc-F@_Aimd8Od*!^~QdZ$-YB$oE}qJSqnuIwq){=t_bF& zf(uW3&iq{MO@0EMF7e)S` zec5_#GK**k;u$1F8Bri`*hZG#W|WJSOj^u?zg!9%Lx_(hQtke>OK{32dZ{^s%S?{g z6--V3!oO!pOeNdv4!q3Fr;&Q&5W8Y%{Lchp`5_ZH~ux@wuDCAL&lXGXl$a$kLWhfoDdt zQnV~gwBlLuElf7ssCOw?6y)EI#svA47nD-!axwMXzj$4O`!e6MDVbBD*P#PFrpE)A zp|L(T@IQKtP<&@lh}S)9;B-rT1IM9*hg4RGUJ1%qxTAP)WiaI&Z6DxdVVp45tl%0j zA#+nvDf@1BQc7T$y|^AP!vJdfW#6iB3<{J%RfTD&5D@h)G=UEQxJaZoKPuuUV4) zjwO7RAMQSPAfp7oJ2+=`Zus*8De8;OF4d}MS{)HBBsU}MdjvePRD#O+cd!;PB)%#I^`zVDV4LL4MP5NgTKrYc< zbz!J)yVugSF!-{>>;OvcS@62L3ck1`VS7M?NARuU*}lImeB1IWoJm9Lk1K@;%`0lN zSf9|;ik|QEi0{e_$5#g`qnh}~@%wh7EKQoU^F0*~L2K|5_!1%8u|IH*QMi z)%E5MyFBG&%>`Ni9=8hx#nj)_B;fM?g7LXYxXAbgdUEn;GO6!#j!=4;2DUAwr%*+l z&Ydq-@@a;N@~wS|P}j;F!Q=k+;G}gU5!{L13%l-+vZUbvwIyH+>wG!fmT5h?9T1lW zRV>zVQR5QuqRlDUz_V*Q-@L7)KbOSk7{so&6;H<0`gA!WfO*G_c{&g351#LPdzxj3H+MPG23ZYq%2C~b`%qF3iZ56=mh}MNwv-LP-cIPZ8+VYc z3A)(w7&A6<=1ocvrOAn}P!o`U&?@PUobR%cO^a7de4TtzYkjYZcD!pDUa`*!v;3T& z3@f?A*_)?bjBKo@#n$ zm|$kSG3>0XgXuHRleJCSpgbm2=x{GN4Z`s#r$1`*!+$ZI;(tF3qG-sle@Q)juF@0I z-V{P0%bD?hLPkXBN3Lnuy{picE*gy!$i`HAG2qHKn4@SRvdiC*?didM{u-2JXZ5+$ zV#U>EFf9=z`ugsrOLsn3N0(JWav--`rX}35*pr1|>(-d&oq91?AGIVRv(X0UOA8hF z#Rd~iE*(sp!eU1aE&PM_cAvga?QqfG1bI;PLeXTQ7?YV}d^XmLP@0ydCjSzFX-_5} z5NrF+NbJe#ChO@pYKm9_A|=^4K8Vpyp9N>>YsRnk#>(*GJ`7Ia-LQ3ENu`#Un9kRW zkt!J%z?1(*dJC4-nsm}ZG;Eo}$ckDx))3StRav2L+KIQhJc1OeS}^8zflM|^pJ09r z&tv7zSU?6{WT>|BN6wy^R9qpe&>dmUXSgTGoxHHa)5z+{0(;#PsgIo6JZoT3f@l{H&beROk{{<;Y27S>;bMfaU{rL7cKKu> z(KJg@j?H%ay_B|ae$KXz7UUtY&yK53<S*ps`uT?df&X?F=0@UYFvSRHGmh)3(9 z!6@JdfV7Gq8GEzQqBK>C`H7 z66b2WQJ2h zyu%^%pX2#-5v9a2CG0{Hm)B+*RrpQ;CACaW`>HOFQRr_)zo)R#Tob0qv7yE({Fwu= zT8{XlztW@1C#tu>@aaW*oe(sHcJCN(0Wcz5c>XBP z!jpS61P?Zp`GQgT@Nd+Ke~J~~@~*1HLaCg}{s2(76J@*jqbj)FqH@^lb9@(GE}hPA z%;wnrnsV(zag!#3W7qXDTYea3ZGjThW0fgSN0Ne7xBu#CaW@X01K~iZc@X(WgsO=R0w@S1%v}3&gz2d6{fsPq7 zoAS^$LS*@BHbvttU$rXBm=MYq1#&WCR4(-F2%88Tk_2W^54*VrGx5>#<^0m8B=b4! z7!|5nka(kJt)j=Lt1!lI!?p==*BF#@1tKjv{v+L?@nYOQ42OYz)%1E|>;bnr{}cdb zuI;J^f9m)+4V3r$U^i2nB24^`b8^{yB&`y4gXQsNVs}M#9Ipi{>HIRI2E!hDjmj`O zZI%k(^1Iad=hfp_br8;)tUuJ0V5X^YW zF~xvy2sEgYw4Fck?P`RL$XWV4qOEqW25=?FZBE9KtRI3*KW-z5aC;7fW**!fZa5bO z77K+62WBlF7sTt7P{{dfHR?~t2$2%Ib7fMYqqHI!gPT}5mZ52H$(txxWJ^Suobcm^S&QHN}Ou*G>qhu3s9Gs_c8tG zui;bv^RTo@T-XilcVX#VC`$JdvMLHB=9LCFtF>Aa0-^pA34*)d!M-M>C4)#xz{OKj zFTt6te?j4XwuK8rKlJ6)s88HqtX*z-{ZImeR8#LwVS=c%0 zA|D~bYdzHglDxC){xr0AV)96vaKYXgx{|A!hsIJGvLWKxP}E~9 zork170p5pVGR>VZAVPzrgMhF(2P7+r(G_w1Y?QI9mcAxOGx z$YsAPDTMaODx5c0qU;qx0!6UPkmo%~DG&mR{KX@%D8BB&^omHxN)rPdj*ni@ac{~A z*?iUOZ7A&?DO-c^RFNn_!mXGo&X!i%k|IdgOih&7B>pPW zK9fTvK|;gzwyQh$risr6_;QXdJsy=)7XJPRG%lq%`HO84o2hb>hib7OId4aNF%&?B z^Z~=`n!4G6S#;R|4)03^5JXR}2B}ZQAuK_fgzm!OEmY;m%-UQyl!X;+lc_y{GH@_ zB89_a!-$yNWnmED`J@e|M+P^+-uQPiifsqP+HTA+!m=||I=IIgs3hoUxqnatH5Wtf zKmMXBZYJSGM)1$ic+`4saEDJ5UE*mQ;l#HSDL+O`$IGLjA=BFn8Ysl}lhJf(LYo?) zSfKx*c?5QtvGs*GV3k5%2wq!vg*cS-gF*|Q+9B?~kh_n3)fLcpo4-yJSWL64Dw)m#DBZ9>S`C;B51dB zS0jV9k5cZN@0y1=-MJS-a9pkpF);}9y1S6)oHo?OuxEmuO1ey4Ni~8Xd&A*nm^oc= zhicX@QDd)O1m2F;i4xvTt%u?yk0MO0UI(eLEQLWH`0iN_F7brFAk^mg?MR>r(EK|(}o9e*fI4JuR&FGTo4#i9L;F@zL8Ym|Mj-tShQFma}WrGXpH7yIjp zQ0{S{2t&uFvcVZPKAhWff#~=ShxN*gO>V`eLs)*W-7aaplNkaM4xT*3QpPv4aJ1*0 z<^^o8*+|J$9MWRLP#TRq#q=pa#*@!csN8^kk0#R*&5Jz))3LxRXw|OzSHOKXyc_F6 zmqf{Kxt)dIa5f}3ir53&cxT`76Tws__7f&C-MmHxA9Lqn`XJU}Rrm%jIxo6G&M(q; zDUsue+1r1rZdg+kUmqAV{&)wcX%Jg}=rXW<2C?NEflKrvu56b&B@5sesw%YSN9ib9YV4~9J@4QHWOH#udS@a<>{GG=Er*?Z#SJdkBat3T+e68n? z$Zf=-K91>0Jf>EbadURM7g0}EooXPZ^<2wBU87RXr zv33jD8-H6w{7cmmxN zTeWv8JaB_@^NOyLrf2o-pDTwvDciY;t%mA3zF9Ox%CKIe-}!B}z@);JLZvja{1HV4 ztsF*3KvX+c=&;O^_dXY=^s9`Q6S%*y;GR;nmO9giW2mL{dI3sFwh#N_btpy6utN}={N1_G73 zoonWBv|l2NUL%z?qnYDJo3j51h!o*`D~xSl%&-ri4%Hz?UP}IS$A%lk2`j2^`p+XgP(pN(B}Wv;-z;G0RK2$VZ^1;v+(6fGmu%x2XK72Ph}yvxw) zD~Q*Um^Az1z8s&Q&8)NFVT97!n|!FC@NCYE8ZDB;=OuP-o?99Pcf!rtP${!A;0xhP zr!>8z+5VF6&#emqKhP%f6NSG^?t8VTKy=4pRBZH8A5ts4HBkgOyHo*l7zdR9A(gtn=eJT-0i(Ag%MhUF&Y* z$up9ZX?{T6;L$_y8F5WA_kAEK%wlh|dDfCq%<^+C2fKHPE>3@2osg;n$kV0Htg^Js zaHa!78MpMaYvut{zJNIlwg?@yuRPp%!4K3!cPq#8M7LWj+>4Ww`6 zd)#r`tEoohPXI*Vkga<+%D`|%E&i4SZV66TKBSH!lb>4PS}uYOv&ZFO^Y4Mouw^v zBMU>I6eB;pa|g&~aU`w2W~eWHtKm+VOBJ1Qm7NL>TaZGsy`-b40%pfcYPF?ar8RJ$ zU;Q3WHX~?aPhb}h3dPB1NYkGnCOj0*tI}ihA00hlf-OBbNq6g72OHhE-v}2SG+PI+f+dItT=t@2d&vhxZI=npLg!=`w0df-aJ7aZ^H#t< zl!@gg<4gE(m2HG6dD|zWMPn6j2LSSw@dQ#cCmdIgl7kM zGBA<3LcV)mzggF7Mba~y44bE4m(BYQg9NQ>q$Qr=OvQ-l)@$rwzjR{7j(u@X^mc{r8LJhZVFuBt*ts>J-H{l7vM3c|9jE^3PT}1Iv5^vO;Qa zgJw&ynYdbx>ca{}7u}DNjtnYZlL$0|x$)PgKvH2H2caH@oRp6h^MS!)h^qkw)Vkn_ zC%CVq`M;7ATJ)k z)I?@@V`G4dt%Oj1tu*oSWlg2`J8Y*ITr3Ws5hN}NXaSw@QS;48@s;4Yfh{C}Uf++F zGE>2%LaE$y8}je$HV{hhlj7G>z&6w$%OaBM0$Oo&VIgGr^1jMG{HoJ4kczgg7bY^7 zykl7z5?K!dH8A^iSFJ>`SW3H-g}`a)^MIZu#uolT?-`>mBG=so1M+@eS7DPND^HLC zU8*GTQK}4gqY!*_16wU0#TJOy`^e}e1lB8u;5l;5WeaR1s&A`R;si~@{^s&30288L zG7N8bzkx3y!f*GiTu_z3VU19+&)2hGT?LX%2t_{f!>p`xuy41Im28!7dcp17(NNZiOGKOg0T@YNn%5SWy_qC zYAe`=?+nw9E{OfA8ttC`jRB5IN6E(=D@^Eu$duO?3IcmKzGe8zH%)b*ZuHD13ranv z{?<&v{Fjtf0fqO$rhUx2Yi4ZF1FQIT4U!`8kk9$@J|Si4eO3+kO+gkFiZ}qJy9p;a zvp#ya=4iyS>Kau>eQAg|AHM)C)@3MMKA_V!rUC89*(Fz{>VZl0CxpNwB_}R zcB`0|+~MDxPL63awdoZXM@M_obEHxJbE&nDW*=fUULPZhw($F%f!Vw3s9Zs@)gvt- z5?civfWsOH03hlS&T{39z?qz05cUH=$SG5nLmR;5ev)jJlDB;lAzl**PeB0%V9%7C zDX(%KXXyZ)bS4(r?TEpS8RUic^`0Tn&?fJ2)HOx#sD-TS5F>rWp?iq!3lCTHFL2KtFHFXp|_U@LNjLe~#CTC<# zq_T=ROIGz6{VaIPU3&H0NK!zj^vO2z7Yf>8t-j9b76=o+_fI$0^{)Gdw#J6BQT&0W z*d1-v^2VM;FfS16xOA=e>b9s-#7YP%t7~3-XuXyY*ppYnL7|PE3?-xS36(7zWBN$k zBtV!lFahs`ZMN6+^w}8`nO`d_mKo1@0qqV=P38X_dqhK^<~3ORm6qIaeT& zrDjDuFt<$YZl?*nOD~7{;1xhrkc7qP3*xQ$g`*0+6;Tj%sqlp5orr(5i*C^t2Eq zUfgeez$-M!_pDo#&TkuHUGA?523>!jRnupFfD*U2%;2dp2hXaYGz*SoAOb57Lai_~ zga*k^Doh0)WKxYSN)yx&=iw0wWsOG!s0`iGbRR!4^o5^FC1M!M7j9AgUe;${?A<=~ zmaR&fIr49(S>(FqC1^sa-5zDMYhH?^uFQQfU2^p_eCOcc+DG$06DLH+TJmVal!ob`zrUx!(i@zj%J zIN<7T{X*_BE)Ou6o*_A=lxFM$x64X6wLL9_?Q`i9doP~A+7L_`?6*}56J|zd9yTKH zi-gOmHuVYIvMhPr$#*4U&BXuHp%;DxqE=yFTSZ#VOGC7_cp5DY3k~T(WwNk)nD)-b zFxTzCiCv@&^UC3f_=sn_T6_bYb&$n0;P_@c??rj|mfVT}0`SDyHcdJCvnq~p7M#}U zZ$OT6oOIOz(wB(uo3@a;QqYCU-557c^fQQs-zaM7ac-t0m1Nw(;71Lw>e+<@l^5Qk zI;gM@Z^Nuow0VHYVj_Y7oa1jl=6mB-*xVcfRfKYWG6ZEngb@mpqDkmuhkd!USjAuo zJ1%5F9dDi~BCZsMtf*GN0<#<~V^&}jpC9sNcXWyysXW~jNwKvfW!Fj?P<%xqU*@z1dUhx zBpnN5R~kv`m6s*(NPciGdLciX5eOzGWQma!*Ztd5CEKV#;b})yp0-rR>j={-Km1%+ zvhh6co2A5=$uXN!Q1}2)>UpparLZ9(g-k6H70FH=wYsD}ZqJQ>$0KoqP DpC`@0 From 12715d7b627e871c89c46f15bf62806a4f3ae1f1 Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Tue, 23 Jun 2026 14:17:20 +1000 Subject: [PATCH 05/21] Fix admonition --- .../11.2/installation/disable_windows_rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index b338998b62..9d375cabfc 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md @@ -25,7 +25,7 @@ To disable the Windows password policy rules: ![installing_ppe_3](/images/passwordpolicyenforcer/11.2/evaluation/preparing_the_computer.webp) -:::tip +:::note Don't set the Windows policies to **Not Configured** as that leaves the previously enforced value in place and doesn't disable the rule. Instead, follow the steps above to explicitly set each numeric policy to **0** and set the complexity policy to **Disabled**. ::: From ae68c077350eb0f08828c018337f712d9b35fea9 Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Tue, 23 Jun 2026 21:11:19 +1000 Subject: [PATCH 06/21] WIP: Fix "Characters (Granular) Rule" page --- .../manage-policies/rules/character_rules.md | 97 ++++++------------ .../administration/chargranularrestrict.webp | Bin 5246 -> 2994 bytes .../administration/chargranularrestrict2.webp | Bin 5248 -> 0 bytes .../administration/chargranularrestrict3.webp | Bin 15972 -> 0 bytes .../administration/chargranularrestrict4.webp | Bin 18578 -> 0 bytes .../administration/last_character_rule.webp | Bin 0 -> 3422 bytes 6 files changed, 31 insertions(+), 66 deletions(-) delete mode 100644 static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp delete mode 100644 static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp delete mode 100644 static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp create mode 100644 static/images/passwordpolicyenforcer/11.2/administration/last_character_rule.webp diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index d6fc4850d1..1e0383a2fc 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -1,102 +1,67 @@ --- title: "Characters (Granular)" -description: "Characters (Granular)" +description: "Use the granular character rules to control which character types passwords must or must not contain." sidebar_position: 40 --- # Character (Granular) Rules -Password Policy Enforcer has seven Character rules that reject passwords if they contain, or don't -contain certain characters. These rules can increase password strength or ensure password -compatibility with other systems. +Clicking the **Characters (Granular)** item in the rules pane displays the settings for nine related rules. Unlike the [Complexity rule](complexity_rule.md), these rules offer granular control over which characters are accepted or required, and can even require the use of certain character types in specific character positions. Use these rules to increase password strength or to ensure password compatibility with other systems. ![Character (Granular) Rule](/images/passwordpolicyenforcer/11.2/administration/chargranular.webp) -All the Character rules work identically, but each has their own default character set. A character -set is the collection of characters that each rule searches for when checking a password. You can -use the Character rules with their default character sets, or define your own. By default, the -Password Policy Enforcer selects the Password Policy Enforcer character on the -[Set Priorities](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md#set-policy-priorities) page. - :::note -Only Password Policy Enforcer 11 and later contain the Windows character set. -Password Policy Enforcer 9, Netwrix Password Reset3 and Password Policy Enforcer Web 7 (and older -for all products) use the Password Policy Enforcer character set. +You must select the **Characters (Granular)** checkbox before you can enable any of the rules on this page. ::: +## Character Set Rules +The first seven rules work identically; they differ only in their default character set. A character set is the collection of characters that each rule searches for when checking a password. The first seven rules are named after their default character set: Alpha, Upper Alpha, Lower Alpha, Numeric, Special, High, and Custom. -Select the **Characters (Granular)** checkbox to enable the Characters rule. - -For each selected character set, select whether they **Contain** or **Not contain** the specified -number of characters. +A description of the default character set appears beside each rule's name. For example, the Alpha set is described as **(a-z and A-Z)**. This description is for the Password Policy Enforcer (PPE) default character set. If the policy is configured to use the Windows character set, then the characters will be different. The [Policy Properties](../policy_properties.md) page has more information about PPE's character sets. -Select the **contain** option if this rule should ensure that new passwords contain certain -characters. By default, the rule requires only one character, but you can specify a different value by -choosing the required number of characters from the dropdown list beside the **contain** option. +Ensure the **Characters (Granular)** checkbox is selected at the top of the page, then select the checkbox beside a rule's name to enable that rule. -Select the **not contain any...** option if this rule should ensure that new passwords don't -contain certain characters. +By default, these rules require passwords to contain certain characters. The word **Contain** below the rule's name indicates this. If you want the rule to stop certain characters from being used in passwords, then select **Not contain** from the dropdown. -You can further restrict the rule by defining positions or embedding characters. +When **Contain** is selected, PPE defaults to requiring at least one character from this character set. If you want to require more than one character, select the required number from the dropdown beside **contain**. For example, you might want to specify that passwords must contain at least two special characters. -Click the + sign by the character set. +Click **Add** (+) to add more specific positional requirements for this rule. Two options appear: **In position** and **Embedded**. -Select **In position**. +Select the **In position** option to specify the character positions where the characters must (or must not) appear in the password. For example, you might have a legacy system that requires a special character in the first three characters of a password. You can configure PPE to enforce this rule by selecting **In position**, then selecting **1** and **3** in the next two dropdowns. ![Restricting Characters](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict.webp) -If you want to restrict this rule to certain character positions, choose the starting position from -the first entry box and the ending position from the second entry box. For example, you may want to -enforce a rule that requires a numeric character in the second character position to maintain -compatibility with some other system. - -![Require a number in position 2](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp) - -Click the + sign by the character set. - -Select **Embedded**. - -Select the **Embedded** checkbox to require users to embed these characters within their -passwords. For example, the passwords "12hello", "1hello", and "hello$987" don't contain any -embedded numeric characters, but these passwords do contain embedded numeric characters (shown in -bold type): "he**7**llo", "4he**3**llo", "23hello**7**$45". Embedded numeric and special characters -can help to protect passwords from cracking attacks. - -:::note -The First Character, Last Character, and Complexity rules are easier to configure, and -easier for users to understand. Use these rules instead of the Character rules if they can enforce -your desired policy. +:::tip +Select the same number for the starting and ending position if you want the rule to only check one character position. ::: +Select the **Embedded** option to specify that the characters must (or must not) be embedded within the password. For example, the passwords "12hello", "1hello", and "hello$987" don't contain any embedded numeric characters because the numeric characters are all at the beginning or end of the password. These passwords all contain embedded numeric characters (shown in bold): "he**7**llo", "4he**3**llo", "23hello**7**$45". Embedded numeric and special characters can protect passwords from cracking attacks because users often put these characters at the beginning or end of a password if a policy requires them. -You can customize character sets with the Characters option for a selected set. - -**Step 1 –** Click **Characters** beside a selected Character set. - -**Step 2 –** Enter a **Name**. This example uses **vowels**. +Click **Characters** if you want to override the default character set. ![Set up custom character set](/images/passwordpolicyenforcer/11.2/administration/chargranularvowel.webp) -**Step 3 –** Enter the **Characters**. This example uses **AaEeIiOoUu**. - -**Step 4 –** Click **Apply**. - -If you save and test the policy, **vowels** appears as a requirement. +Enter a **Name** for the character set, then enter the characters making up the set in the **Characters set** text box. Don't enter any delimiters, just the characters. For example, `AaEeIiOoUu` for vowels. Your custom character set name doesn't appear throughout the user interface — it only appears in the [Policy and Rejection messages](../messages.md). Clear one or both of these text boxes, then click **Apply** to revert them to their original values. -To remove a custom set, click **Characters** and delete the information. Click **Apply**. +:::tip +You can combine Character rules to enforce complex password requirements. For example, you might need to enforce a policy such as "passwords must contain a numeric character, but not in the first two positions" to ensure compatibility with some other system. Use two rules to enforce this requirement: +- Configure the [Characters (Complexity)](complexity_rule.md) rule to require a numeric character. +- Configure the **Numeric** character set rule to **Not contain** numeric characters in positions **1** to **2**. +::: -### Enforcing Complex Character Requirements +:::note +Other rules use custom character set names and character sets even if you disable the corresponding granular rule. +::: -You can combine Character rules to enforce complex password requirements. For example, you may need -to enforce a policy such as "passwords must contain a numeric character, but not in the first two -positions" to ensure compatibility with some other system. +The Character Set rules are flexible, but reserve them for cases where the [Complexity](complexity_rule.md) and First and Last Character rules cannot enforce your desired policy. These other rules are easier to configure and easier for users to understand. -Use two of the Character rules to do this: +## First and Last Character Rules +The First and Last Character rules reject passwords that don't begin or end with an allowed character. These rules are often used to ensure password compatibility with other systems. -Set **Characters (Complexity)** to require 1 Numeric character. +Ensure the **Characters (Granular)** checkbox is selected at the top of the page, then select **Characters (First)** or **Characters (Last)**. -![Require a numeric value](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp) +By default, these rules require passwords to begin or end with certain characters. The word **Begin** (First Character rule) or **End** (Last Character rule) below the rule's name indicates this. If you don't want certain characters to appear at the beginning or end of a password, select **Not begin** or **Not end** from the dropdown. -Set **Characters (Granular)** to not contain numeric values in the first two positions. +Click the character set names to select them. A checkmark appears next to the selected character sets. For example, this configuration rejects passwords that end with a numeric or special character: -![Don't allow numeric values in first two positions](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp) +![Characters (Last) rule](/images/passwordpolicyenforcer/11.2/administration/last_character_rule.webp) diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict.webp index 76001100d04bafe119e198aa0f8990087532b7dd..0c3f9631ab806c7d730c8253ebfe30a9b9f17380 100644 GIT binary patch literal 2994 zcmV;j3r+M=Nk&Gh3jhFDMM6+kP&iDU3jhEw>w*>lHQ9Bxe|0U#7vp=F$XBtiAn6=A zjDxMK;82wf=_a`XYbeaPFTm08j8B*utgQ9_{r(I7%j4tGi0p1jsfOAx9ISlY9=QuM zgR5}GoD8m`Rfo3Ro$7QRo-)jgXWDRfcgiqx_O4D9rW+UvIn3ZLw4`jw;p!K1=mI$D zhG|Q#Mhx`|gKuCfErX@grHtggrL6FmsqzJ?T zezK8Yhadl?{ov!t?`CGN#YJck`TKVYtO8ZcdBI>^bcUI8UbHd-G-1xt4-NSG&`wq|@y@6rJfQa2$r(x!t34)Te9gKJN zv`I3u1{(G{+g^?$!f!y-wLiA$%XtH0_aJ1>L}R}ljBB4psKcvB8W4vo^xL*wXU(#z z7(QUznL(iD@v<_h9^yKj3yrfZAFg*xvva|iVQB>(3~(42m!8>caV6I3qkDQ929i#8 z=5>p^QMTY@8!m;x$rhZ;^-)N9?7{bL3D`M+G9pHSbBlD65C_(H7v)09{6kP3d;4I^ zGBbY3r>daGUqxnEn}o=NLOTZN9vo%{<6V_uW@r1gLSL8fV9txiN<_$+^II%66^9Wgw5t11{0!Nee>C*G9jzthM?WIWO8NTX3#!r9-<>%yOv=m1V~KiZVqj9X7`P zos=ZNg?xIv%Y7yjlQD5i%X*Qdw;Gt8 z%W&e(;5=G+Z~4M*JoZ1ez2Hj?AH80E7;q`klQz18Wu;$)fKS$e26iIvM!70l1u$`E zMHVe^-XECuqJO>2xsQZ;TFQTx@}DIFI0u{>76Zei_0JAsdR_l_@nz^lZ5grS zI4PU~&Ix3Ybf<^){0{RfmYeu8bfUJ5Si$-aBLk%~!YM&auf>1Hm!T82WyA`4E@C9k z1wCSVeO^y|89Gs0Myz0x!AuJ3by9p8I#FB3QvQ?BAxf%Q7Mm}oj{`A(-wR{7c+L?s z;`B*5QV<|R3c?IYd5(-^M9gX1qTV9BP;Fu{>Ovh+9=(G!8z)7hxhXbna5h%pWD7zt zZQJ3>0M)UBF%%|rVsj+v&Bv==nwpIU5jh(|OIq6Jzvehuf#oED9_`Km|vVCVP|j(b0|JD2YY#J~1M6 znw_k)vY0JnNS=cy;o1CH3L5vo!x+~Ou|MJ*uaE{{my#dk?ZnT zx6%ckC~T`hxS^nK8>A=z4~v;Ql9hVZOVg38dL)u`n`*Vmy?9+SS7SnH=4#v!8!>bm z@wFx_*A>NSNA5m5(*!R~U1o0UUUQ|bcV>cUPOGGsCV1Jnt^^`S zi}ZkP9w1lsF@dy1XE)4NCKKhaNY3{WOWt*|=}}b5ySOO0RUjhv^7?I%q5v2cmJNI9 zYu=)!E*MEUwDSR(xf&bFT#X-M1BOlu%v^QDE)i`JF~y`(h6Nv3R$AH2)ff>-5XX84 zo4O>R9L*|Qu4+xu%?-Y*!Y#_kM2HbkYA}1^;G*DGfk3RD8>A=!hJ~fZh=Gxu^7Q$f z5aIAcY{1ZIl+7niO|A)Oi-_c6H<3yi^#ti`iuhWSiYBOfY0@5gz&27j)X?DmQ@=ZgQ15(xMSx!}{T0 ztJSH~2F*LOPfGL>!q|GXCTW>^Bx~{qu@3M|O&=))7lmvlNJL;mLESb;Q3vw04vgft z>(%OwNoH&v{kL9h(kAN^PSXa9e2 z58xlseQSUBdmR6Q|Hngex%Pkk!^1zszEAtV^iSL$>t54X%j*+S zuZ;b4{NLr@tl!`~7x#bspQsn&-^+iteY|j$=>A|{to*b65B9&xUqlb<|CxH7^-KKs zb5#XTx+V>=@oIVt7D{9#=1(<=0;bUK3A@GpMA`dwf$5`jClbkOu{Q9Heurq6ox2j zN!0nj3o}~Jbk-2IluC=5*kBJUi<9xWEAqE*cSgs04&DlE(N$PyLC)HlNSCIHxYt#& z(kkO!R>i2)PMRt7UAas6%qG%xH)`}cz+CofCS2PV#%G}-gXhLX@X_Z_JI>`wA^*vN zjtDsLTNiboqA3AyBD}K5PVn&vN3ejB*VwX0NUM!?TOA^vVdFwhR(Y{`^v&12W7rB|gN^HfLjR%|Ps6ap zTE31DV#5Vwj*(Xy>lh0gWWUcf6A17RCzi442G+pLeu@u$z(|uppWCoY?)9N8=vwGS zL{Ov;rh#K7YEFP5&;ARKszC|-6J!JNf ze`f_1$3m%cIJDrURc)G=+AdoApibQrq8e_+xnVGi`mAPwjs&YuBgVR|j*(Xy*rPS{ z+1go*VLL_2lPw`9?+muDQB1uCIcv8Ph>VRRqRp_^#!r=OKOS00Dz$?hGLdiI!Q)+4 z$4IMUQVsXdY-MJt|V zzk!*hpQvF)Tq2d}^nFNS-ekRUc(5bj`|709(gRs4Sfqyxj6Pt0{%2+Wol9aigbp}A z?j!nRjJ#CjDC3>4a)G`0HxK{pU(B?t?shT)^_BmCukFfE!e#r`ShD(*5O>M7EU{Ir zn&mtT^gJ!GgHlW-{L9+zvr>i2VjR4_SSY~bhJ-I;RR(pxXYyvjd;N4V`rECX&5El3 ztj9FYP$8O;+&QmX+kTR>&?|z-uG3Q;t$f_8e%OQP0I+4Un^(-Q(G-UZpS4ggIx1?q>I_TX>c?AsuXgQ%n}o1aYZmE^EgqqOtn z%a^x#(dU`)nTm5zH@?XMCih5QU{%tOoc#4KEL-p&)4Mm$_Fj1*($+|mIs4}gk3s~* z7{Mc{;+~%Fhy>I;hT1-J(R?2v+g`+WbBjbnD?NQ%8^AE-eG+ou?Q~4;e!(?@ef@mV zh6bUl6MOVF31D-GgMUlJILp8W3|HYZfh`QVQ{T7@lCQwr3pvcA_GnX&QYKTBFZ<#% z;42%}U(X>du#`=K03_3!hzdhZ zbhgzvB^-@%B)ITv(hJC5!#qq6rb2Xz&8+>TOjC5`rXG6BBa{NUWraqn~O21a{|7|Zx^ZCnjAV+TMPxb?LAb8u-_%L1M=HFzsy zR5iR!&6{?6DZvcx(2rG)XH%vAV>qj*_XId4CmOR7^KKEw{YuU3qt=lU&CoqWw_qV5 z83n55rsTMB4ErFdBFmYv6w&+l?!LfeBMZ2Oh^v}~Z6gcksD7cfFqxR!hJT2b6JPsO!jQpSHdPyYED8@NC7PQ*yK-H)7KfP#73wl-Md<1d*u?G#yg1}x; z96M!(wfZ0S!>6i_34e7Rh`>jddx7LJw(FNLT7h=e(P?vc$9l>U0r9<`7*JXL>iggh z6?tDW$3*2BqGdVl3+1qZ3G3{|4-~wtCV2dtVz$904FD{)TtFP`4|ATQFmh-4?`CW- zC-Y&1h>1Ku{aUy_KtPep+mnR%D)U(Q`Vc<*KeTiX;@2e(56g5Uk@V=Rc*jeLzyJFC}aMC%YwmcxilMe=7%e3k!{y27uw7EvB)PDDo+fe7O6-09x#m>&8uF(HeQJLw4@$^R}Vo&Db@3XfF_qG$2ihMBn?G=e2>k4`Ua07GmaHJj| zjm&9h(vxp9PFLhEB98QaN(lp3=e9{?(Uz!d!g&ieqk ze^ho!BMDlfKh}!mz{-|Uhxm8yR-)tE2MAP~_OqzZ0f^&A;z{ThFm^P#;3U%Avg5U+}eU@;! zyKeIeG3zg#sT=VAJ8;MbR~K{^a}Zsfld}GLSj>f?2MZRG9n$%d4$?F^0N2ATc_Gv~Zph61IT-P7Qcb*_4Z^@+eAYA88Qgv^5jV9hJA4gG@x zV8K|qAO=E?^0A3Cm~I1V{0vWS0KjT-p>-bEiE+>))Nf&y-~bDPlG+sLQ3U>YncMm; zwW%BO9=1O<`8xd+uSY)s(jP!HqRBjS#;6?}44FSem5xgicK-zF&^sbrjwuREQ4<&Q z!iElz;|s_7A3ySZ2>FoR&|Dn!xOas-dsaVI{uzqnrV2u9prQ_2TBN3L@ry5$?!<9` zz81`xephhd#np9YVJGu?uy><>ImWvRrM6Kb5m5ME)T-cZVSDWbeSqF_ct+gqo+Eg; zghG(dtc_}Ivs3#iTa*2UFrGFt|N0y|N!QDz>Ycx61w8y=-FIKAj?X=rVE4|xA<4_l zqL}#inWgdY2>^J@p%_PEW$Lg2s<9XFHf{M=^ zA6+7wV*sE?kA+Po(_<^uzm*tvTPcr^d757z0FVcax)FqS5edf{m48gV8wz~{z$rE8@F;hlq`%|5mW%op_LK)kJ;{e|Sw(qMD7rtNMVwR!W9jEQxSM9AgN@ zAaV2&F#I4M{u&Co_02Tx=wY*PB%ZpKJL~|lxq^;!Ums^9poekJa}gbA688=nsnxP251xO%M)mh5H7 zhLoNz%uEMm_nuEd@ysjA3_%<|t5Mt1?S?q~=tuF@m3XiOXrk7O3_HPNOaouq1`CWa zDJm$wz*(5LXqQaI2=-FJ&Kag4V=qq-9Kp$Ys8^iAkN14 zXzDgE!m2ut%py*bhra(?sgUa45`3!M1MI?Qo|SU>IS82`UxyJ0SdQsm993ZZsgY?H zfKV2VIlz-*RSjR=j9d)gfCRTx1L8FF6kCi3P>Soql8q&=x9 z?HzYHbRP~HaD0bEceq4$A<9Ci!qxZ$~kS<7+DM8tNuW_A(ZSYDY0@|)wh?GNgyt|I_CPFT2Q~Otzp6W|w*Q}GuqQO~{V@n|ME=WkMSoDu|C z_MDChyfuEgT_s=#3Vt+tV=3N(J%v|5+T1TN7AvDz>3ERIBD!J({~igmPx6`Zm`y~z zGBRp*+!4nHBN2Cj&iEvEk39RxlY%p;C7g8V3s3QSXZvEFOIzX6(=^Hl7tyNOK`bGs z_@sv?rjGnr&`i)!*buy2Vukh|=SdOh;N!5m-I%2gt?Tr_4X?UOw~WoqTfsj)Od;IX z7lwxqTnI|%D)>X_HXBo4|MZVcz5!mkLzzmSImS*%M!U3AD(*1EH2?4Q1`fR^VSXVK z_wwT6#b(luiR~ovQs3NvZokr>E2c8^^{ugQQygzMI&qI+AqCke<8Fs6jp%@5!WIHg@`!La z@cZCQqmMOsHjwZ_tCQuhofTT>_NOgcYsjr&t{;Xe%C8WFg!vcNxfJEg)^pU`os96UQaQ}gTBjJ>$< ztNG5&n@ki7P}qVYXVo1%cnPCnV`ny&8~gsIz85P~zRAv>6FGYWM{eS4-Sb-~#~980 zqtGAK_t8K-*J8Bn@YQ0|(_=J<{a@7j`rarv68^XrSorj ziO;}XWj%Z#D+Ol)m^?C2?usMQS*RE!Y&d3Dt}$AY&oaiboB@~Y9|Uw9^~+_!PbXM; zCIuz}P|A|I8^|Kv1e{0@qBRd0e=sG@6uEHr8+_v>$3J^>$u+Pctahu!;mR8yC;NUH z(@wQ3|0usI{yqn><-nnin$}YsP?s*hGQ$<4A8mbLdcmNwc9gV{+6&$@1e_!vV@i@F zj>D4jEHT_zWll}+0Xe#sH+PfC#QUbGDvCiNkhCo%B1fs3nyS!psMx$N=XMCN>U-Gp zQeL~owoy775epD!l#+^Z#ilT}%r>r_Y(%-w(bW-~79OJ(Q6_%_Zz#!Fn_GT|?49rm zN1a>|w|<6*>0Og+1L#CxgYyUVUF77 zFh}C_&-TSUkk5dfx0UmXBuaTtUTCZo+LAwurrXCU zsZ2E3ZKU-ZCxX0NQNVDPgBC@G0Qk?Y!G&XgrJQWC^YsMa>sSB) E0R8uDP5=M^ diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp deleted file mode 100644 index a5e17d4e24211ec6966f45e883cead1c7f7d2ce1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5248 zcmV-`6o2bdNk&F^6aWBMMM6+kP&goL6aWD5VgQ{1Du4rA06uLrmPjNcA|WKx+Q5Jf ziDz#7e3?|}&TpbaOWtSY6rx>jMNaFV-hY|<1OK_{Z|UREUziWmKhzI+ul9epUgrO} z^t1oZ_5l7@{M`(|-FN zRrcH02QU3j>M!x{uAi3vrTeAoC;Fes4>H>SLTJusXR>Y+92Z?+KgV; zc+0a?cy*qe|72?x^xc{Iflc)kH$GwgIat>O({YB@0ICL|0rL*zuF~NOi@^VXNMVzc zyd29qa(Z(jY#hrva(Z(T$Q(9h(j;NoqRhJ(5Xl>`9?Tv9o#t?vbBa67J$tfuz%i2Jyl!_JjqB;86KomBj`4@Jt;d&_&A5u_4{VNYRk$QUdtjon{B!o*@R9P z41456CJ$*$Od6|GIG*8i0H^#M(0c*D%7vln>oAzi$=AEl=9X(42+PesyW}{@_}d9_ z>1cI6@RbYZx_{TLjtgt91+4>DRKOYViF82>UFI?O(%`||R#w)Gu)dbB zc3IPt)0q<}Mfzt|`Y+B(uOlSRFK9xOqJK=8i@fT`qzsBL4u-+Zv!^GgG9};u{{NOB z001EbBsq%FBWO<>_cc?9^cSYj9>stk+4<;*QMyPEDqax4T%r>smwJJDVm_a5qZfp{ z*he-)t1W2YwF!(Gooq_o%g?y>I42xH~7~=Xw@&5&*8$* z`puuqmD?YJg1S{@V}NxLVNMUbZQUX+x>q1*Jw@Go^%vO&38{n*i_@ ztOrGV+^?hGrdC_Ly&{!Y5+sjcZ(mF16qJDmzz3Y)Y2c_(iX{u2iY;2FzpllLuKcaG zFV9M6(7V?K-zFY8(KXEc391hP;>>l0+`5a)R(XZ{DVAo`1sBCfXepZ0fjR%55BwXv zC@is7;>nw?^X)nf8QWW2I8oHkQc8P`!r0%-%}ogSfHTF%f8Phly^`&~bPdfn@6Vtj zRpB|Zgz%0v+$p$^K?XSABIj&a@!Gi}3XBnD(;ea0C^Nx71x9&S|0LYE&gsUv#w-5c z4tFk8llx-0hdt)8UIexQmz&QP{hTc}_`@c*b$CDTJvy5w@PB!G-Wl}5mj<<8 z`|18Z%r(swe~rNq>P?=nrxed!a^j6MKQH=sSxmeNP0O|cD$_ZSgSDg{>7Z_s`2c5Z ztLg(aP6r8qi9h;<4uKH0_HbMO;j_7~xC;ON9Gi9ed@sojL$473Br44Bs_kY{X&TBp zJ5t#3k8?`qK1$t12b*AW5nx=G&+>(T;J%xBgbb{0@nA!F)u}lMZT2DqtwgJ6; znNK%*=mcDbdMH{o$mK~0GpgyKy{-aXSJ#|NX3dCI=JcmV;ka`@>?jr9@_7`c2#TjId=%$V3L~oukde%NaX}kWYb_&xmgVe|v-b zH|2s$`6J5^ThwH&CNls&)^0KAgd6-|kC{)7(o85}Jst#iTjEVE?4$`QdiIo`c-I}c zU-;```Tc7xMzvA&3tjG~Q&BS%u@Ao~*~B;CB(_4}511~Whyw>S z(3wN>O3kq8?kCTX90>M#U^TsuihGl)V?oKcM?xip~J{k=Mn(Iy?Q(lMYuAiV8n zW&H);{g6Tq5ZSn$L>(_Ax6J^vw0G@anhu)lzaJYwX-?%G0Pj(aW>NTFLd$b;%}%|z zDDlOjOYX3iWD?wOQH7Y)pe(JmgO-Aq;{%S$rXr5_Z1wk=_lm+C^v>DD;qEli!jCdS z)2&OeIqWRN8#?MI*3~5Jw$Zw!96pkuRyMmS(%28{JU^r_;%UrL#iViZj?eU&RulLS z7YN{$8Go^Aj(~Tl#;KB>x@l4O>$*%mS!HqV&F0H?3H9V%@Xuwm$#Ouc| zN?>8pau?x7>g|)NPeTTSqw@LGW!@b;VV5xYq&COK0!x~b z7~GCe@6*=F#T7dLdm!PxVQ*mNh0h?$4Mrt#C#sO55RqfRr;>4AThYjyYo+;a5{P02 z@O;J2$`YA+E)Dk~MBXQ}Vyd7U#76?3+=XO*S0w7fa?^GvIS*qxJvk{Kt7Az4oGMOc zx3WW0QS4+mzUw2%{Cj5v&>=d49qnPmH{s#?>I^t8<-;mNIb=||s zFENhSfy0KDL1v)qrmvCeFYzMV9StouC=#zGJHREK`9LOrs1as($WbW_B5@9ojsIyG zJAeQH001E_H0MpM$oX{pd?Ys!PZJe@ut@QjA~5&SIe>#rhJ;Z}z4w4u*$7h|Xu!+c z>1)Z~3-4crAl_qCX?r1^DeS6hLJ__WroxW)AZ6XaszlDC?8B&Ae|$aI8OAn_c$P;;6B; zEcP8CG8+xMyQvcNHURJQH;_u4pTrup&PuhEdBuG^5#SWfT2F2sgm|ofRAQ`N7#eAF|>BTkFDjI#az-wgCSBP6Wb-$V-9cmxGWLB<46gZi5Aqa8AFzB&fgan2%3GYyXN=FyfrGkkbH>S zpZO7YfKB(*JO|NZHCh4!b#rBJ^KQ!}{B3z@zQ^t0^Jvvy9_bPp3dHP!&*V}V4nq0Q z@98qctaoStglXQH;gt>Rh$i5cY|d#Y3>;53bo98!S@nBbi$37fsl@`>^X^RB>a{Dk zP^~iGzlQ`h)3P-7RYhjiSNG<8J!r4Ys^F5kP{@55vc80stkBvyJb4&&V+noYJ>Ofs zh}Np!?V|ZnX+EYr?yEP?%2os=orsW4f{8ZOR-qw2Z^H^YKCX{}A^; zpY68oYPNWoKAX8I?+E*e82zu6lceYjA&*#h{J?L%R+=H{#mz66G+>{Zqx#b>qdQ;f zE*O?25xI|6FO5Rj)(Ma`3}4WhB5~CDGfX9JpdK3m~$~m{=Tarf&C03?Lv|AEDoiS zO3LKaEqw)0vsG-P5c+ARX5Uq*UAl#7mhy=gKq{OXH~M#nBH?5jxci2^Put*-g{nUK z)e2L7&6EZtukVO)Y~5}8e@ETTq%aXDtgfMa?E17gr2=xx;8MI1lrbJ?jfLXR-Ykmi zTB>0aDZJjgt~Y%>c5VLz7P{cg#TlATA$SnO^;YmDjm(yqw@d804VG31 z5))x7L9uR7;g9-dTVvrbiS_u?5?E-}{M8qjuEA#C{yz3LL3E%hk2)|HM#G{YTXK|C#moK!dGycOXK-5AEqRz z!J2(S3DJ}LqZ)Ux*`WZ#9p0z4ckjWs^ESgwlhBX2wvl-;C}79ej}+ptOvqd+V5zCB z(4`RQrch24sA2d@okJ5au0NLy=DMe{6I|5H6nG*)@0bOC2aD51#uEF(2upMPSuap+5jE-e#x&-oC7@oG={-et5 ze=@E3U9+`yE@lyEae2n;5n9S!!PZ3MzDeTUaK~TBV!;JSu7D|aG%&9_M5rjl+LKI9 zOO#WWV`^(?ab$SoaboTd=9IWK$f)Us8+8?A&G$w+TrkHic|ES7 zJ8K^_&Fvm#45&i{_UuY!c)16?*SN_|w>_+2FF%k3Uoxvbls>S9#eXihvoRu_mP)SU zfx2w)osmkVb<6+wNJvqqkzY0nuPe@h{W_^=SM@7mg6L0U1-c@+nD|@=8M7-^(UxZh zkoAS$r_^1UJ65-*I+q~B{n{ML;F)LE>5{+t9;=5rQ&~5&x8;O0Xjz9J^}yYE;w0k; zdS%d8+sRZ+C0Q5CORkM~59QZaA5~3*5A#Iv&Quvpsv%yXqk=%bf@q0mQ;aoRq^+4{ z_@PNM7?+evW9K<+2fOfPcuZp)G?MD|xE(vsM16}G5m75I)m>1>j%Tg{D=iR!Z}`wR z`R&rp9FNkntCpggY&)xllIcY{O_aP%7D8|UC1<_A6uo6z`>M=tFaV+wrQ;GTdgm{8 zcx38o2}`2pn~XHid7d>U(Thim;hzmv;CXn7Z~h)9wIZuD`pT)Vf0(m&>IWU1a$(a~ z-K9xh*K-s<3rL(V;(x;2&-Bvw5~X8@J+yp><;JhPZoqo!1hr7nd`Xj~up^t6!4kX+ z6CxN8518)3jcs&{P_G*y!+c!)mA!3<$!}10V z_zR-8F1nksO6QQ-y2e!%6KId(Y7&p2DSYbtH2^$at%;9aY z1J`uabTE9L%=>kft4jEl}ieenw=%ZLhjo~ zlAVf?sQ_;{Q=93ZaR)sgtD;1mhC0}n6ZylQ4kZX{+65iVC29bx{p2FAGK3u7v{W{u z71pEow=o;lI<;aci{*EqmhNv+nZ6x8wx<+7Y~`txm&-VpaYFw{3V+D{;BAypvguh$ zx<3T{S*oTXuU8M2e+ndO?v-xWK=%wc()ol)2a0-NuVSAI-c>aQ9~ighD#te*UFd!; z_f<%CW25!zKihTTu%bpfNk!Vh;mmpsiV&|cVal-b_@@kOYHm%6$$v8pDyiL69xY&40#k{OlkA00000 G0001^{amF0 diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp deleted file mode 100644 index 8133221e52528ebe4acf93a0e2abc31fc5cc7693..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15972 zcmY*F@yosf!9Js3~v|D*SVdbOe+QOw9mub- zv=0%Amm#BeSl^nT{WDO2;OOM^xXUm<@dp8){epJ4!CqZXiEKl_gO%{S1y?*qjD`Qh((eJOr+`w}~z>)Cze zv-){@E&q}$20(r1zXGiCcly=*d|%;y*M{t}elLF4zRoJ~$9(_&a(lVG=YQhw^CJ6U zxYnP`4cr|Ccz)TxgMa0|+r8Xg=XU09e~SQ`u4NVhvw+QKkZ0i&{v$vuAP_M8{Wx3t zwtKC=?YH{__)31Kc&dFO*yZo?+XR5WfPT4sFudp9^>z~+_yN9Qf4F~2-}p)Os{n<7 z(jVmq&@0sU)aTnLz#%{BPhxKnAoYjjTmQPYF?I?t;5Q8*`Eh#j`=<~8Q|v2X+i%+M z2_O#mr){4CavcfU34Xrk0H*u^s5&2d>-|>M?jtUp)j``zukw4CNGLE*I9vmT8Nybi zU)(P;2}P1qb)GE6tQu2q$XQZ~VrME9WRzHy@^$6@WLx%6^8hGY(9HF#Ohtk|lP3!9 z1ob<+2is1CG;<_9Wbs+)Ajs+6L@**<7}XL%c@X@y)~-p9k ziNuv2H92wRmbXL;Cq1}!yT-{sScjkyfbe1OLxROl^YS9nO;|YrVuQ|*rd&GS3|AI~ zb}C0p$6b3#_B%8@iBD_X++y>Xke5|qARt$Sy5VrsEsH6A&UQL3S`>TJ?rk_oE1stC z{lHc6zO>X7u7N6_S(POYOe{)?b(ziEkD;_z9}RI56$Y^d9fkV@*W7OtaqCgI}iB( zA%pfy3z0vi;Qn-T{(s5oRwKKjF6()e5X=}cy}4@*q6X*(V({dAaPt4?rRH4RLV^&j zJ(;kPwi@?onN2&sOWCPVU&@@}EB_2iZQ<=WBoU2eKsdK2_zR(eT!5~N!O?*&mImqB z7rWru{V)MRMLq25fEFPqL29r6D2QXpaqn`Lu+@CoB3L6tikx0xwexXAI!sszQz2Yw z?{Gu{w;VZKHJGNBPaHKf!0M?Jzs8+A>BD#QMBV?ZgK+V*H`|5bdziTwB57VN7uoWt zX_b-YBHl*+1Qm{i60gz`+aN_Q_x~ajcN(RU9-&1mker}uObQ0-?g$(IYgncviJ6LW z5W(|&35H=AryyvxRwAHbRIu8Id;ecLarvJcDQ}Bh+;Uf3>Z<+c8LDq4WzrI2j7b!M z=HslH(7M-oh#PG8pSk{44jHZcBp0G2T%!673gICa^GzXUy!~0W`-cKH?tE;KwWPOD zSGs?z(1pdk4)o*e&SotoMmrLhx60nar36Z5U$)c)m;U$^CGhs;M()3yajAQ)gp$1Z zody92PRZM_^TL;;=bVKQPToWyjTEWlga0jof1v~ilymCf(D)0Dxj4zwgR^#|irY8S)B>1++LvF?Y3-~{m zV;>u0K^56$)RKWE6!XY{1E0j;?8((4%dOQqfw&LbQCjENg^vM|xDMwj=PyOou99sG zBpkI;9{d+iZ#FT(SI&oFu10MN=}(P+x%Gb#O6;c0cQ^F8!%Aq9*xUVX2K}Q=p3q*= z1sWlHr!2%~d~P`!YD1UvA6C5Cy36vKuZ1rxQ)KW&!z;QIyZw;O!5VM0IOJ{apid!Z zU}mV$`}Y5(lYd77gn%Y!;cVCM50y!;|LTHG&%_dzX3kO%75!oWl59r=L%-1P%7nSD9(6qoIi(! z&$*7OM>tJ##5F*-fhxO2l7fdP9XgNTf1KUln)5W(YsQ`x#a1#Is+;$QS8*l)tQEO9 z8<#Cw+AfsHWFYGHgq8bG{Qmc~|Hn(!|Iy+9+UZ{~2>|^7CXqnJe}x3PE{pCIB?H+N zpff)NMrbiktw=aHbJw+w0j|#pEnMD3 zvJk5#p>O?$C|3dO1rX7_8jkubV<10kDd-_fkiTqI5MLE}m3}cRadK*)^g=pPSqbW? z%BF0tCp*=Zo6pBrPu4zT8MeotZ4DZB!i)(If=*!$+H1BdVAd{l`FtsqL#e;H?nDWO zo9?EJK=^@H|B*U+)wUK}nZ^Vbc|iz4noGrC4hlvP557=u8u{a;xb*fb0>83%9`Xm9 z`!N9ywAz}%s)C7<>k~l`NCHKc+XnVR5q(AtgYIonOb+Ez;?YBaxU5dSbd(T+RHRCI zLDd`9gw8cG85ci1TU4ob?5QXUzV*7GI_Am&yP_{a3SYhXr&nsX4~|Xj2lntncbA;w zK?J6SGi>&30{VDvok7wO<+JMO5H=T~c|tFPB*dZ}(Lm!!*LJHY*RUOfBa_`(A{=o6 z4r>=KGJiA!T`q-HbgR4jJ<=dLF4i5^_J@anCNj*d_|M9%ulx}WnqE~GE z3v<--e5gg8>#D}AB$9hl`Tzp~1&A^md+JT^w*rEbtdAtba^K>i@Lxq}j04~tu@~;L ze9_l)pjn28*z)8P*Ml%|lRCQGdo0#lrvuKfRl=|9v{IGban0LyI-V(u4XM27m>G+6f3*SX~g z_B@Sbo9f`qy@yXOvvo3MmD0I1%SU*(Kzm%1xn_rmFcFOd!Qr8!UG!srml*H~mM5An zpIcvJHiz@=qKx&ozjUnEnCzu;92f3|gXmO-azWl?z(fV*CZgE55D}yQ zWVyNfWmh+KExkDUcN1JsPQoj&MCvI1=mj~#h+@1W0eAN8T#OX1x?Y=%HB1n@#;{=9 z^m0MIg+95s7@Q71tqMbS>eo{zOoA^|J9m#eR0e~-9Z`L7^qV}NpZ<1)|ElJhzVdGX zTq&ea3p~20;Mlw!m?{RX9X8rl3dL!XmL7I?2SY%h}}zWf5gNo zvTYG>3*b>Q2-Zf}aRHQuD}rp-HW3NzCRAXK;98 zS*hlm`_oP1&HR$2@A!DpLoe?!!)!59?JH9c1PuV(C)psOjLJY$V}r?1KRU}{?pjS0 zFP1g<@>Z~Pi&3!~X=N>2AXRcTV-jzYHFGp2^sjdIr)VG%KrN=df*6fA4<0$mT)ksp zx3I5Sh!A%=me(gd%_=O-vQH=RYgV;Y9EB$_n^Zk80g!*%z!j(-G{aOOaOIB4&4Vy_ zjL1h9IoP;29-Lj1`yMo7riN}rU!iU_p$dyqa zFb(mceKFa{N$iWp5ejmI1CM6QcvzF)c3+mJB60c(6B_&jdki13`90=iMl98Ho@D|4 z24f?K3a9XMZ+y`Not1thH0TVn7GRi@U6<`Yh9DWzD*Rge*vTMyq{1PfZeL-)(pTle zW8q#-IDw~n{s4Ub;XaWr9-FB|eihY8_yN~P_kC|^QS+U68yFcY6LQly*|(aD%UVjt z6^kCcPCS_+Dp{s&aCp_8v8YiIq;NQaY}xD`i-vUF1+`r(?tS>#DU!KjalKYe#BWR? zHmbPf@3$bRS5ZubGf=iWG+T3s)%6|Jml`Zy{!`~i)X*<|ZKn_aii4<_MjPJPaqDlT zy5DoLhiuJ=zR@9Wnjai81Y%cXJ_VvbOC6RdG=z>gjuf}&sz1N3VZCWLH5^U}QRP(! zakVaGBnL^&m3&+m9bj5Ia-IfFXJhEPU|&`-b=dUMttX}MM!$l^=HoQL&9tdo*_F^* zZt(bES{stJqzkbH%sli8n(n$E=oPN@MtC#lPX0AJ6nwXVp3m3N93r^W<=ot1qH z`Loj`NhJblK5c(B&?HnhA3np(-!Bxn8=fQ>@0q!4)$H@_;$5GJ6ZNcbmw`s1_|$=t){7$+B=+V`qHxyj2e zX@_x?L9%JNxAJ$PXI^0xI=>Xq+d+&aCYV$Uf5m1NZkwo3LI}GvQFLdh;ul?_)^N9_ z#{@9vl2CHfCj4qFYl6XPc3%pUNGHhvt9XaEzWx7dYZ7g>$*4rZZVM(7GrY&9k#(ruc z#U-tm&E?ox+Z8-?Vd-sw{jql(F_Ui0B*W{`zQ+qh)FgND-n zGk4f&yMt(zy8{xGUYS9R%11`>pC+WL#=KAgM)wAr-)?q4vAAEspy8)3t8qx;LU~48 zGzE-&+MpbW=!uBUTXce^RGmx;4TAJ9h-6*CPK}n+dvIS)PD&rOg5R~gB1hV4Dw?jB z_BzWZDJ zzaNCIC9e5S{76M2E9hBSRLJ=2QFkEYDrvkAPn*v?L%4oT74hP8Dbqjf;}k;KQ_b}} zG}H&K<9;>4x_xN$aBm|Ps^;^dX;b|{;aic+m0YMo8Pn?E?;Dw)@gt-uP#Gc-fm5}R zyGuj7i&$?F(y4MD(9&7#twT>rL0}j3oTKfeLDjZu-;!;u-1A=EiP=?G60%uXKee5% z3M!(#1;7A)^XBLm8gOrycTbDbP^B^wq!|c!GC$dJ!>$%EpA=!ZiY^oXQww5FE@Cyo z-c1l7H(%{Kd=@z>_$V5O&R({I3=q2KdNrJTxTMNi2MN6RKzwc)cOZQJK90MwjN~JI zP41#_P5_sdOK&3=mULRS4;lbI)*G-dXlb)KFEWn%q6!|S?JBL+_U$!0VlNW-%U z;v%L`ELZch9zNwqNlBIgvX}WKdpw=E=(-k)&tW=pyB6?!6=a@|<$gw!3JEzgd4W=a z28@92tV04?)ifgz7DU*^agZTFr>BMP;UTxy2Ft#|6@GKhvBA)N`Rq({J8RpW6m<}AOIHz9Ru-R|-ngk+X4km2@K z;hJX{498CBQ_x<+i8wU@Z?XtQ$Bej<9g)EJ4=C30@4ph1KOWPM(VDeQP^EW$iVg+> zEr!6`x_1nbhNT`FkDd1k)+0+{z90>eh`s@fa)(6OaRw$T4}$Ee*W*Fsc0_nr8!m!( zf-ZoGSc@;SQOLnCI1e`oR!ne>RH%&Q;phlpa_N`3Fp@(1x|zI3geU%akkL906UyGv zoW?)ili2YL!r*sG{K=RH6{A_lTVQ5c3yO$yb3!M*Y*(*zj3b5*IlOB_oaJ-gO{hd; z$REX#@Hmu?3kP6#YSEcn z%dIrMm-T%~R(r++vBlkd1{Il-7jxuLry5Q7FB^!pYhX6Qd>5=^O^}J<_GvXd2(lee zG?|N_Fvn+W7{Q&>*#_!5Cru%PysZUtUaYk%rKpAR=ak~Jdcat2RtlN^MVIy=f97*Z zBNu>B6TF#~Ny&2=&aSjGc>~*4CukEEi^aK%F;5sELdB#L*aDD4AXyNv(+=}?2xfwb zJ53#ca4av928ooHNms>shDJSvXgNG$Rf@TBjKE8%U{Dbsex(bGomIH!Ftv66 z89h*0j@_Mx!2E}mF6Gr29EMl$%XwIrR<0e*bCMPj;n3#~yau2{2=(}-{9l;gmCSq| zvn6TFbK=GIuFg+oi?^0qOpNX$F_&(;Y(C=}1Z@1etkHJx8a{lfhsEQC5kDdAcM>LbEBT-6W!qjBntrv|6@G-WlNk(y2&H53FAV!n$hZ9z!L^pL_&ehnFyA z#VuCyWthmQL}I^l*xgyjupLJr@Sp(2V;wkC=xy5g+6BD#m*@192|a7%IsOEDCgp5% ztT-2nsx^S=psk|9?}_rd^#M562?`&wCO%GElD*%!gulvLC!s|E4MH)E|AmV{-pw$O zW^9=B4H!|tmBeY0{YO*wgl%D6om~Kl_3RF0IOrJ+{XuXf?1&-OX`L)rJ<irLfVny#XfWqV>4BzimPewep-ycMw#s54|_vmt@-{ouGQEZ0s^4hK527 z87L!)35az{B7f%OivRnCvp(GWwM^op8)dx1P*Sl{&BWea17Xh+nlZeNR>~GeN%`L_ z)$114=9JYPbVhJ??q}!Y4y`QEJgAQ-W!W*24L(1js}eSZ#s0LlOvZ)YhTj#xxSn3C zS~DEzF4$`|^KY#6`(uzRxQ;rd%Rs-9a&BjY(h-9+Nn(LqJX)PDAw#37(zt4+)OXKRE;SZq>`S#p+a#CCUSl zLVzXW#5T99i@tk2GKeog^o_>03i@7S2|rJtg_`0%kYPa(w*A&oTlK14DcxJxJyHev z>7Ph-y(sHAMSs_csoeMI5J9wXLxZk?kxhbSH4iYxx^yT&4vBPE*AKLw9^pxGBeYod zF+%sKZz2@g!%KTH;~WfV?vTvge^!18V;R{#Z(eQ3E2FWv3I6(#s%~=yPcPH%JEr=m z9|INkU52N6+VdbJz^_k_Vs?lBuJ`8Qcmc{ekk1hL8%#@`tm9#1o6^bZc;;MSZ_7|} zV$0s}*UI<^6!KEG5zqC|ppEmUPaaIpyNPry8C1ZpkHWRYcQezxGeApcL8{LM5+l4Q zp3`H2bTOk;CXsmy?F1t-L0JSocl{*d8gZ&7mE%(_cIi^7Ui!SJ*Tr=bKL#ua6f{8v zQ_1ldp^;&`+|KUuKDqHoS_s7*t)u7}J@x2>j#&t47>SB_ZlNv-=SJzeNV_eVeS5HhMyS9U$v0(> zMT|!coKuWyO(?a9^zD-Ux^d?}^6ym6-;>&BiPn6}pTT#zn5 zstn%^xU0ueol{o4KvdIdi=M76YJm#*^+>h13`Q@%1~ChnV`7D2DT~hUee+d(S7r2H zvYulLa+w`Ki&(KJyB(cTU!Is2nVD)KDZf20@Rl_Ci}=Y@%Wpk zUCO?~3AA9$7%OOA4Cu@rFkPNinBbXtaFZB8p->o97O1A6L;jy*4c_lVfa8a4@h#tTL{Q_z*c4lk7W$BX-y^LazKRs4_7uWWy5Bc)xl z@95PT;W!|~T(gSW-^N$1{DkCRsv(MTmcknSX}yn^F!QpPIjaKk)C-%g9UeuUU+fL` zF4RPC=i=zbMOp4|?d8bQ8&Lz7n}N@79!U3blG>F{`h5|e+3Uj(O}C*$Ye#%Br9Y|8 zhtMjRjHa<-Ilua^VpUsq9cxo@E9MR6j&ddZ&Z0o4Q~7>C9l#wsN26*w);_%>O~T@* z37yTucsME+53h5{a!j|8JVs-FnNsmUdew?S)<=bJFmwXV8_}qN3!pN=ZM=@??Q(5PIfwb zxeGCe&AI>y?E}M}iLkyZA9GO#+^8b=iqvO7#;$ftLl=OpJ+kj;uOK)A^C5OFmA8*} z{tW|0)3>6>vmY~sHT%?Gy;3pk81dWqKzTnuzNZW(gEG@4U#LYVO;sw5`%SAie;b|K zCn|(8Zm6sLd#}I+Rc#90-Rm`wp&o-cESta5N}(W2Z{-x|{yZy++^0eRLLgqNtaL4r zBBYVfyo62wqH36^&edZ*5<|eXW4W(H%V=(Q(WKQz3=s6|SnMyo`Fj*}P0<^e`n8an zW!XKHc)5m*#dq_ujTu&Lp1V)ovnCy9SNU%4LY39?_V)6uKWbBdaKyy`+GV@~7kn76|KBbI_D?Oi}J2s>()t4TfJoNO93cRKD=c z?q_^itw7|r?#stU&0(Qosru*g=A9zuo64bg_3CNiA*zR#3 z&iU*`e$3OvSudoGAOj2xu&p|@oUum``5SYiV5LQYIC5{&U^y#cQMMtWr{hbK=~epf z5+A;Z3}XyKHF0WY@J)Ru5vJB|9qkhpsy4WIZ%7{mE{mOXEV{~vM(cfk7QN?73oZOZ zd%2~Z2eB8)$jQqtQ)lxYJKeu-X!ARn>uFdR453KgAAwqJcNVD4`G&U?-;I^DdI_TTeI~;Vd_EL`_RK zr)QeQhLNBv<7ceKrm9=;ov;PL%*{|Ualnb@B3oCzbmJY$d`Wa-1w(xiR15!79gp1Fky~q z+PUhf%mu(@UhfvK*06MXhKqA!!a@7UJv(#IAIQOQd5r5}IyTLmK1w%Ae(NhMrr(O1 zg61(yS2RayR>*t7l2P!teK^NYtN|w_unM(g1F)Q$hAA-*v=(=M!y?Gr6*N4v?pQ~x z$?J%jzT*kQUejH+UY;#c33SGlzh0TyuNyfkA675#|0Q3U!;0Kl6G(Ov16}7;wnW{F zK6+Iv)Zvyco9VUTmX2)pqSsqo-EKp4+lk)fJUV z#1(CO-!l2^zm-`YBmA*3*=7aXlaMkl+(6J9V_6O9 z4u02xj~34?F2RqGflceh*vOhG4ucspkp40-VYTdG-qq!?g`>Rx37ySxuKk+Z$4EV})@TIQT5cuxExlOy@XD2*v260l_(DS&{+apF*+ zaETh0JJ=_WLxZlCS@^qGY3)d()-VY?3yvife!7+6eku{lF6N8dV#27^&j({!9q#u2 zgZTWHkbz|yP`(|*nT0@{&=mIYcJk!7D27{O;}jhNPGygysL3DuW!8{`-{^n;kWr7Q z+d5BWzk0q&pwaZ&DK+^60arnu4u7V*U;L3T8W6$GsnS0jCxd5VB6hv|PbJC|KD~OcW11tQxJsgEaB(hBU4$&{U#D8P(Fd$1RBCXf90L0W=d^m z182HcmgpB^Ny?Q;p+8+O*^dyrYjOxeo}Myir;+-TND^lxV+H$64sMpnb=zkhpGt=E z@@3do(o^?+x=c8YOkBSMw6EbC-f~e=Z1wU$Jk1Kf<}PuC|C(((wP}W!&|kyN+LFn+ zoT7|T@RF&g&YVVD|#PS=k{E~ZC{~?5=jLDs1=z90fi3U6UHBMx! z1eY;Rq9pk=BMD`o%J3F!ov4RqO?hq|&Wi*)!zt{?b`IN!$-9MfMDF*{13kOXfrYu@ zIm!Huxt)C>7E(yH`qdVJ7+V6pU(A-PpVS*f$yfioO~1^&e1&k`tF0guVO%yg)RsM2 zZ}4D~FQvo2`2w>KIf^$8WV4{(S`R?f**aB`Qh#!Xz}){=d~V3Q=oRu_u!wG@WD=FS z{4$!)3}Z|z`7y9$|TtTPZE7Flb8_fBrpmCcWryirxfj z!QsLBxo7rk!4f0jBpRjPoxTExa~VH30psrNBqe(lKOz}_bC`;R+;2^iz*KFZicn~n_BRZJloNl;M6Ve_ zOm0VB{Y_G5MPTL&>G>qB=uQ_lHz?blbHHF&wPs5xKF0k~yskTY)`2>TR=(KHe~!a#c+7`b{AbJ z$C}$JV)ZT)GhF8W=#g+iv6rp1#2xle|7M~nTon})Gjn6u%LtGTg~aTiLXl7Dc!%Nb zg=wFmR(pDTATYu688~4oDTH8m{tT9?oCkZqGO$5vpi`rQ$Fm3ZDp0}7`8uw~1(!xd z6+})ob}#%6qrjZcD0-zayeoPA)CeMf z2K^|yzP(WWawP=2Vj68%A->|w1viZ4yVKfYSh(aDVqv34j8WMGfi%3hSckN1hNq9W@eIzLyv)O`u-fvNNRCzdEfFok)f*ko!nqJElS2j%seu;v<-BN-V{{@#L`$ zpIFXvER0f4IwV@Nx?zF(L!=79J3Vk#{JzuffmG?s{n&v1Wj8x6kq`LjYj#<3*v@A%AYQ-7(Igf8^Uq%O zqNmcX2DA%=FSiERlpV@_y><>J zy*3#vH2&LDPAD*GW*-vpFTMNbsjkxS58{2`Xm*oQwx0IFaK%ZjKv)Ok*L!#nU`=AN zt9h~0m3!tKv#b-Gk+ZPX2-Hd2pmp>c3aQT|O6EF$VfovzcuuLG?|Z|c7xB@v1*_%g zXR)kSFkmfa-5#nIFma|>=6wQY=Wxi&+TAoLMDP`Suf4(Jtds6P6e~Fl<+|=QfbWw4 zx{B+$15+)_Fvg%iwSqfZN|M3Bz$~GZ&v&=&x{hm>M=E0;*!j`u{;T!r>+IDG0b1*C z2V^2@}S~gS?Pkt33V90{{BNK|;)N=IQ69@p&Wt zSTY5p4+cE_!nvD;VBOj!fH?c4z(Q{Q5-XF(8PnOj%1?3sR%5#F^Y-|urCRfh4IkA% zjtb7Y7?*Z?HugpXc*$5!O%8f=rs%_GOh%;AY9@rO zF07o5d`+t%BE1Q8v|8hLwt+p%`RwD&6{D%;a`wF8om5U^&q^V16%7xf#8$8!nMO}y z@mXelN~ZuKO)?%?HYTCD9P@BMV{`-Vk;C3OLH;VEH-?F#W6K>H1EAw{T09kn&t?%N z0<{=i1?la6V{1Eyruby((c4;CZ8w$wjA9BL9V~C!!bf}Sy*98&8?iVc*i9jd;pdgu zn!qxuFa`%0emOn^2PW5ndC_)HhOYIMLwkaKY@lK~jETN8F7i=ScDwdIWJ_@Fz(EKm z)CZ=zuA75Cdq^u2Og7_t%9YrCf*9jiitnTG5X=h?yu{TKtDtbT^(K`5kU`ylwQ0K) z5-Mzc!%g#Q3$ZoRv1hB+8r#Nl={gagm-U6#ohdEMINR;VCfuAUG4!cPo zGz@82L2Z&#$V%bMzQ2P9>6^QtBIwJGc$f!#`fbWP>P2Xsm@d~e9xDr@{XR-=?3K@y zXip4jj%8)?3_Q#*j}dZx2d(5u&mFk&Cp&r3U${UKaj;vA7aflzoMIq_&hF>1Hhtgz zW*!y-*&cmK+-8bN3(k@-b>iH}g-S?;>|*JFO#F2Og}7gnUs-g<7g^O2z_NN%UCfW? zEvB#>R}`AQm_N`O68#PPSM2m%Qh}w>-&QCPN~_9d8e59{k`5$GsHzY@)-umt_f|@` zU$%~BK1dz>YwjiI)}A3dN6FOiMeHSVyg<;#OglX^Tv(D1uqNcXJ)X@O{DK%L&6GaO zEA<+Gt?LF4eu;Asz8RAneT&N%PM7jU3wV=&=4hm$(876hQyzxQSKK(pX8g=%cdU!M zb6LV!yqU^>jB6(M8Gl|SR0|VR-4~@S9{r|S=?VS|7AM(ZlmMS~)^y@qGRK zD@ld2cV6dQJWY8O1Q{MN)mEzrZMyccsyB5P`JF;OCISt>lke`-wc9JSz2bOD>`iCN zZNGO7i5uaR7wqqoia+ImvFfPcl?utI`6_8ecx+a$Bn@$#qHBXa9F!a&1u6d8d|_@v z%QC^_dYwAY7;!HKv+uBha>LB@^B`JbLUqL;F=7(9=3n;l-mH9x zo2IMj)%aeZe8h6f5;kr5r_+lH?HIBX{3Gz}Ee8&}Jo$zq)Z5TpCzKI)C#fIsMR22n;&C;X7N* zb)gvVb&1)h;9>?sdLj_-W$w!BDk2#Lg1qpADcU)z-rA7SF=By5kGvT2T;;}FN#tLH zvm(gMZu=Ty1U@dWK@EGyd?z5XL6*L-zK6E{bdx|R`kAi-l|{+blEm$-#q|XxICj)L z%&i=6cITBUEJT{ZA0xpNWlg&4uKt-7jDxGRgnE9tvngOTSpKjfPH6Cg8oZk+jm_hc z=q+clvs_8;($t3wQv!oG<;n%SN(uQWvl6^<_9?V^4hClR@^x`0-w9i8D zm_8rCs3zivQt;CxTeoDbMQ{4hn);RyjR`bP5n17_YZnfq+qo zUv1)!Xz=TKq)4hCAF@rhQcGYysC%ahd^XOuLsCqqsf54G=>)cZoeke}zSD`v)PeG4J#SX;Hs|t)22q)eP2oXk;dO zK3U4sM$fGsq0zepDh>t(q;Ut2V51W+va@nlEml+Q|*N4mxMY=q12zBClw0ys%8m%`#j{38bYINa-U+2r~vbV z2Y=|mrk6PCSR3T_Fw1-KwYL(bbxo%Y3`ZFf3C%QEyh#x|*Wh#`zF+g@1N)icF|_R( z8JvloX1%LVIquuOHwSJ=-xYltIP!KNP~7~G;QC2%M1y;*%3lk7Elnm)*aBYLf?>7C zlTe`o$jqQu>{FTJ;OeGE3W^O%v_1n>CiTQHFAt-UNeo46F7uQ%)QqdoE7l?cp%!E5 zEu_^fJY#h8@4FdXWjJAyAg%+c3r&L1ROIo&%UH1OGB zcn_>TzZg={fu)iaQ&6~|*LbZHBqP-EQ(G`tH*LY&$8}LqFOR|Z?ER~R10L^>8NYL( zHXlTXBlJPxFFH_2;RSKc4E}(49H9X5;w>+9YJq=7T{qq4*mEIlD?@c4Yq$%Bo387F z=UtZPOCNxhtd%>jO~fN=)@M-$_o&(N0?PRWb4;Ip6t^6imJOA?=PdM60i3%AEI!Zm z)rxH6#WpuR_j>W5>nf3yt^|DMIf%U{65XPzfxRKcHz!)W_EK&ZAnK|=3M{j$XO_Jg z!50qsq0kB5NH=(XedRN&%US+)l^}@NbiTy!DG(b&+oq>fM(<%BW6q@agMVS2_|env z6@GaAOQ;=xj+qC2G15m%2@G<|#`hr*@wzC4Kzts2?ELD-rpp8M1q${jmop~{?4OxsTl767~ zIdXqO9@F7AOAQ%8edRk9eNa+nH5mHi@)wRF?iZRLU+wem8l=!2l-kJ@Daa*W8!ljQsF9Ofc+^f&L!*GeS#Yw97YN6`{s0Wb!DuUC`rf3fGeu}hdn#vG zmo{zV;$=%|-^SPFED*DiC5-GhQBYkRr%$=ns8~SUd zF}O{q5L`c$2oXn_HcnaPBfPM>bWN8_69r%r3{l47r@RgJ^7j`kXesgH!CFK1l6xg- zqWeUmCd+r}76kE!YLjpo8%7PJ-d(}%c9(T}a4wR1&?^qy<@`w!^GMjga#qd(27FXn zTb(`>9tgJyHu2#K0oK!Z=8QUWy*FdMU%zMG(X+{2|7vA}S{am8wCIu+*o@n}r}$Hy zCkWqrfXRVxY`1f633F$sxO_scvfq6aS=mp=t=7~Sre=pl@qwd+UE7Z=Y2+W*B5nB6LYg^eSPtU|ioec_eDWRUp!(FZGs|O4D%p0Z zJSd_(rZz6Mlh=d$2sxnRO!#HHk3Y}T*(%I3N>W)xVQZHBEr~O;D$@Gas>GL*TlH>I z7m@mmoQ)TlWp8X0*g_ti4J4Q*XAG=2i%Jom0pVF>JB^j&Kb;F4%p(vDQ}zc^cZ@4O zP~V!tDQGFVl$jQhI4-!^IO%p6BBQ-Sf@=-x7acn1=!v1$P6JzG)1YW*VTU7&gf2#A zd@DpbQ5PS7x%}7;K$G zPJ&JT(`%vhL?@^H1nba{Q%XXsgM0zwo%2Xdr^eR~N<9K9sS80uD08E2ei-jtNKR|7 zb?Ll^61BBOyG=|G;N_!y4|^mYSX4S6~FB&?WH%(y)@G-^3KVsVfaadz z0v4mI%x}t}_TpnK(Y4Yy`Rx~Ka@ne@^bTr4f6P}p=|id1Sjk^pc<{yyxJ{cs@Tb~> z_U1wwYQSkftNC2`|@N_l>Tu;~`PQ zJxtIa^si4O%hI5fo9rNm#A654DwBD4_CTR@P@J9ukoS>gPdCxYJB$lSltK=nO*fUM z%=OqqHjTXu1NKPkn0l<3iJGleDG+endtX={+#u*9E(Rs%MrkiT?&0#PI_U@WRvM`0 zxn+9@&gHLQAiUd&3n=j{}gxvp`JL*_Vf6X0SMG@@&4?%+$*r`pIwB# z=@`Bl8ZbhwrB<@773x<4KtL?733=GWs$({nq%>;Y=iGr|Y)*F_szci-0cyGSY5(NP HKkfejW-~$U diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp deleted file mode 100644 index 25d57993aa24b3ac7ca208591ea692c26f14a3c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18578 zcmb5V1CTFI(U=t%%*yDlR+bVMkCp@i(hw6?R9ECA^8csLs1KY6OcMmE2EuR0o*_j>QcObPjBObR zA7y3#Ws6;rLzCtTyp37$uzR|)3ox5Z`Qjt_qWrq0N8o+h_^7#J0AN;9ekL6H_YMg1 zg#s>~fIpTlnE))WHe0W635tkpfLFkW-|#?5Km}m?2Kp=IBjD%O2Jt(80&x6IK5*|H z7;yg#1bAN)SaP`2ukBg>w0I-jAiU8}daHht=qT9r%MWP3lRFa_1GGO8z7zg+m4fsc1GCmZ*1=;{TfVO{(Z2469BD^!W6fpZq z2jl>Xet5nku5a5A=LJRq8vxp$1VF+EVWY#bz_P$TAOOGuIQ+W(*DRg_KYhJFdw_>m z@$VSG8;$h}UZ;>Z%`y=Rwu{|Rjs1zf>(AL9Ucvlt@M3Bc-oXH>l}tbef0gHAM`8MJ zD!McB7HL>-Xxqi$Oa;9v#l|lW6r()dCZ=B>${vFDnnBLoc!aY|I*ZQhZDBoCHwdcd zFh(bx49Gc&dX~`QdUW=?LD<#r)FhBl7tnJj)G=;{a$8?kYgbuBz7o|C(nbWF!o4zA4Hro4% zRCtPCR($@E)jby~O#&;XkJIS)H6+9zSKzsTG)39nbQ9P z(rzX6U+64pGU9&CE|S_O7;%t#tN$;g{~90=WboaC!92X4OD+RcdogefBkF93o~Q9u zBpELYQqSduvig@9M7ls;(a&yS2G-ay?H5Q(H6WE5c`8ud&EO%7go_bouI5LvRDuFn zYb9VB_y2UpnQU{+FAbC;{=@uV2lV`R1!^$)~zNusXB#4;Ik4a&m37 z$uh`dp6=xirIH}CQ{>=wu9leXCaN=Y(V>d*!potUP}Rw;NCHlW2(H08L1+_vY5#r% zs%j9hgxP*p39Dq1vhal}li808keqk>42I+-&jt;P_%5R)KAw; z^JXd~t%3tq6~r~*VMslMZWm0?DTcPE6iCNGdU^Iq`b6VsHCrKfAIr`mjgI-U`fu(H zd#wIaa~Z`CXnPE71_@ud$WD5p5*GzaoY#X&xv=kIS&h6bopz+^lC+0N_2r;?P32Yu z+m>>Z^7)36jC>};AeIhZVSk^lDk zjQMVRN(`|tp^ybbmxZf8Po83~N z)%^V*JpLD1oYWw@FkHEY&S4-fsns9n53x zqzFWd>7pusV1x&Mb}v&U@)2gBI5(N`{{lvXh~qUkcTCnG9krkXM5@hC1!}e_NK|gL zO~qkkbF+@xndGNCSZh-c#Gmilk1%Mc0!8~mJVdE@@=!vMcV1&u@`kod2hmX>h4YGQ zJ5|$!*lxZYb}0RC_%uYJB@g_u7_>!uDp|D|_azk9N5xFT079OS9M(6 zMB9R7x(WoZTgY~7VeRIv{V6%|Uhd|wnf`dmYU?L~LX)8zA+KyP-Ti{-J2+isfsBS= zOSq9IKR(!j6{NNN_vW~zGAnY7W77Xh z*4ck7?mND1-YSX%ju9$0bc;@ZA`u4_(v*io?(f}#R@TbVh0J4x9&r`b9Mh$#h|^?# z5#{OQ8nuYPGTLwu9)wLG1wdB#Pb8{9ny#BZ+k*)(aNnl>XZlg2dG+-GGGND4sUfTX zd-bQyW`c&jmdPpE|Ba6aE1Ey^>=-&kKu>4bXQB+-OR=qD&e!LVm;QNc52@?DsQ$h##%Ugg#9vAjWRD?3w5$nEHq2QE2bYBuX&C9=(FUd`z z3ohNiz_}EzXFB9Y37uiYukSnUzY3v$F%W#?i=0gae0QVQRq8Srl_3~b%8P7iC;XZB zcqUdjIy}5`j{KHYvaj%VrR(2u_J3A7|9cGI3j+NBI)gKwC()iOwGkgDlCUe)IySvN zEC8Of=M1>dkFPgyfW=44Pg;duLKboGYs3b&$Ap?inh&0frlhdk`R4O|<|=pOkH@~* zA1T-2#n~h*IGAO9wa`SH-13xk(bJ5-f^?pu^n9zBqjgC;^r!w6KFMIBw6^h8k^~$n zs4K{t0$2Tz#R3GYr)#al)U9L7>O4u(vwHB;eBYpK#W3)G0J%xH1<%X(?8g$n@Hr9^ zL+4-|86!&P)5;x!6~rXa_H1l1V%{Qu>v!<%T6F_f5Mz~MPFf#a;_${nc4tHa-nF*) zcrwaamQET_6~54*&qWTrQllhO7pQS~D~cQ!$5K;8Ad&7Ysrp8(dswaq8B5W6MiY{* zFl(`0Cdd10$?p=n?J=XF(`jR>{Eon>EsG)vX=)3Lp5oI%enGV9wh;)02LMO;FVzV} zL^UTOinK3^Q_mQ04EA-xWIZ)r^XE;YX33ysb;i6j%q{9wp-ek1>+ELvnMMdGykeph zVnsEGoG_+i6VC+CTGt_y- z%g=T@p*Rm4q+;ohc>Amt_7e;FbUAzPaU#hYLn?E5-UXbLH*r|aD>aVHAdrVR={jzN zNbJW{Yz5(;#Gw^Ueb!Cu9IO@SIfb9TWwsK-8!wR%UGfj^8g;0ioy2z1QT=wn_wU*e zAqbV=L*A(9pSy7mzK~sTin4%3=HoG=PKKiOgCr)8D?U2<}qq-r09Bd}}sAx88Ntja3k__3Y7n~HN}J`0yhUHCdGTXyY= zQ`*M-OK~@(79nbZei`HXT*yb62(tA`6G`o7f%E$ynJ)`bc7yiB`WyQ`t?rOyK@$y) zM-{n={u*416ZQpt2c*X}^bWl15L@}u@Z7-)so$&rR^q6&e0$R8*CMPM0lor^ZMvyd z81aQ8F;XNkEP?fL0PHD`Nptr@jh{IFOA)eT=C4HX+mrE7Yvf!;`wKUy<7tJ<(1hI; zf7f4u;?ozazT%fXw#w&K^#l)*i91?6uOEUA$Fb2AlpieUb1h)KpqH#4H5IRggaNmK zKVppx{+j~?5aI1FcQ2~I1#;_7cGWX*u5oQFMCTADn73jQF12pHE)G;>3fhW4y_tT` zulwnikE~d6@$y}!Y(0PVdY9s*Z%gyKf{xXh-U}$@YhK@{{jY3}>WJ$68b6RYO=8r` zeH*vGtg+~1I>y7cLqLN}K+`CLk>Bw+wV#DLESO}11f&p0`LQ9_Y>ezTcN1BUjAzwA!&}He|B7p>_ z?Ofou24hu*c`40;C9Uwf)5x;J{xm?lOZz3bgyFMSO%VB92q#*sN%E$UQ%N#G8eSbd49@>^^$AouVIzT;T^} z^?48P6`=IumRmww*{QCz3?Na2CK1kLphbFEy8dn=0JUNWJI4;Di7MgrlqloN{}UaA z(B7PX03sy0bA8wN;B%iA==+4+{1&r@s1RY@Ro^HBY1w=inhVo3~(_tB9LfLr^!l+FQe$k9!y%V7nqRA zc4wN+goXe(hMhfg4{3x6g^G~V{7CED=E&edFBfg@m?s+UV&p`nM23dfP{Yiagn7ET+72bM*m z?}y^%G=rm|z0TH<88_0jv#hyCu2o^jJpSaY(D9Zlz?ND!M8oKm&*Po|Sn01Mu-R2L zmj(;+#rtgsRod4`xfH0bpHRsehHLt`Dm`a|#2qeQ09pteQS?s=a!_~U;YF&yu zR3tPpJ8QzVT}pY(SDhh8d3WuyS@$#P_XDe0mB`OCm=oAXY~quI&TH?+%{7@fHax1p z4s8@`vo<%Wz;F`EgP)p1Q@SOkYOo^GE^D`QW;!fRWSb~*UaqJQ4qic(ubg$V$GNX$ zxF!NPkNHY_s_IW(V0oZYV6ui)6L7b)Pft#8gtPLJ>f|`7VRBo?hrY)XG9uZhf zPcbT2iKP(Ij7?)EjB8KvTNw4O3%TvBW9L?*T3_{e#YbGK$euf{#_4#3RM5O>{s5$o z)JMb~{Wn?y11(U6^dv^l{nthpy?u!d61NQd)?`65zF8FZiWw0 zOkl6DaoY{UO02ttjUWfc z-p!x7_g)7iTH4Z!T|J~dbo6Dm}vIZy$iR@IVLh>6Jl~mr;3Hgy^bd z3GcIj0bTM(!MUiY&uK^|9{J7YZP5Py!7JWr~FJ^@)$)KMbu$ zQRLn4R*O;hG@s>>7FVfwJ+yE1_z#*~%kD=q685a7(J^>^SDZwFkR|yQXk2&vr?OQ~ zN?i7I2lw5o)81$CCRdQ?P`BmR%T$~gR4Bzj#kvks)l89UD0O^HpIZL~E6F)zB%5g;B~7R=C|0)^~cKu zVx+bPPTLFgDCQcpRvk#74H+!H~VaWQ4tME4Qv8mBz>#mw|R88JT;iZrLHgA z#uOMrA!Dky`|!xg^>9SL_3fE)pok5%tB6im=2SL&6#IR7flD=obLJ7Pv?YC2w4BP2 z)Qo@}@lx`!OiT4R2Y%+c6T}%_n%UX7HFR*oc9+M@KGhn|rVf4FtL14gkx{|iuG8x2LTz8>vF!4|5o0(-)gbdhW zOTS!stGDlME`au)wTe{A*kHp|Ivs_waY_XhM~nTCY+D2^Z9K6amoGr3*moS0OT5Cz z03ZChYQK<5YZ6+V5pnl2I+bioBNJQ5ekSz`Qja5gfV;@Wn;avI<3X`;zHND1!%mrO zUBQ4ldGjgcD-=n|D$2`Q&?8s5=y8&lTyQc}5^oY3^as`tou59Eo8V+hR{yxnzRz%N zlfvgic8;i~CzbM#i@qh%W~-R4@r`m-cC+_}^RIb?cZOc#NsdX#X{-IF&pgnWQ8qMD zh%Bp%&6njbKe04m{O6(8oMrNs5;6mhM+2{Fkd${qX%CyUS&^r-&>TtEz;U`11xR+; zy)cye-4sY4Q4W$XP<@GLjfoH&oj1s|VA+kuznlsA!FKKVIkEupsl`}O9KYMj4*%Ak!Juc z7f>qMU+ypi2^q~l0bSb$IjQ}TXUP~kX=c7pdS9%7#%ZKK;e}~!Z1YJNHmMR-Rv_yV zN#l`5Bql*8QZKkj67PBI!8wFZ3*EXxYaNSRr>=#U^U`-Vguz88DZ%wfwqK1nRM6$S zKpi35ujQb)9ANvV`tp%vT5M=(uEV~Y@G0ny3X zovuYny9#ZJ_NfZZI^z0S(w6n17|1Vvs>v~_Cy&yno{wbgc z*i+C+Ho~-VP}NfkXMcZAX@AuZ4`JN=`G9W09u2Zswi~TBi8sT_eQMOlyU(dr5AELH z0*}dry<%;`0Zi(09qHfKP@uy&&L8rHdHX!3`QIB&Tsbx&NfFSBy7oDX+Kv@YZ?dM{ ztA|=`Wh`fnBKjE~m@MO5 z!k8l#!3O%~TlHl|tT+0+MDUqR9If2QN) zJQ3+3o}MtW+HI5qXPnyzaZ0C($OKLujKJ<`7MnPUdVEj3yz0`gl~aK^U$M+ZL^{5i zu7d9}4u<a`V2~oj0r)msD?Q0&pRmS8H$6np?u^itd752q z3@lMHRw%wDo7T;^S($gcP*C^B9;4HmN>c=Kh|R<)NFw-Hn73lAfag+U;;NuvN{c@q z+6p^*;6OiKvCT}+;ww+#w!Is}C)udbH>29O)g$WEA`b@Q=i>~k19LKyid1H1a0HNo zRJIU4hI>b2=65iOCt!p2kg%`aIetu$UBfDdTJG7y>tB)ru&2tAHm%;5b+5-2l$5T37wOy1HU?zLy)|Iy&!N(+&TvSc#QfP--rbt|EArv< znn7@iPjAqWql*-EQcu0tUuOtPMUd%Us_|)>o^MY1P8nxqeSLBg_7RWMjyk=A;4=t% z`8x?${CCC1(ct2OxD}ZXL|Br$`Znl#b2ha8uC!33*4MUXMuWL)n(9v+7*xYvH)4tA zxL_0C9o>$+&onn_#?m8;L!_4OCO9k@s%eXf0X}X~X#6f~kJ9m&K%lh*#Ui@>Q+BET zR^%#=7ATbH# z8c3nk!7fKdtq(Aae2}-cc)*!uiB^=%Fx8k6=A%>Z>p)UU(auik5qHN8|kzmt;@apoQE>Fhh8ia3IWY6B1<~3u} zntq0lC~6Up)3bT@Fx}#uDE;xqgO}GX0q-V9sBzT*mq}dwkPN+z*?ti1RZnKE70moG zypgH-S>I;82=Pltc?W`~C=67Dxi*6ql+RQ4u^msH(yWPGd7f$}3FK5X99do%uz=%A zH;KMo@AJTb8H!ZThXIiuEv4(UAGLqU)+W0wi zoL`HGjg&(KTGS`%K18jOy)&7(#hnZP(mK^YQV1i*0!RW$-cr^?U>Z#7|M~80f?ot6 z6515zBMUxHu)lbf#DA>-)v&lg$(N^pl;>RhV0^TZiZTc#bk?&Zdr>ag=JVJe|3Obe zKh3?9ZtckolTkJ2o1sYwOAXo?bzovKHrkHdF*YBj8oE^)YSLg6DY<>oPky1iM@LG? zis5}_!Lo{2Esrub6tSoi1$PP5=#UY;=UZf(4or^}#!EO;p+6vyO+jrUCBC^2t>lXZ1lcEk+0uMxye)k5fSb~pIUqQ zULY^xRKX1z)S zRZeZbeCD;x7^_20?7T~Xvxr{)O*H&4^S~QsFxD2H;p>CE2{lBiPFCZfj`$o>Hxifc zFi1B_mKlJRoU@&(68EoEgBeoi`qR}*NzF96L_lge$f@p#18n8@OE`?(oi1^Ik(ANC z$cltNKb zpmWU(ObjkRsJ-U>1{d_DPqr)Eof8;q2D0m~@{W~+Er_IT7}eKZlB;kGZb+Or5&Qcq z8=9>z{Q80Og^LESGKwXMDNp&z$(@{3YK$h-0g%a@zHUsa`W2mx+R^S}-l{8s9{qii znDJR{V#zl6TCq1Ip|LdRdemqn!{;* z)BH!L1_JA9K{XS*bVi#H_ir%D7*zalzhY7cTlhF2ZUN1(QvUfV$OUN;*h$C_*AmVM zq&)X>G5sXwil!0Zo+tX+KB2nTAL^063IusBScokJh`u!7fC|HKdXHthM zU=}-bmTnMq4Eyk6ncUo}n%7#;luJ9lS;P|u?_7=g`6dPU5?LhXpAeT?Xq`?A-z@y% zjV0)Kk7QaoIe_1WE4b?J-8 zONAc>)?$ZU+^SvDk1G)IveNEG)G1nRqJGnNRyPxDl_8%5IjA>EJ99RJ0!w5KRgrf6 z(#dNb_HS2xS%yEe+N6PaChw~jK--^qU(d;m*somAdbB>pK9N zbkd~e2xQgq=k}H#jYn;&C)2d16FBbeggNqKKr0!ZH(Vf~xPH zujeYeW`}R&8cLBg+S?Btpyq`qtx1w;3oD0-BI(;&=gMH8a7_X^9#;nzGfNQ~npmpJF=1B(b!y~Zts?2_O=oI;U zXm)yH5VVW|e(xe;R)Lf+n65U|wl0CG;fhY!!Tz*Y9Jm zU3wNcAX*;Mwmdnq-~J^FW`@fayp{dG@671^-W15neh~`gzfwm+`ogGTo48i&IAd43 z4#b4IsJLgCMV1ID1a18)H$p(jqyMF9UC%SHBCYC}>{Vhz?CNSJqKO$d(ET|7jn+X~ zx1;E%P;{=U?XuCYhKW1IyJe?!tb=&A!d*kqQ$aP-9n)`+Ntyc#=bwI2)&oOV*|5e+c4S@anjn%FGKvaAa z8Yg#@&c;pde~k7U5~=I-->dNd|LsB(!hh-N6nGJ(Jgf<*9|1_ zAwxYDTHl{5i-V`&kQXW-sBnl}WNz}HTU@>h**w{FcuZz@5XGD^luJeLz(ZJb3SGKF zRMVp*YKA|Tnr1xF!*%8O?yjW!N&#gw%^`a|5>tQE!6z%Rw|f}G4ln^EK}s4^^#wM; z1GiUghH4PM&YP>vV7uJb68{o8Y|%$}#y9D~RNPqT56UcwF_ z1}xQW{SLAEX$E8W=%*q_U}r~}rMDexsD{8i5KB5!NgIBnoKf~73%qFCate59ih=Wj z01uFEG?sf2uz=@FdALn8U0MqMV_(HMK>9+r%cP;0^YC}i&-~0A-0~TN>AmK1eM}&- zbW)UR@q`UL;76UlH4Arw+JO5=hGihdO#*{My?9@S4ngP|@iu^RwGYzIxy)te$o~B? zz*QJUM3~!~fJeb;U)J*$9l=D00Kl zgjM;Oudo*Yx>tzWbcEu!&`%jtMNRCy zMCdat9nodwNoXUg^!{j*!!$=K_2?0wy;g7#3qPf7WWaAaW=MJ65B@hoOU4TOd$ryn zbiw?c%g`DKKv(xI^aOAZW*q29iyp4DR>aS|T6CqHx>S?-HDRpCYdWrUgpJq4S-O95 zlJbstybR^GRoP2=c?#Sr0V}R_2U%rvGFW-8eC-y&vYCd5;|fK@$O z-1?6iOLz<<3D)UJ+-sgU8g60VtK=it3i$62+VHw6@_2CVEu z&5W#P8Vc0CPB%1bW;iq3P|9`KU>jp4F1Ne58YAYWq_T1!^y)7ytSN&_erX9ZUW}=A z#3vpHDxd1k2i}p2mOTcZt+3OhqMga$WM7W-m|mhRXB^HU+-+yzJ$6vttI3w4_if(r zaR-Dy(J2zpu{G`f7fP+(JZu8tc@3YFza;!aQzAgWhU1S^H4XY74%t-g(5{lXC50}X zq3SDvJa*<`u<7P9F<%`K`q3(+@!Wc)l}Aq>L=?7<+@lT$lERda=GA#suS42FUk_T> z9XmX#i94-vP_y`%8~u?&7{25ng4c zX!S^0Y1Nq$JKeHljEV_2g3%XNp?hvLudfr$D)5jAdgBpj3hRiD&9!4F@fPZ`e|_d3 z%JHPRfLx8G{}}IBK}s4HGVh?)I_MpKD5^U%6psYNF1K==l6i2z9X?YE*#L`RZ4C9t zfYmmm^?z>sQ#i|LG=9OaAfBzT^SP!j$*xF_1ha0@Qce9DtqratkyxLZX;ZhOXm>ux zM-*6=ht(@2|EZ!&Z^LCI8ZQ@M^pmiZ>mlnAFX2$SR^LlqIyH=S{u^qc`()gnVv$)- zBZntJNGGm$geY;?Pxs}2KX?=!!r5#E3oX56U~5#_;+!pqs~r$70p7yy+JmR;UBjvQ zxW>w7Gmq79$=lGaqbYRkoCrg&S}P@wOWUNFvmY7kQzu?;0!u8!i>|oWh8rMHN_Y- z@98Sadf**uVJXyD9!FlH8s~Uz+hM)RT{yXSGd~seZ@TwU$YHi9MJoKR>)*R?MFifv zcm$h=^6F;BN$w=QY(-zBi8U}Uz8M;``7aroC8|XvR?h8a3rCVB`T_6m5fRzKk5}_# z`|?s4xG^kSznFlW&gTb2v5UImcmG?9kVN@;@xyABZE zI3_~X@>(4MS#w%lswJRa-Q}lh8z%+SfI5o&t7-xJCG~}-(ymwti>`KqDe=1pJjdQY zof8CWYh%(osLlb+$ueyH@ULap5f+YAl4#nalQrqq8MCv`$;q##@s2F4)sCK@B_70A z;7N_<-zI)7dn-6g;vXS*^G@c1yirRjN4J<*bVrQLL!LZvy81|_DeIX*&c?~oAxI3xC@q{}bzLN6Jsul`xlc(O!JoT+D%$1A6_3LK?|t0U)>uPu8g z6yx!rs`;d^s8_7H_86*Srp>qGW;=HmQ_MB@?t|H1noxphDAG8s17$#b-}N&cs+E7N=DP|4IE|rps_q^yD<831zpd&v zomKmNQs22T0v-K^YIz>JWf~nRXQ~KVtop>V-mP&g&`I|jOgw{Qzs8`-VUgbsq9~|; zhUNX+-=R+>KS8~^&YmF;0h}tJmJTqu@XAcjNC+fPC^25qWt%&vx3HT)A6@cX6j}@m zMCnYIl|0t1Ry7_uqg2dHE=mVhm~nvQ+&oIW9@Bl&*b+D`@otk}nA%T3GL^sb9A?VW zmNN2fH)1WQdBziMg?DhT0eU1EZD4z!p0Xg7y_QB{pCv^jd&!8XvhH!x4PWhRwxgtT z=;=+7Z?rDh`W!O8Hw|8BeBRKVWlCou5<_qfT;L%X4iZ7-FW8+m15y+2>qiuOR|5PG zeeq6)ztu5D@kTMc+dhUoY9*LPeE)6{5YlCW7xC?0Twk1-{pQ@)R)P(lMZKyPbY!$2 z|9tV3LP>Bi@;7IT4~7abfIHHAVJdVB)ko)dxXd zXz!fZ_Opn8YfYKKWM+D+weFF2ENd7$CDYqi3@Zv*P$*01G0Rb**V+%?O!&?94!F5^ zYx&XtpA7~KnB>p|%Co90Y7z8>^<9%m_kW$w z-@TprJ^`n>-~qf4ofKm{Q42CAWh_2i_P^FiYvJpNWHDzYGW9>@N_=C403^}KUs~8D2{)7A zyGt`Upb!%?E_i*ba|tvPpzlddrY?t^EP2yx9K z!yVxLb>iOOH)eFC6JpCOA6>kN%W#oqjwB~YDvkoL;=glbvaOt~C-ON!bK*>F)TvV& zM(7DeVa<<&I}hO*jK<~ZKC{$3If1-~Lh)TU9E3(geUX8|HSARWnpz`1m6bJgfoO~q zC0!SDKy=&43>=y3Be8trhdAi&p<)?mD5k+1>8x%VS<^)q-)m46~EVtHo#rhMV%(is&0J#S)6a?4} zXU|xnq^Ca|g_-@fUWrmA($1;&f2~wM&nOSTs&;^W4e%218m1V4lC8i%1K$8UM*t1? z3;Oo*Ha^eNjAG{+C@0-C9qdR_XH)8Lg+MORcAg;nF#5OEcoYXXj8V7zD=Ce7yNb|eUr^@8D6E0B|y zY;(kuHZyV`s&TKX&AJ?Z#owucms%ypgx3ynlh80}yJd5l0I@80QogJmm3R~y!d#RB z4W?eh{E&|>v^GNSXSW=3_V@Wx6Q~tmi!13&NcQYW*AZ19?A*3x7|#C`T>i5=R(R`Zby^}p9vjA z9U+$`)DSN+ZA!dqe-GW$L;T5toX~(ZkzH6Ff2&1%N=&+Xe;}pEy@h&-BtT)^xz8r- za+#Wzk{~{*+Qwg%Tt-pKb?#|ub8K-)Th}(oYE5 zJ(0sh(Xtuo%ky+Xv$C-ohqqm$R4;1a6~DjWPF*#~aYr z{9V}NHDkbpKfY2MU{Z;>7PW9D^L6N~nCr-hVj!t#*TwW3DShpS-}=p5=sD%*aw4vX z0k5Kw#uykz_V&OoD~RAoP0l+_c=2oWX-;mP`uP^9Ag5lvrz8DfvxYW>N7JI`hH&I( zoM{qBcdww`p|M8TP3RD$=iN=M)L`-_$QSg$&}QyriAYrm^D$q9q8jc&BXyy(iX93Ig$L8E%JeAGLkhI11PP+-INRySUG1O2wca174IZZ3h%~jufj3Eqj}}3<3&z~K{7^2F0kpLL7f3#?gXjpvMC0= zqx_oX004=?yz{zD#Dn;yv^Rx-Fe>=#s*-2Po3Tr%jX0CKJ6>4P`GPA1*4jI${BKR~ z0w3+TPd<_bUQ3jmZi{%Ah~N60eZHp0G^6-vXHQ??h^ylm^0$o{i1-|5>y*3bwLWid z26G4SclBfB)HvfwbM z>#z-Cg(vtu+H1OT2w4 z?fi2V{zNq6Fc8+u-Z)0xk%f$XN4qwX1PD_8F?HQj#spB7q?7qjx$gU8ZRtVxKQ?-! zs!lS*PoSwTkYGXH`j-auI_jkl+hB;dsEQRqkuuC^hqUKMCpY5|m3F-N78`zR70}T~ z0f4;^345&S6hQ0Th2B<_!IXanfq%T9a=Iw}I< zg*&Yn&sb~mSZ(RVuOcuW=?k1gu9b}6;d~!Gy^*GusOfNx>N*y2`hZ||bwHN|%uF7L zgQnvFi}E>%rgk2O3pl^w?n$u*oY1cd?UeG^vr$e4jL_+lCmLM1itd)9buNrp~Nm&c*VC_yyHyo^#q2-95q?i4{2X1 z7(vq2bec^Xff|MsQ#|CdTc+I)0s4vrJ{cu6jCXz8tjWS?3H{h=FrE;5LILq?n_in< zohUJQGnJ1l`3N`pg(|`4LJ5x7m48MTmHmDlSU4d|@==``wGrUlIR6Bx$C%2u`%Yhc z3Fh(EM@H}Pl~WK(4t!eV_uYI#K&t3~KYhecS5kN{xc(B@5hY%84tNK-~^0ZB~y<2m-&zUA&Hss{W<5n8?mQUN0?^X%}JNiHYKnzPn?9dP*#9T8jDQ!T)j!%#{i)wJfXgB**RKz+$fkmE3%PYR-n+>@YVDx2cG0jKW zngc;KY#{JJYtw!epLpULA;XnoPS7$*DFVQ54RE{stkJGl%TSeuBJc!#wWmab+@Tl3 z7d=>OZfoQ*Uxj1m<5|Fe%0Z!`>2q)wX0XXmA$^rD`8?p$j+~ovK6%*Nt#^U0$E}Gr zJRFU)BGMYE>yw~uf{g|!8{89BiVhOOCX2t2bL_K3IV2&^pJ9=qP4h# z;PAS$wfa5a;l?++TgWd$#P;on@??4dE!63=2i09Em7dgkF7m0lTctR4|4slY&~ZE% zzK-0%4golX`h0wOA=#wNR7K^D=0SQM&|S8L%q4!F;NOioIpwAlO=U6p1d_dC_Ot7r zirzn9(|$MAW$Ybm6G2yX3|4Wj5=8jt3sS~)x~?H~PuggNIvZ$aw-byHz9S`BRcsve zst~%=Gaer_*?E&WGK{2d7$0$0C-eSLgE{E$$5~IttUE#>T zuDsbURr?EW9?#492#9S`82nXUE^3v-T1Co_OkpgW}$s$#Pn zbA}$wVH9ySSj?=b46WuMbx^u?)Z~13N{@vC|o)%>Z?!OrIjaFAcuZ51gH!P18 z=e|l(1n?X9{tUG3n3I(eOvdn85?Cy;v1pMJgF7*$lajCSf?b3peOpUFWyBkj^C=D# z8Efb~@%mJOs_9$H9snSOeWvE)N??v?pMyvSZ=Hg_l%XYjPz+?#?K|Uc1ea5s6iE=Wl9qOqb?{Dk<9nb{ zx^P$kF+xawW$Hp{0=&?s0o@Bei!hT9! zE(2Du?Cc!2(drqVVVW$QSXUU&pTgCF-J1Xg{)XBXeaXN80N=0B?^Hn%y=hp8NRsug zXJVa6Rjj<-;NS*heo?tK6%{SvUAqGWvSUYmITRbW-*WPLDPmk2(^YBRbj?dHQzwl? za#`0@2kWcCzk_?Uil;G@mwJOafpTaM<=UMEG8?J6#hz$)?1NeAxiICyg zu{^l`^*UrQji7o+1Yr3(|wz({NM2_TtEtQSKv-7~(E za|4-VwuEVJ6;kt5JO*|jN&#SaSD&uJhN=T|K{kU6BwVfezh2C@sGzLuGdZN)(ZA(p z6j+)@uTW7v=v4J_DtU#rMqaPC!R|-`h+}hKg`mCkP@^o9ugm?%9bW-<8J5ONk=Ec_yuB2xk$ym?M^5@VJ5>7Y+h z1fp~IkEer|U>45~W)xnpLOn&(@tD0lYhYfX;oG$Mlx9BJo-d&Go!ubbl0&=YJGA#? zvsa!2p^5GMAOG_y9&$t2-diGlG9ccRs8PYxva_Yo9#RGrDcR|oy(2(`^d<;e>x70r znE{bx_?naS?xIqV><5KBfrhDAfS%vlIxez(HnX)o#j`uI%Ds8fF1WUmwMqW)nV3cu z1}p!DqJ2|RxJoDyS>YKI_^JMgMSH@)R~%)X$&7}$N969)P4UY)Qx+hT^@q3 zF#GA;2;qS$yqYh*)w%*s+6U;&kmDp}xpqCawa>WUSA+ke z+qB3s>qed(VT4*4n~1X zOrIlgm~&6Jjy5X7#N4eEpO%Y5%BHZ!h7pvNr5muD-j2QBrhIm5%vt;}I0U4p%e{W? zD4+Y{7RT7xjnCjbbk0Uxa!hfM$`l^$W)>4POB*-?omIBYI9l*pbz+Hgt^8dq6Kwvd zY+!D?tHSFbF+31*<$Y`6@;AblEX!di4x!#6K^RC)Jc-bQb{9%wcrK8M2_=#|P zrDG#gfVGr`p{FR4rQ4k?+9aN^{x}g}{ZE9cp&xDI@|A}@f+I@OpvR7F;*?+`?+mza(&fvz*v@UV-s{HIk`rg0D?`~oX94vjaag9p}rpa2FsI)CNU zr`K!cx1G`jQV3oixON@D0SeQ{{d-`u32oWo#B^1pzA zQ)cEJsPmyrU8PkVEn%Vw&7kPSDu*3S%o841wzVB^&M0cd`fqF7#t<^6+BRZbb_6je zP~-QXz^-juRkNPI7f(9Cxf!>CxGV0^07az)cegK~fhg{zjQ-1lWLrv@x$-KwkTYCg zK(p~34|e-X@}DICNs@$#f5(Q3FO)w@9AdLTsd9(0lSP)s`dj{UGbsbnAhEJ7uo`oWhzBYKDcGm>n4 z0B__*Ip*O&5;4=42T#P|;7dmXUxj!Xc=mW5dmxNuVBZFHi02`~%YN|%0O9~d5M#SM z_*R^Y29biySKtlljocv4=d}aET4;E$fKL`76zAr?5zV_$G09$$`j_{BX)ZOg%3Ll#l?>x}DpexIz>g zNWSYL#o&#x`HD%#i>PbqttWOL~43=q}& z4yHNl!4vZoyw@;ijd`dN1Caq*U&Az4EpE`xbVKV+P4lrq+Lx_`>nNC}X}XD!bG9?h z{Qyu%`{0Hy$>s$94XyYzcoX-b#9p`#pZ__F!|i59f13l2lK1B$0PLB6J_3IK(T7nV zz4|r4ZeL0MljJ{1{*&ZC7u~^3Fe!`!I#W-Z5hU!m(P3oBITxs{oSeLgAyrLi5v6lp z8kf?jjJ%y7%bHVTe3%Mm2GEtd@1o;^;M>k)LC;ZPBA5~~Rj13${A=EMAa7^>&>~95 zyhf=i2I#3gxfohp{15 zSj1T%EjR&43ax8iV^-9uMa$4iO)Wd)8Y-WZCS~SNmDfQzeNw|0Q}u`Cz9^FUF9_3t z*fX)5yyYZ>);F&y6w}aBwU0w#OKDT)7VEP`u^x#N-)p&?c&D8CMTgcmubPJD>OOQSZOSZ{06Um7e`3VW z=Y{D(#vwO24Tue`Z(dUC;i(?VVcCHE;2;$!nmk!q4IG_<~Xt!!{IvFHpU zTGulq*0_cyLQ1O4{0XyzP0|w|cD{$C!)`3>C^EFZdDY~d5l52Dfkfk2e}*BmG%7{u zL;~&LygMd3{521Fi09q5l8lc-OThcZ*%yh>BG5OlSMtw@gNeq4L|YiKHKQn#h|LKO z#;&LWqy(8vBUWrP$!Wq4T}D+WMlrSev-?LWyJ-7aD;?xWpXgBGuMFa8^*8%Dgl|g_ znHK_DXhy{7$@7zkHrZ&$%h}&7qr_Yo+VUz=IU}YK|D#5K$~=V>VrxoKmFP4XM-|T- zRxx=}br2(E3|sqQb6^7-a@atC*MyG_{GAwL^v(s&lS6zN8X`IfaB|a=O~A6E?|cC| zLyXo=UfNViW_KOOJFxvbF7M?cJ(IyGrnl%Eb+g3K;{1Sz7J_6iF0|#_O7D6)EJMf#*w5G`QS4T$f}rZwm&uC`l>7s9JXjY6X@{VF>Q5a0xi0ZB@&P&h0S* z_QXSTK_n)&1ScPPDzN%X_!Wz2sy32Ya=du(^=JRI!Y2>8(A&dj6OvirD3R^ekNG*5 za{faQ8y=Nzh(LEJ_b*;rMsHeCX)$cpj57ULQR(QbjbYnAnp*R0sN{I(G~o(L_6jQ; z8y0i}5mMwdUcB^#TBoUXLjQq*c@P4Nmu~pHGA&KZDw7Q{F^EoZfweqTVEwv3J05&L ztL-4xF#z!OM<{^qcV<}Oy)!J!AHZ9x^w4T{@)CV5e}Iu*E&W0C-5!(d+=L9@_42R@ z?hLFsb?#uaS-~2&@2PS|`v*yT|30EgFEL0f2 zg*}iR_7MA7Z3jcSK*iyLQA`9NrG#v0)mA4Dxxf+jI8#c5GK7y-B`h2Xg!ysC1N9Vg z(7i1khYP(g@n5I2PzA^$N)LnoKe1?Eb+nOON?)V>5z=u~{Yhu%XervtjgkW^ZKsmT5AT(hU(x z6jps#trSJ;gpD1WLsnY6bVHiQjgbJxjiV}B(=dWZrY-jn%EfXJ`&n%V9SnRwkIwnF z1Vktoh*n_{94%tByC^kyDNu`COluUHTlI5URG(^tuZ#R%V8JIsF&I5Qy5 z4hMxXfrEPM02C_M7LZ(j`zyGy>*XOX!H1y7WWezYS1u2s=k^HPg3gXD@z5-=ma}l= z5}9Oq@#CyDN~{&lUe*5Wp==k(_L@l34d$Haf@TDr#Y`;hc5^CV(r`_+3Pcw|=R#^Iu)wu2#mfC|9LP0hY154qH{V@uUQN-n~gksE;Q zu!k}@GluZF1Kl!8oEiQtohkkRis4KNYiD@z4_}Oy(*bahT))_Rg;^^?;X3&BG|(== z2PdsEs}a~)XVtn{=qT&!>LGB{0pHK*q*dk!4Jl|>`vXK`VoNCQYt~ng<;A_~7ma1EcqKFZ*ic#OHZ?y@g8AYCkgG+?)UlL1zOoQkxH}1PtSZ z-JQx`P@1Ey39XO^;h(Q*Vh}%F3P| zPSPr?N3l@wEu4kLpnwH&7-|JgvJl8TLPY#+!ACLSj{{NlD#Mg5f_9CtT5g? zG`-||8O%9xNXgvYU}9|cmRB1uX&Nr0>-536aZ_ua9}!?7Hlz|)MU2$2wf$FE)@9L0 za`f}z9=HJdr1A=@OjcY%flr42DN7VswJC%8cS!VPwZO7!2bL%ZM?yDJL!u2QiQTt5ZS?L9&-BwBc1#i(IG*O-f7rSbZmY z066>st#ptty#T=X^GkZ18Fd1X{mv}v-7bKWn+T9pZKd3Oi*SP2(422vs~D=h(ajH3 z9vvj`#gTy)S_qQ8RG|&8S89+ws8SkY5A~g>TFbI}Woe~@eCdS%jo#|$?Tuz#BrN7QQ6NnD2Z(bW{jv|JXHf7S}bx>-b z5~siCmD)W|@Ui!c^R|!>TGzZ@SyNk#ZK&Fmx;wiQ@;WH7Pl*$-Twcr7MgB$koSalC zq4mw{a~h)YeR!m_DYLq~4od4&Vg zk}bpC33(lq(x*fWfYmDpdy1&w$5vlXVrZT7(zujHW#sJy3D)|H-KZ`;5P7Nk!*Uhu zV^nCOKm0YvK1SP9!f2o~KfLcB9yA4jeXLd=35J0oL04*M7y Date: Tue, 23 Jun 2026 21:11:19 +1000 Subject: [PATCH 07/21] Fix "Characters (Granular) Rule" page --- .../manage-policies/rules/character_rules.md | 97 ++++++------------ ...ers_granular_must_contain_two_special.webp | Bin 0 -> 2544 bytes .../administration/chargranularrestrict.webp | Bin 5246 -> 2994 bytes .../administration/chargranularrestrict2.webp | Bin 5248 -> 0 bytes .../administration/chargranularrestrict3.webp | Bin 15972 -> 0 bytes .../administration/chargranularrestrict4.webp | Bin 18578 -> 0 bytes .../administration/last_character_rule.webp | Bin 0 -> 3422 bytes 7 files changed, 33 insertions(+), 64 deletions(-) create mode 100644 static/images/passwordpolicyenforcer/11.2/administration/characters_granular_must_contain_two_special.webp delete mode 100644 static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp delete mode 100644 static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp delete mode 100644 static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp create mode 100644 static/images/passwordpolicyenforcer/11.2/administration/last_character_rule.webp diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index d6fc4850d1..05745bd6e9 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -1,102 +1,71 @@ --- title: "Characters (Granular)" -description: "Characters (Granular)" +description: "Use the granular character rules to control which character types passwords must or must not contain." sidebar_position: 40 --- # Character (Granular) Rules -Password Policy Enforcer has seven Character rules that reject passwords if they contain, or don't -contain certain characters. These rules can increase password strength or ensure password -compatibility with other systems. +Selecting the **Characters (Granular)** item in the rules pane displays the settings for nine related rules. Unlike the [Complexity rule](complexity_rule.md), these rules offer granular control over which characters are required or rejected, and can even require certain character types at specific character positions. Use these rules to increase password strength or to ensure password compatibility with other systems. ![Character (Granular) Rule](/images/passwordpolicyenforcer/11.2/administration/chargranular.webp) -All the Character rules work identically, but each has their own default character set. A character -set is the collection of characters that each rule searches for when checking a password. You can -use the Character rules with their default character sets, or define your own. By default, the -Password Policy Enforcer selects the Password Policy Enforcer character on the -[Set Priorities](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md#set-policy-priorities) page. - :::note -Only Password Policy Enforcer 11 and later contain the Windows character set. -Password Policy Enforcer 9, Netwrix Password Reset3 and Password Policy Enforcer Web 7 (and older -for all products) use the Password Policy Enforcer character set. +You must select the **Characters (Granular)** checkbox at the top of the page before you can enable any of the other rules on the page. ::: +## Character Set Rules +The first seven rules work identically; they differ only in their default character set. A character set is the collection of characters that each rule searches for when checking a password. The first seven rules are named after their default character set: Alpha, Upper Alpha, Lower Alpha, Numeric, Special, High, and Custom. -Select the **Characters (Granular)** checkbox to enable the Characters rule. +A description of the default character set appears beside each rule's name. For example, the Alpha set's description is **(a-z and A-Z)**. This description is for the Password Policy Enforcer (PPE) default character set. The default characters will be different if you configure the policy to use the Windows character set. The [Policy Properties](../policy_properties.md) page has more information about character sets. -For each selected character set, select whether they **Contain** or **Not contain** the specified -number of characters. +Select the **Characters (Granular)** checkbox at the top of the page, then select the checkbox beside a rule's name to enable that rule. -Select the **contain** option if this rule should ensure that new passwords contain certain -characters. By default, the rule requires only one character, but you can specify a different value by -choosing the required number of characters from the dropdown list beside the **contain** option. +These rules require passwords to contain certain characters by default. This is indicated by the word **Contain** below the rule's name. If you want the rule to stop certain characters from being used in passwords, then select **Not contain** from the dropdown. -Select the **not contain any...** option if this rule should ensure that new passwords don't -contain certain characters. +When **Contain** is selected, PPE defaults to requiring at least one character from this character set. If you want to require more than one character, select the required number from the dropdown beside **Contain**. For example, you might want to specify that passwords must contain at least two special characters. -You can further restrict the rule by defining positions or embedding characters. +![Passwords must contain at least two special characters](/images/passwordpolicyenforcer/11.2/administration/characters_granular_must_contain_two_special.webp) -Click the + sign by the character set. +Click **+** to add more specific positional requirements for this rule. Two options appear: **In position** and **Embedded**. -Select **In position**. +Select **In position** to specify the character positions where the characters must (or must not) appear in the password. For example, you might have a legacy system that requires a special character in the first three characters of a password. You can configure PPE to enforce this rule by selecting **In position**, then selecting **1** and **3** in the next two dropdowns. ![Restricting Characters](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict.webp) -If you want to restrict this rule to certain character positions, choose the starting position from -the first entry box and the ending position from the second entry box. For example, you may want to -enforce a rule that requires a numeric character in the second character position to maintain -compatibility with some other system. - -![Require a number in position 2](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp) - -Click the + sign by the character set. - -Select **Embedded**. - -Select the **Embedded** checkbox to require users to embed these characters within their -passwords. For example, the passwords "12hello", "1hello", and "hello$987" don't contain any -embedded numeric characters, but these passwords do contain embedded numeric characters (shown in -bold type): "he**7**llo", "4he**3**llo", "23hello**7**$45". Embedded numeric and special characters -can help to protect passwords from cracking attacks. - -:::note -The First Character, Last Character, and Complexity rules are easier to configure, and -easier for users to understand. Use these rules instead of the Character rules if they can enforce -your desired policy. +:::tip +Select the same number for the start and end position if you want the rule to only check one character position. ::: +Select **Embedded** to specify that the characters must (or must not) be embedded within the password. For example, the passwords 12hello, 1hello, and hello$987 don't contain any embedded numeric characters because the numeric characters are all at the beginning or end of the password. These passwords all contain embedded numeric characters (shown in bold): he**7**llo, 4he**3**llo, 23hello**7**$45. Embedded numeric and special characters can protect passwords from cracking attacks because users often put these characters at the beginning or end of a password if a policy requires them. This predictability reduces the attacker's search space. -You can customize character sets with the Characters option for a selected set. - -**Step 1 –** Click **Characters** beside a selected Character set. - -**Step 2 –** Enter a **Name**. This example uses **vowels**. +Click **Characters** if you want to redefine the character set. ![Set up custom character set](/images/passwordpolicyenforcer/11.2/administration/chargranularvowel.webp) -**Step 3 –** Enter the **Characters**. This example uses **AaEeIiOoUu**. - -**Step 4 –** Click **Apply**. +Enter a **Name** for the character set, then enter the characters making up the set in the **Characters set** text box. Don't enter any delimiters, just the characters. For example, `AaEeIiOoUu` for vowels. Your custom character set name doesn't appear throughout the user interface — it only appears in the [Policy and Rejection messages](../messages.md). Clear one or both of these text boxes, then click **Apply** to revert them to their original values. -If you save and test the policy, **vowels** appears as a requirement. +:::tip +You can combine Character rules to enforce complex password requirements. For example, you might need to enforce a policy such as "passwords must contain a numeric character, but not in the first two positions" to ensure compatibility with some other system. Use two rules to enforce this requirement: +- Configure the [Characters (Complexity)](complexity_rule.md) rule to require a numeric character. +- Configure the **Numeric** character set rule to **Not contain** numeric characters in positions **1** to **2**. +::: -To remove a custom set, click **Characters** and delete the information. Click **Apply**. +:::note +Other rules use custom character set names and character sets even if you disable the corresponding granular rule. You can redefine character sets even if you don't need to use the granular rules. +::: -### Enforcing Complex Character Requirements +The character set rules are flexible, but reserve them for cases where the [Complexity](complexity_rule.md) and First and Last Character rules can't enforce your desired policy. These other rules are easier to configure and easier for users to understand. -You can combine Character rules to enforce complex password requirements. For example, you may need -to enforce a policy such as "passwords must contain a numeric character, but not in the first two -positions" to ensure compatibility with some other system. +## First and Last Character Rules +The First and Last Character rules reject passwords that don't begin or end with an allowed character. -Use two of the Character rules to do this: +Select the **Characters (Granular)** checkbox at the top of the page, then select **Characters (First)** or **Characters (Last)** to enable that rule. -Set **Characters (Complexity)** to require 1 Numeric character. +These rules require passwords to begin or end with certain characters by default. This is indicated by **Begin** (First Character rule) or **End** (Last Character rule) below the rule's name. If you don't want certain characters to appear at the beginning or end of a password, select **Not begin** or **Not end** from the dropdown. -![Require a numeric value](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp) +Click the character set names to select them. A checkmark appears next to the selected character sets. For example, selecting **Not end** with **Numeric** and **Special** rejects passwords that end with a numeric or special character: -Set **Characters (Granular)** to not contain numeric values in the first two positions. +![Characters (Last) rule](/images/passwordpolicyenforcer/11.2/administration/last_character_rule.webp) -![Don't allow numeric values in first two positions](/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp) +The First and Last Character rules use custom character set definitions defined by the granular character rules. If you haven't defined custom character sets, these rules use the [default character sets](../policy_properties.md). diff --git a/static/images/passwordpolicyenforcer/11.2/administration/characters_granular_must_contain_two_special.webp b/static/images/passwordpolicyenforcer/11.2/administration/characters_granular_must_contain_two_special.webp new file mode 100644 index 0000000000000000000000000000000000000000..6885d50143a895f994de39d6c8dc16e4503dfbfa GIT binary patch literal 2544 zcmV<|BMM6+kP&iE62><{u=fV^KUkAswt>wv%yHsdr-9G|a#tbDT zBS?jI?hsGD?;(?bWZSlBXMH2KQ?gn5tw_65w*6I#AC4f|wr#pv4>4=3nf-47UW8yUXshfeLNl)g3^E55#v$%B3V33t3s`E|8ofiK|n9bDimwOMojEz#6uHB6xyF z$xLNAk_Js>ID!Ukpw2vYd7=$GG7t0Uy6M!)DpF(yc=R=BI;A%gdvo{t24fz9uJT1v zH)}#&*Bm-JqmkWDgSN&f7W2S`@^9YeJWw?-q(9(7WgwCkOt+Yas3?t22our zmr$#R%2kvKff*^Y1j$hUUaHRic`AnR0OwH zZh4eg8B?T-x5O-Lr98M)Oa3hEhZQs^J1+ddlosp&W6p5|FjN3^4f`oI%gH9$kX6D> zL@0?Qace`#O_D&cHsTECFr|g;E?3AP0b zY(%P0?NL@!)r45mF{Y7=v7wa~M+dG{8huPZ#$H7A5sUmTT{fO3P+>Q~h|b=lq*D6a z&gIs9)|zDRmcD3Ha=3w3p^*q~Sh*P1MtzPBXl(#g04K<40}d$j9Y|V7Dvi#gh}kww zA2PwTfPXO1xwYKU_}Zlze1N*d2DxZCV3F$RBNhk(93kHU^8E+0Mp0^Y;{bXS39lDG zZ3HEl8Ve%6JkRqZ?mWy0PJ0I}Z!8`$PqD`mxX= z&_^^2v*{H^a}A)6W^4iM8??q<_6?3=nupo6l|VXdV`(59P75=}7Kvs>RRUuen;u1K z#&TuWc1Y<^wWbh@Z57I0#2MU3V6^FV>6oewlVwYVMLiHo75W+qDi-Lp!I?=~PXmLP z0U!fa_bgyqAc~r$X2p}(!SPDNK>b$oFc&bk4M%^u7IOMT^%2tzeMD#>tVi5>?@zEhs>kNRdP?TYja8{umA`PM%0c4g?mEC6r5NcAu4jw52YzyZ05$U|C zGjDPL>ORIaT#=jtC(wk+^%ddq5HpPiw5go6xF_MnR=Fdpc3fbd9s|8`R5u_$kU#y1 z#jc^lSV%%P`w;ibT}{CP9A@`PhLZ z?~xEf;$)pz)r1JzHU^77tJ%U0?vblFX2?MwjzwKdKf> zJ;yP*WS{K|4Q6y}8p)E3hU;Afb)wvqXpx-2zCpu;LwUX|36-(aaQ`|yyI%_f^c@C< zc1UPwjRzyM1o~!PYe)?qoEjogufiwj!~xqR&}1E1#fSb}pHJCfQwXm+>49)}HLxK> z)kZo?_d=PxmGhcwu4z!S(eectjfD4h)`}JAfZZ$V)ORa64W|(|CH9rchVmlp;-gvU zxh%o{SByv0-hF#{LmTtW9C+c*5k@cC4x_x;g^Otu9XG-z-1>)@n9BMm-5Ck}D) z&JbumN(Le+r=6Tm?f`CurJzBDe){*vZfTBm4cZy~N;tXAq6YO;Q}_g(aj1~VG+9Te z{%p~*{-TUa+vM!jCkqt~zj{ss>q2--419u49B}fkOOcQyS;vx*5EZZy>pEN}$9CEV zfqA6;C+$B$G+Cu9dL~L2Q`76QgTG2HskK_Ntnj zUn5k=@)8*puvgXG{2HO6$4n~f_4xmasaq!~=l*^Fhc;?;5R5h{VVb>)lH=It_KH!E zFypiS4yaK6Jag=Gj~GBrutC8obvq||uZ9zexqnF<|7Q{HtNl~Nc=y;YQa;(v#P)8v z*>jjbjhy(1m!nNK&0mW_`}*h$U%^DvH0KIeHghd4bCDcp3gKDo$+6Q-vkns_aiF{2jw5lv6P%h%eT@{$8z3 z{2ddLHf1#wd@8aaH5mt(+F2cwbcC09gKLhrDGtGF;`ZxEP&KUOa|{~kE)KmQ1*mgOZfYGALb zxd}$7QPxY8sfE3&<|Y`Sc%$l``I}j_QAx_HVs3(wDAoARJ&(lQCS^#kYPku_Bke!` G=>Py@F|kYl literal 0 HcmV?d00001 diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict.webp index 76001100d04bafe119e198aa0f8990087532b7dd..0c3f9631ab806c7d730c8253ebfe30a9b9f17380 100644 GIT binary patch literal 2994 zcmV;j3r+M=Nk&Gh3jhFDMM6+kP&iDU3jhEw>w*>lHQ9Bxe|0U#7vp=F$XBtiAn6=A zjDxMK;82wf=_a`XYbeaPFTm08j8B*utgQ9_{r(I7%j4tGi0p1jsfOAx9ISlY9=QuM zgR5}GoD8m`Rfo3Ro$7QRo-)jgXWDRfcgiqx_O4D9rW+UvIn3ZLw4`jw;p!K1=mI$D zhG|Q#Mhx`|gKuCfErX@grHtggrL6FmsqzJ?T zezK8Yhadl?{ov!t?`CGN#YJck`TKVYtO8ZcdBI>^bcUI8UbHd-G-1xt4-NSG&`wq|@y@6rJfQa2$r(x!t34)Te9gKJN zv`I3u1{(G{+g^?$!f!y-wLiA$%XtH0_aJ1>L}R}ljBB4psKcvB8W4vo^xL*wXU(#z z7(QUznL(iD@v<_h9^yKj3yrfZAFg*xvva|iVQB>(3~(42m!8>caV6I3qkDQ929i#8 z=5>p^QMTY@8!m;x$rhZ;^-)N9?7{bL3D`M+G9pHSbBlD65C_(H7v)09{6kP3d;4I^ zGBbY3r>daGUqxnEn}o=NLOTZN9vo%{<6V_uW@r1gLSL8fV9txiN<_$+^II%66^9Wgw5t11{0!Nee>C*G9jzthM?WIWO8NTX3#!r9-<>%yOv=m1V~KiZVqj9X7`P zos=ZNg?xIv%Y7yjlQD5i%X*Qdw;Gt8 z%W&e(;5=G+Z~4M*JoZ1ez2Hj?AH80E7;q`klQz18Wu;$)fKS$e26iIvM!70l1u$`E zMHVe^-XECuqJO>2xsQZ;TFQTx@}DIFI0u{>76Zei_0JAsdR_l_@nz^lZ5grS zI4PU~&Ix3Ybf<^){0{RfmYeu8bfUJ5Si$-aBLk%~!YM&auf>1Hm!T82WyA`4E@C9k z1wCSVeO^y|89Gs0Myz0x!AuJ3by9p8I#FB3QvQ?BAxf%Q7Mm}oj{`A(-wR{7c+L?s z;`B*5QV<|R3c?IYd5(-^M9gX1qTV9BP;Fu{>Ovh+9=(G!8z)7hxhXbna5h%pWD7zt zZQJ3>0M)UBF%%|rVsj+v&Bv==nwpIU5jh(|OIq6Jzvehuf#oED9_`Km|vVCVP|j(b0|JD2YY#J~1M6 znw_k)vY0JnNS=cy;o1CH3L5vo!x+~Ou|MJ*uaE{{my#dk?ZnT zx6%ckC~T`hxS^nK8>A=z4~v;Ql9hVZOVg38dL)u`n`*Vmy?9+SS7SnH=4#v!8!>bm z@wFx_*A>NSNA5m5(*!R~U1o0UUUQ|bcV>cUPOGGsCV1Jnt^^`S zi}ZkP9w1lsF@dy1XE)4NCKKhaNY3{WOWt*|=}}b5ySOO0RUjhv^7?I%q5v2cmJNI9 zYu=)!E*MEUwDSR(xf&bFT#X-M1BOlu%v^QDE)i`JF~y`(h6Nv3R$AH2)ff>-5XX84 zo4O>R9L*|Qu4+xu%?-Y*!Y#_kM2HbkYA}1^;G*DGfk3RD8>A=!hJ~fZh=Gxu^7Q$f z5aIAcY{1ZIl+7niO|A)Oi-_c6H<3yi^#ti`iuhWSiYBOfY0@5gz&27j)X?DmQ@=ZgQ15(xMSx!}{T0 ztJSH~2F*LOPfGL>!q|GXCTW>^Bx~{qu@3M|O&=))7lmvlNJL;mLESb;Q3vw04vgft z>(%OwNoH&v{kL9h(kAN^PSXa9e2 z58xlseQSUBdmR6Q|Hngex%Pkk!^1zszEAtV^iSL$>t54X%j*+S zuZ;b4{NLr@tl!`~7x#bspQsn&-^+iteY|j$=>A|{to*b65B9&xUqlb<|CxH7^-KKs zb5#XTx+V>=@oIVt7D{9#=1(<=0;bUK3A@GpMA`dwf$5`jClbkOu{Q9Heurq6ox2j zN!0nj3o}~Jbk-2IluC=5*kBJUi<9xWEAqE*cSgs04&DlE(N$PyLC)HlNSCIHxYt#& z(kkO!R>i2)PMRt7UAas6%qG%xH)`}cz+CofCS2PV#%G}-gXhLX@X_Z_JI>`wA^*vN zjtDsLTNiboqA3AyBD}K5PVn&vN3ejB*VwX0NUM!?TOA^vVdFwhR(Y{`^v&12W7rB|gN^HfLjR%|Ps6ap zTE31DV#5Vwj*(Xy>lh0gWWUcf6A17RCzi442G+pLeu@u$z(|uppWCoY?)9N8=vwGS zL{Ov;rh#K7YEFP5&;ARKszC|-6J!JNf ze`f_1$3m%cIJDrURc)G=+AdoApibQrq8e_+xnVGi`mAPwjs&YuBgVR|j*(Xy*rPS{ z+1go*VLL_2lPw`9?+muDQB1uCIcv8Ph>VRRqRp_^#!r=OKOS00Dz$?hGLdiI!Q)+4 z$4IMUQVsXdY-MJt|V zzk!*hpQvF)Tq2d}^nFNS-ekRUc(5bj`|709(gRs4Sfqyxj6Pt0{%2+Wol9aigbp}A z?j!nRjJ#CjDC3>4a)G`0HxK{pU(B?t?shT)^_BmCukFfE!e#r`ShD(*5O>M7EU{Ir zn&mtT^gJ!GgHlW-{L9+zvr>i2VjR4_SSY~bhJ-I;RR(pxXYyvjd;N4V`rECX&5El3 ztj9FYP$8O;+&QmX+kTR>&?|z-uG3Q;t$f_8e%OQP0I+4Un^(-Q(G-UZpS4ggIx1?q>I_TX>c?AsuXgQ%n}o1aYZmE^EgqqOtn z%a^x#(dU`)nTm5zH@?XMCih5QU{%tOoc#4KEL-p&)4Mm$_Fj1*($+|mIs4}gk3s~* z7{Mc{;+~%Fhy>I;hT1-J(R?2v+g`+WbBjbnD?NQ%8^AE-eG+ou?Q~4;e!(?@ef@mV zh6bUl6MOVF31D-GgMUlJILp8W3|HYZfh`QVQ{T7@lCQwr3pvcA_GnX&QYKTBFZ<#% z;42%}U(X>du#`=K03_3!hzdhZ zbhgzvB^-@%B)ITv(hJC5!#qq6rb2Xz&8+>TOjC5`rXG6BBa{NUWraqn~O21a{|7|Zx^ZCnjAV+TMPxb?LAb8u-_%L1M=HFzsy zR5iR!&6{?6DZvcx(2rG)XH%vAV>qj*_XId4CmOR7^KKEw{YuU3qt=lU&CoqWw_qV5 z83n55rsTMB4ErFdBFmYv6w&+l?!LfeBMZ2Oh^v}~Z6gcksD7cfFqxR!hJT2b6JPsO!jQpSHdPyYED8@NC7PQ*yK-H)7KfP#73wl-Md<1d*u?G#yg1}x; z96M!(wfZ0S!>6i_34e7Rh`>jddx7LJw(FNLT7h=e(P?vc$9l>U0r9<`7*JXL>iggh z6?tDW$3*2BqGdVl3+1qZ3G3{|4-~wtCV2dtVz$904FD{)TtFP`4|ATQFmh-4?`CW- zC-Y&1h>1Ku{aUy_KtPep+mnR%D)U(Q`Vc<*KeTiX;@2e(56g5Uk@V=Rc*jeLzyJFC}aMC%YwmcxilMe=7%e3k!{y27uw7EvB)PDDo+fe7O6-09x#m>&8uF(HeQJLw4@$^R}Vo&Db@3XfF_qG$2ihMBn?G=e2>k4`Ua07GmaHJj| zjm&9h(vxp9PFLhEB98QaN(lp3=e9{?(Uz!d!g&ieqk ze^ho!BMDlfKh}!mz{-|Uhxm8yR-)tE2MAP~_OqzZ0f^&A;z{ThFm^P#;3U%Avg5U+}eU@;! zyKeIeG3zg#sT=VAJ8;MbR~K{^a}Zsfld}GLSj>f?2MZRG9n$%d4$?F^0N2ATc_Gv~Zph61IT-P7Qcb*_4Z^@+eAYA88Qgv^5jV9hJA4gG@x zV8K|qAO=E?^0A3Cm~I1V{0vWS0KjT-p>-bEiE+>))Nf&y-~bDPlG+sLQ3U>YncMm; zwW%BO9=1O<`8xd+uSY)s(jP!HqRBjS#;6?}44FSem5xgicK-zF&^sbrjwuREQ4<&Q z!iElz;|s_7A3ySZ2>FoR&|Dn!xOas-dsaVI{uzqnrV2u9prQ_2TBN3L@ry5$?!<9` zz81`xephhd#np9YVJGu?uy><>ImWvRrM6Kb5m5ME)T-cZVSDWbeSqF_ct+gqo+Eg; zghG(dtc_}Ivs3#iTa*2UFrGFt|N0y|N!QDz>Ycx61w8y=-FIKAj?X=rVE4|xA<4_l zqL}#inWgdY2>^J@p%_PEW$Lg2s<9XFHf{M=^ zA6+7wV*sE?kA+Po(_<^uzm*tvTPcr^d757z0FVcax)FqS5edf{m48gV8wz~{z$rE8@F;hlq`%|5mW%op_LK)kJ;{e|Sw(qMD7rtNMVwR!W9jEQxSM9AgN@ zAaV2&F#I4M{u&Co_02Tx=wY*PB%ZpKJL~|lxq^;!Ums^9poekJa}gbA688=nsnxP251xO%M)mh5H7 zhLoNz%uEMm_nuEd@ysjA3_%<|t5Mt1?S?q~=tuF@m3XiOXrk7O3_HPNOaouq1`CWa zDJm$wz*(5LXqQaI2=-FJ&Kag4V=qq-9Kp$Ys8^iAkN14 zXzDgE!m2ut%py*bhra(?sgUa45`3!M1MI?Qo|SU>IS82`UxyJ0SdQsm993ZZsgY?H zfKV2VIlz-*RSjR=j9d)gfCRTx1L8FF6kCi3P>Soql8q&=x9 z?HzYHbRP~HaD0bEceq4$A<9Ci!qxZ$~kS<7+DM8tNuW_A(ZSYDY0@|)wh?GNgyt|I_CPFT2Q~Otzp6W|w*Q}GuqQO~{V@n|ME=WkMSoDu|C z_MDChyfuEgT_s=#3Vt+tV=3N(J%v|5+T1TN7AvDz>3ERIBD!J({~igmPx6`Zm`y~z zGBRp*+!4nHBN2Cj&iEvEk39RxlY%p;C7g8V3s3QSXZvEFOIzX6(=^Hl7tyNOK`bGs z_@sv?rjGnr&`i)!*buy2Vukh|=SdOh;N!5m-I%2gt?Tr_4X?UOw~WoqTfsj)Od;IX z7lwxqTnI|%D)>X_HXBo4|MZVcz5!mkLzzmSImS*%M!U3AD(*1EH2?4Q1`fR^VSXVK z_wwT6#b(luiR~ovQs3NvZokr>E2c8^^{ugQQygzMI&qI+AqCke<8Fs6jp%@5!WIHg@`!La z@cZCQqmMOsHjwZ_tCQuhofTT>_NOgcYsjr&t{;Xe%C8WFg!vcNxfJEg)^pU`os96UQaQ}gTBjJ>$< ztNG5&n@ki7P}qVYXVo1%cnPCnV`ny&8~gsIz85P~zRAv>6FGYWM{eS4-Sb-~#~980 zqtGAK_t8K-*J8Bn@YQ0|(_=J<{a@7j`rarv68^XrSorj ziO;}XWj%Z#D+Ol)m^?C2?usMQS*RE!Y&d3Dt}$AY&oaiboB@~Y9|Uw9^~+_!PbXM; zCIuz}P|A|I8^|Kv1e{0@qBRd0e=sG@6uEHr8+_v>$3J^>$u+Pctahu!;mR8yC;NUH z(@wQ3|0usI{yqn><-nnin$}YsP?s*hGQ$<4A8mbLdcmNwc9gV{+6&$@1e_!vV@i@F zj>D4jEHT_zWll}+0Xe#sH+PfC#QUbGDvCiNkhCo%B1fs3nyS!psMx$N=XMCN>U-Gp zQeL~owoy775epD!l#+^Z#ilT}%r>r_Y(%-w(bW-~79OJ(Q6_%_Zz#!Fn_GT|?49rm zN1a>|w|<6*>0Og+1L#CxgYyUVUF77 zFh}C_&-TSUkk5dfx0UmXBuaTtUTCZo+LAwurrXCU zsZ2E3ZKU-ZCxX0NQNVDPgBC@G0Qk?Y!G&XgrJQWC^YsMa>sSB) E0R8uDP5=M^ diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict2.webp deleted file mode 100644 index a5e17d4e24211ec6966f45e883cead1c7f7d2ce1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5248 zcmV-`6o2bdNk&F^6aWBMMM6+kP&goL6aWD5VgQ{1Du4rA06uLrmPjNcA|WKx+Q5Jf ziDz#7e3?|}&TpbaOWtSY6rx>jMNaFV-hY|<1OK_{Z|UREUziWmKhzI+ul9epUgrO} z^t1oZ_5l7@{M`(|-FN zRrcH02QU3j>M!x{uAi3vrTeAoC;Fes4>H>SLTJusXR>Y+92Z?+KgV; zc+0a?cy*qe|72?x^xc{Iflc)kH$GwgIat>O({YB@0ICL|0rL*zuF~NOi@^VXNMVzc zyd29qa(Z(jY#hrva(Z(T$Q(9h(j;NoqRhJ(5Xl>`9?Tv9o#t?vbBa67J$tfuz%i2Jyl!_JjqB;86KomBj`4@Jt;d&_&A5u_4{VNYRk$QUdtjon{B!o*@R9P z41456CJ$*$Od6|GIG*8i0H^#M(0c*D%7vln>oAzi$=AEl=9X(42+PesyW}{@_}d9_ z>1cI6@RbYZx_{TLjtgt91+4>DRKOYViF82>UFI?O(%`||R#w)Gu)dbB zc3IPt)0q<}Mfzt|`Y+B(uOlSRFK9xOqJK=8i@fT`qzsBL4u-+Zv!^GgG9};u{{NOB z001EbBsq%FBWO<>_cc?9^cSYj9>stk+4<;*QMyPEDqax4T%r>smwJJDVm_a5qZfp{ z*he-)t1W2YwF!(Gooq_o%g?y>I42xH~7~=Xw@&5&*8$* z`puuqmD?YJg1S{@V}NxLVNMUbZQUX+x>q1*Jw@Go^%vO&38{n*i_@ ztOrGV+^?hGrdC_Ly&{!Y5+sjcZ(mF16qJDmzz3Y)Y2c_(iX{u2iY;2FzpllLuKcaG zFV9M6(7V?K-zFY8(KXEc391hP;>>l0+`5a)R(XZ{DVAo`1sBCfXepZ0fjR%55BwXv zC@is7;>nw?^X)nf8QWW2I8oHkQc8P`!r0%-%}ogSfHTF%f8Phly^`&~bPdfn@6Vtj zRpB|Zgz%0v+$p$^K?XSABIj&a@!Gi}3XBnD(;ea0C^Nx71x9&S|0LYE&gsUv#w-5c z4tFk8llx-0hdt)8UIexQmz&QP{hTc}_`@c*b$CDTJvy5w@PB!G-Wl}5mj<<8 z`|18Z%r(swe~rNq>P?=nrxed!a^j6MKQH=sSxmeNP0O|cD$_ZSgSDg{>7Z_s`2c5Z ztLg(aP6r8qi9h;<4uKH0_HbMO;j_7~xC;ON9Gi9ed@sojL$473Br44Bs_kY{X&TBp zJ5t#3k8?`qK1$t12b*AW5nx=G&+>(T;J%xBgbb{0@nA!F)u}lMZT2DqtwgJ6; znNK%*=mcDbdMH{o$mK~0GpgyKy{-aXSJ#|NX3dCI=JcmV;ka`@>?jr9@_7`c2#TjId=%$V3L~oukde%NaX}kWYb_&xmgVe|v-b zH|2s$`6J5^ThwH&CNls&)^0KAgd6-|kC{)7(o85}Jst#iTjEVE?4$`QdiIo`c-I}c zU-;```Tc7xMzvA&3tjG~Q&BS%u@Ao~*~B;CB(_4}511~Whyw>S z(3wN>O3kq8?kCTX90>M#U^TsuihGl)V?oKcM?xip~J{k=Mn(Iy?Q(lMYuAiV8n zW&H);{g6Tq5ZSn$L>(_Ax6J^vw0G@anhu)lzaJYwX-?%G0Pj(aW>NTFLd$b;%}%|z zDDlOjOYX3iWD?wOQH7Y)pe(JmgO-Aq;{%S$rXr5_Z1wk=_lm+C^v>DD;qEli!jCdS z)2&OeIqWRN8#?MI*3~5Jw$Zw!96pkuRyMmS(%28{JU^r_;%UrL#iViZj?eU&RulLS z7YN{$8Go^Aj(~Tl#;KB>x@l4O>$*%mS!HqV&F0H?3H9V%@Xuwm$#Ouc| zN?>8pau?x7>g|)NPeTTSqw@LGW!@b;VV5xYq&COK0!x~b z7~GCe@6*=F#T7dLdm!PxVQ*mNh0h?$4Mrt#C#sO55RqfRr;>4AThYjyYo+;a5{P02 z@O;J2$`YA+E)Dk~MBXQ}Vyd7U#76?3+=XO*S0w7fa?^GvIS*qxJvk{Kt7Az4oGMOc zx3WW0QS4+mzUw2%{Cj5v&>=d49qnPmH{s#?>I^t8<-;mNIb=||s zFENhSfy0KDL1v)qrmvCeFYzMV9StouC=#zGJHREK`9LOrs1as($WbW_B5@9ojsIyG zJAeQH001E_H0MpM$oX{pd?Ys!PZJe@ut@QjA~5&SIe>#rhJ;Z}z4w4u*$7h|Xu!+c z>1)Z~3-4crAl_qCX?r1^DeS6hLJ__WroxW)AZ6XaszlDC?8B&Ae|$aI8OAn_c$P;;6B; zEcP8CG8+xMyQvcNHURJQH;_u4pTrup&PuhEdBuG^5#SWfT2F2sgm|ofRAQ`N7#eAF|>BTkFDjI#az-wgCSBP6Wb-$V-9cmxGWLB<46gZi5Aqa8AFzB&fgan2%3GYyXN=FyfrGkkbH>S zpZO7YfKB(*JO|NZHCh4!b#rBJ^KQ!}{B3z@zQ^t0^Jvvy9_bPp3dHP!&*V}V4nq0Q z@98qctaoStglXQH;gt>Rh$i5cY|d#Y3>;53bo98!S@nBbi$37fsl@`>^X^RB>a{Dk zP^~iGzlQ`h)3P-7RYhjiSNG<8J!r4Ys^F5kP{@55vc80stkBvyJb4&&V+noYJ>Ofs zh}Np!?V|ZnX+EYr?yEP?%2os=orsW4f{8ZOR-qw2Z^H^YKCX{}A^; zpY68oYPNWoKAX8I?+E*e82zu6lceYjA&*#h{J?L%R+=H{#mz66G+>{Zqx#b>qdQ;f zE*O?25xI|6FO5Rj)(Ma`3}4WhB5~CDGfX9JpdK3m~$~m{=Tarf&C03?Lv|AEDoiS zO3LKaEqw)0vsG-P5c+ARX5Uq*UAl#7mhy=gKq{OXH~M#nBH?5jxci2^Put*-g{nUK z)e2L7&6EZtukVO)Y~5}8e@ETTq%aXDtgfMa?E17gr2=xx;8MI1lrbJ?jfLXR-Ykmi zTB>0aDZJjgt~Y%>c5VLz7P{cg#TlATA$SnO^;YmDjm(yqw@d804VG31 z5))x7L9uR7;g9-dTVvrbiS_u?5?E-}{M8qjuEA#C{yz3LL3E%hk2)|HM#G{YTXK|C#moK!dGycOXK-5AEqRz z!J2(S3DJ}LqZ)Ux*`WZ#9p0z4ckjWs^ESgwlhBX2wvl-;C}79ej}+ptOvqd+V5zCB z(4`RQrch24sA2d@okJ5au0NLy=DMe{6I|5H6nG*)@0bOC2aD51#uEF(2upMPSuap+5jE-e#x&-oC7@oG={-et5 ze=@E3U9+`yE@lyEae2n;5n9S!!PZ3MzDeTUaK~TBV!;JSu7D|aG%&9_M5rjl+LKI9 zOO#WWV`^(?ab$SoaboTd=9IWK$f)Us8+8?A&G$w+TrkHic|ES7 zJ8K^_&Fvm#45&i{_UuY!c)16?*SN_|w>_+2FF%k3Uoxvbls>S9#eXihvoRu_mP)SU zfx2w)osmkVb<6+wNJvqqkzY0nuPe@h{W_^=SM@7mg6L0U1-c@+nD|@=8M7-^(UxZh zkoAS$r_^1UJ65-*I+q~B{n{ML;F)LE>5{+t9;=5rQ&~5&x8;O0Xjz9J^}yYE;w0k; zdS%d8+sRZ+C0Q5CORkM~59QZaA5~3*5A#Iv&Quvpsv%yXqk=%bf@q0mQ;aoRq^+4{ z_@PNM7?+evW9K<+2fOfPcuZp)G?MD|xE(vsM16}G5m75I)m>1>j%Tg{D=iR!Z}`wR z`R&rp9FNkntCpggY&)xllIcY{O_aP%7D8|UC1<_A6uo6z`>M=tFaV+wrQ;GTdgm{8 zcx38o2}`2pn~XHid7d>U(Thim;hzmv;CXn7Z~h)9wIZuD`pT)Vf0(m&>IWU1a$(a~ z-K9xh*K-s<3rL(V;(x;2&-Bvw5~X8@J+yp><;JhPZoqo!1hr7nd`Xj~up^t6!4kX+ z6CxN8518)3jcs&{P_G*y!+c!)mA!3<$!}10V z_zR-8F1nksO6QQ-y2e!%6KId(Y7&p2DSYbtH2^$at%;9aY z1J`uabTE9L%=>kft4jEl}ieenw=%ZLhjo~ zlAVf?sQ_;{Q=93ZaR)sgtD;1mhC0}n6ZylQ4kZX{+65iVC29bx{p2FAGK3u7v{W{u z71pEow=o;lI<;aci{*EqmhNv+nZ6x8wx<+7Y~`txm&-VpaYFw{3V+D{;BAypvguh$ zx<3T{S*oTXuU8M2e+ndO?v-xWK=%wc()ol)2a0-NuVSAI-c>aQ9~ighD#te*UFd!; z_f<%CW25!zKihTTu%bpfNk!Vh;mmpsiV&|cVal-b_@@kOYHm%6$$v8pDyiL69xY&40#k{OlkA00000 G0001^{amF0 diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict3.webp deleted file mode 100644 index 8133221e52528ebe4acf93a0e2abc31fc5cc7693..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15972 zcmY*F@yosf!9Js3~v|D*SVdbOe+QOw9mub- zv=0%Amm#BeSl^nT{WDO2;OOM^xXUm<@dp8){epJ4!CqZXiEKl_gO%{S1y?*qjD`Qh((eJOr+`w}~z>)Cze zv-){@E&q}$20(r1zXGiCcly=*d|%;y*M{t}elLF4zRoJ~$9(_&a(lVG=YQhw^CJ6U zxYnP`4cr|Ccz)TxgMa0|+r8Xg=XU09e~SQ`u4NVhvw+QKkZ0i&{v$vuAP_M8{Wx3t zwtKC=?YH{__)31Kc&dFO*yZo?+XR5WfPT4sFudp9^>z~+_yN9Qf4F~2-}p)Os{n<7 z(jVmq&@0sU)aTnLz#%{BPhxKnAoYjjTmQPYF?I?t;5Q8*`Eh#j`=<~8Q|v2X+i%+M z2_O#mr){4CavcfU34Xrk0H*u^s5&2d>-|>M?jtUp)j``zukw4CNGLE*I9vmT8Nybi zU)(P;2}P1qb)GE6tQu2q$XQZ~VrME9WRzHy@^$6@WLx%6^8hGY(9HF#Ohtk|lP3!9 z1ob<+2is1CG;<_9Wbs+)Ajs+6L@**<7}XL%c@X@y)~-p9k ziNuv2H92wRmbXL;Cq1}!yT-{sScjkyfbe1OLxROl^YS9nO;|YrVuQ|*rd&GS3|AI~ zb}C0p$6b3#_B%8@iBD_X++y>Xke5|qARt$Sy5VrsEsH6A&UQL3S`>TJ?rk_oE1stC z{lHc6zO>X7u7N6_S(POYOe{)?b(ziEkD;_z9}RI56$Y^d9fkV@*W7OtaqCgI}iB( zA%pfy3z0vi;Qn-T{(s5oRwKKjF6()e5X=}cy}4@*q6X*(V({dAaPt4?rRH4RLV^&j zJ(;kPwi@?onN2&sOWCPVU&@@}EB_2iZQ<=WBoU2eKsdK2_zR(eT!5~N!O?*&mImqB z7rWru{V)MRMLq25fEFPqL29r6D2QXpaqn`Lu+@CoB3L6tikx0xwexXAI!sszQz2Yw z?{Gu{w;VZKHJGNBPaHKf!0M?Jzs8+A>BD#QMBV?ZgK+V*H`|5bdziTwB57VN7uoWt zX_b-YBHl*+1Qm{i60gz`+aN_Q_x~ajcN(RU9-&1mker}uObQ0-?g$(IYgncviJ6LW z5W(|&35H=AryyvxRwAHbRIu8Id;ecLarvJcDQ}Bh+;Uf3>Z<+c8LDq4WzrI2j7b!M z=HslH(7M-oh#PG8pSk{44jHZcBp0G2T%!673gICa^GzXUy!~0W`-cKH?tE;KwWPOD zSGs?z(1pdk4)o*e&SotoMmrLhx60nar36Z5U$)c)m;U$^CGhs;M()3yajAQ)gp$1Z zody92PRZM_^TL;;=bVKQPToWyjTEWlga0jof1v~ilymCf(D)0Dxj4zwgR^#|irY8S)B>1++LvF?Y3-~{m zV;>u0K^56$)RKWE6!XY{1E0j;?8((4%dOQqfw&LbQCjENg^vM|xDMwj=PyOou99sG zBpkI;9{d+iZ#FT(SI&oFu10MN=}(P+x%Gb#O6;c0cQ^F8!%Aq9*xUVX2K}Q=p3q*= z1sWlHr!2%~d~P`!YD1UvA6C5Cy36vKuZ1rxQ)KW&!z;QIyZw;O!5VM0IOJ{apid!Z zU}mV$`}Y5(lYd77gn%Y!;cVCM50y!;|LTHG&%_dzX3kO%75!oWl59r=L%-1P%7nSD9(6qoIi(! z&$*7OM>tJ##5F*-fhxO2l7fdP9XgNTf1KUln)5W(YsQ`x#a1#Is+;$QS8*l)tQEO9 z8<#Cw+AfsHWFYGHgq8bG{Qmc~|Hn(!|Iy+9+UZ{~2>|^7CXqnJe}x3PE{pCIB?H+N zpff)NMrbiktw=aHbJw+w0j|#pEnMD3 zvJk5#p>O?$C|3dO1rX7_8jkubV<10kDd-_fkiTqI5MLE}m3}cRadK*)^g=pPSqbW? z%BF0tCp*=Zo6pBrPu4zT8MeotZ4DZB!i)(If=*!$+H1BdVAd{l`FtsqL#e;H?nDWO zo9?EJK=^@H|B*U+)wUK}nZ^Vbc|iz4noGrC4hlvP557=u8u{a;xb*fb0>83%9`Xm9 z`!N9ywAz}%s)C7<>k~l`NCHKc+XnVR5q(AtgYIonOb+Ez;?YBaxU5dSbd(T+RHRCI zLDd`9gw8cG85ci1TU4ob?5QXUzV*7GI_Am&yP_{a3SYhXr&nsX4~|Xj2lntncbA;w zK?J6SGi>&30{VDvok7wO<+JMO5H=T~c|tFPB*dZ}(Lm!!*LJHY*RUOfBa_`(A{=o6 z4r>=KGJiA!T`q-HbgR4jJ<=dLF4i5^_J@anCNj*d_|M9%ulx}WnqE~GE z3v<--e5gg8>#D}AB$9hl`Tzp~1&A^md+JT^w*rEbtdAtba^K>i@Lxq}j04~tu@~;L ze9_l)pjn28*z)8P*Ml%|lRCQGdo0#lrvuKfRl=|9v{IGban0LyI-V(u4XM27m>G+6f3*SX~g z_B@Sbo9f`qy@yXOvvo3MmD0I1%SU*(Kzm%1xn_rmFcFOd!Qr8!UG!srml*H~mM5An zpIcvJHiz@=qKx&ozjUnEnCzu;92f3|gXmO-azWl?z(fV*CZgE55D}yQ zWVyNfWmh+KExkDUcN1JsPQoj&MCvI1=mj~#h+@1W0eAN8T#OX1x?Y=%HB1n@#;{=9 z^m0MIg+95s7@Q71tqMbS>eo{zOoA^|J9m#eR0e~-9Z`L7^qV}NpZ<1)|ElJhzVdGX zTq&ea3p~20;Mlw!m?{RX9X8rl3dL!XmL7I?2SY%h}}zWf5gNo zvTYG>3*b>Q2-Zf}aRHQuD}rp-HW3NzCRAXK;98 zS*hlm`_oP1&HR$2@A!DpLoe?!!)!59?JH9c1PuV(C)psOjLJY$V}r?1KRU}{?pjS0 zFP1g<@>Z~Pi&3!~X=N>2AXRcTV-jzYHFGp2^sjdIr)VG%KrN=df*6fA4<0$mT)ksp zx3I5Sh!A%=me(gd%_=O-vQH=RYgV;Y9EB$_n^Zk80g!*%z!j(-G{aOOaOIB4&4Vy_ zjL1h9IoP;29-Lj1`yMo7riN}rU!iU_p$dyqa zFb(mceKFa{N$iWp5ejmI1CM6QcvzF)c3+mJB60c(6B_&jdki13`90=iMl98Ho@D|4 z24f?K3a9XMZ+y`Not1thH0TVn7GRi@U6<`Yh9DWzD*Rge*vTMyq{1PfZeL-)(pTle zW8q#-IDw~n{s4Ub;XaWr9-FB|eihY8_yN~P_kC|^QS+U68yFcY6LQly*|(aD%UVjt z6^kCcPCS_+Dp{s&aCp_8v8YiIq;NQaY}xD`i-vUF1+`r(?tS>#DU!KjalKYe#BWR? zHmbPf@3$bRS5ZubGf=iWG+T3s)%6|Jml`Zy{!`~i)X*<|ZKn_aii4<_MjPJPaqDlT zy5DoLhiuJ=zR@9Wnjai81Y%cXJ_VvbOC6RdG=z>gjuf}&sz1N3VZCWLH5^U}QRP(! zakVaGBnL^&m3&+m9bj5Ia-IfFXJhEPU|&`-b=dUMttX}MM!$l^=HoQL&9tdo*_F^* zZt(bES{stJqzkbH%sli8n(n$E=oPN@MtC#lPX0AJ6nwXVp3m3N93r^W<=ot1qH z`Loj`NhJblK5c(B&?HnhA3np(-!Bxn8=fQ>@0q!4)$H@_;$5GJ6ZNcbmw`s1_|$=t){7$+B=+V`qHxyj2e zX@_x?L9%JNxAJ$PXI^0xI=>Xq+d+&aCYV$Uf5m1NZkwo3LI}GvQFLdh;ul?_)^N9_ z#{@9vl2CHfCj4qFYl6XPc3%pUNGHhvt9XaEzWx7dYZ7g>$*4rZZVM(7GrY&9k#(ruc z#U-tm&E?ox+Z8-?Vd-sw{jql(F_Ui0B*W{`zQ+qh)FgND-n zGk4f&yMt(zy8{xGUYS9R%11`>pC+WL#=KAgM)wAr-)?q4vAAEspy8)3t8qx;LU~48 zGzE-&+MpbW=!uBUTXce^RGmx;4TAJ9h-6*CPK}n+dvIS)PD&rOg5R~gB1hV4Dw?jB z_BzWZDJ zzaNCIC9e5S{76M2E9hBSRLJ=2QFkEYDrvkAPn*v?L%4oT74hP8Dbqjf;}k;KQ_b}} zG}H&K<9;>4x_xN$aBm|Ps^;^dX;b|{;aic+m0YMo8Pn?E?;Dw)@gt-uP#Gc-fm5}R zyGuj7i&$?F(y4MD(9&7#twT>rL0}j3oTKfeLDjZu-;!;u-1A=EiP=?G60%uXKee5% z3M!(#1;7A)^XBLm8gOrycTbDbP^B^wq!|c!GC$dJ!>$%EpA=!ZiY^oXQww5FE@Cyo z-c1l7H(%{Kd=@z>_$V5O&R({I3=q2KdNrJTxTMNi2MN6RKzwc)cOZQJK90MwjN~JI zP41#_P5_sdOK&3=mULRS4;lbI)*G-dXlb)KFEWn%q6!|S?JBL+_U$!0VlNW-%U z;v%L`ELZch9zNwqNlBIgvX}WKdpw=E=(-k)&tW=pyB6?!6=a@|<$gw!3JEzgd4W=a z28@92tV04?)ifgz7DU*^agZTFr>BMP;UTxy2Ft#|6@GKhvBA)N`Rq({J8RpW6m<}AOIHz9Ru-R|-ngk+X4km2@K z;hJX{498CBQ_x<+i8wU@Z?XtQ$Bej<9g)EJ4=C30@4ph1KOWPM(VDeQP^EW$iVg+> zEr!6`x_1nbhNT`FkDd1k)+0+{z90>eh`s@fa)(6OaRw$T4}$Ee*W*Fsc0_nr8!m!( zf-ZoGSc@;SQOLnCI1e`oR!ne>RH%&Q;phlpa_N`3Fp@(1x|zI3geU%akkL906UyGv zoW?)ili2YL!r*sG{K=RH6{A_lTVQ5c3yO$yb3!M*Y*(*zj3b5*IlOB_oaJ-gO{hd; z$REX#@Hmu?3kP6#YSEcn z%dIrMm-T%~R(r++vBlkd1{Il-7jxuLry5Q7FB^!pYhX6Qd>5=^O^}J<_GvXd2(lee zG?|N_Fvn+W7{Q&>*#_!5Cru%PysZUtUaYk%rKpAR=ak~Jdcat2RtlN^MVIy=f97*Z zBNu>B6TF#~Ny&2=&aSjGc>~*4CukEEi^aK%F;5sELdB#L*aDD4AXyNv(+=}?2xfwb zJ53#ca4av928ooHNms>shDJSvXgNG$Rf@TBjKE8%U{Dbsex(bGomIH!Ftv66 z89h*0j@_Mx!2E}mF6Gr29EMl$%XwIrR<0e*bCMPj;n3#~yau2{2=(}-{9l;gmCSq| zvn6TFbK=GIuFg+oi?^0qOpNX$F_&(;Y(C=}1Z@1etkHJx8a{lfhsEQC5kDdAcM>LbEBT-6W!qjBntrv|6@G-WlNk(y2&H53FAV!n$hZ9z!L^pL_&ehnFyA z#VuCyWthmQL}I^l*xgyjupLJr@Sp(2V;wkC=xy5g+6BD#m*@192|a7%IsOEDCgp5% ztT-2nsx^S=psk|9?}_rd^#M562?`&wCO%GElD*%!gulvLC!s|E4MH)E|AmV{-pw$O zW^9=B4H!|tmBeY0{YO*wgl%D6om~Kl_3RF0IOrJ+{XuXf?1&-OX`L)rJ<irLfVny#XfWqV>4BzimPewep-ycMw#s54|_vmt@-{ouGQEZ0s^4hK527 z87L!)35az{B7f%OivRnCvp(GWwM^op8)dx1P*Sl{&BWea17Xh+nlZeNR>~GeN%`L_ z)$114=9JYPbVhJ??q}!Y4y`QEJgAQ-W!W*24L(1js}eSZ#s0LlOvZ)YhTj#xxSn3C zS~DEzF4$`|^KY#6`(uzRxQ;rd%Rs-9a&BjY(h-9+Nn(LqJX)PDAw#37(zt4+)OXKRE;SZq>`S#p+a#CCUSl zLVzXW#5T99i@tk2GKeog^o_>03i@7S2|rJtg_`0%kYPa(w*A&oTlK14DcxJxJyHev z>7Ph-y(sHAMSs_csoeMI5J9wXLxZk?kxhbSH4iYxx^yT&4vBPE*AKLw9^pxGBeYod zF+%sKZz2@g!%KTH;~WfV?vTvge^!18V;R{#Z(eQ3E2FWv3I6(#s%~=yPcPH%JEr=m z9|INkU52N6+VdbJz^_k_Vs?lBuJ`8Qcmc{ekk1hL8%#@`tm9#1o6^bZc;;MSZ_7|} zV$0s}*UI<^6!KEG5zqC|ppEmUPaaIpyNPry8C1ZpkHWRYcQezxGeApcL8{LM5+l4Q zp3`H2bTOk;CXsmy?F1t-L0JSocl{*d8gZ&7mE%(_cIi^7Ui!SJ*Tr=bKL#ua6f{8v zQ_1ldp^;&`+|KUuKDqHoS_s7*t)u7}J@x2>j#&t47>SB_ZlNv-=SJzeNV_eVeS5HhMyS9U$v0(> zMT|!coKuWyO(?a9^zD-Ux^d?}^6ym6-;>&BiPn6}pTT#zn5 zstn%^xU0ueol{o4KvdIdi=M76YJm#*^+>h13`Q@%1~ChnV`7D2DT~hUee+d(S7r2H zvYulLa+w`Ki&(KJyB(cTU!Is2nVD)KDZf20@Rl_Ci}=Y@%Wpk zUCO?~3AA9$7%OOA4Cu@rFkPNinBbXtaFZB8p->o97O1A6L;jy*4c_lVfa8a4@h#tTL{Q_z*c4lk7W$BX-y^LazKRs4_7uWWy5Bc)xl z@95PT;W!|~T(gSW-^N$1{DkCRsv(MTmcknSX}yn^F!QpPIjaKk)C-%g9UeuUU+fL` zF4RPC=i=zbMOp4|?d8bQ8&Lz7n}N@79!U3blG>F{`h5|e+3Uj(O}C*$Ye#%Br9Y|8 zhtMjRjHa<-Ilua^VpUsq9cxo@E9MR6j&ddZ&Z0o4Q~7>C9l#wsN26*w);_%>O~T@* z37yTucsME+53h5{a!j|8JVs-FnNsmUdew?S)<=bJFmwXV8_}qN3!pN=ZM=@??Q(5PIfwb zxeGCe&AI>y?E}M}iLkyZA9GO#+^8b=iqvO7#;$ftLl=OpJ+kj;uOK)A^C5OFmA8*} z{tW|0)3>6>vmY~sHT%?Gy;3pk81dWqKzTnuzNZW(gEG@4U#LYVO;sw5`%SAie;b|K zCn|(8Zm6sLd#}I+Rc#90-Rm`wp&o-cESta5N}(W2Z{-x|{yZy++^0eRLLgqNtaL4r zBBYVfyo62wqH36^&edZ*5<|eXW4W(H%V=(Q(WKQz3=s6|SnMyo`Fj*}P0<^e`n8an zW!XKHc)5m*#dq_ujTu&Lp1V)ovnCy9SNU%4LY39?_V)6uKWbBdaKyy`+GV@~7kn76|KBbI_D?Oi}J2s>()t4TfJoNO93cRKD=c z?q_^itw7|r?#stU&0(Qosru*g=A9zuo64bg_3CNiA*zR#3 z&iU*`e$3OvSudoGAOj2xu&p|@oUum``5SYiV5LQYIC5{&U^y#cQMMtWr{hbK=~epf z5+A;Z3}XyKHF0WY@J)Ru5vJB|9qkhpsy4WIZ%7{mE{mOXEV{~vM(cfk7QN?73oZOZ zd%2~Z2eB8)$jQqtQ)lxYJKeu-X!ARn>uFdR453KgAAwqJcNVD4`G&U?-;I^DdI_TTeI~;Vd_EL`_RK zr)QeQhLNBv<7ceKrm9=;ov;PL%*{|Ualnb@B3oCzbmJY$d`Wa-1w(xiR15!79gp1Fky~q z+PUhf%mu(@UhfvK*06MXhKqA!!a@7UJv(#IAIQOQd5r5}IyTLmK1w%Ae(NhMrr(O1 zg61(yS2RayR>*t7l2P!teK^NYtN|w_unM(g1F)Q$hAA-*v=(=M!y?Gr6*N4v?pQ~x z$?J%jzT*kQUejH+UY;#c33SGlzh0TyuNyfkA675#|0Q3U!;0Kl6G(Ov16}7;wnW{F zK6+Iv)Zvyco9VUTmX2)pqSsqo-EKp4+lk)fJUV z#1(CO-!l2^zm-`YBmA*3*=7aXlaMkl+(6J9V_6O9 z4u02xj~34?F2RqGflceh*vOhG4ucspkp40-VYTdG-qq!?g`>Rx37ySxuKk+Z$4EV})@TIQT5cuxExlOy@XD2*v260l_(DS&{+apF*+ zaETh0JJ=_WLxZlCS@^qGY3)d()-VY?3yvife!7+6eku{lF6N8dV#27^&j({!9q#u2 zgZTWHkbz|yP`(|*nT0@{&=mIYcJk!7D27{O;}jhNPGygysL3DuW!8{`-{^n;kWr7Q z+d5BWzk0q&pwaZ&DK+^60arnu4u7V*U;L3T8W6$GsnS0jCxd5VB6hv|PbJC|KD~OcW11tQxJsgEaB(hBU4$&{U#D8P(Fd$1RBCXf90L0W=d^m z182HcmgpB^Ny?Q;p+8+O*^dyrYjOxeo}Myir;+-TND^lxV+H$64sMpnb=zkhpGt=E z@@3do(o^?+x=c8YOkBSMw6EbC-f~e=Z1wU$Jk1Kf<}PuC|C(((wP}W!&|kyN+LFn+ zoT7|T@RF&g&YVVD|#PS=k{E~ZC{~?5=jLDs1=z90fi3U6UHBMx! z1eY;Rq9pk=BMD`o%J3F!ov4RqO?hq|&Wi*)!zt{?b`IN!$-9MfMDF*{13kOXfrYu@ zIm!Huxt)C>7E(yH`qdVJ7+V6pU(A-PpVS*f$yfioO~1^&e1&k`tF0guVO%yg)RsM2 zZ}4D~FQvo2`2w>KIf^$8WV4{(S`R?f**aB`Qh#!Xz}){=d~V3Q=oRu_u!wG@WD=FS z{4$!)3}Z|z`7y9$|TtTPZE7Flb8_fBrpmCcWryirxfj z!QsLBxo7rk!4f0jBpRjPoxTExa~VH30psrNBqe(lKOz}_bC`;R+;2^iz*KFZicn~n_BRZJloNl;M6Ve_ zOm0VB{Y_G5MPTL&>G>qB=uQ_lHz?blbHHF&wPs5xKF0k~yskTY)`2>TR=(KHe~!a#c+7`b{AbJ z$C}$JV)ZT)GhF8W=#g+iv6rp1#2xle|7M~nTon})Gjn6u%LtGTg~aTiLXl7Dc!%Nb zg=wFmR(pDTATYu688~4oDTH8m{tT9?oCkZqGO$5vpi`rQ$Fm3ZDp0}7`8uw~1(!xd z6+})ob}#%6qrjZcD0-zayeoPA)CeMf z2K^|yzP(WWawP=2Vj68%A->|w1viZ4yVKfYSh(aDVqv34j8WMGfi%3hSckN1hNq9W@eIzLyv)O`u-fvNNRCzdEfFok)f*ko!nqJElS2j%seu;v<-BN-V{{@#L`$ zpIFXvER0f4IwV@Nx?zF(L!=79J3Vk#{JzuffmG?s{n&v1Wj8x6kq`LjYj#<3*v@A%AYQ-7(Igf8^Uq%O zqNmcX2DA%=FSiERlpV@_y><>J zy*3#vH2&LDPAD*GW*-vpFTMNbsjkxS58{2`Xm*oQwx0IFaK%ZjKv)Ok*L!#nU`=AN zt9h~0m3!tKv#b-Gk+ZPX2-Hd2pmp>c3aQT|O6EF$VfovzcuuLG?|Z|c7xB@v1*_%g zXR)kSFkmfa-5#nIFma|>=6wQY=Wxi&+TAoLMDP`Suf4(Jtds6P6e~Fl<+|=QfbWw4 zx{B+$15+)_Fvg%iwSqfZN|M3Bz$~GZ&v&=&x{hm>M=E0;*!j`u{;T!r>+IDG0b1*C z2V^2@}S~gS?Pkt33V90{{BNK|;)N=IQ69@p&Wt zSTY5p4+cE_!nvD;VBOj!fH?c4z(Q{Q5-XF(8PnOj%1?3sR%5#F^Y-|urCRfh4IkA% zjtb7Y7?*Z?HugpXc*$5!O%8f=rs%_GOh%;AY9@rO zF07o5d`+t%BE1Q8v|8hLwt+p%`RwD&6{D%;a`wF8om5U^&q^V16%7xf#8$8!nMO}y z@mXelN~ZuKO)?%?HYTCD9P@BMV{`-Vk;C3OLH;VEH-?F#W6K>H1EAw{T09kn&t?%N z0<{=i1?la6V{1Eyruby((c4;CZ8w$wjA9BL9V~C!!bf}Sy*98&8?iVc*i9jd;pdgu zn!qxuFa`%0emOn^2PW5ndC_)HhOYIMLwkaKY@lK~jETN8F7i=ScDwdIWJ_@Fz(EKm z)CZ=zuA75Cdq^u2Og7_t%9YrCf*9jiitnTG5X=h?yu{TKtDtbT^(K`5kU`ylwQ0K) z5-Mzc!%g#Q3$ZoRv1hB+8r#Nl={gagm-U6#ohdEMINR;VCfuAUG4!cPo zGz@82L2Z&#$V%bMzQ2P9>6^QtBIwJGc$f!#`fbWP>P2Xsm@d~e9xDr@{XR-=?3K@y zXip4jj%8)?3_Q#*j}dZx2d(5u&mFk&Cp&r3U${UKaj;vA7aflzoMIq_&hF>1Hhtgz zW*!y-*&cmK+-8bN3(k@-b>iH}g-S?;>|*JFO#F2Og}7gnUs-g<7g^O2z_NN%UCfW? zEvB#>R}`AQm_N`O68#PPSM2m%Qh}w>-&QCPN~_9d8e59{k`5$GsHzY@)-umt_f|@` zU$%~BK1dz>YwjiI)}A3dN6FOiMeHSVyg<;#OglX^Tv(D1uqNcXJ)X@O{DK%L&6GaO zEA<+Gt?LF4eu;Asz8RAneT&N%PM7jU3wV=&=4hm$(876hQyzxQSKK(pX8g=%cdU!M zb6LV!yqU^>jB6(M8Gl|SR0|VR-4~@S9{r|S=?VS|7AM(ZlmMS~)^y@qGRK zD@ld2cV6dQJWY8O1Q{MN)mEzrZMyccsyB5P`JF;OCISt>lke`-wc9JSz2bOD>`iCN zZNGO7i5uaR7wqqoia+ImvFfPcl?utI`6_8ecx+a$Bn@$#qHBXa9F!a&1u6d8d|_@v z%QC^_dYwAY7;!HKv+uBha>LB@^B`JbLUqL;F=7(9=3n;l-mH9x zo2IMj)%aeZe8h6f5;kr5r_+lH?HIBX{3Gz}Ee8&}Jo$zq)Z5TpCzKI)C#fIsMR22n;&C;X7N* zb)gvVb&1)h;9>?sdLj_-W$w!BDk2#Lg1qpADcU)z-rA7SF=By5kGvT2T;;}FN#tLH zvm(gMZu=Ty1U@dWK@EGyd?z5XL6*L-zK6E{bdx|R`kAi-l|{+blEm$-#q|XxICj)L z%&i=6cITBUEJT{ZA0xpNWlg&4uKt-7jDxGRgnE9tvngOTSpKjfPH6Cg8oZk+jm_hc z=q+clvs_8;($t3wQv!oG<;n%SN(uQWvl6^<_9?V^4hClR@^x`0-w9i8D zm_8rCs3zivQt;CxTeoDbMQ{4hn);RyjR`bP5n17_YZnfq+qo zUv1)!Xz=TKq)4hCAF@rhQcGYysC%ahd^XOuLsCqqsf54G=>)cZoeke}zSD`v)PeG4J#SX;Hs|t)22q)eP2oXk;dO zK3U4sM$fGsq0zepDh>t(q;Ut2V51W+va@nlEml+Q|*N4mxMY=q12zBClw0ys%8m%`#j{38bYINa-U+2r~vbV z2Y=|mrk6PCSR3T_Fw1-KwYL(bbxo%Y3`ZFf3C%QEyh#x|*Wh#`zF+g@1N)icF|_R( z8JvloX1%LVIquuOHwSJ=-xYltIP!KNP~7~G;QC2%M1y;*%3lk7Elnm)*aBYLf?>7C zlTe`o$jqQu>{FTJ;OeGE3W^O%v_1n>CiTQHFAt-UNeo46F7uQ%)QqdoE7l?cp%!E5 zEu_^fJY#h8@4FdXWjJAyAg%+c3r&L1ROIo&%UH1OGB zcn_>TzZg={fu)iaQ&6~|*LbZHBqP-EQ(G`tH*LY&$8}LqFOR|Z?ER~R10L^>8NYL( zHXlTXBlJPxFFH_2;RSKc4E}(49H9X5;w>+9YJq=7T{qq4*mEIlD?@c4Yq$%Bo387F z=UtZPOCNxhtd%>jO~fN=)@M-$_o&(N0?PRWb4;Ip6t^6imJOA?=PdM60i3%AEI!Zm z)rxH6#WpuR_j>W5>nf3yt^|DMIf%U{65XPzfxRKcHz!)W_EK&ZAnK|=3M{j$XO_Jg z!50qsq0kB5NH=(XedRN&%US+)l^}@NbiTy!DG(b&+oq>fM(<%BW6q@agMVS2_|env z6@GaAOQ;=xj+qC2G15m%2@G<|#`hr*@wzC4Kzts2?ELD-rpp8M1q${jmop~{?4OxsTl767~ zIdXqO9@F7AOAQ%8edRk9eNa+nH5mHi@)wRF?iZRLU+wem8l=!2l-kJ@Daa*W8!ljQsF9Ofc+^f&L!*GeS#Yw97YN6`{s0Wb!DuUC`rf3fGeu}hdn#vG zmo{zV;$=%|-^SPFED*DiC5-GhQBYkRr%$=ns8~SUd zF}O{q5L`c$2oXn_HcnaPBfPM>bWN8_69r%r3{l47r@RgJ^7j`kXesgH!CFK1l6xg- zqWeUmCd+r}76kE!YLjpo8%7PJ-d(}%c9(T}a4wR1&?^qy<@`w!^GMjga#qd(27FXn zTb(`>9tgJyHu2#K0oK!Z=8QUWy*FdMU%zMG(X+{2|7vA}S{am8wCIu+*o@n}r}$Hy zCkWqrfXRVxY`1f633F$sxO_scvfq6aS=mp=t=7~Sre=pl@qwd+UE7Z=Y2+W*B5nB6LYg^eSPtU|ioec_eDWRUp!(FZGs|O4D%p0Z zJSd_(rZz6Mlh=d$2sxnRO!#HHk3Y}T*(%I3N>W)xVQZHBEr~O;D$@Gas>GL*TlH>I z7m@mmoQ)TlWp8X0*g_ti4J4Q*XAG=2i%Jom0pVF>JB^j&Kb;F4%p(vDQ}zc^cZ@4O zP~V!tDQGFVl$jQhI4-!^IO%p6BBQ-Sf@=-x7acn1=!v1$P6JzG)1YW*VTU7&gf2#A zd@DpbQ5PS7x%}7;K$G zPJ&JT(`%vhL?@^H1nba{Q%XXsgM0zwo%2Xdr^eR~N<9K9sS80uD08E2ei-jtNKR|7 zb?Ll^61BBOyG=|G;N_!y4|^mYSX4S6~FB&?WH%(y)@G-^3KVsVfaadz z0v4mI%x}t}_TpnK(Y4Yy`Rx~Ka@ne@^bTr4f6P}p=|id1Sjk^pc<{yyxJ{cs@Tb~> z_U1wwYQSkftNC2`|@N_l>Tu;~`PQ zJxtIa^si4O%hI5fo9rNm#A654DwBD4_CTR@P@J9ukoS>gPdCxYJB$lSltK=nO*fUM z%=OqqHjTXu1NKPkn0l<3iJGleDG+endtX={+#u*9E(Rs%MrkiT?&0#PI_U@WRvM`0 zxn+9@&gHLQAiUd&3n=j{}gxvp`JL*_Vf6X0SMG@@&4?%+$*r`pIwB# z=@`Bl8ZbhwrB<@773x<4KtL?733=GWs$({nq%>;Y=iGr|Y)*F_szci-0cyGSY5(NP HKkfejW-~$U diff --git a/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp b/static/images/passwordpolicyenforcer/11.2/administration/chargranularrestrict4.webp deleted file mode 100644 index 25d57993aa24b3ac7ca208591ea692c26f14a3c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18578 zcmb5V1CTFI(U=t%%*yDlR+bVMkCp@i(hw6?R9ECA^8csLs1KY6OcMmE2EuR0o*_j>QcObPjBObR zA7y3#Ws6;rLzCtTyp37$uzR|)3ox5Z`Qjt_qWrq0N8o+h_^7#J0AN;9ekL6H_YMg1 zg#s>~fIpTlnE))WHe0W635tkpfLFkW-|#?5Km}m?2Kp=IBjD%O2Jt(80&x6IK5*|H z7;yg#1bAN)SaP`2ukBg>w0I-jAiU8}daHht=qT9r%MWP3lRFa_1GGO8z7zg+m4fsc1GCmZ*1=;{TfVO{(Z2469BD^!W6fpZq z2jl>Xet5nku5a5A=LJRq8vxp$1VF+EVWY#bz_P$TAOOGuIQ+W(*DRg_KYhJFdw_>m z@$VSG8;$h}UZ;>Z%`y=Rwu{|Rjs1zf>(AL9Ucvlt@M3Bc-oXH>l}tbef0gHAM`8MJ zD!McB7HL>-Xxqi$Oa;9v#l|lW6r()dCZ=B>${vFDnnBLoc!aY|I*ZQhZDBoCHwdcd zFh(bx49Gc&dX~`QdUW=?LD<#r)FhBl7tnJj)G=;{a$8?kYgbuBz7o|C(nbWF!o4zA4Hro4% zRCtPCR($@E)jby~O#&;XkJIS)H6+9zSKzsTG)39nbQ9P z(rzX6U+64pGU9&CE|S_O7;%t#tN$;g{~90=WboaC!92X4OD+RcdogefBkF93o~Q9u zBpELYQqSduvig@9M7ls;(a&yS2G-ay?H5Q(H6WE5c`8ud&EO%7go_bouI5LvRDuFn zYb9VB_y2UpnQU{+FAbC;{=@uV2lV`R1!^$)~zNusXB#4;Ik4a&m37 z$uh`dp6=xirIH}CQ{>=wu9leXCaN=Y(V>d*!potUP}Rw;NCHlW2(H08L1+_vY5#r% zs%j9hgxP*p39Dq1vhal}li808keqk>42I+-&jt;P_%5R)KAw; z^JXd~t%3tq6~r~*VMslMZWm0?DTcPE6iCNGdU^Iq`b6VsHCrKfAIr`mjgI-U`fu(H zd#wIaa~Z`CXnPE71_@ud$WD5p5*GzaoY#X&xv=kIS&h6bopz+^lC+0N_2r;?P32Yu z+m>>Z^7)36jC>};AeIhZVSk^lDk zjQMVRN(`|tp^ybbmxZf8Po83~N z)%^V*JpLD1oYWw@FkHEY&S4-fsns9n53x zqzFWd>7pusV1x&Mb}v&U@)2gBI5(N`{{lvXh~qUkcTCnG9krkXM5@hC1!}e_NK|gL zO~qkkbF+@xndGNCSZh-c#Gmilk1%Mc0!8~mJVdE@@=!vMcV1&u@`kod2hmX>h4YGQ zJ5|$!*lxZYb}0RC_%uYJB@g_u7_>!uDp|D|_azk9N5xFT079OS9M(6 zMB9R7x(WoZTgY~7VeRIv{V6%|Uhd|wnf`dmYU?L~LX)8zA+KyP-Ti{-J2+isfsBS= zOSq9IKR(!j6{NNN_vW~zGAnY7W77Xh z*4ck7?mND1-YSX%ju9$0bc;@ZA`u4_(v*io?(f}#R@TbVh0J4x9&r`b9Mh$#h|^?# z5#{OQ8nuYPGTLwu9)wLG1wdB#Pb8{9ny#BZ+k*)(aNnl>XZlg2dG+-GGGND4sUfTX zd-bQyW`c&jmdPpE|Ba6aE1Ey^>=-&kKu>4bXQB+-OR=qD&e!LVm;QNc52@?DsQ$h##%Ugg#9vAjWRD?3w5$nEHq2QE2bYBuX&C9=(FUd`z z3ohNiz_}EzXFB9Y37uiYukSnUzY3v$F%W#?i=0gae0QVQRq8Srl_3~b%8P7iC;XZB zcqUdjIy}5`j{KHYvaj%VrR(2u_J3A7|9cGI3j+NBI)gKwC()iOwGkgDlCUe)IySvN zEC8Of=M1>dkFPgyfW=44Pg;duLKboGYs3b&$Ap?inh&0frlhdk`R4O|<|=pOkH@~* zA1T-2#n~h*IGAO9wa`SH-13xk(bJ5-f^?pu^n9zBqjgC;^r!w6KFMIBw6^h8k^~$n zs4K{t0$2Tz#R3GYr)#al)U9L7>O4u(vwHB;eBYpK#W3)G0J%xH1<%X(?8g$n@Hr9^ zL+4-|86!&P)5;x!6~rXa_H1l1V%{Qu>v!<%T6F_f5Mz~MPFf#a;_${nc4tHa-nF*) zcrwaamQET_6~54*&qWTrQllhO7pQS~D~cQ!$5K;8Ad&7Ysrp8(dswaq8B5W6MiY{* zFl(`0Cdd10$?p=n?J=XF(`jR>{Eon>EsG)vX=)3Lp5oI%enGV9wh;)02LMO;FVzV} zL^UTOinK3^Q_mQ04EA-xWIZ)r^XE;YX33ysb;i6j%q{9wp-ek1>+ELvnMMdGykeph zVnsEGoG_+i6VC+CTGt_y- z%g=T@p*Rm4q+;ohc>Amt_7e;FbUAzPaU#hYLn?E5-UXbLH*r|aD>aVHAdrVR={jzN zNbJW{Yz5(;#Gw^Ueb!Cu9IO@SIfb9TWwsK-8!wR%UGfj^8g;0ioy2z1QT=wn_wU*e zAqbV=L*A(9pSy7mzK~sTin4%3=HoG=PKKiOgCr)8D?U2<}qq-r09Bd}}sAx88Ntja3k__3Y7n~HN}J`0yhUHCdGTXyY= zQ`*M-OK~@(79nbZei`HXT*yb62(tA`6G`o7f%E$ynJ)`bc7yiB`WyQ`t?rOyK@$y) zM-{n={u*416ZQpt2c*X}^bWl15L@}u@Z7-)so$&rR^q6&e0$R8*CMPM0lor^ZMvyd z81aQ8F;XNkEP?fL0PHD`Nptr@jh{IFOA)eT=C4HX+mrE7Yvf!;`wKUy<7tJ<(1hI; zf7f4u;?ozazT%fXw#w&K^#l)*i91?6uOEUA$Fb2AlpieUb1h)KpqH#4H5IRggaNmK zKVppx{+j~?5aI1FcQ2~I1#;_7cGWX*u5oQFMCTADn73jQF12pHE)G;>3fhW4y_tT` zulwnikE~d6@$y}!Y(0PVdY9s*Z%gyKf{xXh-U}$@YhK@{{jY3}>WJ$68b6RYO=8r` zeH*vGtg+~1I>y7cLqLN}K+`CLk>Bw+wV#DLESO}11f&p0`LQ9_Y>ezTcN1BUjAzwA!&}He|B7p>_ z?Ofou24hu*c`40;C9Uwf)5x;J{xm?lOZz3bgyFMSO%VB92q#*sN%E$UQ%N#G8eSbd49@>^^$AouVIzT;T^} z^?48P6`=IumRmww*{QCz3?Na2CK1kLphbFEy8dn=0JUNWJI4;Di7MgrlqloN{}UaA z(B7PX03sy0bA8wN;B%iA==+4+{1&r@s1RY@Ro^HBY1w=inhVo3~(_tB9LfLr^!l+FQe$k9!y%V7nqRA zc4wN+goXe(hMhfg4{3x6g^G~V{7CED=E&edFBfg@m?s+UV&p`nM23dfP{Yiagn7ET+72bM*m z?}y^%G=rm|z0TH<88_0jv#hyCu2o^jJpSaY(D9Zlz?ND!M8oKm&*Po|Sn01Mu-R2L zmj(;+#rtgsRod4`xfH0bpHRsehHLt`Dm`a|#2qeQ09pteQS?s=a!_~U;YF&yu zR3tPpJ8QzVT}pY(SDhh8d3WuyS@$#P_XDe0mB`OCm=oAXY~quI&TH?+%{7@fHax1p z4s8@`vo<%Wz;F`EgP)p1Q@SOkYOo^GE^D`QW;!fRWSb~*UaqJQ4qic(ubg$V$GNX$ zxF!NPkNHY_s_IW(V0oZYV6ui)6L7b)Pft#8gtPLJ>f|`7VRBo?hrY)XG9uZhf zPcbT2iKP(Ij7?)EjB8KvTNw4O3%TvBW9L?*T3_{e#YbGK$euf{#_4#3RM5O>{s5$o z)JMb~{Wn?y11(U6^dv^l{nthpy?u!d61NQd)?`65zF8FZiWw0 zOkl6DaoY{UO02ttjUWfc z-p!x7_g)7iTH4Z!T|J~dbo6Dm}vIZy$iR@IVLh>6Jl~mr;3Hgy^bd z3GcIj0bTM(!MUiY&uK^|9{J7YZP5Py!7JWr~FJ^@)$)KMbu$ zQRLn4R*O;hG@s>>7FVfwJ+yE1_z#*~%kD=q685a7(J^>^SDZwFkR|yQXk2&vr?OQ~ zN?i7I2lw5o)81$CCRdQ?P`BmR%T$~gR4Bzj#kvks)l89UD0O^HpIZL~E6F)zB%5g;B~7R=C|0)^~cKu zVx+bPPTLFgDCQcpRvk#74H+!H~VaWQ4tME4Qv8mBz>#mw|R88JT;iZrLHgA z#uOMrA!Dky`|!xg^>9SL_3fE)pok5%tB6im=2SL&6#IR7flD=obLJ7Pv?YC2w4BP2 z)Qo@}@lx`!OiT4R2Y%+c6T}%_n%UX7HFR*oc9+M@KGhn|rVf4FtL14gkx{|iuG8x2LTz8>vF!4|5o0(-)gbdhW zOTS!stGDlME`au)wTe{A*kHp|Ivs_waY_XhM~nTCY+D2^Z9K6amoGr3*moS0OT5Cz z03ZChYQK<5YZ6+V5pnl2I+bioBNJQ5ekSz`Qja5gfV;@Wn;avI<3X`;zHND1!%mrO zUBQ4ldGjgcD-=n|D$2`Q&?8s5=y8&lTyQc}5^oY3^as`tou59Eo8V+hR{yxnzRz%N zlfvgic8;i~CzbM#i@qh%W~-R4@r`m-cC+_}^RIb?cZOc#NsdX#X{-IF&pgnWQ8qMD zh%Bp%&6njbKe04m{O6(8oMrNs5;6mhM+2{Fkd${qX%CyUS&^r-&>TtEz;U`11xR+; zy)cye-4sY4Q4W$XP<@GLjfoH&oj1s|VA+kuznlsA!FKKVIkEupsl`}O9KYMj4*%Ak!Juc z7f>qMU+ypi2^q~l0bSb$IjQ}TXUP~kX=c7pdS9%7#%ZKK;e}~!Z1YJNHmMR-Rv_yV zN#l`5Bql*8QZKkj67PBI!8wFZ3*EXxYaNSRr>=#U^U`-Vguz88DZ%wfwqK1nRM6$S zKpi35ujQb)9ANvV`tp%vT5M=(uEV~Y@G0ny3X zovuYny9#ZJ_NfZZI^z0S(w6n17|1Vvs>v~_Cy&yno{wbgc z*i+C+Ho~-VP}NfkXMcZAX@AuZ4`JN=`G9W09u2Zswi~TBi8sT_eQMOlyU(dr5AELH z0*}dry<%;`0Zi(09qHfKP@uy&&L8rHdHX!3`QIB&Tsbx&NfFSBy7oDX+Kv@YZ?dM{ ztA|=`Wh`fnBKjE~m@MO5 z!k8l#!3O%~TlHl|tT+0+MDUqR9If2QN) zJQ3+3o}MtW+HI5qXPnyzaZ0C($OKLujKJ<`7MnPUdVEj3yz0`gl~aK^U$M+ZL^{5i zu7d9}4u<a`V2~oj0r)msD?Q0&pRmS8H$6np?u^itd752q z3@lMHRw%wDo7T;^S($gcP*C^B9;4HmN>c=Kh|R<)NFw-Hn73lAfag+U;;NuvN{c@q z+6p^*;6OiKvCT}+;ww+#w!Is}C)udbH>29O)g$WEA`b@Q=i>~k19LKyid1H1a0HNo zRJIU4hI>b2=65iOCt!p2kg%`aIetu$UBfDdTJG7y>tB)ru&2tAHm%;5b+5-2l$5T37wOy1HU?zLy)|Iy&!N(+&TvSc#QfP--rbt|EArv< znn7@iPjAqWql*-EQcu0tUuOtPMUd%Us_|)>o^MY1P8nxqeSLBg_7RWMjyk=A;4=t% z`8x?${CCC1(ct2OxD}ZXL|Br$`Znl#b2ha8uC!33*4MUXMuWL)n(9v+7*xYvH)4tA zxL_0C9o>$+&onn_#?m8;L!_4OCO9k@s%eXf0X}X~X#6f~kJ9m&K%lh*#Ui@>Q+BET zR^%#=7ATbH# z8c3nk!7fKdtq(Aae2}-cc)*!uiB^=%Fx8k6=A%>Z>p)UU(auik5qHN8|kzmt;@apoQE>Fhh8ia3IWY6B1<~3u} zntq0lC~6Up)3bT@Fx}#uDE;xqgO}GX0q-V9sBzT*mq}dwkPN+z*?ti1RZnKE70moG zypgH-S>I;82=Pltc?W`~C=67Dxi*6ql+RQ4u^msH(yWPGd7f$}3FK5X99do%uz=%A zH;KMo@AJTb8H!ZThXIiuEv4(UAGLqU)+W0wi zoL`HGjg&(KTGS`%K18jOy)&7(#hnZP(mK^YQV1i*0!RW$-cr^?U>Z#7|M~80f?ot6 z6515zBMUxHu)lbf#DA>-)v&lg$(N^pl;>RhV0^TZiZTc#bk?&Zdr>ag=JVJe|3Obe zKh3?9ZtckolTkJ2o1sYwOAXo?bzovKHrkHdF*YBj8oE^)YSLg6DY<>oPky1iM@LG? zis5}_!Lo{2Esrub6tSoi1$PP5=#UY;=UZf(4or^}#!EO;p+6vyO+jrUCBC^2t>lXZ1lcEk+0uMxye)k5fSb~pIUqQ zULY^xRKX1z)S zRZeZbeCD;x7^_20?7T~Xvxr{)O*H&4^S~QsFxD2H;p>CE2{lBiPFCZfj`$o>Hxifc zFi1B_mKlJRoU@&(68EoEgBeoi`qR}*NzF96L_lge$f@p#18n8@OE`?(oi1^Ik(ANC z$cltNKb zpmWU(ObjkRsJ-U>1{d_DPqr)Eof8;q2D0m~@{W~+Er_IT7}eKZlB;kGZb+Or5&Qcq z8=9>z{Q80Og^LESGKwXMDNp&z$(@{3YK$h-0g%a@zHUsa`W2mx+R^S}-l{8s9{qii znDJR{V#zl6TCq1Ip|LdRdemqn!{;* z)BH!L1_JA9K{XS*bVi#H_ir%D7*zalzhY7cTlhF2ZUN1(QvUfV$OUN;*h$C_*AmVM zq&)X>G5sXwil!0Zo+tX+KB2nTAL^063IusBScokJh`u!7fC|HKdXHthM zU=}-bmTnMq4Eyk6ncUo}n%7#;luJ9lS;P|u?_7=g`6dPU5?LhXpAeT?Xq`?A-z@y% zjV0)Kk7QaoIe_1WE4b?J-8 zONAc>)?$ZU+^SvDk1G)IveNEG)G1nRqJGnNRyPxDl_8%5IjA>EJ99RJ0!w5KRgrf6 z(#dNb_HS2xS%yEe+N6PaChw~jK--^qU(d;m*somAdbB>pK9N zbkd~e2xQgq=k}H#jYn;&C)2d16FBbeggNqKKr0!ZH(Vf~xPH zujeYeW`}R&8cLBg+S?Btpyq`qtx1w;3oD0-BI(;&=gMH8a7_X^9#;nzGfNQ~npmpJF=1B(b!y~Zts?2_O=oI;U zXm)yH5VVW|e(xe;R)Lf+n65U|wl0CG;fhY!!Tz*Y9Jm zU3wNcAX*;Mwmdnq-~J^FW`@fayp{dG@671^-W15neh~`gzfwm+`ogGTo48i&IAd43 z4#b4IsJLgCMV1ID1a18)H$p(jqyMF9UC%SHBCYC}>{Vhz?CNSJqKO$d(ET|7jn+X~ zx1;E%P;{=U?XuCYhKW1IyJe?!tb=&A!d*kqQ$aP-9n)`+Ntyc#=bwI2)&oOV*|5e+c4S@anjn%FGKvaAa z8Yg#@&c;pde~k7U5~=I-->dNd|LsB(!hh-N6nGJ(Jgf<*9|1_ zAwxYDTHl{5i-V`&kQXW-sBnl}WNz}HTU@>h**w{FcuZz@5XGD^luJeLz(ZJb3SGKF zRMVp*YKA|Tnr1xF!*%8O?yjW!N&#gw%^`a|5>tQE!6z%Rw|f}G4ln^EK}s4^^#wM; z1GiUghH4PM&YP>vV7uJb68{o8Y|%$}#y9D~RNPqT56UcwF_ z1}xQW{SLAEX$E8W=%*q_U}r~}rMDexsD{8i5KB5!NgIBnoKf~73%qFCate59ih=Wj z01uFEG?sf2uz=@FdALn8U0MqMV_(HMK>9+r%cP;0^YC}i&-~0A-0~TN>AmK1eM}&- zbW)UR@q`UL;76UlH4Arw+JO5=hGihdO#*{My?9@S4ngP|@iu^RwGYzIxy)te$o~B? zz*QJUM3~!~fJeb;U)J*$9l=D00Kl zgjM;Oudo*Yx>tzWbcEu!&`%jtMNRCy zMCdat9nodwNoXUg^!{j*!!$=K_2?0wy;g7#3qPf7WWaAaW=MJ65B@hoOU4TOd$ryn zbiw?c%g`DKKv(xI^aOAZW*q29iyp4DR>aS|T6CqHx>S?-HDRpCYdWrUgpJq4S-O95 zlJbstybR^GRoP2=c?#Sr0V}R_2U%rvGFW-8eC-y&vYCd5;|fK@$O z-1?6iOLz<<3D)UJ+-sgU8g60VtK=it3i$62+VHw6@_2CVEu z&5W#P8Vc0CPB%1bW;iq3P|9`KU>jp4F1Ne58YAYWq_T1!^y)7ytSN&_erX9ZUW}=A z#3vpHDxd1k2i}p2mOTcZt+3OhqMga$WM7W-m|mhRXB^HU+-+yzJ$6vttI3w4_if(r zaR-Dy(J2zpu{G`f7fP+(JZu8tc@3YFza;!aQzAgWhU1S^H4XY74%t-g(5{lXC50}X zq3SDvJa*<`u<7P9F<%`K`q3(+@!Wc)l}Aq>L=?7<+@lT$lERda=GA#suS42FUk_T> z9XmX#i94-vP_y`%8~u?&7{25ng4c zX!S^0Y1Nq$JKeHljEV_2g3%XNp?hvLudfr$D)5jAdgBpj3hRiD&9!4F@fPZ`e|_d3 z%JHPRfLx8G{}}IBK}s4HGVh?)I_MpKD5^U%6psYNF1K==l6i2z9X?YE*#L`RZ4C9t zfYmmm^?z>sQ#i|LG=9OaAfBzT^SP!j$*xF_1ha0@Qce9DtqratkyxLZX;ZhOXm>ux zM-*6=ht(@2|EZ!&Z^LCI8ZQ@M^pmiZ>mlnAFX2$SR^LlqIyH=S{u^qc`()gnVv$)- zBZntJNGGm$geY;?Pxs}2KX?=!!r5#E3oX56U~5#_;+!pqs~r$70p7yy+JmR;UBjvQ zxW>w7Gmq79$=lGaqbYRkoCrg&S}P@wOWUNFvmY7kQzu?;0!u8!i>|oWh8rMHN_Y- z@98Sadf**uVJXyD9!FlH8s~Uz+hM)RT{yXSGd~seZ@TwU$YHi9MJoKR>)*R?MFifv zcm$h=^6F;BN$w=QY(-zBi8U}Uz8M;``7aroC8|XvR?h8a3rCVB`T_6m5fRzKk5}_# z`|?s4xG^kSznFlW&gTb2v5UImcmG?9kVN@;@xyABZE zI3_~X@>(4MS#w%lswJRa-Q}lh8z%+SfI5o&t7-xJCG~}-(ymwti>`KqDe=1pJjdQY zof8CWYh%(osLlb+$ueyH@ULap5f+YAl4#nalQrqq8MCv`$;q##@s2F4)sCK@B_70A z;7N_<-zI)7dn-6g;vXS*^G@c1yirRjN4J<*bVrQLL!LZvy81|_DeIX*&c?~oAxI3xC@q{}bzLN6Jsul`xlc(O!JoT+D%$1A6_3LK?|t0U)>uPu8g z6yx!rs`;d^s8_7H_86*Srp>qGW;=HmQ_MB@?t|H1noxphDAG8s17$#b-}N&cs+E7N=DP|4IE|rps_q^yD<831zpd&v zomKmNQs22T0v-K^YIz>JWf~nRXQ~KVtop>V-mP&g&`I|jOgw{Qzs8`-VUgbsq9~|; zhUNX+-=R+>KS8~^&YmF;0h}tJmJTqu@XAcjNC+fPC^25qWt%&vx3HT)A6@cX6j}@m zMCnYIl|0t1Ry7_uqg2dHE=mVhm~nvQ+&oIW9@Bl&*b+D`@otk}nA%T3GL^sb9A?VW zmNN2fH)1WQdBziMg?DhT0eU1EZD4z!p0Xg7y_QB{pCv^jd&!8XvhH!x4PWhRwxgtT z=;=+7Z?rDh`W!O8Hw|8BeBRKVWlCou5<_qfT;L%X4iZ7-FW8+m15y+2>qiuOR|5PG zeeq6)ztu5D@kTMc+dhUoY9*LPeE)6{5YlCW7xC?0Twk1-{pQ@)R)P(lMZKyPbY!$2 z|9tV3LP>Bi@;7IT4~7abfIHHAVJdVB)ko)dxXd zXz!fZ_Opn8YfYKKWM+D+weFF2ENd7$CDYqi3@Zv*P$*01G0Rb**V+%?O!&?94!F5^ zYx&XtpA7~KnB>p|%Co90Y7z8>^<9%m_kW$w z-@TprJ^`n>-~qf4ofKm{Q42CAWh_2i_P^FiYvJpNWHDzYGW9>@N_=C403^}KUs~8D2{)7A zyGt`Upb!%?E_i*ba|tvPpzlddrY?t^EP2yx9K z!yVxLb>iOOH)eFC6JpCOA6>kN%W#oqjwB~YDvkoL;=glbvaOt~C-ON!bK*>F)TvV& zM(7DeVa<<&I}hO*jK<~ZKC{$3If1-~Lh)TU9E3(geUX8|HSARWnpz`1m6bJgfoO~q zC0!SDKy=&43>=y3Be8trhdAi&p<)?mD5k+1>8x%VS<^)q-)m46~EVtHo#rhMV%(is&0J#S)6a?4} zXU|xnq^Ca|g_-@fUWrmA($1;&f2~wM&nOSTs&;^W4e%218m1V4lC8i%1K$8UM*t1? z3;Oo*Ha^eNjAG{+C@0-C9qdR_XH)8Lg+MORcAg;nF#5OEcoYXXj8V7zD=Ce7yNb|eUr^@8D6E0B|y zY;(kuHZyV`s&TKX&AJ?Z#owucms%ypgx3ynlh80}yJd5l0I@80QogJmm3R~y!d#RB z4W?eh{E&|>v^GNSXSW=3_V@Wx6Q~tmi!13&NcQYW*AZ19?A*3x7|#C`T>i5=R(R`Zby^}p9vjA z9U+$`)DSN+ZA!dqe-GW$L;T5toX~(ZkzH6Ff2&1%N=&+Xe;}pEy@h&-BtT)^xz8r- za+#Wzk{~{*+Qwg%Tt-pKb?#|ub8K-)Th}(oYE5 zJ(0sh(Xtuo%ky+Xv$C-ohqqm$R4;1a6~DjWPF*#~aYr z{9V}NHDkbpKfY2MU{Z;>7PW9D^L6N~nCr-hVj!t#*TwW3DShpS-}=p5=sD%*aw4vX z0k5Kw#uykz_V&OoD~RAoP0l+_c=2oWX-;mP`uP^9Ag5lvrz8DfvxYW>N7JI`hH&I( zoM{qBcdww`p|M8TP3RD$=iN=M)L`-_$QSg$&}QyriAYrm^D$q9q8jc&BXyy(iX93Ig$L8E%JeAGLkhI11PP+-INRySUG1O2wca174IZZ3h%~jufj3Eqj}}3<3&z~K{7^2F0kpLL7f3#?gXjpvMC0= zqx_oX004=?yz{zD#Dn;yv^Rx-Fe>=#s*-2Po3Tr%jX0CKJ6>4P`GPA1*4jI${BKR~ z0w3+TPd<_bUQ3jmZi{%Ah~N60eZHp0G^6-vXHQ??h^ylm^0$o{i1-|5>y*3bwLWid z26G4SclBfB)HvfwbM z>#z-Cg(vtu+H1OT2w4 z?fi2V{zNq6Fc8+u-Z)0xk%f$XN4qwX1PD_8F?HQj#spB7q?7qjx$gU8ZRtVxKQ?-! zs!lS*PoSwTkYGXH`j-auI_jkl+hB;dsEQRqkuuC^hqUKMCpY5|m3F-N78`zR70}T~ z0f4;^345&S6hQ0Th2B<_!IXanfq%T9a=Iw}I< zg*&Yn&sb~mSZ(RVuOcuW=?k1gu9b}6;d~!Gy^*GusOfNx>N*y2`hZ||bwHN|%uF7L zgQnvFi}E>%rgk2O3pl^w?n$u*oY1cd?UeG^vr$e4jL_+lCmLM1itd)9buNrp~Nm&c*VC_yyHyo^#q2-95q?i4{2X1 z7(vq2bec^Xff|MsQ#|CdTc+I)0s4vrJ{cu6jCXz8tjWS?3H{h=FrE;5LILq?n_in< zohUJQGnJ1l`3N`pg(|`4LJ5x7m48MTmHmDlSU4d|@==``wGrUlIR6Bx$C%2u`%Yhc z3Fh(EM@H}Pl~WK(4t!eV_uYI#K&t3~KYhecS5kN{xc(B@5hY%84tNK-~^0ZB~y<2m-&zUA&Hss{W<5n8?mQUN0?^X%}JNiHYKnzPn?9dP*#9T8jDQ!T)j!%#{i)wJfXgB**RKz+$fkmE3%PYR-n+>@YVDx2cG0jKW zngc;KY#{JJYtw!epLpULA;XnoPS7$*DFVQ54RE{stkJGl%TSeuBJc!#wWmab+@Tl3 z7d=>OZfoQ*Uxj1m<5|Fe%0Z!`>2q)wX0XXmA$^rD`8?p$j+~ovK6%*Nt#^U0$E}Gr zJRFU)BGMYE>yw~uf{g|!8{89BiVhOOCX2t2bL_K3IV2&^pJ9=qP4h# z;PAS$wfa5a;l?++TgWd$#P;on@??4dE!63=2i09Em7dgkF7m0lTctR4|4slY&~ZE% zzK-0%4golX`h0wOA=#wNR7K^D=0SQM&|S8L%q4!F;NOioIpwAlO=U6p1d_dC_Ot7r zirzn9(|$MAW$Ybm6G2yX3|4Wj5=8jt3sS~)x~?H~PuggNIvZ$aw-byHz9S`BRcsve zst~%=Gaer_*?E&WGK{2d7$0$0C-eSLgE{E$$5~IttUE#>T zuDsbURr?EW9?#492#9S`82nXUE^3v-T1Co_OkpgW}$s$#Pn zbA}$wVH9ySSj?=b46WuMbx^u?)Z~13N{@vC|o)%>Z?!OrIjaFAcuZ51gH!P18 z=e|l(1n?X9{tUG3n3I(eOvdn85?Cy;v1pMJgF7*$lajCSf?b3peOpUFWyBkj^C=D# z8Efb~@%mJOs_9$H9snSOeWvE)N??v?pMyvSZ=Hg_l%XYjPz+?#?K|Uc1ea5s6iE=Wl9qOqb?{Dk<9nb{ zx^P$kF+xawW$Hp{0=&?s0o@Bei!hT9! zE(2Du?Cc!2(drqVVVW$QSXUU&pTgCF-J1Xg{)XBXeaXN80N=0B?^Hn%y=hp8NRsug zXJVa6Rjj<-;NS*heo?tK6%{SvUAqGWvSUYmITRbW-*WPLDPmk2(^YBRbj?dHQzwl? za#`0@2kWcCzk_?Uil;G@mwJOafpTaM<=UMEG8?J6#hz$)?1NeAxiICyg zu{^l`^*UrQji7o+1Yr3(|wz({NM2_TtEtQSKv-7~(E za|4-VwuEVJ6;kt5JO*|jN&#SaSD&uJhN=T|K{kU6BwVfezh2C@sGzLuGdZN)(ZA(p z6j+)@uTW7v=v4J_DtU#rMqaPC!R|-`h+}hKg`mCkP@^o9ugm?%9bW-<8J5ONk=Ec_yuB2xk$ym?M^5@VJ5>7Y+h z1fp~IkEer|U>45~W)xnpLOn&(@tD0lYhYfX;oG$Mlx9BJo-d&Go!ubbl0&=YJGA#? zvsa!2p^5GMAOG_y9&$t2-diGlG9ccRs8PYxva_Yo9#RGrDcR|oy(2(`^d<;e>x70r znE{bx_?naS?xIqV><5KBfrhDAfS%vlIxez(HnX)o#j`uI%Ds8fF1WUmwMqW)nV3cu z1}p!DqJ2|RxJoDyS>YKI_^JMgMSH@)R~%)X$&7}$N969)P4UY)Qx+hT^@q3 zF#GA;2;qS$yqYh*)w%*s+6U;&kmDp}xpqCawa>WUSA+ke z+qB3s>qed(VT4*4n~1X zOrIlgm~&6Jjy5X7#N4eEpO%Y5%BHZ!h7pvNr5muD-j2QBrhIm5%vt;}I0U4p%e{W? zD4+Y{7RT7xjnCjbbk0Uxa!hfM$`l^$W)>4POB*-?omIBYI9l*pbz+Hgt^8dq6Kwvd zY+!D?tHSFbF+31*<$Y`6@;AblEX!di4x!#6K^RC)Jc-bQb{9%wcrK8M2_=#|P zrDG#gfVGr`p{FR4rQ4k?+9aN^{x}g}{ZE9cp&xDI@|A}@f+I@OpvR7F;*?+`?+mza(&fvz*v@UV-s{HIk`rg0D?`~oX94vjaag9p}rpa2FsI)CNU zr`K!cx1G`jQV3oixON@D0SeQ{{d-`u32oWo#B^1pzA zQ)cEJsPmyrU8PkVEn%Vw&7kPSDu*3S%o841wzVB^&M0cd`fqF7#t<^6+BRZbb_6je zP~-QXz^-juRkNPI7f(9Cxf!>CxGV0^07az)cegK~fhg{zjQ-1lWLrv@x$-KwkTYCg zK(p~34|e-X@}DICNs@$#f5(Q3FO)w@9AdLTsd9(0lSP)s`dj{UGbsbnAhEJ7uo`oWhzBYKDcGm>n4 z0B__*Ip*O&5;4=42T#P|;7dmXUxj!Xc=mW5dmxNuVBZFHi02`~%YN|%0O9~d5M#SM z_*R^Y29biySKtlljocv4=d}aET4;E$fKL`76zAr?5zV_$G09$$`j_{BX)ZOg%3Ll#l?>x}DpexIz>g zNWSYL#o&#x`HD%#i>PbqttWOL~43=q}& z4yHNl!4vZoyw@;ijd`dN1Caq*U&Az4EpE`xbVKV+P4lrq+Lx_`>nNC}X}XD!bG9?h z{Qyu%`{0Hy$>s$94XyYzcoX-b#9p`#pZ__F!|i59f13l2lK1B$0PLB6J_3IK(T7nV zz4|r4ZeL0MljJ{1{*&ZC7u~^3Fe!`!I#W-Z5hU!m(P3oBITxs{oSeLgAyrLi5v6lp z8kf?jjJ%y7%bHVTe3%Mm2GEtd@1o;^;M>k)LC;ZPBA5~~Rj13${A=EMAa7^>&>~95 zyhf=i2I#3gxfohp{15 zSj1T%EjR&43ax8iV^-9uMa$4iO)Wd)8Y-WZCS~SNmDfQzeNw|0Q}u`Cz9^FUF9_3t z*fX)5yyYZ>);F&y6w}aBwU0w#OKDT)7VEP`u^x#N-)p&?c&D8CMTgcmubPJD>OOQSZOSZ{06Um7e`3VW z=Y{D(#vwO24Tue`Z(dUC;i(?VVcCHE;2;$!nmk!q4IG_<~Xt!!{IvFHpU zTGulq*0_cyLQ1O4{0XyzP0|w|cD{$C!)`3>C^EFZdDY~d5l52Dfkfk2e}*BmG%7{u zL;~&LygMd3{521Fi09q5l8lc-OThcZ*%yh>BG5OlSMtw@gNeq4L|YiKHKQn#h|LKO z#;&LWqy(8vBUWrP$!Wq4T}D+WMlrSev-?LWyJ-7aD;?xWpXgBGuMFa8^*8%Dgl|g_ znHK_DXhy{7$@7zkHrZ&$%h}&7qr_Yo+VUz=IU}YK|D#5K$~=V>VrxoKmFP4XM-|T- zRxx=}br2(E3|sqQb6^7-a@atC*MyG_{GAwL^v(s&lS6zN8X`IfaB|a=O~A6E?|cC| zLyXo=UfNViW_KOOJFxvbF7M?cJ(IyGrnl%Eb+g3K;{1Sz7J_6iF0|#_O7D6)EJMf#*w5G`QS4T$f}rZwm&uC`l>7s9JXjY6X@{VF>Q5a0xi0ZB@&P&h0S* z_QXSTK_n)&1ScPPDzN%X_!Wz2sy32Ya=du(^=JRI!Y2>8(A&dj6OvirD3R^ekNG*5 za{faQ8y=Nzh(LEJ_b*;rMsHeCX)$cpj57ULQR(QbjbYnAnp*R0sN{I(G~o(L_6jQ; z8y0i}5mMwdUcB^#TBoUXLjQq*c@P4Nmu~pHGA&KZDw7Q{F^EoZfweqTVEwv3J05&L ztL-4xF#z!OM<{^qcV<}Oy)!J!AHZ9x^w4T{@)CV5e}Iu*E&W0C-5!(d+=L9@_42R@ z?hLFsb?#uaS-~2&@2PS|`v*yT|30EgFEL0f2 zg*}iR_7MA7Z3jcSK*iyLQA`9NrG#v0)mA4Dxxf+jI8#c5GK7y-B`h2Xg!ysC1N9Vg z(7i1khYP(g@n5I2PzA^$N)LnoKe1?Eb+nOON?)V>5z=u~{Yhu%XervtjgkW^ZKsmT5AT(hU(x z6jps#trSJ;gpD1WLsnY6bVHiQjgbJxjiV}B(=dWZrY-jn%EfXJ`&n%V9SnRwkIwnF z1Vktoh*n_{94%tByC^kyDNu`COluUHTlI5URG(^tuZ#R%V8JIsF&I5Qy5 z4hMxXfrEPM02C_M7LZ(j`zyGy>*XOX!H1y7WWezYS1u2s=k^HPg3gXD@z5-=ma}l= z5}9Oq@#CyDN~{&lUe*5Wp==k(_L@l34d$Haf@TDr#Y`;hc5^CV(r`_+3Pcw|=R#^Iu)wu2#mfC|9LP0hY154qH{V@uUQN-n~gksE;Q zu!k}@GluZF1Kl!8oEiQtohkkRis4KNYiD@z4_}Oy(*bahT))_Rg;^^?;X3&BG|(== z2PdsEs}a~)XVtn{=qT&!>LGB{0pHK*q*dk!4Jl|>`vXK`VoNCQYt~ng<;A_~7ma1EcqKFZ*ic#OHZ?y@g8AYCkgG+?)UlL1zOoQkxH}1PtSZ z-JQx`P@1Ey39XO^;h(Q*Vh}%F3P| zPSPr?N3l@wEu4kLpnwH&7-|JgvJl8TLPY#+!ACLSj{{NlD#Mg5f_9CtT5g? zG`-||8O%9xNXgvYU}9|cmRB1uX&Nr0>-536aZ_ua9}!?7Hlz|)MU2$2wf$FE)@9L0 za`f}z9=HJdr1A=@OjcY%flr42DN7VswJC%8cS!VPwZO7!2bL%ZM?yDJL!u2QiQTt5ZS?L9&-BwBc1#i(IG*O-f7rSbZmY z066>st#ptty#T=X^GkZ18Fd1X{mv}v-7bKWn+T9pZKd3Oi*SP2(422vs~D=h(ajH3 z9vvj`#gTy)S_qQ8RG|&8S89+ws8SkY5A~g>TFbI}Woe~@eCdS%jo#|$?Tuz#BrN7QQ6NnD2Z(bW{jv|JXHf7S}bx>-b z5~siCmD)W|@Ui!c^R|!>TGzZ@SyNk#ZK&Fmx;wiQ@;WH7Pl*$-Twcr7MgB$koSalC zq4mw{a~h)YeR!m_DYLq~4od4&Vg zk}bpC33(lq(x*fWfYmDpdy1&w$5vlXVrZT7(zujHW#sJy3D)|H-KZ`;5P7Nk!*Uhu zV^nCOKm0YvK1SP9!f2o~KfLcB9yA4jeXLd=35J0oL04*M7y Date: Wed, 24 Jun 2026 11:10:46 +1000 Subject: [PATCH 08/21] Remove quotes around example password --- .../11.2/admin/manage-policies/rules/rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md index 5b1c430430..b197e02d26 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md @@ -21,7 +21,7 @@ Several PPE rules have **Detect character substitution** and **Tolerance** setti ## Detecting Character Substitution -Character substitution is a technique that some users apply to improve password quality. They replace some alphabetic characters with non-alphabetic characters that have a similar appearance. For example, "sold" becomes "$old". Many of these substitutions are well known and do little to improve password strength. +Character substitution is a technique that some users apply to improve password quality. They replace some alphabetic characters with non-alphabetic characters that have a similar appearance. For example, sold becomes $old. Many of these substitutions are well known and do little to improve password strength. Some rules have a **Detect character substitution** checkbox. PPE tests passwords with and without character substitution when you select this checkbox. This stops users from circumventing the rule by substituting some characters. PPE detects these common substitutions: From 63a5370e603c0ef2090605093e12a98fc265ef38 Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Wed, 24 Jun 2026 12:29:33 +1000 Subject: [PATCH 09/21] Change headings to sentence case --- .../11.2/admin/configconsole.md | 14 ++++++------ .../admin/manage-policies/manage_policies.md | 22 +++++++++---------- .../manage-policies/rules/character_rules.md | 6 ++--- .../manage-policies/rules/complexity_rule.md | 2 +- .../manage-policies/rules/maximum_age_rule.md | 2 +- .../manage-policies/rules/minimum_age_rule.md | 2 +- .../11.2/admin/manage-policies/rules/rules.md | 2 +- .../11.2/admin/settings.md | 2 +- docs/passwordpolicyenforcer/11.2/index.md | 4 ++-- .../installation/disable_windows_rules.md | 2 +- .../installation/domain_and_local_policies.md | 6 ++--- .../11.2/installation/installationclient.md | 4 ++-- .../11.2/installation/installationgpm.md | 4 ++-- .../11.2/installation/installationserver.md | 6 ++--- 14 files changed, 39 insertions(+), 39 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/configconsole.md b/docs/passwordpolicyenforcer/11.2/admin/configconsole.md index e41f97a5ba..818641e3b3 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/configconsole.md +++ b/docs/passwordpolicyenforcer/11.2/admin/configconsole.md @@ -14,13 +14,13 @@ Use the **PPE Configuration** desktop shortcut or Start menu item to open the co When the console is connected to a [domain configuration](../installation/domain_and_local_policies.md), the configuration changes you make in the console replicate to all the domain controllers in the domain. Active Directory (AD) replication propagates the changes at normal replication intervals. The console applies configuration changes only to the local computer's registry when connected to a [local configuration](../installation/domain_and_local_policies.md). -## Enable and Disable Password Policy Enforcer +## Enable and disable Password Policy Enforcer Use the toggle switch in the upper-left corner of the home page to enable and disable Password Policy Enforcer. PPE is enabled by default, but it doesn't enforce any rules when first installed because you haven't defined any policies yet. ![Enable/Disable PPE](/images/passwordpolicyenforcer/11.2/administration/enabledisableppeconsole.webp) -## Get Help +## Get help The Help menu contains the following items: @@ -29,11 +29,11 @@ The Help menu contains the following items: - **Export Configuration Report** - creates a configuration report in HTML or text format. Netwrix Support may ask you to send a configuration report to help troubleshoot an issue. - **Open Property Editor** - opens the Property Editor to directly edit the configuration, including settings that aren't exposed in the user interface. Only use the Property Editor when Netwrix Support instructs you to. -## Set Global Settings +## Set global settings Click **Settings** to configure [global configuration settings](settings.md). -## Connect to a Configuration +## Connect to a configuration Password Policy Enforcer can enforce password policies for [domain and local](../installation/domain_and_local_policies.md) user accounts. Domain configurations contain password policies for domain user accounts. Active Directory stores these configurations. The registry stores local configurations, which contain the password policies for local user accounts. Click the **Connected to** selector to connect to a configuration. You can choose which domain controller to connect to when working on a domain configuration. PPE always stores a local configuration in the local computer's registry. @@ -45,14 +45,14 @@ PPE stores domain configurations in the `CN=Password Policy Enforcer ,C You can distribute local configurations by exporting the configuration registry key and importing it into other computers. The [Domain and Local Policies](../installation/domain_and_local_policies.md#distribute-the-local-configuration-with-group-policy) page shows how to distribute a local configuration with Group Policy. ::: -## Add a Policy +## Add a policy Click **Add policy** to create and configure a new [password policy](manage-policies/manage_policies.md). -## Check for Compromised and Reused Passwords +## Check for compromised and reused passwords Click **Password Scanner** to check for [compromised and reused passwords](compromisedpasswordcheck.md). -## Check Your PPE Installation +## Check your PPE installation Click **System Audit and Support** to [review and troubleshoot your PPE deployment](systemaudit.md). diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md index f277165048..e9ba288b73 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/manage_policies.md @@ -4,7 +4,7 @@ description: "Add, configure, prioritize, and manage password policies in Netwri sidebar_position: 20 --- -# Manage Policies +# Manage policies Password Policy Enforcer (PPE) can enforce up to 256 different password policies per domain. Password policies are collections of rules that users must comply with when choosing a new password. You can [assign policies](usersgroups.md) to users directly, or indirectly through Active Directory security groups and containers (Organizational Units). @@ -16,7 +16,7 @@ PPE adds the policies you create to the policy list. Use the buttons above the p ![Dashboard with Policies](/images/passwordpolicyenforcer/11.2/administration/ppedashboardpolicies.webp) -## Add a Policy +## Add a policy 1. Click **Add policy** to create a new password policy. 2. Enter a unique name for the policy. @@ -32,15 +32,15 @@ The policy editor opens. The policy editor has many settings. The following page - [Messages](messages.md) -## Edit a Policy +## Edit a policy Click the name of a policy in the policy list to make changes to the policy. -## Test Policies +## Test policies Click **Test Policy** to check if Password Policy Enforcer's current configuration accepts or rejects specific passwords. The [Test Policy](testpolicy.md) feature is a useful troubleshooting tool when PPE isn't accepting or rejecting passwords as you expect. -## Set Policy Priorities +## Set policy priorities Policy priorities help Password Policy Enforcer resolve [policy assignment conflicts](usersgroups.md#policy-assignment-conflicts). If more than one policy is assigned to a user, and PPE can't decide which policy to enforce using the other conflict resolution rules, then PPE always enforces the policy with the highest priority. @@ -52,21 +52,21 @@ Select the policy you want to reprioritize, then click **Higher** or **Lower** t The [Assign Policies to Users](usersgroups.md) page has more information about how PPE assigns policies and resolves conflicts. You can also click **Test Policy** to quickly see which policy PPE enforces for a particular user. -## Export Configuration +## Export configuration Click **Export** to create an HTML configuration report in `%ProgramFiles%\Netwrix\Password Policy Enforcer\Report\report.html`. -## Policy Options Menu +## Policy options menu Click the policy options menu to perform one of the following actions on the policy. The policy options menu appears as three vertical dots (**⋮**) to the right of each policy in the policy list. ![Policy Options Menu](/images/passwordpolicyenforcer/11.2/administration/policy_options_menu.webp) -### Copy a Policy +### Copy a policy Click **Make copy** in the policy options menu to create a new policy with the same default settings as the existing policy. Policy names must be unique, so PPE prompts you to enter a new name. The policy editor opens so that you can make changes to the new policy immediately. -### Set the Default Policy +### Set the default policy Password Policy Enforcer enforces the default policy for users who don't have an assigned password policy. Click **Make default** or **Remove default** in the policy options menu to toggle the default state of a policy. There can only be one default policy. @@ -79,10 +79,10 @@ Netwrix doesn't recommend using PPE without a default policy because it might le If Password Policy Enforcer has only one policy, and that policy is also the default policy, then PPE enforces the policy for all users. If you want to deploy a single policy gradually, don't make it the default until the deployment is complete. ::: -### Rename a Policy +### Rename a policy Click **Rename** in the policy options menu to rename a policy. -### Delete a Policy +### Delete a policy Click **Delete** in the policy options menu to delete a policy. Password Policy Enforcer displays a second confirmation prompt if you try to delete the default policy. PPE doesn't assign a new default policy after you delete the default policy. You must set a new default policy manually. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index 05745bd6e9..f9c362f47b 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -4,7 +4,7 @@ description: "Use the granular character rules to control which character types sidebar_position: 40 --- -# Character (Granular) Rules +# Character (Granular) rules Selecting the **Characters (Granular)** item in the rules pane displays the settings for nine related rules. Unlike the [Complexity rule](complexity_rule.md), these rules offer granular control over which characters are required or rejected, and can even require certain character types at specific character positions. Use these rules to increase password strength or to ensure password compatibility with other systems. @@ -14,7 +14,7 @@ Selecting the **Characters (Granular)** item in the rules pane displays the sett You must select the **Characters (Granular)** checkbox at the top of the page before you can enable any of the other rules on the page. ::: -## Character Set Rules +## Character set rules The first seven rules work identically; they differ only in their default character set. A character set is the collection of characters that each rule searches for when checking a password. The first seven rules are named after their default character set: Alpha, Upper Alpha, Lower Alpha, Numeric, Special, High, and Custom. A description of the default character set appears beside each rule's name. For example, the Alpha set's description is **(a-z and A-Z)**. This description is for the Password Policy Enforcer (PPE) default character set. The default characters will be different if you configure the policy to use the Windows character set. The [Policy Properties](../policy_properties.md) page has more information about character sets. @@ -57,7 +57,7 @@ Other rules use custom character set names and character sets even if you disabl The character set rules are flexible, but reserve them for cases where the [Complexity](complexity_rule.md) and First and Last Character rules can't enforce your desired policy. These other rules are easier to configure and easier for users to understand. -## First and Last Character Rules +## First and Last Character rules The First and Last Character rules reject passwords that don't begin or end with an allowed character. Select the **Characters (Granular)** checkbox at the top of the page, then select **Characters (First)** or **Characters (Last)** to enable that rule. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md index f8562f22dc..1787b24d88 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md @@ -4,7 +4,7 @@ description: "Configure the Characters (Complexity) rule to require passwords to sidebar_position: 30 --- -# Characters (Complexity) Rule +# Characters (Complexity) rule The Complexity rule rejects passwords that don't contain characters from a variety of character sets. A complex password takes longer to brute-force crack than a simple password of the same length. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md index cf982a430e..b0fac029e5 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md @@ -4,7 +4,7 @@ description: "Configure the Maximum Age rule, the Standard, Transitional, and Wa sidebar_position: 10 --- -# Age (Max) Rule +# Age (Max) rule The Maximum Age rule forces users to change their passwords regularly. This decreases the likelihood of an attacker finding a password that is still in use. Only [domain policies](../../../installation/domain_and_local_policies.md) can enforce this rule. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md index 8c390ec065..2284f7988a 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md @@ -4,7 +4,7 @@ description: "Configure the Minimum Age rule to stop users from cycling through sidebar_position: 20 --- -# Age (Min) Rule +# Age (Min) rule The Minimum Age rule stops users from quickly cycling through a series of passwords to evade the [History](history_rule.md) and [Similarity](similarity_rule.md) rules. Only [domain policies](../../../installation/domain_and_local_policies.md) can enforce this rule. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md index b197e02d26..e0f9335d89 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md @@ -19,7 +19,7 @@ Click **Save** in the upper-right corner of the policy editor to apply your chan Several PPE rules have **Detect character substitution** and **Tolerance** settings. Understanding how these settings work helps you fine-tune your policies. -## Detecting Character Substitution +## Detecting character substitution Character substitution is a technique that some users apply to improve password quality. They replace some alphabetic characters with non-alphabetic characters that have a similar appearance. For example, sold becomes $old. Many of these substitutions are well known and do little to improve password strength. diff --git a/docs/passwordpolicyenforcer/11.2/admin/settings.md b/docs/passwordpolicyenforcer/11.2/admin/settings.md index 7c15ca2eba..3932032975 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/settings.md +++ b/docs/passwordpolicyenforcer/11.2/admin/settings.md @@ -65,7 +65,7 @@ The PPE Mailer sends emails at 2:00 AM every day (local server time). Check the The default Google OAuth2 timeout is 60 seconds. You can change this by setting `Configuration.GoogleOAuthTimeout` in `%ProgramFiles%\Netwrix\Password Policy Enforcer\PPEConfiguration.json`. ::: -## Mail Service +## Mail service Install the Password Policy Enforcer Mailer Service on one server in the domain. Use the settings in the **Mail Service** tab to allow PPE to locate the mailer service. diff --git a/docs/passwordpolicyenforcer/11.2/index.md b/docs/passwordpolicyenforcer/11.2/index.md index 430ccc1a98..f02ffcc679 100644 --- a/docs/passwordpolicyenforcer/11.2/index.md +++ b/docs/passwordpolicyenforcer/11.2/index.md @@ -10,7 +10,7 @@ Netwrix Password Policy Enforcer (PPE) helps you secure your network by ensuring A typical Windows network has both domain and local user accounts. Password Policy Enforcer can enforce password policies for both account types, but you will most likely use it for domain accounts in Active Directory. -## System Requirements +## System requirements - Windows Server 2016, 2019, 2022, and 2025 - Windows 10 and 11 - 50 megabytes free disk space @@ -21,7 +21,7 @@ The disk space requirement doesn't include the compromised database. If you want ::: -## System Components +## System components ### Password Policy Server (PPS) The Password Policy Server is the component that enforces the password policy. Install it on all the domain controllers to enforce a password policy for Active Directory user accounts. You can also install the PPS on individual servers and workstations to enforce a password policy for local user accounts on those computers. diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index 9d375cabfc..058c11e02b 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md @@ -4,7 +4,7 @@ description: "How to disable the Windows password policy rules to avoid conflict sidebar_position: 20 --- -# Disable Windows Rules +# Disable Windows rules Windows has its own password policy rules for password history, age, length, and complexity. If you enable both Password Policy Enforcer (PPE) rules and Windows rules, users must comply with both the PPE and Windows rules. diff --git a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md index 18c81ad302..2ace694a09 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md +++ b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md @@ -4,7 +4,7 @@ description: "Use Password Policy Enforcer to enforce domain and local password sidebar_position: 50 --- -# Domain and Local Policies +# Domain and local policies Netwrix Password Policy Enforcer (PPE) enforces password policies for both domain and local user accounts. @@ -14,13 +14,13 @@ Local user accounts exist in the SAM database of workstations and servers. The w A typical Windows network has both domain and local user accounts, but you might not want to enforce PPE policies for both account types. If your users normally log on with a domain account, you'll most likely only enforce password policies for domain accounts. -## Installation Differences +## Installation differences Install Password Policy Enforcer on all the domain controllers in the domain to enforce password policies for domain user accounts. You don't need to install it on read-only domain controllers unless you're using the [Maximum Age rule](../admin/manage-policies/rules/maximum_age_rule.md), [Password Policy Client](../admin/password-policy-client/password_policy_client.md), [PPE Web](../web-overview/web_overview.md), or Netwrix Password Reset. To enforce password policies for local user accounts, install Password Policy Enforcer on the computers that contain the user accounts you want to enforce password policies for. These computers can be workstations or servers, and they can be standalone or domain members. You don't normally need to install PPE on the workstations and servers in a domain because most users log on with a domain account. If this is the case, you'll most likely only need to install PPE on the domain controllers. -## Operational Differences +## Operational differences Most of Password Policy Enforcer's rules and features work with both domain and local policies, but there are some differences. These differences are due to password filter technical limitations, and also because some information isn't in the SAM. You can't use the following rules and features with local password policies: diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md index 7868ceb0f9..cc316e74a0 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md @@ -14,7 +14,7 @@ The Password Policy Client doesn't store or send passwords or password hashes ov PPE only enforces the [Similarity rule](../admin/manage-policies/rules/similarity_rule.md) if the user changes their password from the PPC, [PPE Web](../web-overview/web_overview.md), or Netwrix Password Reset. ::: -## Manual Installation +## Manual installation To manually install the Password Policy Client: @@ -41,7 +41,7 @@ To manually install the Password Policy Client: The Password Policy Client runs automatically during a password change. There is no associated desktop icon or start menu item. ::: -## Automated Deployment +## Automated deployment Use a software deployment tool or [Group Policy](installationgpm.md) to automate deployment across many computers. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install the 64-bit Password Policy Client: diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md index 3d1ad1c506..44b28e2e94 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md @@ -8,7 +8,7 @@ sidebar_position: 40 You can use Group Policy to deploy the [Password Policy Enforcer server components](installationserver.md) or the [Password Policy Client (PPC)](installationclient.md). Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools can also be used. -## Create a Distribution Point +## Create a distribution point A distribution point can be a UNC path to a server share, or a Distributed File System (DFS) path. To create a distribution point: @@ -48,7 +48,7 @@ A distribution point can be a UNC path to a server share, or a Distributed File 7. Click **OK**. 8. Close the Group Policy Management Editor. -## Complete the Installation +## Complete the installation Allow time for the GPO to replicate to all domain controllers before proceeding, then restart each target computer to complete the installation. Windows installs the component during startup, then restarts the computer a second time if necessary. diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md index 2755c6d175..6637cbea9d 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md @@ -4,7 +4,7 @@ description: "Install the Password Policy Enforcer server components with the Se sidebar_position: 10 --- -# Install the Server Components +# Install the server components The Password Policy Enforcer (PPE) server installer includes the following components: - **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](domain_and_local_policies.md) for more information if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. @@ -15,7 +15,7 @@ The Password Policy Enforcer (PPE) server installer includes the following compo The [introduction](../index.md) has more information about these components, including their system requirements. ::: -## Manual Installation +## Manual installation To manually install one or more server components: @@ -41,7 +41,7 @@ To manually install one or more server components: 6. Click **Finish** when installation is complete. If prompted to restart the computer, then restart before using the installed components. -## Automated Deployment +## Automated deployment If you have many domain controllers, use a software deployment tool or [Group Policy](installationgpm.md) to automate the deployment. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install only the PPS component and immediately restart the computer: From e001b1191aa2e9d51a67272eb7f78ab554d36f9e Mon Sep 17 00:00:00 2001 From: Tonio Pirotta Date: Wed, 24 Jun 2026 13:53:06 +1000 Subject: [PATCH 10/21] Fix "Compromised Rule" page --- .../manage-policies/rules/compromised_rule.md | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md index 16e62e619c..d704f78f07 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md @@ -1,26 +1,17 @@ --- title: "Compromised" -description: "Compromised" +description: "Configure the Compromised rule to reject passwords from known data breaches." sidebar_position: 50 --- -# Compromised Rule +# Compromised rule -The Compromised rule rejects passwords from prior breaches. These passwords shouldn't be used as -they are vulnerable to credential stuffing attacks. +The Compromised rule rejects passwords found in data breaches. Blocking these passwords reduces the risk of a successful credential stuffing attack. ![Compromised password rule](/images/passwordpolicyenforcer/11.2/administration/compromised.webp) Select the **Compromised** checkbox to enable the Compromised rule. -You can browse to your compromised passwords base files or enter a path into the text box. The path -can contain environment variables like +Password Policy Enforcer (PPE) uses data from the [Have I Been Pwned](https://haveibeenpwned.com/) service to identify compromised passwords. PPE creates a local copy of the database for better performance, and to ensure that no password information leaves your network. Click **HIBP Downloader** to open the database downloader. The [HIBP Updater](../../hibpupdater.md) page explains how to configure and use the database downloader. You must download the database before you can use the Compromised rule. -:::warning -%SystemRoot%. hash files should only be read from a local disk. Using shared hash files -degrades performance, and could jeopardize security. -::: - - -See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) -database usage. +After you download the database, click **Browse** to select the database folder. You can also enter a path into the text box. Paths can include environment variables. You can configure the Compromised rule to use up to three databases if you have other compatible data sources. From c9e961349579ea2e281d3272a416cc256a46300b Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 04:01:40 +0000 Subject: [PATCH 11/21] fix(vale): auto-fix style issues (Vale + Dale) --- .../11.2/admin/configconsole.md | 2 +- .../11.2/admin/manage-policies/policy_properties.md | 2 +- .../admin/manage-policies/rules/character_rules.md | 2 +- .../admin/manage-policies/rules/complexity_rule.md | 2 +- .../admin/manage-policies/rules/dictionary_rule.md | 12 ++++++------ .../11.2/admin/manage-policies/rules/history_rule.md | 4 ++-- .../11.2/admin/manage-policies/rules/length_rule.md | 4 ++-- .../admin/manage-policies/rules/similarity_rule.md | 4 ++-- .../11.2/installation/disable_windows_rules.md | 2 +- .../11.2/installation/installationgpm.md | 2 +- .../11.2/installation/installationserver.md | 2 +- 11 files changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/configconsole.md b/docs/passwordpolicyenforcer/11.2/admin/configconsole.md index 818641e3b3..fe291d3963 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/configconsole.md +++ b/docs/passwordpolicyenforcer/11.2/admin/configconsole.md @@ -12,7 +12,7 @@ Use the **PPE Configuration** desktop shortcut or Start menu item to open the co ![Configuration Console Dashboard](/images/passwordpolicyenforcer/11.2/evaluation/ppedashboard.webp) -When the console is connected to a [domain configuration](../installation/domain_and_local_policies.md), the configuration changes you make in the console replicate to all the domain controllers in the domain. Active Directory (AD) replication propagates the changes at normal replication intervals. The console applies configuration changes only to the local computer's registry when connected to a [local configuration](../installation/domain_and_local_policies.md). +When you connect the console to a [domain configuration](../installation/domain_and_local_policies.md), the configuration changes you make in the console replicate to all the domain controllers in the domain. Active Directory (AD) replication propagates the changes at normal replication intervals. The console applies configuration changes only to the local computer's registry when connected to a [local configuration](../installation/domain_and_local_policies.md). ## Enable and disable Password Policy Enforcer diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md index cf1787836c..efd71724ad 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md @@ -75,7 +75,7 @@ program when password is changed** text box. The path can contain environment va `%SystemRoot%`. Every computer running Password Policy Enforcer should have a local copy of the program, and only authorized users should have access to it, or any of its components. -The user logon name and new password are sent to the program as command-line parameters. For +Password Policy Enforcer sends the user logon name and new password to the program as command-line parameters. For example, if you add the following commands to a batch file, Password Policy Enforcer records each user's logon name and new password in a text file named **passwords.txt**: diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index f9c362f47b..4a30a26e6f 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -21,7 +21,7 @@ A description of the default character set appears beside each rule's name. For Select the **Characters (Granular)** checkbox at the top of the page, then select the checkbox beside a rule's name to enable that rule. -These rules require passwords to contain certain characters by default. This is indicated by the word **Contain** below the rule's name. If you want the rule to stop certain characters from being used in passwords, then select **Not contain** from the dropdown. +These rules require passwords to contain certain characters by default. This is indicated by the word **Contain** below the rule's name. If you want the rule to stop users from using certain characters in passwords, then select **Not contain** from the dropdown. When **Contain** is selected, PPE defaults to requiring at least one character from this character set. If you want to require more than one character, select the required number from the dropdown beside **Contain**. For example, you might want to specify that passwords must contain at least two special characters. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md index 1787b24d88..f1a5039345 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md @@ -16,7 +16,7 @@ Select a number from the **Must contain at least** dropdown. This rule rejects p Select the checkbox beside each required character set. Password Policy Enforcer (PPE) has seven character sets. The [Policy Properties](../policy_properties.md) page has more information about PPE's character sets. You can also use the [Characters (Granular)](character_rules.md) rules to customize the default character sets. -If the number in the dropdown is less than the number of selected character sets, then users have some flexibility in their choice of characters. For example, in the screenshot above, the password must contain only three of the four selected character sets. +If the number in the dropdown is less than the number of selected character sets, then users have some flexibility in their choice of characters. For example, in the preceding screenshot, the password must contain only three of the four selected character sets. :::note This rule uses custom character set definitions from the [Characters (Granular)](character_rules.md) rules, even if you disable the granular rules. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md index f6dcc5a249..bfd302d19b 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md @@ -93,7 +93,7 @@ Password Policy Enforcer performs partial matching even if Wildcard analysis is word "password" rejects the passwords "My**Password**$", "**Password**100", and "12**password**34" even if Wildcard analysis is disabled. -Wildcard analysis should only be used to limit matching to the characters at the start or end of a +Use Wildcard analysis only to limit matching to the characters at the start or end of a password. Enabling Wildcard analysis slightly increases search times, so only enable this option if the @@ -114,14 +114,14 @@ computers sharing a common Password Policy Enforcer configuration. ::: -Click the **Sort** button if the dictionary file is being used with Password Policy Enforcer for the -first time, or if words have been added to the file since it was last sorted. The Password Policy +Click the **Sort** button if you are using the dictionary file with Password Policy Enforcer for the +first time, or if you have added words to the file since it was last sorted. The Password Policy Enforcer Configuration Console will sort and reformat the file so that Password Policy Enforcer can use it. Sorting also removes duplicate words, so the sorted file may be smaller than the original. Click the **Messages** tab to customize the Password Policy Client rule inserts. If both Dictionary rules have identical inserts, then only one of the inserts is shown in the corresponding Password -Policy Client message if the password is rejected by both rules. +Policy Client message if both rules reject the password. ## Creating a Custom Dictionary @@ -137,7 +137,7 @@ The custom dictionary should meet the following requirements: :::note If you are using a custom dictionary, use a different filename. The default -dictionary file (dict.txt) may be replaced during an upgrade. +dictionary file (dict.txt). An upgrade may replace it. ::: @@ -149,7 +149,7 @@ dictionary file. Copy the dictionary file into the Sysvol share on one domain co Distributed File System will copy the file into the Sysvol share of all other domain controllers. Configure the Dictionary rule to read the file from \\127.0.0.1\sysvol\your.domain\filename.txt -The path above only works if the computer has a Sysvol share. This won't be the case if you are +This path only works if the computer has a Sysvol share. This won't be the case if you are using a workstation for policy testing, or if you are using Password Policy Enforcer to enforce local polices. If you are using Password Policy Enforcer for local policies and want all computers to receive dictionary file updates, then use the Sysvol share for file replication and a script or diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md index 352ba2f307..2e2e6a5f54 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md @@ -63,8 +63,8 @@ Disable Password Policy Enforcer's History rule if you don't want Password Polic the password history. :::note -Password Policy Enforcer doesn't store passwords in the password history, it only stores -the Argon2 or SHA-256 hashes. A salt protects the hashes from precomputed attacks, including rainbow +Password Policy Enforcer stores only the Argon2 or SHA-256 hashes in the password history, +not the passwords themselves. A salt protects the hashes from precomputed attacks, including rainbow tables. If you don't want Password Policy Enforcer to store a password history, then leave the History rule disabled. You can use the Windows History rule together with Password Policy Enforcer's other rules to enforce your password policy. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md index 3d80353498..fe24af3399 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md @@ -7,8 +7,8 @@ sidebar_position: 80 # Length Rule The Length rule rejects passwords that contain too few or too many characters. Longer passwords are -generally stronger, so only specify a maximum password length if password compatibility must be -maintained with a system that can't accept long passwords. +generally stronger, so only specify a maximum password length if you must maintain password +compatibility with a system that can't accept long passwords. ![Length rule](/images/passwordpolicyenforcer/11.2/administration/length.webp) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md index e980c94507..e66e977091 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md @@ -14,8 +14,8 @@ similarity may indicate that a user is serializing their passwords. For example, Select the **Similarity** checkbox to enable the Similarity rule. -Select **Current password** to apply the similarity rules the user's existing password. The Password -Policy Enforcer client must be installed on the user's machine to enforce this rule. +Select **Current password** to apply the similarity rules the user's existing password. You must install +the Password Policy Enforcer client on the user's machine to enforce this rule. Select **User display name** to reject passwords that are similar to a user's Active Directory display name (full name for local accounts). diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index 058c11e02b..14c12efbc1 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md @@ -26,7 +26,7 @@ To disable the Windows password policy rules: ![installing_ppe_3](/images/passwordpolicyenforcer/11.2/evaluation/preparing_the_computer.webp) :::note -Don't set the Windows policies to **Not Configured** as that leaves the previously enforced value in place and doesn't disable the rule. Instead, follow the steps above to explicitly set each numeric policy to **0** and set the complexity policy to **Disabled**. +Don't set the Windows policies to **Not Configured** as that leaves the previously enforced value in place and doesn't disable the rule. Instead, follow the preceding steps to explicitly set each numeric policy to **0** and set the complexity policy to **Disabled**. ::: :::note diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md index 44b28e2e94..5894352226 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md @@ -6,7 +6,7 @@ sidebar_position: 40 # Deploy with Group Policy -You can use Group Policy to deploy the [Password Policy Enforcer server components](installationserver.md) or the [Password Policy Client (PPC)](installationclient.md). Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools can also be used. +You can use Group Policy to deploy the [Password Policy Enforcer server components](installationserver.md) or the [Password Policy Client (PPC)](installationclient.md). You can also use Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools. ## Create a distribution point diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md index 6637cbea9d..f26a27a5c1 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md @@ -7,7 +7,7 @@ sidebar_position: 10 # Install the server components The Password Policy Enforcer (PPE) server installer includes the following components: -- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](domain_and_local_policies.md) for more information if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. +- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](domain_and_local_policies.md) if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. - **Configuration Console** — Graphical and command-line tools to configure PPE. Install this component on any computer that you want to configure Password Policy Enforcer from. This could be a domain controller, a management server, or your computer. - **Mailer Service** — Sends email on behalf of PPE. It is typically installed on one server in the domain. From 97c1eacd9ab27b2b5b50d1bc8f4b2d8b17106bdb Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 04:26:09 +0000 Subject: [PATCH 12/21] fix(ppe): apply character rules review feedback - Match H1 to control/frontmatter name (Characters (Granular) rules) - Change 'revert them to their original values' to 'default values' - Add blank lines after Character set rules and First and Last Character rules headings - Align character set names in policy_properties.md table with character_rules.md (Lower Alpha / Upper Alpha) Co-Authored-By: Claude Opus 4.8 (1M context) --- .../11.2/admin/manage-policies/policy_properties.md | 4 ++-- .../11.2/admin/manage-policies/rules/character_rules.md | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md index efd71724ad..3ccefa76da 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md @@ -33,8 +33,8 @@ PPE's default character sets are: | Character Set | Default characters | | ------------- | ------------------------------------------------------------------------ | -| Alpha Lower | Lowercase alphabetic (a-z) | -| Alpha Upper | Uppercase alphabetic (A-Z) | +| Lower Alpha | Lowercase alphabetic (a-z) | +| Upper Alpha | Uppercase alphabetic (A-Z) | | Alpha | Uppercase and lowercase alphabetic (a-z and A-Z) | | Numeric | Numerals (0-9) | | Special | All characters not included above | diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index 4a30a26e6f..a7d7f2b687 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -4,7 +4,7 @@ description: "Use the granular character rules to control which character types sidebar_position: 40 --- -# Character (Granular) rules +# Characters (Granular) rules Selecting the **Characters (Granular)** item in the rules pane displays the settings for nine related rules. Unlike the [Complexity rule](complexity_rule.md), these rules offer granular control over which characters are required or rejected, and can even require certain character types at specific character positions. Use these rules to increase password strength or to ensure password compatibility with other systems. @@ -15,6 +15,7 @@ You must select the **Characters (Granular)** checkbox at the top of the page be ::: ## Character set rules + The first seven rules work identically; they differ only in their default character set. A character set is the collection of characters that each rule searches for when checking a password. The first seven rules are named after their default character set: Alpha, Upper Alpha, Lower Alpha, Numeric, Special, High, and Custom. A description of the default character set appears beside each rule's name. For example, the Alpha set's description is **(a-z and A-Z)**. This description is for the Password Policy Enforcer (PPE) default character set. The default characters will be different if you configure the policy to use the Windows character set. The [Policy Properties](../policy_properties.md) page has more information about character sets. @@ -43,7 +44,7 @@ Click **Characters** if you want to redefine the character set. ![Set up custom character set](/images/passwordpolicyenforcer/11.2/administration/chargranularvowel.webp) -Enter a **Name** for the character set, then enter the characters making up the set in the **Characters set** text box. Don't enter any delimiters, just the characters. For example, `AaEeIiOoUu` for vowels. Your custom character set name doesn't appear throughout the user interface — it only appears in the [Policy and Rejection messages](../messages.md). Clear one or both of these text boxes, then click **Apply** to revert them to their original values. +Enter a **Name** for the character set, then enter the characters making up the set in the **Characters set** text box. Don't enter any delimiters, just the characters. For example, `AaEeIiOoUu` for vowels. Your custom character set name doesn't appear throughout the user interface — it only appears in the [Policy and Rejection messages](../messages.md). Clear one or both of these text boxes, then click **Apply** to revert them to their default values. :::tip You can combine Character rules to enforce complex password requirements. For example, you might need to enforce a policy such as "passwords must contain a numeric character, but not in the first two positions" to ensure compatibility with some other system. Use two rules to enforce this requirement: @@ -58,6 +59,7 @@ Other rules use custom character set names and character sets even if you disabl The character set rules are flexible, but reserve them for cases where the [Complexity](complexity_rule.md) and First and Last Character rules can't enforce your desired policy. These other rules are easier to configure and easier for users to understand. ## First and Last Character rules + The First and Last Character rules reject passwords that don't begin or end with an allowed character. Select the **Characters (Granular)** checkbox at the top of the page, then select **Characters (First)** or **Characters (Last)** to enable that rule. From a1529b06418b68e46a113da27247cca1d5abf6e4 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 04:36:48 +0000 Subject: [PATCH 13/21] fix(vale): auto-fix style issues (Vale + Dale) --- .../manage-policies/policy_properties.md | 15 ++-- .../manage-policies/rules/character_rules.md | 8 +- .../manage-policies/rules/dictionary_rule.md | 12 +-- .../manage-policies/rules/history_rule.md | 78 +++++++++---------- .../admin/manage-policies/rules/patterns.md | 12 +-- .../admin/manage-policies/rules/repetition.md | 8 +- .../installation/disable_windows_rules.md | 2 +- .../installation/domain_and_local_policies.md | 2 +- .../11.2/installation/installationserver.md | 4 +- 9 files changed, 70 insertions(+), 71 deletions(-) diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md index 3ccefa76da..c27ef2df9f 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/policy_properties.md @@ -60,14 +60,13 @@ products) always use the Password Policy Enforcer character set. Select the number of rules for **Passwords must comply with** from the dropdown list to specifiy the required compliance level for this policy. The default value **(all the rules**) requires users to comply with all enabled rules. Choose an alternative option if Password Policy Enforcer should -enforce a more lenient password policy. The Minimum Age and Maximum Age rules are excluded from -compliance level calculations. See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. +enforce a more lenient password policy. Compliance level calculations exclude the Minimum Age and Maximum Age rules. See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. When setting the compliance level, consider that some rules may be disabled when a user enters a passphrase. See the [Passphrase](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/passphrases.md) topic for additional information. Password Policy Enforcer accepts passphrases that comply with all enabled rules, irrespective of the compliance -level. This ensures that passphrases can be used, even if they don't meet the compliance level when -Password Policy Enforcer is configured to disable one or more rules for passphrases. +level. This ensures that users can use passphrases, even if they don't meet the compliance level when you +configure Password Policy Enforcer to disable one or more rules for passphrases. Password Policy Enforcer can start a password synchronization application or script whenever a user successfully changes their password. Enter the full path to the executable in the **Execute the @@ -88,11 +87,11 @@ This script is shown as an example only. You shouldn't store user passwords. ::: -The command can now include the [USERNAME] and [PASSWORD] macros. If neither is specified, then the -command is executed with both parameters to maintain compatibility with existing programs/scripts. +The command can now include the [USERNAME] and [PASSWORD] macros. If you specify neither, then PPE executes the +command with both parameters to maintain compatibility with existing programs/scripts. :::info -Use the [USERNAME] parameter if the password isn't needed by the program/script -so that the password isn't unnecessarily sent to the change notification command/script. +Use the [USERNAME] parameter if the program/script doesn't need the password, +so that PPE doesn't unnecessarily send the password to the change notification command/script. ::: diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md index a7d7f2b687..a26d44aa79 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/character_rules.md @@ -6,7 +6,7 @@ sidebar_position: 40 # Characters (Granular) rules -Selecting the **Characters (Granular)** item in the rules pane displays the settings for nine related rules. Unlike the [Complexity rule](complexity_rule.md), these rules offer granular control over which characters are required or rejected, and can even require certain character types at specific character positions. Use these rules to increase password strength or to ensure password compatibility with other systems. +Selecting the **Characters (Granular)** item in the rules pane displays the settings for nine related rules. Unlike the [Complexity rule](complexity_rule.md), these rules offer granular control over which characters to require or reject, and can even require certain character types at specific character positions. Use these rules to increase password strength or to ensure password compatibility with other systems. ![Character (Granular) Rule](/images/passwordpolicyenforcer/11.2/administration/chargranular.webp) @@ -22,9 +22,9 @@ A description of the default character set appears beside each rule's name. For Select the **Characters (Granular)** checkbox at the top of the page, then select the checkbox beside a rule's name to enable that rule. -These rules require passwords to contain certain characters by default. This is indicated by the word **Contain** below the rule's name. If you want the rule to stop users from using certain characters in passwords, then select **Not contain** from the dropdown. +These rules require passwords to contain certain characters by default. The word **Contain** below the rule's name indicates this. If you want the rule to stop users from using certain characters in passwords, then select **Not contain** from the dropdown. -When **Contain** is selected, PPE defaults to requiring at least one character from this character set. If you want to require more than one character, select the required number from the dropdown beside **Contain**. For example, you might want to specify that passwords must contain at least two special characters. +When you select **Contain**, PPE defaults to requiring at least one character from this character set. If you want to require more than one character, select the required number from the dropdown beside **Contain**. For example, you might want to specify that passwords must contain at least two special characters. ![Passwords must contain at least two special characters](/images/passwordpolicyenforcer/11.2/administration/characters_granular_must_contain_two_special.webp) @@ -64,7 +64,7 @@ The First and Last Character rules reject passwords that don't begin or end with Select the **Characters (Granular)** checkbox at the top of the page, then select **Characters (First)** or **Characters (Last)** to enable that rule. -These rules require passwords to begin or end with certain characters by default. This is indicated by **Begin** (First Character rule) or **End** (Last Character rule) below the rule's name. If you don't want certain characters to appear at the beginning or end of a password, select **Not begin** or **Not end** from the dropdown. +These rules require passwords to begin or end with certain characters by default. **Begin** (First Character rule) or **End** (Last Character rule) below the rule's name indicates this. If you don't want certain characters to appear at the beginning or end of a password, select **Not begin** or **Not end** from the dropdown. Click the character set names to select them. A checkmark appears next to the selected character sets. For example, selecting **Not end** with **Numeric** and **Special** rejects passwords that end with a numeric or special character: diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md index bfd302d19b..488895646a 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/dictionary_rule.md @@ -8,7 +8,7 @@ sidebar_position: 60 The Dictionary rule rejects passwords that are vulnerable to guessing, hybrid, and precomputed attacks. These attacks can crack weak passwords in seconds, and they can be very effective if -passwords are based on common words. +users base their passwords on common words. ![Dicitonary Rule](/images/passwordpolicyenforcer/11.2/administration/dictionary.webp) @@ -89,9 +89,9 @@ wildcard template formats: -Password Policy Enforcer performs partial matching even if Wildcard analysis is disabled. For example, the dictionary +Password Policy Enforcer performs partial matching even if you disable Wildcard analysis. For example, the dictionary word "password" rejects the passwords "My**Password**$", "**Password**100", and -"12**password**34" even if Wildcard analysis is disabled. +"12**password**34" even if you disable Wildcard analysis. Use Wildcard analysis only to limit matching to the characters at the start or end of a password. @@ -115,13 +115,13 @@ computers sharing a common Password Policy Enforcer configuration. Click the **Sort** button if you are using the dictionary file with Password Policy Enforcer for the -first time, or if you have added words to the file since it was last sorted. The Password Policy +first time, or if you have added words to the file since you last sorted it. The Password Policy Enforcer Configuration Console will sort and reformat the file so that Password Policy Enforcer can use it. Sorting also removes duplicate words, so the sorted file may be smaller than the original. Click the **Messages** tab to customize the Password Policy Client rule inserts. If both Dictionary -rules have identical inserts, then only one of the inserts is shown in the corresponding Password -Policy Client message if both rules reject the password. +rules have identical inserts, then the corresponding Password +Policy Client message shows only one of the inserts if both rules reject the password. ## Creating a Custom Dictionary diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md index 2e2e6a5f54..366cb1d0c3 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md @@ -6,8 +6,8 @@ sidebar_position: 70 # History Rule -The History rule rejects passwords that are identical to recently used passwords. Password reuse -should be avoided because it defeats the purpose of regular password changes. Password Policy +The History rule rejects passwords that are identical to recently used passwords. Avoid password +reuse because it defeats the purpose of regular password changes. Password Policy Enforcer can stop users from reusing passwords for a specified number of password changes or a number of days. @@ -23,22 +23,22 @@ changes. Choose the number of password changes from the dropdown list. **A password used in the last** option to stop passwords from being reused for a specified number of days. Enter the number of days in the text box. -Choose an item from the **Hash function** dropdown list. Argon2 is recommended for best security. +Choose an item from the **Hash function** dropdown list. Netwrix recommends Argon2 for best security. The Argon2 option uses 100,000 times more computing power to create a hash, so an attacker needs 100,000 more computing power to crack Argon2 hashes. Argon2 increases password change times by 400%, -so a domain controller that can handle 1,000 password changes a minute with SHA-256 can be expected -to handle 250 password changes a minute with Argon2. All numbers are approximate. Use Argon2 if your +so a domain controller that can handle 1,000 password changes a minute with SHA-256 can +handle about 250 password changes a minute with Argon2. All numbers are approximate. Use Argon2 if your domain controllers can handle the load. :::note Changing the **Hash function** doesn't modify existing history records. It sets the -function to be used for new password history records. If a user has Argon2 and SHA-256 hashes in +function for new password history records. If a user has Argon2 and SHA-256 hashes in their password history, then Password Policy Enforcer calculates both the Argon2 and SHA-256 hashes during a password change to ensure the new password isn't in the password history. ::: -The History rule is normally not enforced when a password is reset. Select the **Enforce this rule +Password Policy Enforcer normally doesn't enforce the History rule during a password reset. Select the **Enforce this rule when a password is reset** checkbox to override the default behavior. You must also select the **Enforce policy when password is reset** option in the PPS Properties page to enforce this rule when a password is reset. @@ -46,16 +46,16 @@ when a password is reset. Click the **Messages** tab to customize the Password Policy Client rule inserts. :::note -The History rule isn't enforced when testing passwords from the Test Policies page. +Password Policy Enforcer doesn't enforce the History rule when you test passwords from the Test Policies page. ::: -Password Policy Enforcer updates a user's password history whenever their password changes. The -password history is updated even if Password Policy Enforcer or the assigned policy is disabled. A -user's password history is deleted if the user doesn't have an assigned policy, or if the History -rule is disabled at the time of the password change. +Password Policy Enforcer updates a user's password history whenever their password changes. Password +Policy Enforcer updates the password history even if PPE or the assigned policy is disabled. Password +Policy Enforcer deletes a user's password history if the user doesn't have an assigned policy, or if +the History rule is disabled at the time of the password change. -Password Policy Enforcer's password history is stored in Active Directory for domain user accounts, +Password Policy Enforcer stores its password history in Active Directory for domain user accounts, and in the registry for local user accounts. You can create a new Active Directory attribute for the password history, or configure Password Policy Enforcer to use an existing attribute. @@ -72,28 +72,28 @@ other rules to enforce your password policy. Password Policy Enforcer can store up to 100 password hashes for each user, but it only stores the -minimum needed to enforce the current password policy. For example, if Password Policy Enforcer is -configured to reject the last 24 passwords, then only the last 24 password hashes are stored. -Reconfiguring Password Policy Enforcer to reject the last 30 passwords won't have an immediate effect because only 24 password hashes are stored. The full effect of the new configuration is realized after users change their passwords six more times, at which point Password Policy Enforcer has 30 stored password hashes for each user. +minimum needed to enforce the current password policy. For example, if you configure Password Policy +Enforcer to reject the last 24 passwords, then PPE stores only the last 24 password hashes. +Reconfiguring Password Policy Enforcer to reject the last 30 passwords won't have an immediate effect because PPE stores only 24 password hashes. The new configuration takes full effect after users change their passwords six more times, at which point Password Policy Enforcer has 30 stored password hashes for each user. Leave both the Windows and Password Policy Enforcer History rules enabled when transitioning from one to the other. This allows the old rule to enforce the policy until the new rule has built up its -password history. The old rule can be disabled after users have completed the required number of +password history. You can disable the old rule after users have completed the required number of password changes to enforce the new rule. -As Password Policy Enforcer is limited to storing the last 100 password hashes, it is possible for -the History rule to run out of storage space before the specified number of days. Use the Minimum -Age rule to avoid this problem. For example, if the History rule is configured to not allow password +As Password Policy Enforcer is limited to storing the last 100 password hashes, the History rule +might run out of storage space before the specified number of days. Use the Minimum +Age rule to avoid this problem. For example, if you configure the History rule to not allow password reuse for 365 days, then set the minimum password age to four or more days. Even if a user changes their password every four days, they can only perform 91 password changes in 365 days. ## Creating a New Attribute for the Password History -Windows stores a domain user's password history in two Active Directory attributes, but these -attributes can't be used by other applications. Password Policy Enforcer can store the password -history in a new or existing attribute. A new attribute is recommended, but you can use an existing -attribute if you don't want to extend the AD schema. An AD attribute is only needed for domain user -accounts because the password history for local user accounts is stored in the registry. +Windows stores a domain user's password history in two Active Directory attributes, but other +applications can't use these attributes. Password Policy Enforcer can store the password +history in a new or existing attribute. Netwrix recommends a new attribute, but you can use an existing +attribute if you don't want to extend the AD schema. PPE only needs an AD attribute for domain user +accounts because it stores the password history for local user accounts in the registry. :::warning Password Policy Enforcer's password history attribute is confidential to stop @@ -101,12 +101,12 @@ authenticated users from accessing the password history of other users. See the [Mark an attribute as confidential in Windows Server 2003 Service Pack 1](http://support.microsoft.com/kb/922836) Microsoft article for additional information. Confidential attributes have additional protection in Active Directory, but they aren't as well protected as the Windows password history attributes. -There is a higher risk of unauthorized access to the password history if it is stored outside the +There is a higher risk of unauthorized access to the password history if you store it outside the Windows password history attributes. ::: -Follow the following steps to create a new Active Directory attribute for the password history. +Follow these steps to create a new Active Directory attribute for the password history. **Step 1 –** Log on to the server holding the Schema Operations Master role with an account that is a member of the Schema Admins group. @@ -128,14 +128,14 @@ Replacing the last parameter with your domain's DN. ## Using an Existing Attribute for the Password History Password Policy Enforcer can store the password history in an existing attribute. The desktopProfile -attribute is well suited because it isn't used by Windows. Other attributes are also suitable if -they aren't being used. Contact [Netwrix Support](https://www.netwrix.com/support.html) if you +attribute is well suited because Windows doesn't use it. Other attributes are also suitable if +they aren't in use. Contact [Netwrix Support](https://www.netwrix.com/support.html) if you would like to use an existing attribute for the password history. ## Password Histories for Local User Accounts -The password histories of local user accounts are stored in the HKLM\SECURITY\PPE Password History\ -registry key. Users aren't granted access the HKLM\SECURITY\ registry key by default, so a user +Password Policy Enforcer stores the password histories of local user accounts in the HKLM\SECURITY\PPE Password History\ +registry key. Windows doesn't grant users access to the HKLM\SECURITY\ registry key by default, so a user can't read the password history of any user (including themselves). This is also true for members of the Administrators group, but administrators can change the default permissions. If an administrator accesses the password history they might be able to extract the hashes for cracking, @@ -143,16 +143,16 @@ but they can't extract the passwords directly because the password history doesn passwords. :::warning -The password history of a local user account isn't automatically deleted when the user -account is deleted. If a local user account is deleted, then another local user account is created +Password Policy Enforcer doesn't automatically delete the password history of a local user account when you delete the user +account. If you delete a local user account, then create another local user account on the same computer with the same username, the new user will inherit the deleted user's password history. The default registry permissions stop users from accessing their own password history, so it is difficult for the new user to use this information. They could try to guess the deleted user's -password during a password change to see if it is rejected by the History rule, but they would only -have a few attempts to guess correctly before the old hashes are overwritten with new hashes. The -user's current password is validated, and the Windows Minimum Age rule is enforced before the -password history is checked, so every compliant and incorrect password guessed will overwrite one -hash in the password history. This information applies only to local user accounts. The password -history for domain user accounts is deleted when users are deleted. +password during a password change to see if the History rule rejects it, but they would only +have a few attempts to guess correctly before new hashes overwrite the old hashes. Password +Policy Enforcer validates the user's current password and enforces the Windows Minimum Age rule +before checking the password history, so every compliant and incorrect password guessed will +overwrite one hash in the password history. This information applies only to local user accounts. Password Policy Enforcer deletes the password +history for domain user accounts when you delete users. ::: diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md index 21c61034be..a40ae605d5 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/patterns.md @@ -29,10 +29,10 @@ instead of "abcde". Choose a value from the **Tolerance** dropdown list to specify the longest pattern that Password Policy Enforcer allows before rejecting a password. For example, the password "password**wxyz**" contains a four-character pattern (shown in bold type). Password Policy Enforcer rejects this -password if the tolerance is set to three (or lower), and accept it if the tolerance is set to four -(or higher). Choose the **Auto** value if passwords should be rejected if they only contain a -single, continuous, character pattern. For example, "abcde" would be rejected, but "abcdz" and -"abc123" wouldn't. +password if you set the tolerance to three (or lower), and accepts it if you set the tolerance to four +(or higher). Choose the **Auto** value to reject passwords that contain only a +single, continuous character pattern. For example, PPE would reject "abcde", but not "abcdz" or +"abc123". Select **Reject keyboard patterns like "qwerty"** to check for keyboard patterns. @@ -47,5 +47,5 @@ Select **Detect key repeat** for repeated keys, based on the **Tolerance** value Select **Detect key skip** for skipped keys, such as **qetuo**. -Set **Tolerance** for the number of characters in a keyboard pattern is allowed before the password -is rejected. +Set **Tolerance** to the number of characters allowed in a keyboard pattern before Password Policy +Enforcer rejects the password. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md index a265c33dfc..d7fe12bea6 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/repetition.md @@ -31,7 +31,7 @@ instead of "abcde". Choose a value from the **Tolerance** dropdown list to specify the longest pattern that Password Policy Enforcer allows before rejecting a password. For example, the password "password**wxyz**" contains a four-character pattern (shown in bold type). Password Policy Enforcer rejects this -password if the tolerance is set to three (or lower), and accept it if the tolerance is set to four -(or higher). Choose the **Auto** value if passwords should be rejected if they only contain a -single, continuous, character pattern. For example, "abcde" would be rejected, but "abcdz" and -"abc123" wouldn't. +password if you set the tolerance to three (or lower), and accepts it if you set the tolerance to four +(or higher). Choose the **Auto** value to reject passwords that contain only a +single, continuous character pattern. For example, PPE would reject "abcde", but not "abcdz" or +"abc123". diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index 14c12efbc1..6226ef3879 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md @@ -8,7 +8,7 @@ sidebar_position: 20 Windows has its own password policy rules for password history, age, length, and complexity. If you enable both Password Policy Enforcer (PPE) rules and Windows rules, users must comply with both the PPE and Windows rules. -PPE has its own rules for password [history](../admin/manage-policies/rules/history_rule.md), [minimum age](../admin/manage-policies/rules/minimum_age_rule.md), [maximum age](../admin/manage-policies/rules/maximum_age_rule.md), [length](../admin/manage-policies/rules/length_rule.md), and [complexity](../admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. It is therefore recommended to disable the Windows password policy rules while you are experimenting with and testing your PPE configuration. +PPE has its own rules for password [history](../admin/manage-policies/rules/history_rule.md), [minimum age](../admin/manage-policies/rules/minimum_age_rule.md), [maximum age](../admin/manage-policies/rules/maximum_age_rule.md), [length](../admin/manage-policies/rules/length_rule.md), and [complexity](../admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. Netwrix therefore recommends disabling the Windows password policy rules while you experiment with and test your PPE configuration. To disable the Windows password policy rules: diff --git a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md index 2ace694a09..a30e8c97dc 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md +++ b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md @@ -31,7 +31,7 @@ PPE stores configuration information in Active Directory for domain password pol Changes to a domain configuration automatically replicate to all domain controllers in the domain. Changes to a local configuration apply only to the local computer. If you want to use the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 11.0\ registry key from the configured computer, and import it into the other computers. -You can also use Group Policy to distribute a local configuration to many computers in a domain. This is only necessary for local password policies. Domain password policies automatically replicate to the domain controllers because they're stored in Active Directory. +You can also use Group Policy to distribute a local configuration to many computers in a domain. This is only necessary for local password policies. Domain password policies automatically replicate to the domain controllers because Active Directory stores them. ### Distribute the local configuration with Group Policy diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md index f26a27a5c1..b2123339ab 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md @@ -7,9 +7,9 @@ sidebar_position: 10 # Install the server components The Password Policy Enforcer (PPE) server installer includes the following components: -- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](domain_and_local_policies.md) if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. +- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. You typically install this component on all the domain controllers in a domain. See [Domain and Local Policies](domain_and_local_policies.md) if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. - **Configuration Console** — Graphical and command-line tools to configure PPE. Install this component on any computer that you want to configure Password Policy Enforcer from. This could be a domain controller, a management server, or your computer. -- **Mailer Service** — Sends email on behalf of PPE. It is typically installed on one server in the domain. +- **Mailer Service** — Sends email on behalf of PPE. You typically install it on one server in the domain. :::note The [introduction](../index.md) has more information about these components, including their system requirements. From 2255892324c6bb742be426011d8ff0ed6ad39772 Mon Sep 17 00:00:00 2001 From: Dan Piazza <220388267+DanPiazza-Netwrix@users.noreply.github.com> Date: Wed, 24 Jun 2026 09:08:02 -0400 Subject: [PATCH 14/21] docs(changetracker): rename integration overview_1/2 to splunk/vmware Renames generic filenames to content-specific names so URLs reflect the actual topic (Splunk, VMware) across all three versions (8.0, 8.1, 8.2). Updates cross-references in each version's integration overview page. Generated with AI Co-Authored-By: Claude Code --- docs/changetracker/8.0/integration/overview.md | 4 ++-- .../8.0/integration/{overview_1.md => splunk.md} | 0 .../8.0/integration/{overview_2.md => vmware.md} | 0 docs/changetracker/8.1/integration/overview.md | 4 ++-- .../8.1/integration/{overview_1.md => splunk.md} | 0 .../8.1/integration/{overview_2.md => vmware.md} | 0 docs/changetracker/8.2/integration/overview.md | 4 ++-- .../8.2/integration/{overview_1.md => splunk.md} | 0 .../8.2/integration/{overview_2.md => vmware.md} | 0 9 files changed, 6 insertions(+), 6 deletions(-) rename docs/changetracker/8.0/integration/{overview_1.md => splunk.md} (100%) rename docs/changetracker/8.0/integration/{overview_2.md => vmware.md} (100%) rename docs/changetracker/8.1/integration/{overview_1.md => splunk.md} (100%) rename docs/changetracker/8.1/integration/{overview_2.md => vmware.md} (100%) rename docs/changetracker/8.2/integration/{overview_1.md => splunk.md} (100%) rename docs/changetracker/8.2/integration/{overview_2.md => vmware.md} (100%) diff --git a/docs/changetracker/8.0/integration/overview.md b/docs/changetracker/8.0/integration/overview.md index d77bbdd6fa..442529966e 100644 --- a/docs/changetracker/8.0/integration/overview.md +++ b/docs/changetracker/8.0/integration/overview.md @@ -11,5 +11,5 @@ Netwrix Change Tracker supports the following integrations: - [Netwrix Products](/docs/changetracker/8.0/integration/netwrixproducts/overview.md) - [API](/docs/changetracker/8.0/integration/api/overview.md) - [IT Management Systems](/docs/changetracker/8.0/integration/itsm/overview.md) -- [Splunk](/docs/changetracker/8.0/integration/overview_1.md) -- [VMWare](/docs/changetracker/8.0/integration/overview_2.md) +- [Splunk](/docs/changetracker/8.0/integration/splunk.md) +- [VMWare](/docs/changetracker/8.0/integration/vmware.md) diff --git a/docs/changetracker/8.0/integration/overview_1.md b/docs/changetracker/8.0/integration/splunk.md similarity index 100% rename from docs/changetracker/8.0/integration/overview_1.md rename to docs/changetracker/8.0/integration/splunk.md diff --git a/docs/changetracker/8.0/integration/overview_2.md b/docs/changetracker/8.0/integration/vmware.md similarity index 100% rename from docs/changetracker/8.0/integration/overview_2.md rename to docs/changetracker/8.0/integration/vmware.md diff --git a/docs/changetracker/8.1/integration/overview.md b/docs/changetracker/8.1/integration/overview.md index d5417dbbc2..a98e6da6bf 100644 --- a/docs/changetracker/8.1/integration/overview.md +++ b/docs/changetracker/8.1/integration/overview.md @@ -11,5 +11,5 @@ Netwrix Change Tracker supports the following integrations: - [Netwrix Products](/docs/changetracker/8.1/integration/netwrixproducts/overview.md) - [API](/docs/changetracker/8.1/api/overview.md) - [IT Service Management](/docs/changetracker/8.1/integration/itsm/overview.md) -- [Splunk](/docs/changetracker/8.1/integration/overview_1.md) -- [VMWare](/docs/changetracker/8.1/integration/overview_2.md) +- [Splunk](/docs/changetracker/8.1/integration/splunk.md) +- [VMWare](/docs/changetracker/8.1/integration/vmware.md) diff --git a/docs/changetracker/8.1/integration/overview_1.md b/docs/changetracker/8.1/integration/splunk.md similarity index 100% rename from docs/changetracker/8.1/integration/overview_1.md rename to docs/changetracker/8.1/integration/splunk.md diff --git a/docs/changetracker/8.1/integration/overview_2.md b/docs/changetracker/8.1/integration/vmware.md similarity index 100% rename from docs/changetracker/8.1/integration/overview_2.md rename to docs/changetracker/8.1/integration/vmware.md diff --git a/docs/changetracker/8.2/integration/overview.md b/docs/changetracker/8.2/integration/overview.md index b64d428077..d153c1672b 100644 --- a/docs/changetracker/8.2/integration/overview.md +++ b/docs/changetracker/8.2/integration/overview.md @@ -11,5 +11,5 @@ Netwrix Change Tracker supports the following integrations: - [Netwrix Products](/docs/changetracker/8.2/integration/netwrixproducts/overview.md) - [API](/docs/changetracker/8.2/api/overview.md) - [IT Service Management](/docs/changetracker/8.2/integration/itsm/overview.md) -- [Splunk](/docs/changetracker/8.2/integration/overview_1.md) -- [VMWare](/docs/changetracker/8.2/integration/overview_2.md) +- [Splunk](/docs/changetracker/8.2/integration/splunk.md) +- [VMWare](/docs/changetracker/8.2/integration/vmware.md) diff --git a/docs/changetracker/8.2/integration/overview_1.md b/docs/changetracker/8.2/integration/splunk.md similarity index 100% rename from docs/changetracker/8.2/integration/overview_1.md rename to docs/changetracker/8.2/integration/splunk.md diff --git a/docs/changetracker/8.2/integration/overview_2.md b/docs/changetracker/8.2/integration/vmware.md similarity index 100% rename from docs/changetracker/8.2/integration/overview_2.md rename to docs/changetracker/8.2/integration/vmware.md From 5f09c35827912312be1bf5c0cf54c7ad2355bebc Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 13:22:44 +0000 Subject: [PATCH 15/21] fix(vale): auto-fix style issues (Vale + Dale) --- docs/changetracker/8.0/integration/splunk.md | 95 +++++++++----------- docs/changetracker/8.0/integration/vmware.md | 40 ++++----- docs/changetracker/8.1/integration/splunk.md | 95 +++++++++----------- docs/changetracker/8.1/integration/vmware.md | 40 ++++----- docs/changetracker/8.2/integration/splunk.md | 95 +++++++++----------- docs/changetracker/8.2/integration/vmware.md | 40 ++++----- 6 files changed, 186 insertions(+), 219 deletions(-) diff --git a/docs/changetracker/8.0/integration/splunk.md b/docs/changetracker/8.0/integration/splunk.md index 737a0744cc..c2d4e1fa4c 100644 --- a/docs/changetracker/8.0/integration/splunk.md +++ b/docs/changetracker/8.0/integration/splunk.md @@ -6,25 +6,22 @@ sidebar_position: 40 # Splunk -Splunk is used to store logs from devices, databases and applications. Capturing changes to device -configuration, from logs in Splunk, provides a form of agentless monitoring with the ability to -monitor devices that are not currently supported by Change Tracker. This means anything that can -reliably log it's configuration changes to Splunk can be monitored by Change Tracker, including -custom applications. +Splunk stores logs from devices, databases, and applications. Capturing changes to device +configuration, from logs in Splunk, provides a form of agentless monitoring that can monitor +devices Change Tracker doesn't support. This means Change Tracker can monitor anything that can +reliably log its configuration changes to Splunk, including custom applications. -A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, will -return specific logs that are converted to change events in Change Tracker. From this point on, -these change events will behave as if they were produced by a traditional agent. +A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, returns +specific logs that Change Tracker converts to change events. From this point on, these change +events behave as if a traditional agent produced them. -Permissions required for the Splunk can be found in the Authentication and Authorization section of +You can find the permissions required for Splunk in the Authentication and Authorization section of the Splunk Documentation page. See Splunk's [REST API User Manual](https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTUM/RESTusing#rest-api-user-manual) article for additional information on permissions. ## Configure Credentials -Follow the steps to configure Splunk credentials. - **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. @@ -38,15 +35,15 @@ The Splunk credentials are updated. ## Policy Templates -Policy templates are used to configure what to monitor on the target devices. For Splunk a policy -template that defines an SPL query is required. Splunk's SPL query language is similar to SQL in -that it is very flexible when defining the data to query, how to filter it and what transformations -are required like column aliases. +Use policy templates to configure what to monitor on the target devices. Splunk requires a policy +template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +defining the data to query, how to filter it, and what transformations to apply, such as column +aliases. ### Create an SPL Query :::info -It is recommended to develop and test the SPL query in Splunk's Search page. +Develop and test the SPL query in Splunk's Search page. ::: @@ -57,17 +54,17 @@ The query must return fields with the following aliases: - eventdate - eventinfo -The value in the eventdate field must be formatted as YYYY-mm-ddTHH:MM:SS. The strftime function can -be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). +Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS. Use the strftime function to format +date-time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). -Any further fields added will be included in the body of the events when the reach Change Tracker. -Sourcetype is an example of such a field in the test query below. +Any further fields added appear in the body of the events when they reach Change Tracker. +Sourcetype is an example of such a field in the following test query. ![splunksearch](/images/changetracker/8.0/integration/splunk/splunksearch.webp) -Below is the test query used in this document. This query pulls internal Splunk data that any +This document uses the following test query. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of -the statement ensures that only 50 rows are returned. +the statement ensures that the query returns only 50 rows. ``` search index=_internal event_message != ""  | rename host as device | eval  whomadethechange = "test-user" | eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")  | rename event_message as eventinfo | table device whomadethechange eventinfo eventdate sourcetype | head 50 @@ -75,8 +72,6 @@ search index=_internal event_message != ""  | rename host as device | eval   ### Create the Policy Template -Follow the steps to create a policy template. - **Step 1 –** From the Settings menu, select **Policy Templates**. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. @@ -96,10 +91,10 @@ Splunk Search Queries tab. ![splqueryconfiguration](/images/changetracker/8.0/integration/splunk/splqueryconfiguration.webp) -Paste the query, give it a description and click Update. The query will now be listed in the policy. +Paste the query, give it a description, and click Update. The query now appears in the policy. :::note -Ensure the desired polling frequency is set. +Set the polling frequency you want. ::: @@ -107,8 +102,6 @@ Ensure the desired polling frequency is set. ### Devices and Groups -Follow the steps to add a group. - **Step 1 –** From the Settings menu, select **Groups** and click **Add** to add a new group called Splunk Tracker. @@ -119,20 +112,18 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.0/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created above. +Any device in this group of the type Splunk will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.0/integration/splunk/group.webp) -**Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the -Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk -events will be matched to. +**Step 4 –** Select the Splunk Tracker group and click **Add** to add a sub group to the +Splunk Tracker group named Splunk devices. This group holds the proxied devices that Change Tracker +matches Splunk events to. ### Devices -To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, a proxied -device must be created with the connection details. - -Follow the steps to manually create a proxied device to represent the target instance of Splunk. +To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, you must +create a proxied device with the connection details. ![manualdevicecreation](/images/changetracker/8.0/integration/splunk/manualdevicecreation.webp) @@ -154,15 +145,15 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Events without a matching device will be ignored +match a device in Change Tracker. Change Tracker ignores events without a matching device ::: This isn't a problem with agent based monitoring as the agent registers it's device on first contact -with the Hub. All types of agentless monitoring require devices to be created in Change Tracker. +with the Hub. All types of agentless monitoring require you to create devices in Change Tracker. -Devices can be created manually or via device discovery. Device discovery is only available when the -Sync Service is configured to integrate with ServiceNow. Both will result in proxied devices +You can create devices manually or via device discovery. Device discovery is only available when you +configure the Sync Service to integrate with ServiceNow. Both will result in proxied devices registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the @@ -172,30 +163,30 @@ section in topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a -good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk +good choice here) and click Add Proxied Device. Add the new devices to the Splunk Devices group. -If the logs collected are from a custom application it may be desirable to treat the application as -a device in Change Tracker instead of it's individual servers. This way change events would belong -to the application and not to individual servers. This could be done by manually creating a proxied -device named after the application and then ensuring the SPL query uses the same application name -for it's Device column. +If the logs collected are from a custom application, you may want to treat the application as +a device in Change Tracker instead of its individual servers. This way change events would belong +to the application and not to individual servers. To do this, manually create a proxied +device named after the application, then ensure the SPL query uses the same application name +for its Device column. ## Events -If everything has been configured correctly and communication with the Splunk instance is possible, +If you've configured everything correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. ![splunkevents](/images/changetracker/8.0/integration/splunk/splunkevents.webp) -In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field -in the results other than the required fields is added to the additional info section at the bottom -of the event body. This flexible field can list multiple non required fields from the SPL query. -This enables full control of what is logged into the events. +The body of a Splunk event shows the required fields from the SPL query. Change Tracker adds any +field in the results other than the required fields to the additional info section at the bottom +of the event body. This flexible field can list multiple non-required fields from the SPL query. +This gives you full control over what Change Tracker logs into the events. ![splunkeventbody](/images/changetracker/8.0/integration/splunk/splunkeventbody.webp) -Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker +You can run the tracking policy manually from the Splunk device by clicking Start Tracker Poll. ![starttrackerpoll](/images/changetracker/8.0/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.0/integration/vmware.md b/docs/changetracker/8.0/integration/vmware.md index 23ebec36d4..b6cb2da30e 100644 --- a/docs/changetracker/8.0/integration/vmware.md +++ b/docs/changetracker/8.0/integration/vmware.md @@ -11,8 +11,8 @@ tracking templates to ensure secure configuration of vSphere clusters and their ## vSphere/ESXi -Compliance reports for vSphere clusters and their ESXi nodes are executed in an agentless manor with -the use of a proxy agent that has vSphere clusters (or individual ESXi servers) configured as +Change Tracker executes compliance reports for vSphere clusters and their ESXi nodes in an agentless +manner, using a proxy agent that has vSphere clusters (or individual ESXi servers) configured as proxied devices. ## Requirements for the Proxy Agent's Device @@ -24,8 +24,8 @@ proxied devices. ## Installation -After installing .NET 6 and the Gen 7 Agent, following the instructions below will ensure the proxy -agent's device is able to communicate with vSphere and ESXi devices. +After you install .NET 6 and the Gen 7 Agent, follow these instructions to ensure the proxy +agent's device can communicate with vSphere and ESXi devices. Open a PowerShell console as Administrator to run the following command: @@ -35,7 +35,7 @@ Check installation with: Get-PowerCLIVersion -If self-signed certificates are in use with vCenter, the following command will ignore the errors +If vCenter uses self-signed certificates, the following command ignores the errors this usually raises: Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers @@ -46,28 +46,26 @@ Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false ## Configuration -Follow the steps to configure ESXi/vCenter credentials: - **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. ![esxicredentials](/images/changetracker/8.0/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi -monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, -The ESXi Host Type option enables connections to stand alone ESXi servers. +monitoring, use vCenter as the Host Type because it allows for ESXi node discovery. The ESXi Host +Type option enables connections to standalone ESXi servers. ![esxicredentialform](/images/changetracker/8.0/integration/vmware/esxicredentialform.webp) ## Device Discovery -A vSphere cluster is made up of ESXi nodes. In the past, each ESXi node had to be manually added as -a proxied device. It is now possible to add the vSphere service as a proxied device and -automatically discover all of it's ESXi nodes and add them as proxied devices. This allows for -faster configuration and the ability to keep up with fast changing environments where ESXi nodes are -frequently created, removed or even migrated between clusters. +A vSphere cluster consists of ESXi nodes. In the past, you had to add each ESXi node manually as +a proxied device. You can now add the vSphere service as a proxied device and automatically +discover all its ESXi nodes and add them as proxied devices. This speeds up configuration and helps +you keep up with fast-changing environments where ESXi nodes are frequently created, removed, or +migrated between clusters. -From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down +From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the dropdown to configure the discovery job. ![devicediscoverygrid](/images/changetracker/8.0/integration/vmware/devicediscoverygrid.webp) @@ -75,13 +73,13 @@ to configure the discovery job. Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. -Parent Device in Hub is the proxy device that the proxied devices (that represents the ESXi nodes) -will be registered under. Usually Discovery Device and Parent Device in Hub use the same agent, but -different discovery jobs executed by different proxy agents could be configured to register all of +Parent Device in Hub is the proxy device under which Change Tracker registers the proxied devices +that represent the ESXi nodes. Usually Discovery Device and Parent Device in Hub use the same agent, +but you can configure different discovery jobs, executed by different proxy agents, to register all their discovered nodes under one proxy agent. -The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is -no automatic registration so a group must be chosen. +The "Assign to Group" dropdown is the group you assign the discovered ESXi nodes to. There is +no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.0/integration/vmware/devicediscoveryform.webp) @@ -96,7 +94,7 @@ visible in the grid. ## Compliance Reporting -Under the Reports tab, it is now possible to configure and run the appropriate compliance report +Under the Reports tab, you can now configure and run the appropriate compliance report against the group that contains the ESXi devices. ![esxicompliancereport](/images/changetracker/8.0/integration/vmware/esxicompliancereport.webp) diff --git a/docs/changetracker/8.1/integration/splunk.md b/docs/changetracker/8.1/integration/splunk.md index 9e5a1ed70d..1b5012ee1e 100644 --- a/docs/changetracker/8.1/integration/splunk.md +++ b/docs/changetracker/8.1/integration/splunk.md @@ -6,25 +6,22 @@ sidebar_position: 40 # Splunk -Splunk is used to store logs from devices, databases and applications. Capturing changes to device -configuration, from logs in Splunk, provides a form of agentless monitoring with the ability to -monitor devices that are not currently supported by Change Tracker. This means anything that can -reliably log it's configuration changes to Splunk can be monitored by Change Tracker, including -custom applications. +Splunk stores logs from devices, databases, and applications. Capturing changes to device +configuration, from logs in Splunk, provides a form of agentless monitoring that can monitor +devices Change Tracker doesn't support. This means Change Tracker can monitor anything that can +reliably log its configuration changes to Splunk, including custom applications. -A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, will -return specific logs that are converted to change events in Change Tracker. From this point on, -these change events will behave as if they were produced by a traditional agent. +A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, returns +specific logs that Change Tracker converts to change events. From this point on, these change +events behave as if a traditional agent produced them. -Permissions required for the Splunk can be found in the Authentication and Authorization section of +You can find the permissions required for Splunk in the Authentication and Authorization section of the Splunk Documentation page. See Splunk's [REST API User Manual](https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTUM/RESTusing#rest-api-user-manual) article for additional information on permissions. ## Configure Credentials -Follow the steps to configure Splunk credentials. - **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. @@ -38,15 +35,15 @@ The Splunk credentials are updated. ## Policy Templates -Policy templates are used to configure what to monitor on the target devices. For Splunk a policy -template that defines an SPL query is required. Splunk's SPL query language is similar to SQL in -that it is very flexible when defining the data to query, how to filter it and what transformations -are required like column aliases. +Use policy templates to configure what to monitor on the target devices. Splunk requires a policy +template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +defining the data to query, how to filter it, and what transformations to apply, such as column +aliases. ### Create an SPL Query :::info -It is recommended to develop and test the SPL query in Splunk's Search page. +Develop and test the SPL query in Splunk's Search page. ::: @@ -57,17 +54,17 @@ The query must return fields with the following aliases: - eventdate - eventinfo -The value in the eventdate field must be formatted as YYYY-mm-ddTHH:MM:SS. The strftime function can -be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). +Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS. Use the strftime function to format +date-time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). -Any further fields added will be included in the body of the events when the reach Change Tracker. -Sourcetype is an example of such a field in the test query below. +Any further fields added appear in the body of the events when they reach Change Tracker. +Sourcetype is an example of such a field in the following test query. ![splunksearch](/images/changetracker/8.1/integration/splunk/splunksearch.webp) -Below is the test query used in this document. This query pulls internal Splunk data that any +This document uses the following test query. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of -the statement ensures that only 50 rows are returned. +the statement ensures that the query returns only 50 rows. ``` search index=_internal event_message != ""  | rename host as device | eval  whomadethechange = "test-user" | eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")  | rename event_message as eventinfo | table device whomadethechange eventinfo eventdate sourcetype | head 50 @@ -75,8 +72,6 @@ search index=_internal event_message != ""  | rename host as device | eval   ### Create the Policy Template -Follow the steps to create a policy template. - **Step 1 –** From the Settings menu, select **Policy Templates**. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. @@ -96,10 +91,10 @@ Splunk Search Queries tab. ![splqueryconfiguration](/images/changetracker/8.1/integration/splunk/splqueryconfiguration.webp) -Paste the query, give it a description and click Update. The query will now be listed in the policy. +Paste the query, give it a description, and click Update. The query now appears in the policy. :::note -Ensure the desired polling frequency is set. +Set the polling frequency you want. ::: @@ -107,8 +102,6 @@ Ensure the desired polling frequency is set. ### Devices and Groups -Follow the steps to add a group. - **Step 1 –** From the Settings menu, select **Groups** and click **Add** to add a new group called Splunk Tracker. @@ -119,20 +112,18 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.1/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created above. +Any device in this group of the type Splunk will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.1/integration/splunk/group.webp) -**Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the -Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk -events will be matched to. +**Step 4 –** Select the Splunk Tracker group and click **Add** to add a sub group to the +Splunk Tracker group named Splunk devices. This group holds the proxied devices that Change Tracker +matches Splunk events to. ### Devices -To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, a proxied -device must be created with the connection details. - -Follow the steps to manually create a proxied device to represent the target instance of Splunk. +To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, you must +create a proxied device with the connection details. ![manualdevicecreation](/images/changetracker/8.1/integration/splunk/manualdevicecreation.webp) @@ -154,15 +145,15 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Events without a matching device will be ignored +match a device in Change Tracker. Change Tracker ignores events without a matching device ::: This isn't a problem with agent based monitoring as the agent registers it's device on first contact -with the Hub. All types of agentless monitoring require devices to be created in Change Tracker. +with the Hub. All types of agentless monitoring require you to create devices in Change Tracker. -Devices can be created manually or via device discovery. Device discovery is only available when the -Sync Service is configured to integrate with ServiceNow. Both will result in proxied devices +You can create devices manually or via device discovery. Device discovery is only available when you +configure the Sync Service to integrate with ServiceNow. Both will result in proxied devices registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the @@ -170,30 +161,30 @@ To discover devices to match change events from Splunk, see the [Sync Service Administration](/docs/changetracker/8.1/integration/itsm/syncserviceadmin.md) topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a -good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk +good choice here) and click Add Proxied Device. Add the new devices to the Splunk Devices group. -If the logs collected are from a custom application it may be desirable to treat the application as -a device in Change Tracker instead of it's individual servers. This way change events would belong -to the application and not to individual servers. This could be done by manually creating a proxied -device named after the application and then ensuring the SPL query uses the same application name -for it's Device column. +If the logs collected are from a custom application, you may want to treat the application as +a device in Change Tracker instead of its individual servers. This way change events would belong +to the application and not to individual servers. To do this, manually create a proxied +device named after the application, then ensure the SPL query uses the same application name +for its Device column. ## Events -If everything has been configured correctly and communication with the Splunk instance is possible, +If you've configured everything correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. ![splunkevents](/images/changetracker/8.1/integration/splunk/splunkevents.webp) -In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field -in the results other than the required fields is added to the additional info section at the bottom -of the event body. This flexible field can list multiple non required fields from the SPL query. -This enables full control of what is logged into the events. +The body of a Splunk event shows the required fields from the SPL query. Change Tracker adds any +field in the results other than the required fields to the additional info section at the bottom +of the event body. This flexible field can list multiple non-required fields from the SPL query. +This gives you full control over what Change Tracker logs into the events. ![splunkeventbody](/images/changetracker/8.1/integration/splunk/splunkeventbody.webp) -Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker +You can run the tracking policy manually from the Splunk device by clicking Start Tracker Poll. ![starttrackerpoll](/images/changetracker/8.1/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.1/integration/vmware.md b/docs/changetracker/8.1/integration/vmware.md index 8c5ca7260a..a383ed7413 100644 --- a/docs/changetracker/8.1/integration/vmware.md +++ b/docs/changetracker/8.1/integration/vmware.md @@ -11,8 +11,8 @@ tracking templates to ensure secure configuration of vSphere clusters and their ## vSphere/ESXi -Compliance reports for vSphere clusters and their ESXi nodes are executed in an agentless manor with -the use of a proxy agent that has vSphere clusters (or individual ESXi servers) configured as +Change Tracker executes compliance reports for vSphere clusters and their ESXi nodes in an agentless +manner, using a proxy agent that has vSphere clusters (or individual ESXi servers) configured as proxied devices. ## Requirements for the Proxy Agent's Device @@ -24,8 +24,8 @@ proxied devices. ## Installation -After installing .NET 6 and the Gen 7 Agent, following the instructions below will ensure the proxy -agent's device is able to communicate with vSphere and ESXi devices. +After you install .NET 6 and the Gen 7 Agent, follow these instructions to ensure the proxy +agent's device can communicate with vSphere and ESXi devices. Open a PowerShell console as Administrator to run the following command: @@ -35,7 +35,7 @@ Check installation with: Get-PowerCLIVersion -If self-signed certificates are in use with vCenter, the following command will ignore the errors +If vCenter uses self-signed certificates, the following command ignores the errors this usually raises: Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers @@ -46,28 +46,26 @@ Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false ## Configuration -Follow the steps to configure ESXi/vCenter credentials: - **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. ![esxicredentials](/images/changetracker/8.1/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi -monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, -The ESXi Host Type option enables connections to stand alone ESXi servers. +monitoring, use vCenter as the Host Type because it allows for ESXi node discovery. The ESXi Host +Type option enables connections to standalone ESXi servers. ![esxicredentialform](/images/changetracker/8.1/integration/vmware/esxicredentialform.webp) ## Device Discovery -A vSphere cluster is made up of ESXi nodes. In the past, each ESXi node had to be manually added as -a proxied device. It is now possible to add the vSphere service as a proxied device and -automatically discover all of it's ESXi nodes and add them as proxied devices. This allows for -faster configuration and the ability to keep up with fast changing environments where ESXi nodes are -frequently created, removed or even migrated between clusters. +A vSphere cluster consists of ESXi nodes. In the past, you had to add each ESXi node manually as +a proxied device. You can now add the vSphere service as a proxied device and automatically +discover all its ESXi nodes and add them as proxied devices. This speeds up configuration and helps +you keep up with fast-changing environments where ESXi nodes are frequently created, removed, or +migrated between clusters. -From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down +From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the dropdown to configure the discovery job. ![devicediscoverygrid](/images/changetracker/8.1/integration/vmware/devicediscoverygrid.webp) @@ -75,13 +73,13 @@ to configure the discovery job. Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. -Parent Device in Hub is the proxy device that the proxied devices (that represents the ESXi nodes) -will be registered under. Usually Discovery Device and Parent Device in Hub use the same agent, but -different discovery jobs executed by different proxy agents could be configured to register all of +Parent Device in Hub is the proxy device under which Change Tracker registers the proxied devices +that represent the ESXi nodes. Usually Discovery Device and Parent Device in Hub use the same agent, +but you can configure different discovery jobs, executed by different proxy agents, to register all their discovered nodes under one proxy agent. -The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is -no automatic registration so a group must be chosen. +The "Assign to Group" dropdown is the group you assign the discovered ESXi nodes to. There is +no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.1/integration/vmware/devicediscoveryform.webp) @@ -96,7 +94,7 @@ visible in the grid. ## Compliance Reporting -Under the Reports tab, it is now possible to configure and run the appropriate compliance report +Under the Reports tab, you can now configure and run the appropriate compliance report against the group that contains the ESXi devices. ![esxicompliancereport](/images/changetracker/8.1/integration/vmware/esxicompliancereport.webp) diff --git a/docs/changetracker/8.2/integration/splunk.md b/docs/changetracker/8.2/integration/splunk.md index 951d256861..7bca12ee6b 100644 --- a/docs/changetracker/8.2/integration/splunk.md +++ b/docs/changetracker/8.2/integration/splunk.md @@ -6,25 +6,22 @@ sidebar_position: 40 # Splunk -Splunk is used to store logs from devices, databases and applications. Capturing changes to device -configuration, from logs in Splunk, provides a form of agentless monitoring with the ability to -monitor devices that are not currently supported by Change Tracker. This means anything that can -reliably log it's configuration changes to Splunk can be monitored by Change Tracker, including -custom applications. +Splunk stores logs from devices, databases, and applications. Capturing changes to device +configuration, from logs in Splunk, provides a form of agentless monitoring that can monitor +devices Change Tracker doesn't support. This means Change Tracker can monitor anything that can +reliably log its configuration changes to Splunk, including custom applications. -A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, will -return specific logs that are converted to change events in Change Tracker. From this point on, -these change events will behave as if they were produced by a traditional agent. +A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, returns +specific logs that Change Tracker converts to change events. From this point on, these change +events behave as if a traditional agent produced them. -Permissions required for the Splunk can be found in the Authentication and Authorization section of +You can find the permissions required for Splunk in the Authentication and Authorization section of the Splunk Documentation page. See Splunk's [REST API User Manual](https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTUM/RESTusing#rest-api-user-manual) article for additional information on permissions. ## Configure Credentials -Follow the steps to configure Splunk credentials. - **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. @@ -38,15 +35,15 @@ The Splunk credentials are updated. ## Policy Templates -Policy templates are used to configure what to monitor on the target devices. For Splunk a policy -template that defines an SPL query is required. Splunk's SPL query language is similar to SQL in -that it is very flexible when defining the data to query, how to filter it and what transformations -are required like column aliases. +Use policy templates to configure what to monitor on the target devices. Splunk requires a policy +template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +defining the data to query, how to filter it, and what transformations to apply, such as column +aliases. ### Create an SPL Query :::info -It is recommended to develop and test the SPL query in Splunk's Search page. +Develop and test the SPL query in Splunk's Search page. ::: @@ -57,17 +54,17 @@ The query must return fields with the following aliases: - eventdate - eventinfo -The value in the eventdate field must be formatted as YYYY-mm-ddTHH:MM:SS. The strftime function can -be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). +Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS. Use the strftime function to format +date-time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). -Any further fields added will be included in the body of the events when the reach Change Tracker. -Sourcetype is an example of such a field in the test query below. +Any further fields added appear in the body of the events when they reach Change Tracker. +Sourcetype is an example of such a field in the following test query. ![splunksearch](/images/changetracker/8.2/integration/splunk/splunksearch.webp) -Below is the test query used in this document. This query pulls internal Splunk data that any +This document uses the following test query. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of -the statement ensures that only 50 rows are returned. +the statement ensures that the query returns only 50 rows. ``` search index=_internal event_message != ""  | rename host as device | eval  whomadethechange = "test-user" | eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")  | rename event_message as eventinfo | table device whomadethechange eventinfo eventdate sourcetype | head 50 @@ -75,8 +72,6 @@ search index=_internal event_message != ""  | rename host as device | eval   ### Create the Policy Template -Follow the steps to create a policy template. - **Step 1 –** From the Settings menu, select **Policy Templates**. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. @@ -96,10 +91,10 @@ Splunk Search Queries tab. ![splqueryconfiguration](/images/changetracker/8.2/integration/splunk/splqueryconfiguration.webp) -Paste the query, give it a description and click Update. The query will now be listed in the policy. +Paste the query, give it a description, and click Update. The query now appears in the policy. :::note -Ensure the desired polling frequency is set. +Set the polling frequency you want. ::: @@ -107,8 +102,6 @@ Ensure the desired polling frequency is set. ### Devices and Groups -Follow the steps to add a group. - **Step 1 –** From the Settings menu, select **Groups** and click **Add** to add a new group called Splunk Tracker. @@ -119,20 +112,18 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.2/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created above. +Any device in this group of the type Splunk will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.2/integration/splunk/group.webp) -**Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the -Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk -events will be matched to. +**Step 4 –** Select the Splunk Tracker group and click **Add** to add a sub group to the +Splunk Tracker group named Splunk devices. This group holds the proxied devices that Change Tracker +matches Splunk events to. ### Devices -To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, a proxied -device must be created with the connection details. - -Follow the steps to manually create a proxied device to represent the target instance of Splunk. +To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, you must +create a proxied device with the connection details. ![manualdevicecreation](/images/changetracker/8.2/integration/splunk/manualdevicecreation.webp) @@ -154,15 +145,15 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Events without a matching device will be ignored +match a device in Change Tracker. Change Tracker ignores events without a matching device ::: This isn't a problem with agent based monitoring as the agent registers it's device on first contact -with the Hub. All types of agentless monitoring require devices to be created in Change Tracker. +with the Hub. All types of agentless monitoring require you to create devices in Change Tracker. -Devices can be created manually or via device discovery. Device discovery is only available when the -Sync Service is configured to integrate with ServiceNow. Both will result in proxied devices +You can create devices manually or via device discovery. Device discovery is only available when you +configure the Sync Service to integrate with ServiceNow. Both will result in proxied devices registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the @@ -170,30 +161,30 @@ To discover devices to match change events from Splunk, see the [Sync Service Administration](/docs/changetracker/8.2/integration/itsm/syncserviceadmin.md) topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a -good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk +good choice here) and click Add Proxied Device. Add the new devices to the Splunk Devices group. -If the logs collected are from a custom application it may be desirable to treat the application as -a device in Change Tracker instead of it's individual servers. This way change events would belong -to the application and not to individual servers. This could be done by manually creating a proxied -device named after the application and then ensuring the SPL query uses the same application name -for it's Device column. +If the logs collected are from a custom application, you may want to treat the application as +a device in Change Tracker instead of its individual servers. This way change events would belong +to the application and not to individual servers. To do this, manually create a proxied +device named after the application, then ensure the SPL query uses the same application name +for its Device column. ## Events -If everything has been configured correctly and communication with the Splunk instance is possible, +If you've configured everything correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. ![splunkevents](/images/changetracker/8.2/integration/splunk/splunkevents.webp) -In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field -in the results other than the required fields is added to the additional info section at the bottom -of the event body. This flexible field can list multiple non required fields from the SPL query. -This enables full control of what is logged into the events. +The body of a Splunk event shows the required fields from the SPL query. Change Tracker adds any +field in the results other than the required fields to the additional info section at the bottom +of the event body. This flexible field can list multiple non-required fields from the SPL query. +This gives you full control over what Change Tracker logs into the events. ![splunkeventbody](/images/changetracker/8.2/integration/splunk/splunkeventbody.webp) -Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker +You can run the tracking policy manually from the Splunk device by clicking Start Tracker Poll. ![starttrackerpoll](/images/changetracker/8.2/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.2/integration/vmware.md b/docs/changetracker/8.2/integration/vmware.md index 1173382edd..50224e9ba5 100644 --- a/docs/changetracker/8.2/integration/vmware.md +++ b/docs/changetracker/8.2/integration/vmware.md @@ -11,8 +11,8 @@ tracking templates to ensure secure configuration of vSphere clusters and their ## vSphere/ESXi -Compliance reports for vSphere clusters and their ESXi nodes are executed in an agentless manor with -the use of a proxy agent that has vSphere clusters (or individual ESXi servers) configured as +Change Tracker executes compliance reports for vSphere clusters and their ESXi nodes in an agentless +manner, using a proxy agent that has vSphere clusters (or individual ESXi servers) configured as proxied devices. ## Requirements for the Proxy Agent's Device @@ -24,8 +24,8 @@ proxied devices. ## Installation -After installing .NET 6 and the Gen 7 Agent, following the instructions below will ensure the proxy -agent's device is able to communicate with vSphere and ESXi devices. +After you install .NET 6 and the Gen 7 Agent, follow these instructions to ensure the proxy +agent's device can communicate with vSphere and ESXi devices. Open a PowerShell console as Administrator to run the following command: @@ -35,7 +35,7 @@ Check installation with: Get-PowerCLIVersion -If self-signed certificates are in use with vCenter, the following command will ignore the errors +If vCenter uses self-signed certificates, the following command ignores the errors this usually raises: Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers @@ -46,28 +46,26 @@ Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false ## Configuration -Follow the steps to configure ESXi/vCenter credentials: - **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. ![esxicredentials](/images/changetracker/8.2/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi -monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, -The ESXi Host Type option enables connections to stand alone ESXi servers. +monitoring, use vCenter as the Host Type because it allows for ESXi node discovery. The ESXi Host +Type option enables connections to standalone ESXi servers. ![esxicredentialform](/images/changetracker/8.2/integration/vmware/esxicredentialform.webp) ## Device Discovery -A vSphere cluster is made up of ESXi nodes. In the past, each ESXi node had to be manually added as -a proxied device. It is now possible to add the vSphere service as a proxied device and -automatically discover all of it's ESXi nodes and add them as proxied devices. This allows for -faster configuration and the ability to keep up with fast changing environments where ESXi nodes are -frequently created, removed or even migrated between clusters. +A vSphere cluster consists of ESXi nodes. In the past, you had to add each ESXi node manually as +a proxied device. You can now add the vSphere service as a proxied device and automatically +discover all its ESXi nodes and add them as proxied devices. This speeds up configuration and helps +you keep up with fast-changing environments where ESXi nodes are frequently created, removed, or +migrated between clusters. -From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down +From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the dropdown to configure the discovery job. ![devicediscoverygrid](/images/changetracker/8.2/integration/vmware/devicediscoverygrid.webp) @@ -75,13 +73,13 @@ to configure the discovery job. Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. -Parent Device in Hub is the proxy device that the proxied devices (that represents the ESXi nodes) -will be registered under. Usually Discovery Device and Parent Device in Hub use the same agent, but -different discovery jobs executed by different proxy agents could be configured to register all of +Parent Device in Hub is the proxy device under which Change Tracker registers the proxied devices +that represent the ESXi nodes. Usually Discovery Device and Parent Device in Hub use the same agent, +but you can configure different discovery jobs, executed by different proxy agents, to register all their discovered nodes under one proxy agent. -The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is -no automatic registration so a group must be chosen. +The "Assign to Group" dropdown is the group you assign the discovered ESXi nodes to. There is +no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.2/integration/vmware/devicediscoveryform.webp) @@ -96,7 +94,7 @@ visible in the grid. ## Compliance Reporting -Under the Reports tab, it is now possible to configure and run the appropriate compliance report +Under the Reports tab, you can now configure and run the appropriate compliance report against the group that contains the ESXi devices. ![esxicompliancereport](/images/changetracker/8.2/integration/vmware/esxicompliancereport.webp) From 0ec7ac949a15ebb8651f3294a8d78b86a4601e36 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 14:07:39 +0000 Subject: [PATCH 16/21] docs: apply fixes from PR review Correct VMware brand capitalization in integration overview link text across Change Tracker 8.0, 8.1, and 8.2. Co-Authored-By: Claude --- docs/changetracker/8.0/integration/overview.md | 2 +- docs/changetracker/8.1/integration/overview.md | 2 +- docs/changetracker/8.2/integration/overview.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/changetracker/8.0/integration/overview.md b/docs/changetracker/8.0/integration/overview.md index 442529966e..baec72fa7e 100644 --- a/docs/changetracker/8.0/integration/overview.md +++ b/docs/changetracker/8.0/integration/overview.md @@ -12,4 +12,4 @@ Netwrix Change Tracker supports the following integrations: - [API](/docs/changetracker/8.0/integration/api/overview.md) - [IT Management Systems](/docs/changetracker/8.0/integration/itsm/overview.md) - [Splunk](/docs/changetracker/8.0/integration/splunk.md) -- [VMWare](/docs/changetracker/8.0/integration/vmware.md) +- [VMware](/docs/changetracker/8.0/integration/vmware.md) diff --git a/docs/changetracker/8.1/integration/overview.md b/docs/changetracker/8.1/integration/overview.md index a98e6da6bf..bf59c7a354 100644 --- a/docs/changetracker/8.1/integration/overview.md +++ b/docs/changetracker/8.1/integration/overview.md @@ -12,4 +12,4 @@ Netwrix Change Tracker supports the following integrations: - [API](/docs/changetracker/8.1/api/overview.md) - [IT Service Management](/docs/changetracker/8.1/integration/itsm/overview.md) - [Splunk](/docs/changetracker/8.1/integration/splunk.md) -- [VMWare](/docs/changetracker/8.1/integration/vmware.md) +- [VMware](/docs/changetracker/8.1/integration/vmware.md) diff --git a/docs/changetracker/8.2/integration/overview.md b/docs/changetracker/8.2/integration/overview.md index d153c1672b..233d09d166 100644 --- a/docs/changetracker/8.2/integration/overview.md +++ b/docs/changetracker/8.2/integration/overview.md @@ -12,4 +12,4 @@ Netwrix Change Tracker supports the following integrations: - [API](/docs/changetracker/8.2/api/overview.md) - [IT Service Management](/docs/changetracker/8.2/integration/itsm/overview.md) - [Splunk](/docs/changetracker/8.2/integration/splunk.md) -- [VMWare](/docs/changetracker/8.2/integration/vmware.md) +- [VMware](/docs/changetracker/8.2/integration/vmware.md) From 02242d923e2af3a85fa1ec7fd900461c708f6186 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 14:07:42 +0000 Subject: [PATCH 17/21] docs(changetracker): fix VMware brand capitalization Correct 'VMWare' to 'VMware' (vendor's official brand capitalization) across the integration overview links and the VMware integration pages in versions 8.0, 8.1, and 8.2. Also fixes the PowerShell module name to 'VMware.PowerCLI'. Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/changetracker/8.0/integration/vmware.md | 10 +++++----- docs/changetracker/8.1/integration/vmware.md | 10 +++++----- docs/changetracker/8.2/integration/vmware.md | 10 +++++----- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/changetracker/8.0/integration/vmware.md b/docs/changetracker/8.0/integration/vmware.md index b6cb2da30e..6328ffe2a7 100644 --- a/docs/changetracker/8.0/integration/vmware.md +++ b/docs/changetracker/8.0/integration/vmware.md @@ -1,12 +1,12 @@ --- -title: "VMWare" -description: "VMWare" +title: "VMware" +description: "VMware" sidebar_position: 50 --- -# VMWare +# VMware -vSphere is VMWare's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi @@ -19,7 +19,7 @@ proxied devices. - .NET 6 - PowerShell 7 -- PowerShell Module VMWare.PowerCLI +- PowerShell Module VMware.PowerCLI - Gen 7 Agent ## Installation diff --git a/docs/changetracker/8.1/integration/vmware.md b/docs/changetracker/8.1/integration/vmware.md index a383ed7413..5ab67fa3c7 100644 --- a/docs/changetracker/8.1/integration/vmware.md +++ b/docs/changetracker/8.1/integration/vmware.md @@ -1,12 +1,12 @@ --- -title: "VMWare" -description: "VMWare" +title: "VMware" +description: "VMware" sidebar_position: 50 --- -# VMWare +# VMware -vSphere is VMWare's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi @@ -19,7 +19,7 @@ proxied devices. - .NET 6 - PowerShell 7 -- PowerShell Module VMWare.PowerCLI +- PowerShell Module VMware.PowerCLI - Gen 7 Agent ## Installation diff --git a/docs/changetracker/8.2/integration/vmware.md b/docs/changetracker/8.2/integration/vmware.md index 50224e9ba5..6cf2bd1920 100644 --- a/docs/changetracker/8.2/integration/vmware.md +++ b/docs/changetracker/8.2/integration/vmware.md @@ -1,12 +1,12 @@ --- -title: "VMWare" -description: "VMWare" +title: "VMware" +description: "VMware" sidebar_position: 50 --- -# VMWare +# VMware -vSphere is VMWare's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi @@ -19,7 +19,7 @@ proxied devices. - .NET 6 - PowerShell 7 -- PowerShell Module VMWare.PowerCLI +- PowerShell Module VMware.PowerCLI - Gen 7 Agent ## Installation From 09f677893e9d929a0921fa0e0d291a496670134d Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 14:13:55 +0000 Subject: [PATCH 18/21] fix(vale): auto-fix style issues (Vale + Dale) --- docs/changetracker/8.0/integration/splunk.md | 2 +- docs/changetracker/8.1/integration/splunk.md | 2 +- docs/changetracker/8.2/integration/splunk.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/changetracker/8.0/integration/splunk.md b/docs/changetracker/8.0/integration/splunk.md index c2d4e1fa4c..6170e51fbf 100644 --- a/docs/changetracker/8.0/integration/splunk.md +++ b/docs/changetracker/8.0/integration/splunk.md @@ -31,7 +31,7 @@ section. **Step 3 –** Click **Update**. -The Splunk credentials are updated. +Change Tracker updates the Splunk credentials. ## Policy Templates diff --git a/docs/changetracker/8.1/integration/splunk.md b/docs/changetracker/8.1/integration/splunk.md index 1b5012ee1e..dc956c1068 100644 --- a/docs/changetracker/8.1/integration/splunk.md +++ b/docs/changetracker/8.1/integration/splunk.md @@ -31,7 +31,7 @@ section. **Step 3 –** Click **Update**. -The Splunk credentials are updated. +Change Tracker updates the Splunk credentials. ## Policy Templates diff --git a/docs/changetracker/8.2/integration/splunk.md b/docs/changetracker/8.2/integration/splunk.md index 7bca12ee6b..172b6d349a 100644 --- a/docs/changetracker/8.2/integration/splunk.md +++ b/docs/changetracker/8.2/integration/splunk.md @@ -31,7 +31,7 @@ section. **Step 3 –** Click **Update**. -The Splunk credentials are updated. +Change Tracker updates the Splunk credentials. ## Policy Templates From ba5b506cc96222a31447e7ffe258c8019883e7b4 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:04:04 +0000 Subject: [PATCH 19/21] fix(vale): auto-fix style issues (Vale + Dale) --- docs/changetracker/8.0/integration/splunk.md | 2 +- docs/changetracker/8.0/integration/vmware.md | 2 +- docs/changetracker/8.1/integration/splunk.md | 2 +- docs/changetracker/8.1/integration/vmware.md | 2 +- docs/changetracker/8.2/integration/splunk.md | 2 +- docs/changetracker/8.2/integration/vmware.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/changetracker/8.0/integration/splunk.md b/docs/changetracker/8.0/integration/splunk.md index 6170e51fbf..813abf434a 100644 --- a/docs/changetracker/8.0/integration/splunk.md +++ b/docs/changetracker/8.0/integration/splunk.md @@ -112,7 +112,7 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.0/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created earlier. +Any device of the type Splunk in this group will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.0/integration/splunk/group.webp) diff --git a/docs/changetracker/8.0/integration/vmware.md b/docs/changetracker/8.0/integration/vmware.md index 6328ffe2a7..dd98c5cc96 100644 --- a/docs/changetracker/8.0/integration/vmware.md +++ b/docs/changetracker/8.0/integration/vmware.md @@ -83,7 +83,7 @@ no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.0/integration/vmware/devicediscoveryform.webp) -Once configured a discovery job will automatically run and if successful, the devices will be +Once configured, a discovery job will automatically run, and if it succeeds, the devices will be visible in the grid. ![devicediscoverystarted](/images/changetracker/8.0/integration/vmware/devicediscoverystarted.webp) diff --git a/docs/changetracker/8.1/integration/splunk.md b/docs/changetracker/8.1/integration/splunk.md index dc956c1068..a0809bae30 100644 --- a/docs/changetracker/8.1/integration/splunk.md +++ b/docs/changetracker/8.1/integration/splunk.md @@ -112,7 +112,7 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.1/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created earlier. +Any device of the type Splunk in this group will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.1/integration/splunk/group.webp) diff --git a/docs/changetracker/8.1/integration/vmware.md b/docs/changetracker/8.1/integration/vmware.md index 5ab67fa3c7..0ede1a0b47 100644 --- a/docs/changetracker/8.1/integration/vmware.md +++ b/docs/changetracker/8.1/integration/vmware.md @@ -83,7 +83,7 @@ no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.1/integration/vmware/devicediscoveryform.webp) -Once configured a discovery job will automatically run and if successful, the devices will be +Once configured, a discovery job will automatically run, and if it succeeds, the devices will be visible in the grid. ![devicediscoverystarted](/images/changetracker/8.1/integration/vmware/devicediscoverystarted.webp) diff --git a/docs/changetracker/8.2/integration/splunk.md b/docs/changetracker/8.2/integration/splunk.md index 172b6d349a..ef799e5787 100644 --- a/docs/changetracker/8.2/integration/splunk.md +++ b/docs/changetracker/8.2/integration/splunk.md @@ -112,7 +112,7 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.2/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created earlier. +Any device of the type Splunk in this group will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.2/integration/splunk/group.webp) diff --git a/docs/changetracker/8.2/integration/vmware.md b/docs/changetracker/8.2/integration/vmware.md index 6cf2bd1920..37cba26df2 100644 --- a/docs/changetracker/8.2/integration/vmware.md +++ b/docs/changetracker/8.2/integration/vmware.md @@ -83,7 +83,7 @@ no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.2/integration/vmware/devicediscoveryform.webp) -Once configured a discovery job will automatically run and if successful, the devices will be +Once configured, a discovery job will automatically run, and if it succeeds, the devices will be visible in the grid. ![devicediscoverystarted](/images/changetracker/8.2/integration/vmware/devicediscoverystarted.webp) From 8160cbe4dbc2d008eabb9781377b9523c497aea1 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:29:02 +0000 Subject: [PATCH 20/21] docs: apply fixes from PR review - Add missing terminal period to the device-matching :::note in splunk.md - Spell out Structured Query Language (SQL) on first use in splunk.md - Define Center for Internet Security (CIS) on first use in vmware.md Applied across Change Tracker versions 8.0, 8.1, and 8.2. Co-Authored-By: Claude --- docs/changetracker/8.0/integration/splunk.md | 5 +++-- docs/changetracker/8.0/integration/vmware.md | 3 ++- docs/changetracker/8.1/integration/splunk.md | 5 +++-- docs/changetracker/8.1/integration/vmware.md | 3 ++- docs/changetracker/8.2/integration/splunk.md | 5 +++-- docs/changetracker/8.2/integration/vmware.md | 3 ++- 6 files changed, 15 insertions(+), 9 deletions(-) diff --git a/docs/changetracker/8.0/integration/splunk.md b/docs/changetracker/8.0/integration/splunk.md index 813abf434a..996604cd92 100644 --- a/docs/changetracker/8.0/integration/splunk.md +++ b/docs/changetracker/8.0/integration/splunk.md @@ -36,7 +36,8 @@ Change Tracker updates the Splunk credentials. ## Policy Templates Use policy templates to configure what to monitor on the target devices. Splunk requires a policy -template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +template that defines an SPL query. Splunk's SPL query language is similar to Structured Query +Language (SQL): it's flexible in defining the data to query, how to filter it, and what transformations to apply, such as column aliases. @@ -145,7 +146,7 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Change Tracker ignores events without a matching device +match a device in Change Tracker. Change Tracker ignores events without a matching device. ::: diff --git a/docs/changetracker/8.0/integration/vmware.md b/docs/changetracker/8.0/integration/vmware.md index dd98c5cc96..bd3cd5ec7f 100644 --- a/docs/changetracker/8.0/integration/vmware.md +++ b/docs/changetracker/8.0/integration/vmware.md @@ -6,7 +6,8 @@ sidebar_position: 50 # VMware -vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes Center for Internet Security +(CIS) certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi diff --git a/docs/changetracker/8.1/integration/splunk.md b/docs/changetracker/8.1/integration/splunk.md index a0809bae30..bb95215eb6 100644 --- a/docs/changetracker/8.1/integration/splunk.md +++ b/docs/changetracker/8.1/integration/splunk.md @@ -36,7 +36,8 @@ Change Tracker updates the Splunk credentials. ## Policy Templates Use policy templates to configure what to monitor on the target devices. Splunk requires a policy -template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +template that defines an SPL query. Splunk's SPL query language is similar to Structured Query +Language (SQL): it's flexible in defining the data to query, how to filter it, and what transformations to apply, such as column aliases. @@ -145,7 +146,7 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Change Tracker ignores events without a matching device +match a device in Change Tracker. Change Tracker ignores events without a matching device. ::: diff --git a/docs/changetracker/8.1/integration/vmware.md b/docs/changetracker/8.1/integration/vmware.md index 0ede1a0b47..788dbd24a3 100644 --- a/docs/changetracker/8.1/integration/vmware.md +++ b/docs/changetracker/8.1/integration/vmware.md @@ -6,7 +6,8 @@ sidebar_position: 50 # VMware -vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes Center for Internet Security +(CIS) certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi diff --git a/docs/changetracker/8.2/integration/splunk.md b/docs/changetracker/8.2/integration/splunk.md index ef799e5787..1f2cc92f83 100644 --- a/docs/changetracker/8.2/integration/splunk.md +++ b/docs/changetracker/8.2/integration/splunk.md @@ -36,7 +36,8 @@ Change Tracker updates the Splunk credentials. ## Policy Templates Use policy templates to configure what to monitor on the target devices. Splunk requires a policy -template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +template that defines an SPL query. Splunk's SPL query language is similar to Structured Query +Language (SQL): it's flexible in defining the data to query, how to filter it, and what transformations to apply, such as column aliases. @@ -145,7 +146,7 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Change Tracker ignores events without a matching device +match a device in Change Tracker. Change Tracker ignores events without a matching device. ::: diff --git a/docs/changetracker/8.2/integration/vmware.md b/docs/changetracker/8.2/integration/vmware.md index 37cba26df2..ebd3f9fad5 100644 --- a/docs/changetracker/8.2/integration/vmware.md +++ b/docs/changetracker/8.2/integration/vmware.md @@ -6,7 +6,8 @@ sidebar_position: 50 # VMware -vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes Center for Internet Security +(CIS) certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi From bfb3628aea704b8446e5827b2626633869302639 Mon Sep 17 00:00:00 2001 From: nwx-david-wolff Date: Wed, 24 Jun 2026 12:06:55 -0500 Subject: [PATCH 21/21] Add NTM Entra ID Proxy Doc (#1159) * Add Extra Proxy Doc AB#440150 * fix(vale): auto-fix style issues (Vale + Dale) --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> --- docs/threatmanager/3.1/install/appsettings.md | 72 ++++++++++++++++ docs/threatmanager/3.1/install/proxy.md | 83 +++++++++++++++++++ docs/threatmanager/3.1/install/secure.md | 4 + docs/threatmanager/3.2/install/appsettings.md | 72 ++++++++++++++++ docs/threatmanager/3.2/install/proxy.md | 83 +++++++++++++++++++ docs/threatmanager/3.2/install/secure.md | 10 ++- 6 files changed, 321 insertions(+), 3 deletions(-) create mode 100644 docs/threatmanager/3.1/install/appsettings.md create mode 100644 docs/threatmanager/3.1/install/proxy.md create mode 100644 docs/threatmanager/3.2/install/appsettings.md create mode 100644 docs/threatmanager/3.2/install/proxy.md diff --git a/docs/threatmanager/3.1/install/appsettings.md b/docs/threatmanager/3.1/install/appsettings.md new file mode 100644 index 0000000000..a2a0bc5e9b --- /dev/null +++ b/docs/threatmanager/3.1/install/appsettings.md @@ -0,0 +1,72 @@ +--- +title: "Modify Service Configuration Settings" +description: "Modify Service Configuration Settings" +sidebar_position: 45 +--- + +# Modify Service Configuration Settings + +Threat Manager services are configured through JSON configuration files. Each service reads its +settings at startup from `appsettings.json` in the service's installation directory. + +## Configuration Files + +Each service ships with an `appsettings.default.json` file that contains the default settings used +when no override is present. Every upgrade replaces this file, so don't edit it +directly. Use it as a reference to see what settings are available for a given service. + +To override settings for a service, create an `appsettings.json` file in the same directory. The +installer doesn't create this file — you must create it yourself. Settings in `appsettings.json` +take precedence over those in `appsettings.default.json`. + +The following services support configuration overrides via `appsettings.json`: + +| Service | Configuration directory | +|---|---| +| Action Service | `C:\Program Files\STEALTHbits\StealthDEFEND\ActionService\` | +| Active Directory Service | `C:\Program Files\STEALTHbits\StealthDEFEND\ActiveDirectoryService\` | +| Azure Service | `C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\` | +| Email Service | `C:\Program Files\STEALTHbits\StealthDEFEND\EmailService\` | +| Event Message Service | `C:\Program Files\STEALTHbits\StealthDEFEND\EventMessageService\` | +| Integration Service | `C:\Program Files\STEALTHbits\StealthDEFEND\IntegrationService\` | +| Job Service | `C:\Program Files\STEALTHbits\StealthDEFEND\JobService\` | +| License Service | `C:\Program Files\STEALTHbits\StealthDEFEND\LicenseService\` | +| SIEM Service | `C:\Program Files\STEALTHbits\StealthDEFEND\SiemService\` | +| Web Service | `C:\Program Files\STEALTHbits\StealthDEFEND\RestServer\` | + +## Override Specific Settings + +Only include the settings you want to change in `appsettings.json`. Don't copy the entire contents +of `appsettings.default.json` into `appsettings.json`. Copying all defaults prevents Threat Manager +upgrades from applying updated default values for settings you haven't intentionally changed. + +For example, to override a single setting for the Azure Service, create +`C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\appsettings.json` with only the section +containing that setting: + +```json +{ + "Proxy": { + "Enabled": true, + "Address": "http://proxy.contoso.com:8080" + } +} +``` + +Settings not present in `appsettings.json` continue to use the values from +`appsettings.default.json`. + +## Apply Configuration Changes + +Changes to `appsettings.json` don't take effect until you restart the service. To restart a +service, open the Windows Services management console (`services.msc`), locate the service by name, +and select **Restart**. + +## Troubleshooting + +If a service fails to start after editing `appsettings.json`, the most common cause is a JSON +formatting error. Verify the file contains valid JSON before restarting the service. Common mistakes +include missing or extra commas, mismatched braces, and unquoted property names. + +You can validate the file using any JSON validator, or open it in an editor with JSON syntax +checking such as Visual Studio Code. diff --git a/docs/threatmanager/3.1/install/proxy.md b/docs/threatmanager/3.1/install/proxy.md new file mode 100644 index 0000000000..c06b549b82 --- /dev/null +++ b/docs/threatmanager/3.1/install/proxy.md @@ -0,0 +1,83 @@ +--- +title: "Configure a Proxy for Azure and Entra ID Connections" +description: "Configure a Proxy for Azure and Entra ID Connections" +sidebar_position: 50 +--- + +# Configure a Proxy for Azure and Entra ID Connections + +Netwrix Threat Manager's Azure Service connects to Azure and Microsoft Entra ID to sync data. If +your environment requires outbound connections to go through a proxy server, configure the proxy +settings in the Azure Service configuration file. + +## Configuration File + +The proxy is configured in the Azure Service `appsettings.json` file on the Threat Manager server: + +**C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\appsettings.json** + +:::warning +Before editing configuration files, review the [Modify Service Configuration Settings](/docs/threatmanager/3.1/install/appsettings.md) topic for important guidance on the correct approach. +::: + +## Proxy Settings + +Add or update the `Proxy` section in `appsettings.json`: + +```json +{ + "Proxy": { + "Enabled": true, + "Address": "http://proxy.contoso.com:8080", + "BypassProxyOnLocal": null, + "UseDefaultCredentials": null, + "PreAuthenticate": null, + "CredentialProfileId": null + } +} +``` + +The following table describes each setting. + +| Property | Config Key | Type | Description | +|---|---|---|---| +| Enabled | `Proxy:Enabled` | bool | Whether the proxy is active. If `false`, the service ignores all other settings and connects directly. | +| Address | `Proxy:Address` | string | The proxy server URL, e.g. `http://proxy.contoso.com:8080`. Required when `Enabled` is `true`. | +| BypassProxyOnLocal | `Proxy:BypassProxyOnLocal` | bool | Whether to skip the proxy for local and intranet addresses. | +| UseDefaultCredentials | `Proxy:UseDefaultCredentials` | bool | Whether to authenticate to the proxy using the Windows identity of the service account. Suitable for NTLM/Kerberos-authenticated proxies. | +| PreAuthenticate | `Proxy:PreAuthenticate` | bool | Whether to send proxy credentials on the first request rather than waiting for a 407 challenge. Can improve performance on authenticated proxies. | +| CredentialProfileId | `Proxy:CredentialProfileId` | long | ID of a credential profile to use for proxy authentication. Used instead of `UseDefaultCredentials` when the proxy requires an explicit username and password. See the [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic for information on creating credential profiles. | + +## Configure the Proxy + +**Step 1 –** Open the Azure Service configuration file on the Threat Manager server: + +**C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\appsettings.json** + +**Step 2 –** Locate the `Proxy` section. If it doesn't exist, add it as shown in the preceding example. + +**Step 3 –** Set `Enabled` to `true`. + +**Step 4 –** Set `Address` to the URL of your proxy server, e.g. `http://proxy.contoso.com:8080`. + +**Step 5 –** Configure authentication for the proxy using one of the following options: + +- **Windows identity (NTLM/Kerberos)** — Set `UseDefaultCredentials` to `true`. The service + authenticates to the proxy using the Windows identity of the account running the Azure Service. +- **Explicit credentials** — Set `CredentialProfileId` to the ID of a credential profile stored in + Threat Manager. See the + [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) + topic for information on creating credential profiles. +- **No authentication** — Leave both `UseDefaultCredentials` and `CredentialProfileId` as `null` + for unauthenticated proxies. + +**Step 6 –** Optionally, set `BypassProxyOnLocal` to `true` to bypass the proxy for local and +intranet addresses. + +**Step 7 –** Optionally, set `PreAuthenticate` to `true` to send proxy credentials on the first +request and avoid the 407 challenge round-trip. Use this only if your proxy supports +pre-authentication. + +**Step 8 –** Save the configuration file. + +**Step 9 –** Restart the Netwrix Threat Manager Azure Service for the changes to take effect. diff --git a/docs/threatmanager/3.1/install/secure.md b/docs/threatmanager/3.1/install/secure.md index ff9340d99b..46560b3d0f 100644 --- a/docs/threatmanager/3.1/install/secure.md +++ b/docs/threatmanager/3.1/install/secure.md @@ -6,6 +6,10 @@ sidebar_position: 40 # Secure the Threat Manager Console +:::warning +Before editing configuration files, review the [Modify Service Configuration Settings](/docs/threatmanager/3.1/install/appsettings.md) topic for important guidance on the correct approach. +::: + To support HTTPS, do the following: - Import an SSL certificate to the server diff --git a/docs/threatmanager/3.2/install/appsettings.md b/docs/threatmanager/3.2/install/appsettings.md new file mode 100644 index 0000000000..a2a0bc5e9b --- /dev/null +++ b/docs/threatmanager/3.2/install/appsettings.md @@ -0,0 +1,72 @@ +--- +title: "Modify Service Configuration Settings" +description: "Modify Service Configuration Settings" +sidebar_position: 45 +--- + +# Modify Service Configuration Settings + +Threat Manager services are configured through JSON configuration files. Each service reads its +settings at startup from `appsettings.json` in the service's installation directory. + +## Configuration Files + +Each service ships with an `appsettings.default.json` file that contains the default settings used +when no override is present. Every upgrade replaces this file, so don't edit it +directly. Use it as a reference to see what settings are available for a given service. + +To override settings for a service, create an `appsettings.json` file in the same directory. The +installer doesn't create this file — you must create it yourself. Settings in `appsettings.json` +take precedence over those in `appsettings.default.json`. + +The following services support configuration overrides via `appsettings.json`: + +| Service | Configuration directory | +|---|---| +| Action Service | `C:\Program Files\STEALTHbits\StealthDEFEND\ActionService\` | +| Active Directory Service | `C:\Program Files\STEALTHbits\StealthDEFEND\ActiveDirectoryService\` | +| Azure Service | `C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\` | +| Email Service | `C:\Program Files\STEALTHbits\StealthDEFEND\EmailService\` | +| Event Message Service | `C:\Program Files\STEALTHbits\StealthDEFEND\EventMessageService\` | +| Integration Service | `C:\Program Files\STEALTHbits\StealthDEFEND\IntegrationService\` | +| Job Service | `C:\Program Files\STEALTHbits\StealthDEFEND\JobService\` | +| License Service | `C:\Program Files\STEALTHbits\StealthDEFEND\LicenseService\` | +| SIEM Service | `C:\Program Files\STEALTHbits\StealthDEFEND\SiemService\` | +| Web Service | `C:\Program Files\STEALTHbits\StealthDEFEND\RestServer\` | + +## Override Specific Settings + +Only include the settings you want to change in `appsettings.json`. Don't copy the entire contents +of `appsettings.default.json` into `appsettings.json`. Copying all defaults prevents Threat Manager +upgrades from applying updated default values for settings you haven't intentionally changed. + +For example, to override a single setting for the Azure Service, create +`C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\appsettings.json` with only the section +containing that setting: + +```json +{ + "Proxy": { + "Enabled": true, + "Address": "http://proxy.contoso.com:8080" + } +} +``` + +Settings not present in `appsettings.json` continue to use the values from +`appsettings.default.json`. + +## Apply Configuration Changes + +Changes to `appsettings.json` don't take effect until you restart the service. To restart a +service, open the Windows Services management console (`services.msc`), locate the service by name, +and select **Restart**. + +## Troubleshooting + +If a service fails to start after editing `appsettings.json`, the most common cause is a JSON +formatting error. Verify the file contains valid JSON before restarting the service. Common mistakes +include missing or extra commas, mismatched braces, and unquoted property names. + +You can validate the file using any JSON validator, or open it in an editor with JSON syntax +checking such as Visual Studio Code. diff --git a/docs/threatmanager/3.2/install/proxy.md b/docs/threatmanager/3.2/install/proxy.md new file mode 100644 index 0000000000..1ff9c8c5e7 --- /dev/null +++ b/docs/threatmanager/3.2/install/proxy.md @@ -0,0 +1,83 @@ +--- +title: "Configure a Proxy for Azure and Entra ID Connections" +description: "Configure a Proxy for Azure and Entra ID Connections" +sidebar_position: 50 +--- + +# Configure a Proxy for Azure and Entra ID Connections + +Netwrix Threat Manager's Azure Service connects to Azure and Microsoft Entra ID to sync data. If +your environment requires outbound connections to go through a proxy server, configure the proxy +settings in the Azure Service configuration file. + +## Configuration File + +The proxy is configured in the Azure Service `appsettings.json` file on the Threat Manager server: + +**C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\appsettings.json** + +:::warning +Before editing configuration files, review the [Modify Service Configuration Settings](/docs/threatmanager/3.2/install/appsettings.md) topic for important guidance on the correct approach. +::: + +## Proxy Settings + +Add or update the `Proxy` section in `appsettings.json`: + +```json +{ + "Proxy": { + "Enabled": true, + "Address": "http://proxy.contoso.com:8080", + "BypassProxyOnLocal": null, + "UseDefaultCredentials": null, + "PreAuthenticate": null, + "CredentialProfileId": null + } +} +``` + +The following table describes each setting. + +| Property | Config Key | Type | Description | +|---|---|---|---| +| Enabled | `Proxy:Enabled` | bool | Whether the proxy is active. If `false`, the service ignores all other settings and connects directly. | +| Address | `Proxy:Address` | string | The proxy server URL, e.g. `http://proxy.contoso.com:8080`. Required when `Enabled` is `true`. | +| BypassProxyOnLocal | `Proxy:BypassProxyOnLocal` | bool | Whether to skip the proxy for local and intranet addresses. | +| UseDefaultCredentials | `Proxy:UseDefaultCredentials` | bool | Whether to authenticate to the proxy using the Windows identity of the service account. Suitable for NTLM/Kerberos-authenticated proxies. | +| PreAuthenticate | `Proxy:PreAuthenticate` | bool | Whether to send proxy credentials on the first request rather than waiting for a 407 challenge. Can improve performance on authenticated proxies. | +| CredentialProfileId | `Proxy:CredentialProfileId` | long | ID of a credential profile to use for proxy authentication. Used instead of `UseDefaultCredentials` when the proxy requires an explicit username and password. See the [Credential Profile Page](/docs/threatmanager/3.2/administration/configuration/integrations/credentialprofile.md) topic for information on creating credential profiles. | + +## Configure the Proxy + +**Step 1 –** Open the Azure Service configuration file on the Threat Manager server: + +**C:\Program Files\STEALTHbits\StealthDEFEND\AzureService\appsettings.json** + +**Step 2 –** Locate the `Proxy` section. If it doesn't exist, add it as shown in the preceding example. + +**Step 3 –** Set `Enabled` to `true`. + +**Step 4 –** Set `Address` to the URL of your proxy server, e.g. `http://proxy.contoso.com:8080`. + +**Step 5 –** Configure authentication for the proxy using one of the following options: + +- **Windows identity (NTLM/Kerberos)** — Set `UseDefaultCredentials` to `true`. The service + authenticates to the proxy using the Windows identity of the account running the Azure Service. +- **Explicit credentials** — Set `CredentialProfileId` to the ID of a credential profile stored in + Threat Manager. See the + [Credential Profile Page](/docs/threatmanager/3.2/administration/configuration/integrations/credentialprofile.md) + topic for information on creating credential profiles. +- **No authentication** — Leave both `UseDefaultCredentials` and `CredentialProfileId` as `null` + for unauthenticated proxies. + +**Step 6 –** Optionally, set `BypassProxyOnLocal` to `true` to bypass the proxy for local and +intranet addresses. + +**Step 7 –** Optionally, set `PreAuthenticate` to `true` to send proxy credentials on the first +request and avoid the 407 challenge round-trip. Use this only if your proxy supports +pre-authentication. + +**Step 8 –** Save the configuration file. + +**Step 9 –** Restart the Netwrix Threat Manager Azure Service for the changes to take effect. diff --git a/docs/threatmanager/3.2/install/secure.md b/docs/threatmanager/3.2/install/secure.md index 3eecfaa466..7b6a772f28 100644 --- a/docs/threatmanager/3.2/install/secure.md +++ b/docs/threatmanager/3.2/install/secure.md @@ -6,6 +6,10 @@ sidebar_position: 40 # Secure the Threat Manager Console +:::warning +Before editing configuration files, review the [Modify Service Configuration Settings](/docs/threatmanager/3.2/install/appsettings.md) topic for important guidance on the correct approach. +::: + To support HTTPS, do the following: - Import an SSL certificate to the server @@ -28,7 +32,7 @@ editing the configuration files discussed in this topic. ::: -**Step 2 –**   Copy the thumbprint of the certificate as you will need to use it while editing +**Step 2 –**   Copy the thumbprint of the certificate, as you need it while editing the configuration files. ## Web Service Configuration File @@ -143,8 +147,8 @@ Found cert with subject % and thumbprint 12345ABCDEF54AED1DB59C349CA4D514628DB4D ## Re-register the Action Service -While not always necessary it is a good practice to also re-register the Action Service whenever -changing the certificate in use. +Re-registering the Action Service whenever you change the certificate in use is good practice, +though not always necessary. **Step 1 –** Open an administrative command prompt.