gControl Password Policy Settings

One of the challenges Google apps administrators face is having a good password policy across the organization. Google apps provides basic password strength option. With gControl password policy setting, administrator can enforce complex password settings. The administrator can do this for the entire organization or for a subset of users through organization units.

Note: Administrator can bypass the password policy by changing passwords directly in Google apps control panel.

To set up password policy, get into the gControl control panel and select password policy from the quick links on right. You will see a screen as below


Click on Add policy to get started. Ad policy will take you to the policy creation screen as shown below


Fill in the details.

  • Title: Name your policy to easily identify it later when you want to make changes.

  • Description: Short description for helping understand the policy if more than one admin is managing the account.

  • Enabled: For some reason if you want the policy to be disabled for some time and re enable it, you can do it by checking/unchecking the “Enabled” option shown above.

  • Granted: THis option will make sure that end users can change passwords. If the admins wants to restrict the end user from changing pasowrds, this option should be unchecked.

  • Valid Always: You can decide the validity of the policy with Valid Always button. Toggling this you can say whether you want a policy for a stipulated time or a policy which is always applied.

  • Valid From and Valid To: If Valid Always is off, then you will have to provide the date range for which the policy needs to be applied. This way admin need not manually turn off the policy.

  • Organization Units: This option will provide you the option to apply the policy on the set of users that you want to apply this to. Selecting the Root organization will apply the policy on all users.

All the OUs of your Google apps domain gets listed here and you can apply policy on any OU of your choice. If you see any cross marks (stricken OU names) that you see on the OUs, depicts that these OUs are part of other policies. Hence the system does not allow duplication of users/OUs.
  • Complexity: This section allows administrator to define complexity on the passwords. Some of the companies have this as a need from security auditors and this was a limitation in Google apps that gets addressed here. Following options are available for the admin

  • Expiration: Using this option admin can decide on the expiration of user’s policies. Some of the companies have this as a need from security auditors and this was a limitation in Google apps that gets addressed here.

The expiration count starts from the day the password policy saved. If you have a password changed long time back and a 45 day expiration is set, your password will not expire immediately. It will expire after 45 days from applying the policy. Hence we have provided an option of “Force users to change password on next login”. This option will make sure that the users covered in the policy have to change their password when they login for the next time.
  • Restrictions: There are some additional restriction that you can apply. Following are the options that the admin has