Re: Password change notifications on Domain controllers
- From: Tushar <Tushar@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 Aug 2006 22:44:01 -0700
Thanks for the reply Joe.
I just tried a test and I seem to be able to achieve what I want to using
the DLL on a single DC.
Following are the steps I followed:
1. Created a domain with two domain controllers; DC1 and DC2
2. The Password filter DLL was only present on DC1.
3. Disconnected DC1 from the domain, to simulate the scenario where a user
logs on and changes their password on a DC that does not have the password
filter installed.
4. On the client PC, logged on to the domain.
5. Changed the user's password.
6. Confirmed that the user's password was successfully changed on DC2.
7. Re-added DC1 onto the rontest.com domain to allow the user's password
change to be replicated across to DC1.
8. Disconnected DC2 from the domain and logged on the domain on the client
PC with the new password, this was to confirm that the new password value was
replicated to DC1.
9. My 'PasswordChangeNotify' routine of the password filter DLL was invoked
(I confirmed this using some logging statements in the routine).
Any idea how this was possible in my case?
Thanks,
Tushar.
"Joe Richards [MVP]" wrote:
Nope. The code path that the filter gets invoked in is the password
set/change operation, specifically when the clear text password is
available. Once that password is accepted and stored in the directory,
the replication will send over a hash and the password filter will not
be invoked because it is a simple attribute replication.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Tushar wrote:
Hi,
I have a password filter DLL but do not want it to be installed on all the
domain controllers. Would it be possible for me to put the Password filter
DLL on only a single DC and still get it working?
I read on MSDN and it says that the password filter DLL should be present on
all the DCs. I think this requirement is only if we want the password value
to be filtered using the function 'PasswordFilter'.
But if I want only the 'PasswordChangeNotify' function to be invoked (and
not to filter the passwords) when a password change is replicated to a DC,
then would it be possible if I install the DLL on only one DC? In this way,
even if the password is changed on any other DC, my notification function
will be invoked whenever a password change is replicated to the DC having my
DLL.
Could anyone please let me know if this is possible?
Thanks,
Tushar.