Re: Custom PASSFILT.DLL and Complexity in GP

From: Steven L Umbach (
Date: 01/26/05

Date: Tue, 25 Jan 2005 17:01:25 -0600

I have never used a custom passfilt.dll but it sure sounds like it is being
applied at the domain level. Open Domain Security Policy [or the GPO used to
managed domain password policy] and make sure that password complexity is
set to disabled, though I am not sure if that will work with a custom
passfilt.dll depending on what was configured. Also keep in mind that
password policy is "computer" configuration and can be applied only to
computers - not users. So if you were testing it in an OU, it would apply to
only "local" users that logon to domain computers in that OU. --- Steve

"" <> wrote in
>I have developed my own passfilt.dll file. I copied it to all four of my
> Win2K3 DC's and added the registry entry under the LSA key Notification
> Packages.
> My problem is that I only enabled password complexity on a single group
> policy (not the default domain policy or default domain controller policy)
> that I applied to a test OU. I also further limited the policy to a single
> user for testing in the GPMC. However any user that now tries to change
> their
> password has the new password go through the passfilt.dll even though
> complexity is not enabled on any policy that applies to them.
> What gives? From what I have read, you have to add the reg value to the
> Notification Packages key AND enable complexity on a group policy. Why
> would
> it apply the password filter to users from whom it is not enabled?

Relevant Pages

  • Re: What Happened? Passwords all expired...
    ... really explain how the new account policy settingmade it to the DCs. ... I would strongly suggest enabling Success/Failure for Account Management ... >>>post that says "I check my GPO's and password complexity ... >>>>account logon events success and fail ...
  • Re: GPO - password policy - Urgent
    ... Set password complexity to "disabled" - NOT undefined in Domain ... You can also use the mmc snapin for Resultant Set of Policy [again ... assuming Windows 2003] in logging mode on the domain controller to see what ... problems being that domain controllers are not pointing only to themselves ...
  • Re: finding group policies that are applied
    ... This is also applied/created when you use the IEAK to create a custom ... > computers or the appropriate registry setting. ... > see where policy is being applied from. ...
  • 2003 GP/Password complexity questions
    ... I have a new 2003 AD domain and am looking for some guidance with the ... In regard to password complexity being enabled by default, ... policy options to disable this in the "Default Domain Policy" and I've ... best to use separate GPO's for both. ...
  • Re: password complexity
    ... Marin and Dave, ... Here is what is happening when you remove the domain policy - account policy ... the domain policy for password complexity is removed from the DCs ...