Re: Custom PASSFILT.DLL and Complexity in GP

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/26/05

• Next message: Joel: "Re: event log-logging in/out"
• Previous message: Roger Abell: "Re: Global.msads.net Login Screen"
• In reply to: sarnst_at_umflint.edu: "Custom PASSFILT.DLL and Complexity in GP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 25 Jan 2005 20:30:54 -0500

Password filters apply to all accounts in the local database, so for a filter on
  a domain controller, it would apply to all users hosted on that DC, if on a
workstation it applies to all users on that workstation. The way you can change
this is within the filter itself by writing the code to only impact certain
users with a if user is so and so do this.

As Roger mentioned, disable the builtin complexity unless you want the builtin
functionality in ADDITION to your filter.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
sarnst@umflint.edu wrote:
> I have developed my own passfilt.dll file. I copied it to all four of my 
> Win2K3 DC's and added the registry entry under the LSA key Notification 
> Packages.
> 
> My problem is that I only enabled password complexity on a single group 
> policy (not the default domain policy or default domain controller policy) 
> that I applied to a test OU. I also further limited the policy to a single 
> user for testing in the GPMC. However any user that now tries to change their 
> password has the new password go through the passfilt.dll even though 
> complexity is not enabled on any policy that applies to them.
> 
> What gives? From what I have read, you have to add the reg value to the 
> Notification Packages key AND enable complexity on a group policy. Why would 
> it apply the password filter to users from whom it is not enabled?

---

• Next message: Joel: "Re: event log-logging in/out"
• Previous message: Roger Abell: "Re: Global.msads.net Login Screen"
• In reply to: sarnst_at_umflint.edu: "Custom PASSFILT.DLL and Complexity in GP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Custom PASSFILT.DLL and Complexity in GP ... each domain controller for it to be successfully used. ... > My problem is that I only enabled password complexity on a single group ... > policy ... > complexity is not enabled on any policy that applies to them. ... (microsoft.public.security) Re: bypass default password filter passfilt.dll ... I think that documentation goes back to NT4 when the complexity filter was ... > policy " Passwords must meet complexity requirements policy setting is ... > Now in order to implement our dll I ... (microsoft.public.security) RE: Mailbox Manager Policies ... If you havent already try using the Advanced tab to build your query. ... >Here is an example of the policy. ... >as a rule set (Email Retention Store and "Processing"). ... >> This will create a report that you can look at to make sure your filter is correct. ... (microsoft.public.exchange.admin) Re: Move W2K3 server to its own OU seperate from SBS (MyBusiness) OU ... I would like to filter these two ... policies from inheriting the default domain policies of the SBS server. ... Policy it is because I cannot manage it from the local machine. ... (microsoft.public.windows.server.sbs) RE: Mailbox Manager Policies ... This will create a report that you can look at to make sure your filter is correct. ... >Thread-Topic: Mailbox Manager Policies ... I show the context of the policy ... >to apply against the one user in that particular store, ... (microsoft.public.exchange.admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)