Password Filter Issue
- From: "Brian Clayton" <bclayton@xxxxxxxxxx>
- Date: Thu, 29 Mar 2007 15:19:33 -0400
I am using a custom password filter (in addition to the default) on Windows
Server 2003 DCs to push password changes to an OpenLDAP server for purposes
of password synchronization. I have Windows password complexity and history
enabled. The problem I am having is that history checking seems to occur
only with the actual Windows password change, that is, after the
PasswordFilter function is called, but before PasswordChangeNotify is
called.
Initially, I pushed the password change to OpenLDAP from the PasswordFilter
function, but this caused a problem when a password met complexity
requirements, but failed the history check because by the time the history
check occurs, the password has already been changed in OpenLDAP, creating an
inconsistency. So, I moved the password push to the PasswordChangeNotify
function, which solves the issue with the history, but leaves no way to
abort the Windows password change if there is a problem with the push.
I haven't tried it yet, but I am hoping the NetValidatePasswordPolicy
function might allow me to verify ahead of time that the password meets the
history requirement, although I'm a bit doubtful since it sounds like it may
only check complexity. Otherwise, the only idea I can come up with is to
connect to the OpenLDAP server from the PasswordFilter function (just to
eliminate connection problems as a point of failure), and leave the password
push in the PasswordChangeNotify function. This seems far from ideal though,
since the password push could still fail for other reasons and result in
inconsistency again. Any ideas, anyone?
Thanks!
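
A small model of the call order described in the post above, added here as an illustration (it is not code from the poster and does not call the Windows API). It runs the filter, history check, commit and notify stages in that order against two constructed in-memory stores and reports which placements of the push leave them out of sync; the struct, function names, sample passwords and the length-only complexity rule are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the order described in the post; not the Windows API. */
enum push_site { PUSH_IN_FILTER, PUSH_IN_NOTIFY };

struct stores {
    char ad[32];      /* password currently held on the Windows side */
    char ldap[32];    /* password currently held on the OpenLDAP side */
    char history[32]; /* one remembered old password (stand-in for history) */
    bool ldap_up;     /* whether a push to OpenLDAP can succeed */
};

static bool push_to_ldap(struct stores *s, const char *pw) {
    if (!s->ldap_up) return false;
    snprintf(s->ldap, sizeof s->ldap, "%s", pw);
    return true;
}

/* Returns true when the Windows-side change is committed. */
bool change_password(struct stores *s, const char *pw, enum push_site site) {
    /* 1. Filter stage: returning false here vetoes the whole change. */
    if (strlen(pw) < 8) return false;            /* stand-in complexity rule */
    if (site == PUSH_IN_FILTER && !push_to_ldap(s, pw)) return false;
    /* 2. History check: per the post, this runs after the filter stage. */
    if (strcmp(pw, s->history) == 0) return false;
    /* 3. Commit on the Windows side. */
    snprintf(s->history, sizeof s->history, "%s", s->ad);
    snprintf(s->ad, sizeof s->ad, "%s", pw);
    /* 4. Notify stage: the change is already committed, nothing can veto. */
    if (site == PUSH_IN_NOTIFY) (void)push_to_ldap(s, pw);
    return true;
}

/* Bit 1 = change committed, bit 0 = both stores still agree afterwards. */
int scenario(enum push_site site, const char *pw, bool ldap_up) {
    struct stores s = { "Current#2007", "Current#2007", "Previous#2006", ldap_up };
    bool committed = change_password(&s, pw, site);
    return (committed ? 2 : 0) | (strcmp(s.ad, s.ldap) == 0 ? 1 : 0);
}

int main(void) {
    printf("filter push, reused pw : %d\n", scenario(PUSH_IN_FILTER, "Previous#2006", true));
    printf("notify push, reused pw : %d\n", scenario(PUSH_IN_NOTIFY, "Previous#2006", true));
    printf("notify push, LDAP down : %d\n", scenario(PUSH_IN_NOTIFY, "Fresh#Spring07", false));
    printf("filter push, LDAP down : %d\n", scenario(PUSH_IN_FILTER, "Fresh#Spring07", false));
    return 0;
}
```

A result with bit 0 clear is a divergence: it appears for the filter-stage push with a reused password and for the notify-stage push when the OpenLDAP side is unreachable, the two cases the post describes.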