Re: Password Filter Issue
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 29 Mar 2007 21:10:20 -0700
"Brian Clayton" <bclayton@xxxxxxxxxx> wrote in message
news:e7HBwcjcHHA.4836@xxxxxxxxxxxxxxxxxxxxxxx
I am using a custom password filter (in addition to the default) on Windows Server 2003 DCs to push password changes to an OpenLDAP server for purposes of password synchronization. I have Windows password complexity and history enabled. The problem I am having is that history checking seems to occur only with the actual Windows password change, that is, after the PasswordFilter function is called, but before PasswordChangeNotify is called.

Initially, I pushed the password change to OpenLDAP from the PasswordFilter function, but this caused a problem when a password met complexity requirements, but failed the history check because by the time the history check occurs, the password has already been changed in OpenLDAP, creating an inconsistency. So, I moved the password push to the PasswordChangeNotify function, which solves the issue with the history, but leaves no way to abort the Windows password change if there is a problem with the push.

I haven't tried it yet, but I am hoping the NetValidatePasswordPolicy function might allow me to verify ahead of time that the password meets the history requirement, although I'm a bit doubtful since it sounds like it may only check complexity. Otherwise, the only idea I can come up with is to connect to the OpenLDAP server from PasswordFilter function (just to eliminate connection problems as a point of failure), and leave the password push in the PasswordChangeNotify function. This seems far from ideal though, since the password push could still fail for other reasons and result in inconsistency again. Any ideas, anyone?

That's sticky.
Is there any chance you can use something such as MSMQ so that you can guarantee that (sooner or later) the pwd push will be processed?
Roger
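
The ordering problem and the queue suggestion from this thread, as an added example that is not code from either poster: a small Python model of the sequence PasswordFilter, history check, commit, PasswordChangeNotify. The class names, the `deque` outbox standing in for a durable queue such as MSMQ, and the sample passwords are all constructed assumptions; nothing here calls the Windows API.

```python
from collections import deque

class Directory:
    """Stand-in for the OpenLDAP side; `up` simulates reachability."""
    def __init__(self):
        self.passwords, self.up = {}, True
    def push(self, user, pw):
        if not self.up:
            raise ConnectionError("LDAP unreachable")
        self.passwords[user] = pw

class DomainController:
    """Models the order: PasswordFilter -> history check -> commit -> notify."""
    def __init__(self, ldap, push_in_filter):
        self.ldap, self.push_in_filter = ldap, push_in_filter
        self.current, self.history = {}, {}
        # Assumption: a real queue is durable and protects the queued secret.
        self.outbox = deque()

    def password_filter(self, user, pw):
        if self.push_in_filter:
            try:
                self.ldap.push(user, pw)   # too early: history not checked yet
            except ConnectionError:
                return False               # the filter can still veto the change
        return True

    def password_change_notify(self, user, pw):
        if not self.push_in_filter:
            self.outbox.append((user, pw))  # local enqueue only, no network call

    def change_password(self, user, pw):
        if not self.password_filter(user, pw):
            return False
        if pw in self.history.setdefault(user, []):
            return False                    # rejected after the filter already ran
        self.history[user].append(pw)
        self.current[user] = pw
        self.password_change_notify(user, pw)
        return True

    def drain(self):
        """Retry worker: deliver in order, stop at the first failure."""
        while self.outbox:
            try:
                self.ldap.push(*self.outbox[0])
            except ConnectionError:
                return False                # entry stays queued for the next run
            self.outbox.popleft()
        return True
```

With `push_in_filter=True` a reused password reaches the directory even though the history check then rejects it; with the outbox, a failed push delays synchronization but the two sides converge once `drain()` succeeds.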