Re: Password Filter Issue




"Brian Clayton" <bclayton@xxxxxxxxxx> wrote in message
news:OVwitUjcHHA.3648@xxxxxxxxxxxxxxxxxxxxxxx
I am using a custom password filter (in addition to the default) on Windows
Server 2003 DCs to push password changes to an OpenLDAP server for purposes
of password synchronization. I have Windows password complexity and history
enabled. The problem I am having is that history checking seems to occur
only with the actual Windows password change, that is, after the
PasswordFilter function is called, but before PasswordChangeNotify is
called.

Initially, I pushed the password change to OpenLDAP from the
PasswordFilter function, but this caused a problem when a password met
complexity requirements, but failed the history check because by the time
the history check occurs, the password has already been changed in
OpenLDAP, creating an inconsistency. So, I moved the password push to the
PasswordChangeNotify function, which solves the issue with the history,
but leaves no way to abort the Windows password change if there is a
problem with the push.

I haven't tried it yet, but I am hoping the NetValidatePasswordPolicy
function might allow me to verify ahead of time that the password meets
the history requirement, although I'm a bit doubtful since it sounds like
it may only check complexity. Otherwise, the only idea I can come up with
is to connect to the OpenLDAP server from PasswordFilter function (just to
eliminate connection problems as a point of failure), and leave the
password push in the PasswordChangeNotify function. This seems far from
ideal though, since the password push could still fail for other reasons
and result in inconsistency again. Any ideas, anyone?

That's sticky.

Is there any chance you can use something such as MSMQ so that you can
guarantee that (sooner or later) the pwd push will be processed?

Roger
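
The ordering problem and the queue suggestion discussed in this thread, as an added simulation that is not code from either poster and does not call the Windows LSA or MSMQ APIs. The class names, the strategy strings, the 8-character rule standing in for complexity, and the in-memory deque standing in for a durable queue are all assumptions made for illustration.

```python
# Simulation only: models the call order described in the thread, not the real LSA.
from collections import deque

class FlakyLdap:
    """Hypothetical stand-in for the OpenLDAP server; push fails while `down` is True."""
    def __init__(self):
        self.passwords, self.down = {}, False
    def push(self, user, pw):
        if self.down:
            raise ConnectionError("LDAP unreachable")
        self.passwords[user] = pw

class Dc:
    """Order modelled: PasswordFilter -> history check -> commit -> PasswordChangeNotify."""
    def __init__(self, ldap, strategy):
        self.ldap, self.strategy = ldap, strategy
        self.current, self.history, self.outbox = {}, {}, deque()
    def change_password(self, user, pw):
        if len(pw) < 8:  # filter stage: may veto, but runs before the history check
            return False
        if self.strategy == "push_in_filter":
            try:
                self.ldap.push(user, pw)  # LDAP is changed before history is known
            except ConnectionError:
                return False
        if pw in self.history.setdefault(user, []):  # history check rejects reuse
            return False
        self.current[user] = pw  # the Windows-side change is now committed
        self.history[user].append(pw)
        if self.strategy == "push_in_notify":  # notify stage cannot veto the change
            try:
                self.ldap.push(user, pw)
            except ConnectionError:
                pass  # the update is simply lost
        elif self.strategy == "queue_in_notify":
            self.outbox.append((user, pw))  # a real queue must be durable and protected
            self.drain()
        return True
    def drain(self):
        """Deliver queued changes in order; stop at the first failure and keep the rest."""
        while self.outbox:
            try:
                self.ldap.push(*self.outbox[0])
            except ConnectionError:
                return False
            self.outbox.popleft()
        return True
    def in_sync(self, user):
        return self.ldap.passwords.get(user) == self.current.get(user)
```

With "queue_in_notify" the two stores can still differ while the LDAP server is down, but a later `drain()` brings them back together, whereas the other two strategies leave a permanent mismatch.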

