How to create a custom passfilt.dll for Windows 2003 Domain Contro
Don B.
2008-05-16 18:03:04 UTC
I have been tasked to find an in-house solution to modify the complexity level
for AD passwords. It appears the only way to modify it from either having it
enabled or disabled in Group Policy is to create your own passfilt.dll file
and register the custom dll on each DC & disable using complexity in the GPO.
I am looking for some sample source code or documentation on creating a
custom passfilt.dll for Windows 2003 domain controllers.

I have found a few forums talking about customizing the passfilt.dll to
modify the complex password settings. But nothing on how to actually code the
dll. I did find in one forum that the information could be found in the Microsoft
Windows SDK. The only version that can be downloaded is for Windows 2008
Server and doesn't have the sample code that the forum mentions. I assume that
I might need the Windows 2003 SDK version? But that isn't available anymore.
I also read in a MS forum that a MS engineer said the passfilt.dll is no
longer used and it is in LSASS.exe? But I couldn't find any info on that one
either. He didn't provide any links or references.

Thank you,
Don
JPolicelli [MVP - Directory Services]
2008-05-17 06:45:00 UTC
I wouldn't suggest taking either approach unless absolutely necessary. There
are a number of third-party products on the market that will meet your
requirements.
ANIXIS
2008-05-17 07:10:52 UTC
Passfilt.dll is Microsoft's implementation of a password filter. It is
true that the inbuilt password policy rules are no longer handled by a
separate DLL, but there is nothing stopping you from registering your
own password filter on Windows 2003.

Everything you need to get started is at http://msdn.microsoft.com/en-us/library/ms721882(VS.85).aspx
and http://msdn.microsoft.com/en-us/library/ms721884(VS.85).aspx and
http://msdn.microsoft.com/en-us/library/ms721849(VS.85).aspx

I don't know if MS includes the password filter sample with the latest
SDK, but there isn't much to learn from it. You really just need to
understand the three functions used by LSASS to call your filter (see
last URL above).

At the risk of sounding like I am trying to sell you something, have
you considered using a configurable password filter like Password
Policy Enforcer (www.anixis.com)? Building a password filter isn't
particularly hard, but your code will run as local system on each DC.
A bug in your filter could compromise security or bring down your DCs
as LSASS.EXE dies. You also have to deal with the inaccurate rejection
messages that users see when your password filter rejects a password.
This can be fixed with another DLL on the client, but it's not easy to
do.
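The three LSASS entry points ANIXIS refers to, shown as an added example (not code from the thread, from ANIXIS or from Microsoft's sample). The policy itself (12 characters, three of four character classes, account name not contained), the `PW_STRING` name and the `pw_policy_ok` helper are assumptions for illustration; the check is kept in portable C so it can be tested off the DC, with only the exports under `_WIN32`.

```c
#include <stddef.h>
#include <stdint.h>
/* Same layout as the UNICODE_STRING LSASS passes in: Length/MaximumLength are
 * byte counts and Buffer is UTF-16 with no NUL terminator. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } PW_STRING;
static uint16_t lower16(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; } /* ASCII only */

/* Assumed example policy: >= min_len chars, 3 of 4 character classes, account
 * name (3+ chars) not contained. Reads only Length bytes, copies nothing and
 * cannot fault on bad input: an exception here kills LSASS and the DC with it. */
int pw_policy_ok(const PW_STRING *account, const PW_STRING *pw, size_t min_len)
{
    if (!pw || !pw->Buffer) return 0;
    size_t n = pw->Length / 2, an = (account && account->Buffer) ? account->Length / 2 : 0;
    if (n < min_len) return 0;
    int upper = 0, lower = 0, digit = 0, other = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = pw->Buffer[i];
        if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else other = 1;
    }
    if (upper + lower + digit + other < 3) return 0;
    for (size_t i = 0; an >= 3 && i + an <= n; i++) {      /* case-insensitive substring scan */
        size_t k = 0;
        while (k < an && lower16(pw->Buffer[i + k]) == lower16(account->Buffer[k])) k++;
        if (k == an) return 0;
    }
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
/* The three exports LSASS resolves by name (signatures per the MSDN links above).
 * On 32-bit builds export them through a .def file so __stdcall decoration does not hide the names. */
__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }
__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;   /* TRUE = accept; FALSE = reject the change */
    return (BOOLEAN)pw_policy_ok((const PW_STRING *)AccountName, (const PW_STRING *)Password, 12);
}
__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
    ULONG RelativeId, PUNICODE_STRING NewPassword)
{   /* NewPassword is the cleartext: never log or persist it here */
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;   /* STATUS_SUCCESS */
}
#endif
```

Because LSASS loads the DLL into its own process, any unhandled exception or out-of-bounds read in `PasswordFilter` is exactly the DC crash the reply above warns about, which is why the check takes `Length` as authoritative and never trusts a terminator.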
Don B.
2008-05-19 20:27:01 UTC
Thank you both for the response. I have enough fuel now to push for a third
party product and PPE looks good.
Joe Kaplan
2008-05-19 20:39:59 UTC
This is the way to go. Writing these is tricky work and if you make even a
tiny mistake, you can destabilize the entire AD with your code. Putting
that in the hands of a vendor is probably a better idea.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net