Overview#

Some detailed information on Active Directory and Passwords

Microsoft Active Directory uses the UnicodePwd attribute instead of the more common userPassword, unless you Enable UserPassword in Microsoft Active Directory.

Setting and Changing Microsoft Active Directory Passwords#

Some details on Setting and Changing Microsoft Active Directory Passwords.

Password Filters[1]#

Password filters provide a way for you to implement password policy and change notification. Passfilt.dll is Microsoft's implementation of a password filter.

When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made.

Password change request

Password change notification can be used to synchronize password changes to foreign account databases.

Password filters are used to enforce password policy. Filters validate new passwords and indicate whether the new password conforms to the implemented password policy.
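The two-call sequence described above, modelled as an added example in portable C. This is not code from this page or from Microsoft and it does not use the Windows password filter API; every name, the sample policy and the filter order are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Model of the LSA call sequence only; every name here is hypothetical. */
typedef struct {
    bool (*validate)(const char *user, const char *new_pw); /* first call  */
    void (*notify)(const char *user, const char *new_pw);   /* second call */
} pw_filter;

static int sync_queue_len = 0; /* changes handed to a foreign account database */
/* Sync filter: must not act during validation, a later filter may still reject. */
static bool sync_validate(const char *u, const char *p) { (void)u; (void)p; return true; }
static void sync_notify(const char *u, const char *p) { (void)u; (void)p; sync_queue_len++; }

/* Policy filter (constructed policy): 12+ characters with upper, lower and digit. */
static bool policy_validate(const char *u, const char *p) {
    bool up = false, lo = false, di = false; (void)u;
    for (const char *c = p; *c; c++) {
        if (isupper((unsigned char)*c)) up = true;
        if (islower((unsigned char)*c)) lo = true;
        if (isdigit((unsigned char)*c)) di = true;
    }
    return strlen(p) >= 12 && up && lo && di;
}
static void policy_notify(const char *u, const char *p) { (void)u; (void)p; }

static const pw_filter FILTERS[] = {
    { sync_validate,   sync_notify   }, /* registered first on purpose */
    { policy_validate, policy_notify },
};
#define NFILTERS (sizeof FILTERS / sizeof FILTERS[0])

/* Returns true when every filter accepted and all were then notified. */
bool change_password(const char *user, const char *new_pw) {
    for (size_t i = 0; i < NFILTERS; i++)
        if (!FILTERS[i].validate(user, new_pw))
            return false; /* one rejection aborts the change; nobody is notified */
    /* the account database would be updated here */
    for (size_t i = 0; i < NFILTERS; i++)
        FILTERS[i].notify(user, new_pw);
    return true;
}
int pending_sync(void) { return sync_queue_len; }

int main(void) {
    change_password("alice", "short1A"); /* constructed input, rejected by policy */
    return change_password("alice", "Constructed-Sample-42") && pending_sync() == 1 ? 0 : 1;
}
```

Because the sync filter is asked to validate before the policy filter rejects, a filter that forwarded the password during the first call would push a password that never took effect; the model only forwards on the second call.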

The following topics provide more information about password filters:

Windows Server 2003 Default Password Policy#

A default password filter ships with Windows Server 2003 Default Password Policy.

Some Active Directory and Passwords Examples#

"Password Hook" is a Windows Password Filter DLL that sends any Windows password changes to a script/program specified in the registry by a configuration utility. The DLL is effectively a generic Windows password filter.

The Active Directory SHA-1 hex password filter (http://code.google.com/p/sha1hexfltr/) is a password filter that stores the password as a SHA-1 hash in an attribute in Microsoft Active Directory. (Link no longer available)

DirXML Password Flow From Active Directory to eDirectory#

We describe the DirXML Password Flow From Active Directory to eDirectory along with some troubleshooting tips.

A different Approach#

SUN/Oracle came up with a different method to allow password synchronization with Active Directory, which they call On-Demand Password Synchronization.

Setting and Changing Microsoft Active Directory Passwords#

Information on Setting and Changing Microsoft Active Directory Passwords from LDIF, LDAP or Java.

Enable UserPassword in Microsoft Active Directory #

How to Enable UserPassword in Microsoft Active Directory instead of UnicodePwd.

How passwords are used in Windows#

How passwords are used in Windows

More Information#

There might be more information for this subject on one of the following:
[#1] http://msdn.microsoft.com/en-us/library/ms721882(VS.85).aspx

This page (revision-44) was last changed on 21-Jun-2017 10:36 by jim