I have seen many products synchronizing password/ sending password synch events to IDM products when user changes the password in Active Directory. Due to security reasons Windows does not allow users to get the plain text password once stored in the directory but Microsoft has given a way in case we have to get the plain text password for above reasons and also to enforce a specific password policy which can not be configured out of the box configurations.
There can be chain of password filter DLL's installed which will be called one after the other in the sequence defined in the registry (I will discuss this configuration in a bit)
Password Filters
Password filters provide a way for you to implement password policy and change notification.
When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. The following illustration shows this process.
Important Functions
InitializeChangeNotify
Indicates that a password filter DLL is initialized.
PasswordChangeNotify
Indicates that a password has been changed.
PasswordFilter
Validates a new password based on password policy
To install and register a password filter DLL
Copy the DLL to the Windows installation directory on the domain controller or local computer.
To register the password filter, update the following system registry key:
HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Control Lsa
If the Notification Packages subkey exists, add the name of your DLL to the existing value data. Do not overwrite the existing values, and do not include the .dll extension.
If the Notification Packages subkey does not exist, add it, and then specify the name of the DLL for the value data. Do not include the .dll extension.
The Notification Packages subkey can add multiple packages.
Find the password complexity setting.
In Control Panel, click Performance and Maintenance, click Administrative Tools, double-click Local Security Policy, double-click Account Policies, and then double-click Password Policy.
To enforce both the default Windows password filter and the custom password filter, ensure that the Passwords must meet complexity requirements policy setting is enabled. Otherwise, disable the Passwords must meet complexity requirements policy setting.
Curtsey: I took some of the content in the article from Microsoft site directly.
4 comments:
Your idea is enlightenment my day, for solution to 'synchronize' Google Apps password with Active directory ... Appreciate !
Do u have any code or programming guide to develop such dll to capture the passwords on active directory, if yes please share me on sudheer.samudrala@gmail.com
This is a great post. I like this topic.This site has lots of advantage.I found many interesting things from this site.
SEO Company in Chennai
SEO Company in India
Digital Marketing Company in Chennai
Digital Marketing Company in India
Post a Comment