I had posted a blog, How to get plain text password in Active Directory???, to give some insight into how to write a password filter DLL.
In this post I am going to talk about some issues and precautions that should be followed while writing these components.
Like user accounts, Active Directory maintains computer accounts in its repository, and it enforces the same password policy on them that applies to user accounts. For example, if there is a policy to change the password every 30 days for user accounts, the same applies to the computer accounts stored in Active Directory. This policy can be disabled for computer accounts, but that leads to security issues on the network, because computer accounts are used to provide internal authentication when you access shared resources over the network, such as a printer or a shared folder.
Computer account password change notifications should be ignored when passing credentials to identity management (IDM) products for synchronization (I am assuming that you know why this is done???). If the password filter DLL sends these computer password change notifications to the IDM products, they will not be processed, as these products do not manage computer accounts.
Every computer account has an attribute named sAMAccountName that ends with a DOLLAR ($) character. The password filter DLL should check whether the sAMAccountName of the event ends with DOLLAR and, if so, skip the whole process. This provides two benefits:
1) It increases the efficiency of the password filter DLL, as it skips the processing of unnecessary accounts.
2) Better utilization of network bandwidth.
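As an added illustration of the check described above (example code written for this post, not from the original post or any product), here is how the trailing-DOLLAR test looks in C. The EXAMPLE_UNICODE_STRING stand-in, is_computer_account, decide_sync and make_name are all assumptions made for this example; a real filter receives the real PUNICODE_STRING UserName in PasswordChangeNotify, whose Length is in bytes and whose Buffer is not guaranteed to be NUL-terminated, which is exactly what the check has to respect.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the Windows UNICODE_STRING that PasswordChangeNotify receives
 * as UserName: Length/MaximumLength are in BYTES and Buffer holds UTF-16 code
 * units with no guaranteed NUL terminator. Declared here so the example builds
 * without the Windows SDK; a real filter uses PUNICODE_STRING from <ntsecapi.h>. */
typedef struct {
    uint16_t  Length;        /* bytes in use, no terminator counted */
    uint16_t  MaximumLength; /* bytes allocated for Buffer */
    uint16_t *Buffer;        /* UTF-16 code units */
} EXAMPLE_UNICODE_STRING;

/* True when the sAMAccountName ends with '$', the marker of a computer account
 * (inter-domain trust accounts carry it too). Only the code unit at Length-1 is
 * examined, so bytes past Length are never read. */
bool is_computer_account(const EXAMPLE_UNICODE_STRING *name)
{
    if (name == NULL || name->Buffer == NULL || name->Length < sizeof(uint16_t))
        return false;                                /* empty or invalid name */
    size_t units = name->Length / sizeof(uint16_t);  /* bytes -> UTF-16 units */
    return name->Buffer[units - 1] == (uint16_t)'$'; /* U+0024 DOLLAR SIGN */
}

typedef enum { SYNC_SKIP_COMPUTER = 0, SYNC_FORWARD = 1 } sync_decision;

/* The decision made at the top of PasswordChangeNotify: drop computer account
 * events before any credential is handed to the IDM connector. */
sync_decision decide_sync(const EXAMPLE_UNICODE_STRING *user_name)
{
    return is_computer_account(user_name) ? SYNC_SKIP_COMPUTER : SYNC_FORWARD;
}

/* Builds a constructed UTF-16 name from ASCII without a NUL terminator,
 * mimicking what LSA hands to the filter. Returns false if it does not fit. */
bool make_name(const char *ascii, uint16_t *buf, size_t buf_units,
               EXAMPLE_UNICODE_STRING *out)
{
    size_t n = strlen(ascii);
    if (n > buf_units) return false;
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint16_t)(unsigned char)ascii[i];
    out->Length        = (uint16_t)(n * sizeof(uint16_t));
    out->MaximumLength = (uint16_t)(buf_units * sizeof(uint16_t));
    out->Buffer        = buf;
    return true;
}
```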
Hope these tips help you build a more efficient password filter DLL.