I had posted a blog, How to get plain text password in Active Directory???, to give some insight into how to write a password filter DLL.
In this post I am going to talk about some issues and precautions that should be followed while writing these components.
Like user accounts, Active Directory maintains computer accounts in its repository. It enforces the same password policy that applies to user accounts. For example, if there is a policy to change the password every 30 days for user accounts, the same applies to the computer accounts stored in Active Directory. This policy can be disabled for computer accounts, but that leads to security issues on the network, because computer accounts are used for a kind of internal authentication when you access shared resources over the network, such as a printer or a shared folder.
Computer account password change notifications should be ignored when passing credentials to identity management (IDM) products for synchronization (I am assuming that you know why this is done???). If the password filter DLL sends these computer password change notifications to the IDM products, they will not be processed, as these products do not manage computer accounts.
Every computer account has an attribute named sAMAccountName which ends with a DOLLAR ($) character. The password filter DLL should check whether the sAMAccountName of the event ends with DOLLAR and, if so, skip the whole process. This provides two benefits:
1) It increases the efficiency of the password filter DLL, as it skips the processing of unnecessary accounts.
2) It makes better use of network bandwidth.
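The skip check described above, as an added example that is not code from the original post: it takes the UserName UNICODE_STRING that the LSA passes to PasswordChangeNotify (treated as the sAMAccountName, as the post does) and tells the filter whether to skip the event. The non-Windows typedefs and the ASCII helper are constructed here for building and testing outside Windows; in a real filter only IsComputerAccountName is needed.

```c
/* Added example, not from the original post: the "name ends in '$'" check
 * described above, run on the UNICODE_STRING the LSA hands a password
 * filter as UserName (from <ntsecapi.h> on Windows; the fallback typedefs
 * below only exist so the check builds and runs on other platforms). */
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
typedef unsigned short USHORT;
typedef unsigned short WCHAR;
typedef struct {
    USHORT Length;        /* length of Buffer in BYTES, not characters */
    USHORT MaximumLength;
    WCHAR *Buffer;        /* not guaranteed to be NUL-terminated */
} UNICODE_STRING;
#endif

/* Returns 1 when the account name ends in '$' (a computer account whose
 * change the filter should skip), 0 otherwise. Uses Length, never a NUL
 * terminator, because the LSA does not promise one. */
int IsComputerAccountName(const UNICODE_STRING *name)
{
    size_t chars;
    if (name == NULL || name->Buffer == NULL || name->Length < sizeof(WCHAR))
        return 0;
    chars = name->Length / sizeof(WCHAR);  /* bytes -> UTF-16 code units */
    return name->Buffer[chars - 1] == (WCHAR)'$';
}

/* Constructed helper: pack an ASCII name into a UNICODE_STRING with no
 * terminating NUL, as a filter may receive it, then run the check. */
int IsComputerAccountAscii(const char *ascii)
{
    WCHAR buf[64];
    UNICODE_STRING name;
    size_t n;
    for (n = 0; ascii[n] != '\0' && n < sizeof buf / sizeof buf[0]; n++)
        buf[n] = (WCHAR)ascii[n];
    name.Buffer = buf;
    name.Length = (USHORT)(n * sizeof(WCHAR));
    name.MaximumLength = (USHORT)sizeof buf;
    return IsComputerAccountName(&name);
}
```

Call IsComputerAccountName at the top of PasswordChangeNotify (and of PasswordFilter) and return early when it reports 1, before any IDM synchronization work starts.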
Hope these tips help you build a more efficient password filter DLL.