Friday, June 29, 2007

How to get plain text password in Active Directory???


I have seen many products that synchronize passwords, or send password-change events to IDM products, when a user changes their password in Active Directory. For security reasons Windows does not let anyone read a plain text password back out of the directory once it is stored, but Microsoft does provide a supported hook for cases where the plain text password is needed for this kind of synchronization, and also for enforcing a specific password policy that cannot be expressed with the out-of-the-box settings.

There can be a chain of password filter DLLs installed; they are called one after the other in the order defined in the registry (this configuration is covered below).



Password Filters

Password filters provide a way for you to implement password policy and change notification.

When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. The following illustration shows this process.





Important Functions

InitializeChangeNotify - Indicates that a password filter DLL is initialized.
PasswordChangeNotify - Indicates that a password has been changed.
PasswordFilter - Validates a new password based on password policy.


To install and register a password filter DLL

1. Copy the DLL to the Windows installation directory on the domain controller or local computer.
2. To register the password filter, update the following system registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   - If the Notification Packages value exists, add the name of your DLL to the existing value data. Do not overwrite the existing values, and do not include the .dll extension.
   - If the Notification Packages value does not exist, add it, and then specify the name of the DLL as the value data. Do not include the .dll extension.
   - The Notification Packages value can hold multiple packages.
3. Find the password complexity setting: in Control Panel, click Performance and Maintenance, click Administrative Tools, double-click Local Security Policy, double-click Account Policies, and then double-click Password Policy.
4. To enforce both the default Windows password filter and the custom password filter, ensure that the "Passwords must meet complexity requirements" policy setting is enabled. Otherwise, disable the "Passwords must meet complexity requirements" policy setting.
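Because every DLL listed in Notification Packages is loaded into LSASS and handed each new password in clear text, the same registry value is the first place to look when auditing a domain controller. The following PowerShell script is an added example, not part of the original post or of any Microsoft documentation: it reads the Notification Packages value, compares each entry against a baseline (the built-in scecli filter, plus rassfm which appears on some domain controllers; your own baseline may differ, so treat the list as an assumption), confirms the DLL is present in System32, and records its Authenticode status and SHA-256 hash so unexpected entries can be investigated.

```powershell
# Added audit example (not from the original post): list the LSA
# Notification Packages and check each registered password filter DLL.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

# Assumed baseline: scecli is the built-in Windows filter, rassfm shows up
# on some domain controllers. Anything else is a candidate for investigation.
$expected = @('scecli', 'rassfm')

foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Entries are stored without the .dll extension and are loaded from System32.
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"

    $status = [ordered]@{
        Package    = $name
        InBaseline = $expected -contains $name.ToLower()
        Exists     = Test-Path -Path $dllPath
        Signature  = $null
        Signer     = $null
        Sha256     = $null
    }

    if ($status.Exists) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        $status.Signature = $sig.Status
        if ($sig.SignerCertificate) {
            $status.Signer = $sig.SignerCertificate.Subject
        }
        $status.Sha256 = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
    }

    [pscustomobject]$status
}
```

Run it as an administrator on each domain controller and compare the output over time; an entry that is not in the baseline, that points to a DLL which does not exist (a dangling registration someone could later satisfy), or whose signature status is not Valid deserves a closer look. Since the value is only read when LSASS starts, the Security log event "A notification package has been loaded by the Security Account Manager" (Event ID 4614, generated under the Audit Security System Extension subcategory) is the matching detection for a newly added filter taking effect after a reboot.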


Courtesy: I took some of the content in this article directly from the Microsoft site.



4 comments:

Unknown said...

Your idea is enlightenment my day, for solution to 'synchronize' Google Apps password with Active directory ... Appreciate !

Sudheer said...

Do you have any code or programming guide to develop such a dll to capture the passwords on active directory? If yes, please share with me at sudheer.samudrala@gmail.com

Aasha said...

This is a great post. I like this topic. This site has lots of advantage. I found many interesting things from this site.

SEO Company in Chennai

SEO Company in India

Digital Marketing Company in Chennai

Digital Marketing Company in India

Ancy merina said...
This comment has been removed by the author.
