Configure the password group policy

The password filter must be enabled and configured using group policy before it will process password changes. When installing the application, you have the option of installing the ADMX group policy template files.

The group policy templates should be installed on any machine from which you need to configure the password settings group policy. We recommend copying the ADMX files to a central policy store, which will enable you to see and manage the group policy settings from any machine in the domain.

If you do not copy the ADMX/ADML files to the central policy store in the domain, you'll only be able to see and edit the group policy settings from the machine where you installed the ADMX files.

Once you have installed the templates, create a new GPO, which you will link to the OU containing your domain controllers in Active Directory. If you have other computers that you want to be able to use the Get-PasswordFilterResult cmdlet on, they will need to have the group policy applied to them as well.

Note that Active Directory will still process its own password policy rules, so ensure that the built-in Active Directory password policy settings do not conflict with those that you set in the Lithnet Password Protection settings. For example, if you are using password complexity settings in LPP, then it's recommended to disable Active Directory's complexity settings.

The group policy settings are found under Computer Configuration\Policies\Administrative Templates\Lithnet\Password Filter.

Settings Reference

General settings

Setting
Explanation

Disable password filter

When enabled, prevents the password filter from evaluating password change requests. If disabled, or set to not configured, the password filter will evaluate password change requests.

Regular expression policies

Setting
Explanation

Password must match a specified regular expression

When enabled, passwords that do not match the specified regular expression will be rejected. If disabled, or set to not configured, the password filter will not evaluate passwords against the regular expression. Note that the regular expression must match the entire password, not a substring of it.

Passwords must not match a specified regular expression

When enabled, passwords that match the specified regular expression will be rejected. If disabled, or set to not configured, the password filter will not evaluate passwords against the regular expression. Note that the regular expression must match the entire password, not a substring of it.
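The whole-password matching rule changes how a "must not match" pattern has to be written. The following is an added example, not part of the product or its documentation: the function names are hypothetical, the passwords and patterns are constructed, and it assumes .NET regex syntax, which may differ from the dialect the filter itself uses.

```powershell
# Added example: models the "must match the entire password" rule described above.
# Assumption: .NET regex syntax; verify the final pattern against the filter itself.

function Test-WholePasswordMatch {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Pattern
    )
    # Group the pattern and anchor both ends so only a match that covers
    # the entire password counts, never a substring hit.
    return [regex]::IsMatch($Password, "\A(?:$Pattern)\z")
}

function Get-RegexPolicyResult {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$MustMatch,      # "must match" policy expression, if enabled
        [string]$MustNotMatch    # "must not match" policy expression, if enabled
    )
    if ($MustMatch -and -not (Test-WholePasswordMatch -Password $Password -Pattern $MustMatch)) {
        return 'Rejected (required expression not matched)'
    }
    if ($MustNotMatch -and (Test-WholePasswordMatch -Password $Password -Pattern $MustNotMatch)) {
        return 'Rejected (prohibited expression matched)'
    }
    return 'Approved'
}

# Constructed sample passwords.
$samples = 'password', 'password123', 'Tr1cky-Horse-Battery'

$samples | ForEach-Object {
    [pscustomobject]@{
        Password       = $_
        # A bare word only blocks that exact password.
        DenyExact      = Get-RegexPolicyResult -Password $_ -MustNotMatch 'password'
        # To block any password containing the word, the pattern must span the whole string.
        DenyContaining = Get-RegexPolicyResult -Password $_ -MustNotMatch '(?i).*password.*'
        # A "must match" expression is evaluated the same way.
        RequireLen12   = Get-RegexPolicyResult -Password $_ -MustMatch '.{12,}'
    }
} | Format-Table -AutoSize
```

In this model the bare pattern `password` approves `password123`, while `(?i).*password.*` rejects it.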

Complexity policies

Setting
Explanation

Passwords must meet the specified number of complexity points

Enable length-based complexity rules

Minimum password length

When enabled, specifies the minimum password length to enforce. If disabled or not configured, no minimum password length is enforced.

Password content policies

Setting
Explanation

Reject passwords that contain the user's account name

When enabled, the filter will reject any password that contains the user's account name, provided the account name is greater than 3 characters in length. If disabled, or set to not configured, the password filter will not reject the password if it contains the user's account name.

Reject passwords that contain any part of the user's display name

When enabled, the filter will reject any password that contains all or part of the user's display name. If disabled, or set to not configured, the password filter will not reject the password if it contains the user's display name.

Reject passwords found in the compromised password store

When enabled, passwords will be rejected if they are found in the compromised password store. If disabled, or set to not configured, the password filter will not evaluate passwords against the compromised password store.

Reject normalized passwords found in the compromised password store

Reject normalized passwords found in the banned word store
