Configure the password group policy
The password filter must be enabled and configured using group policy before it will process password changes. When installing the application, you have the option of installing the ADMX group policy template files.
The group policy templates should be installed on any machine from which you need to configure the password settings group policy. We recommend copying the ADMX files to a central policy store, which will enable you to see and manage the group policy settings from any machine in the domain.
If you do not copy the ADMX/ADML files to the central policy store in the domain, you'll only be able to see and edit the group policy settings from the machine where you installed the ADMX files.
Once you have installed the templates, create a new GPO, which you will link to the OU containing your domain controllers in Active Directory. If you have other computers that you want to be able to use the Get-PasswordFilterResult cmdlet on, they will need to have the group policy applied to them as well.
Note that Active Directory will still process its own password policy rules, so ensure that the built-in Active Directory password policy settings do not conflict with those that you set in the Lithnet Password Protection settings. For example, if you are using the password complexity settings in LPP, then it's recommended to disable Active Directory's complexity settings.
The group policy settings are found under Computer Configuration\Policies\Administrative Templates\Lithnet\Password Filter.
Settings Reference
General settings
Disable password filter
When enabled, prevents the password filter from evaluating password change requests. If disabled, or set to not configured, the password filter will evaluate password change requests.
Regular expression policies
Password must match a specified regular expression
When enabled, passwords that do not match the specified regular expression will be rejected. If disabled, or set to not configured, the password filter will not evaluate passwords against the regular expression. Note that the regular expression must match the entire password, not a substring of it.
Passwords must not match a specified regular expression
When enabled, passwords that match the specified regular expression will be rejected. If disabled, or set to not configured, the password filter will not evaluate passwords against the regular expression. Note that the regular expression must match the entire password, not a substring of it.
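The whole-password matching rule noted for both regular expression policies, emulated locally as an added example (not part of the Lithnet documentation or product code). It assumes .NET regex syntax purely to illustrate the semantics; the function names, sample passwords and patterns are constructed for illustration.

```powershell
# Added example: emulates "the regular expression must match the entire password".
# Assumption: .NET regex syntax is used only to show the semantics; the filter's
# own regex engine may differ in syntax details.
function Test-WholePasswordMatch {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Pattern
    )
    # \A ... \z forces the pattern to consume the whole string, not a substring.
    return [regex]::IsMatch($Password, "\A(?:$Pattern)\z")
}

# Hypothetical helper: applies the "must match" and "must not match" policies.
function Get-RegexPolicyResult {
    param([string]$Password, [string]$MustMatch, [string]$MustNotMatch)
    if ($MustMatch -and -not (Test-WholePasswordMatch $Password $MustMatch)) {
        return 'Rejected: does not match the required expression'
    }
    if ($MustNotMatch -and (Test-WholePasswordMatch $Password $MustNotMatch)) {
        return 'Rejected: matches the prohibited expression'
    }
    return 'Accepted by regex policies'
}

# Constructed sample passwords.
$samples = 'Summer2024!', 'password', 'correct horse battery', 'xPasswordx9'

# Each pair contrasts a substring-style pattern with its whole-string form.
$policies = @(
    @{ Name = 'require \d';           MustMatch    = '\d' }
    @{ Name = 'require .*\d.*';       MustMatch    = '.*\d.*' }
    @{ Name = 'deny [Pp]assword';     MustNotMatch = '[Pp]assword' }
    @{ Name = 'deny .*[Pp]assword.*'; MustNotMatch = '.*[Pp]assword.*' }
)

foreach ($policy in $policies) {
    foreach ($p in $samples) {
        [pscustomobject]@{
            Policy   = $policy.Name
            Password = $p
            Result   = Get-RegexPolicyResult -Password $p `
                           -MustMatch $policy.MustMatch `
                           -MustNotMatch $policy.MustNotMatch
        }
    }
}
```

A substring-style required pattern rejects every sample, while a substring-style prohibited pattern only blocks a password that equals the pattern exactly, so a deny rule written that way silently lets variants through.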
Complexity policies
Passwords must meet the specified number of complexity points
Enable length-based complexity rules
Minimum password length
When enabled, specifies the minimum password length to enforce. If disabled or not configured, no minimum password length is enforced.
Password content policies
Reject passwords that contain the user's account name
When enabled, the filter will reject any password that contains the user's account name, provided the account name is greater than 3 characters in length. If disabled, or set to not configured, the password filter will not reject the password if it contains the user's account name.
Reject passwords that contain any part of the user's display name
When enabled, the filter will reject any password that contains all or part of the user's display name. If disabled, or set to not configured, the password filter will not reject the password if it contains the user's display name.
Reject passwords found in the compromised password store
When enabled, passwords will be rejected if they are found in the compromised password store. If disabled, or set to not configured, the password filter will not evaluate passwords against the compromised password store.
Reject normalized passwords found in the compromised password store
Reject normalized passwords found in the banned word store