Installation

PreviousSetup requirements NextCreating a new store

Last updated 6 months ago

Installation

Download the latest version of the installer from the page.

Installation options

The installer presents several options for you to choose from

Enable password filtering on this computer
PowerShell module
Group policy templates (ADMX)

Enable password filtering on this computer

When you select this option, the installer will register the password filter with the local security authority subsystem (LSASS) on the local computer. After a reboot, Windows will pass all password changes to the filter for validation. Note that you still need an appropriate configured before the filter will be configured to reject any passwords.

When you select this option on a domain controller, this means that the password filter will process any password change or set operations for any user.

Note that as any writable domain controller in a domain can process a password change, the module must be installed on every domain controller.

When you select this option a member server or workstation, enabling this option will mean that password changes for local accounts are checked by the filter for approval. Password changes for domain accounts are always processed by the domain controller, so this setting has no effect for domain account password changes performed on member servers and workstations.

PowerShell module

The PowerShell module allows you to build your store, add passwords and banned words and test passwords against the policy. For managing the password store, the PowerShell module can be installed on any machine that has access to the store folder. For testing passwords, the PowerShell module should be installed on a machine that has the domain's group policy applied to it. In order to audit existing user's passwords against the compromised password store, we recommend installing this module on the domain controller and running the appropriate cmdlet from there.

Group policy templates

Choosing a store path

If you are going to use the compromised password and banned word functionality, you'll need to create a password store. The store is a file-based data structure containing the NTLM hashes of the compromised passwords and banned words.