In this guide, we will look at how to set up Lithnet Password Protection for Active Directory (LPP) from scratch. We'll configure a basic password policy, and integrate the haveibeenpwned.com pwned password data set to prevent users from changing their password to one that is known to be compromised.
- Install the module - You'll need to download and install the application on your writable domain controllers to enable password filtering. You can also install the application on other servers to allow you to use the PowerShell cmdlets and manage the password settings via group policy.
- Create a new store - If you plan on using the compromised password functionality, then once the module is installed you'll need to create the database that contains the compromised passwords. Each domain controller will need access to this store, so this guide will assist you in determining the best way to achieve this.
- Audit existing passwords - As an optional step, you can test the passwords of all existing users in your domain, to see if any of them are in the compromised password store. As these passwords have already been converted to a one-way hash in the Active Directory database, you cannot test other policies such as length and complexity against them.
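The audit step works on hashes alone, which is why it can flag a compromised password but cannot judge length or complexity. The sketch below is an added illustration of that lookup, not Lithnet's code or its store format: it assumes the `HASH:COUNT` text layout of the Pwned Passwords NTLM download, and the function names, account names and hash values are all constructed for the example.

```python
from bisect import bisect_left
from string import hexdigits

# Constructed sample in the HASH:COUNT layout (not real breach entries).
SAMPLE_STORE = """\
0A1B2C3D4E5F60718293A4B5C6D7E8F9:5120
4F3C2B1A09182736455463728190ABCD:17
not-a-hash-line
9E8D7C6B5A4938271605F4E3D2C1B0A9:230041
"""

# Constructed account -> NT hash pairs. Every hash is 32 hex characters
# whatever the password was, so length and character mix are not recoverable.
SAMPLE_ACCOUNTS = {
    "alice": "4f3c2b1a09182736455463728190abcd",
    "bob": "11112222333344445555666677778888",
    "carol": "9E8D7C6B5A4938271605F4E3D2C1B0A9",
    "svc-backup": "",  # account with no hash available
}


def load_store(text):
    """Parse HASH:COUNT lines into sorted parallel lists, skipping bad rows."""
    rows = []
    for line in text.splitlines():
        digest, sep, count = line.strip().partition(":")
        is_hex = len(digest) == 32 and all(c in hexdigits for c in digest)
        if sep and is_hex and count.isdigit():
            rows.append((digest.upper(), int(count)))
    rows.sort()
    return [r[0] for r in rows], [r[1] for r in rows]


def audit(accounts, store):
    """Return (account, breach_count) for hashes found, most exposed first."""
    hashes, counts = store
    findings = []
    for name, digest in accounts.items():
        key = digest.strip().upper()
        i = bisect_left(hashes, key)  # binary search over the sorted hashes
        if key and i < len(hashes) and hashes[i] == key:
            findings.append((name, counts[i]))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for name, seen in audit(SAMPLE_ACCOUNTS, load_store(SAMPLE_STORE)):
        print(f"{name}: password hash appears {seen} times in the breach set")
```

Accounts that appear in the result need a password change; an account that does not appear has only been shown to be absent from the list, not to meet any length or complexity rule.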