Windows Password Filters

Password filters provide a way for you to implement password policy and change notification.
When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made.

Installing and Registering a Password Filter DLL

You can use the password filter to filter domain or local account passwords. To use the password filter for domain accounts, install and register the DLL on each domain controller in the domain.
Perform the following steps to install your password filter. You can perform these steps manually, or you can write an installer to perform these steps. You need to be an Administrator or belong to the Administrator Group to perform these steps.

To install and register a password filter DLL

1. Copy the DLL to the Windows installation directory on the domain controller or local computer.
2. To register the password filter, update the following system registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

If the Notification Packages subkey exists, add the name of your DLL to the existing value data. Do not overwrite the existing values, and do not include the .dll extension.

If the Notification Packages subkey does not exist, add it, and then specify the name of the DLL for the value data. Do not include the .dll extension.

The Notification Packages subkey can list multiple packages.

3. Find the password complexity setting.
In Control Panel, click Performance and Maintenance, click Administrative Tools, double-click Local Security Policy, double-click Account Policies, and then double-click Password Policy.

4. To enforce both the default Windows password filter and the custom password filter, ensure that the Passwords must meet complexity requirements policy setting is enabled. Otherwise, disable the Passwords must meet complexity requirements policy setting.
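
The registration in step 2, as an added PowerShell example (not from the original page or from Microsoft): it appends the DLL name to Notification Packages without overwriting the existing entries, strips the .dll extension, and then lists what is registered together with each file's signature status. The function names, the MyPwdFilter DLL name, and the assumption that the DLL was copied to %SystemRoot%\System32 are illustrative.

```powershell
# Added example; function names and 'MyPwdFilter' are hypothetical.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'Notification Packages'

function Get-PasswordFilterPackage {
    # Return the registered package names (REG_MULTI_SZ); nothing if the value is missing.
    $prop = Get-ItemProperty -LiteralPath $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @() }
    return @($prop.$ValueName | Where-Object { $_ })
}

function Add-PasswordFilterPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    # The value data holds the bare name: drop any path and the .dll extension.
    $package = [IO.Path]::GetFileName($Name) -replace '\.dll$', ''

    # Step 1 comes first. Assumption: the DLL was copied to %SystemRoot%\System32.
    $dll = Join-Path $env:SystemRoot "System32\$package.dll"
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        throw "Copy $package.dll to the Windows directory before registering it."
    }

    $current = @(Get-PasswordFilterPackage)
    if ($current -contains $package) { return }   # already registered; -contains ignores case

    # Append to the existing entries instead of replacing them.
    [string[]]$updated = $current + $package
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "append '$package'")) {
        New-ItemProperty -LiteralPath $LsaKey -Name $ValueName -PropertyType MultiString `
            -Value $updated -Force | Out-Null
    }
}

# Review what LSA will load: each registered name with its file's signature status.
function Test-PasswordFilterPackage {
    foreach ($p in @(Get-PasswordFilterPackage)) {
        $dll = Join-Path $env:SystemRoot "System32\$p.dll"
        $sig = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -LiteralPath $dll).Status }
               else { 'FileMissing' }
        [pscustomobject]@{ Package = $p; Path = $dll; Signature = $sig }
    }
}

# Usage (elevated prompt); -WhatIf shows the change without writing it:
#   Add-PasswordFilterPackage -Name 'MyPwdFilter.dll' -WhatIf
#   Test-PasswordFilterPackage | Format-Table
```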


Password Filter Functions:

The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.

Function => Description
InitializeChangeNotify() => Indicates that a password filter DLL is initialized.
PasswordChangeNotify() => Indicates that a password has been changed.
PasswordFilter() => Validates a new password based on password policy.

Example Usage of Password Filters:
Active Directory (AD) password filters are used to notify custom products of Active Directory password changes when those products need to be notified of AD passwords.


Links:

Password Filters - http://msdn.microsoft.com/en-us/library/ms721882.aspx