PwdFilt.dll

If Active Directory's password complexity is too complex (or not complex enough), MSFT say that you can write your own password complexity function in a DLL.

MSFT explain the procedure here:

They also give a few programming tips for the DLL:

And finally, there is a sample implementation in the Windows SDK. (Link to badly formatted PwdFilt.dll source file)

I added a line to export one of the functions:

extern __declspec(dllexport)
BOOL
NTAPI
PasswordFilter(
    PUNICODE_STRING UserName,
    PUNICODE_STRING FullName,
    PUNICODE_STRING Password,
    BOOL SetOperation
    )

I also changed this ZeroMemory() call

ZeroMemory(CharType, Password->Length);

into this SecureZeroMemory() call:

SecureZeroMemory(CharType, Password->Length);

I think that might be good.

The sample DLL accepts a password if it contains at least two of the three classes upper case letter, lower case letter and digit, or, alternatively, at least one character that is neither a letter nor a digit (like # or !).
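As an added example (not the SDK sample and not my own DLL source), here is a portable C model of the exported PasswordFilter function applying that rule, with the scratch buffer wiped afterwards as in the SecureZeroMemory() change above. It assumes hand-rolled stand-ins for UNICODE_STRING and SecureZeroMemory so that it compiles outside Windows; a real build uses the Windows headers and the NTAPI calling convention instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct {             /* stand-in for Windows' UNICODE_STRING */
    uint16_t  Length;        /* in BYTES, not characters */
    uint16_t  MaximumLength;
    uint16_t *Buffer;        /* UTF-16 code units, not NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;

/* Portable stand-in for SecureZeroMemory: volatile stores keep the
 * compiler from dropping the wipe as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* The sample's rule: at least two of {upper, lower, digit}, or at least one
 * character that is neither letter nor digit. ASCII classes only here (the
 * SDK sample uses GetStringTypeW); the filter runs inside the LSA process,
 * so it bounds its scratch buffer instead of ever faulting. */
int PasswordFilter(PUNICODE_STRING UserName, PUNICODE_STRING FullName,
                   PUNICODE_STRING Password, int SetOperation) {
    (void)UserName; (void)FullName; (void)SetOperation;
    uint8_t cls[256];                   /* per-character class, like CharType */
    size_t nchars = Password->Length / sizeof(uint16_t);
    int upper = 0, lower = 0, digit = 0, other = 0;
    if (nchars > sizeof cls) return 0;  /* refuse rather than overflow */
    for (size_t i = 0; i < nchars; i++) {
        uint16_t c = Password->Buffer[i];
        if (c >= 'A' && c <= 'Z')      { cls[i] = 1; upper = 1; }
        else if (c >= 'a' && c <= 'z') { cls[i] = 2; lower = 1; }
        else if (c >= '0' && c <= '9') { cls[i] = 3; digit = 1; }
        else                           { cls[i] = 4; other = 1; }
    }
    int ok = (upper + lower + digit >= 2) || other;
    secure_zero(cls, sizeof cls);       /* the SecureZeroMemory() step */
    return ok;
}

/* Test helper: run the filter over a plain ASCII string. */
int check_password(const char *s) {
    uint16_t buf[256]; size_t n = strlen(s);
    if (n > 256) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)s[i];
    UNICODE_STRING pw = { (uint16_t)(n * 2), (uint16_t)(n * 2), buf };
    int r = PasswordFilter(NULL, NULL, &pw, 1);
    secure_zero(buf, sizeof buf);       /* don't leave the cleartext behind */
    return r;
}
```

Note that Length counts bytes, not characters; dividing by the code-unit size before indexing is the step most easily got wrong when porting the sample.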

To build the DLL (and assuming you have basic knowledge of how Visual Studio and C work), these pointers might help. They are basically a list of the solutions to some of the many mistakes I made when I did this. Follow at your own peril!

Since all current versions of Windows Server use the x64 architecture, the source file needs to be compiled for that architecture.

  • Build
  • Configuration Manager: create an x64 configuration and use it.

Apparently you also have to statically link a few libraries (the C runtime) that are normally linked dynamically:

  • Project Properties
  • C/C++ Code Generation
  • Runtime Library: Multi-threaded (/MT)

Finally, you have to experiment with the SDK a bit. Install an older version of Visual Studio in case it doesn't work with a current version. (With the wrong version the DLL will compile but it won't work on the domain controller.)

To test the DLL (and to find out if it at least technically works on the domain controller) create a test program like this.

PwdFiltTest

You can find the C# source for this test program here: Link to badly formatted test program source file

Figure out which control is which. (I'll give you a hint: "textPasswordToCheck" is the text box.) You probably want to disable AutoCheck for the checkbox to avoid confusion.

Then take the two compiled programs and copy them into C:\Windows\system32 on your domain controller(s). Or test the DLL locally before you do. And as I said, follow these instructions at your own peril.

 © Andrew Brehm 2016