Custom Password Filter Error Messages

Guest

I'm trying to implement a custom password filter in a 2000 AD domain. I'm
using passwdhk (http://sourceforge.net/projects/passwdhk) to call a perlapp
application I wrote myself. All the components seem to be installed
correctly (passwdhk is registered on the DCs, my perl app is where it needs
to be) and Group Policies have been set. (Password must meet complexity
requirements=Enabled and Minimum password length=8, password history=1)

The filter seems to work just fine. Our password rules are being enforced,
and AD as well as our external system is being updated by my app when a
password is valid.

What's annoying is when the password is rejected by the filter, the user is
presented with, "Your password must be at least 0 characters and cannot
repeat any of your previous 0 passwords. Please type a different password.
Type a password which meets these requirements in both text boxes." The only
reference I've found to this message in the KB has to do with a custom filter
installed without GP settings having been changed to match.

Is there something I can change to at least get a more generic message like
"Your password doesn't conform to complexity requirements"? Our poor users
are gonna be confused enough with our (very basic, but new) password
requirements as it is without Windows asking that their password be at least
0 characters. :)

Thanks!
Joe Richards [MVP]

Unfortunately no, that has always been the downside with the custom filters.

One thing to note, you do not have to have Password must meet complexity
requirements enabled unless you want the Microsoft complexity filter working in
conjunction with your filter.
Joe Richards [MVP]

After looking at the source of that code, be careful. It could have consequences
on the stability and security of your environment. Right off, calling out to
other executables from the LSASS is dangerous and could introduce considerable
instability since you are running in a very sensitive context. Additionally,
this code isn't handling Unicode very well. Finally, no safeguards appear to be
in place to wipe the memory the passwords and usernames are being copied into, so
there could be possible security implications.

joe
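To make the two cautions in the post above concrete, here is an added example of what an LSA password filter entry point looks like when it treats the password as a counted UNICODE_STRING and wipes its own copy before returning. This is not code from the thread or from passwdhk. The UNICODE_STRING and BOOLEAN definitions are local stand-ins so the file builds with any C compiler; on Windows you would delete them, include <windows.h> and <ntsecapi.h>, export PasswordFilter (plus InitializeChangeNotify and PasswordChangeNotify, omitted here) from the DLL, and use SecureZeroMemory instead of secure_wipe. The "8 characters, 3 of 4 character classes" rule and the sample passwords are assumptions for illustration.

```c
/* Added example (not from the thread or passwdhk): an LSA-style
 * PasswordFilter that handles the counted UNICODE_STRING correctly and
 * wipes its local copy of the plaintext. Type definitions below are
 * stand-ins for the Win32 ones so this compiles on any C compiler. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;            /* UTF-16 code unit, as on Windows */
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0

typedef struct _UNICODE_STRING {
    uint16_t Length;        /* bytes in use: NOT characters, NOT terminated */
    uint16_t MaximumLength; /* bytes allocated for Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define MAX_PWD_CHARS 256
#define MIN_PWD_CHARS 8   /* assumed policy, matches the GP in the question */

/* Portable stand-in for SecureZeroMemory: writing through a volatile
 * pointer keeps the compiler from removing the wipe as a dead store. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Count character classes over UTF-16 code units. Only ASCII ranges are
 * classified; anything else counts as "other", so non-Latin passwords are
 * not wrongly rejected as single-class. */
static int char_classes(const WCHAR *s, size_t n)
{
    int upper = 0, lower = 0, digit = 0, other = 0;
    for (size_t i = 0; i < n; i++) {
        WCHAR c = s[i];
        if (c >= 'A' && c <= 'Z')      upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else                           other = 1;
    }
    return upper + lower + digit + other;
}

/* The entry point LSA calls for each proposed password. Returning FALSE
 * rejects it (and the user sees the generic message the thread complains
 * about). SetOperation is TRUE for an administrative reset. */
BOOLEAN PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                       PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    WCHAR copy[MAX_PWD_CHARS + 1];
    size_t nchars;
    BOOLEAN ok;
    (void)AccountName; (void)FullName; (void)SetOperation;

    if (Password == NULL || Password->Buffer == NULL)
        return FALSE;

    /* Length is in bytes. Treating Buffer as a NUL-terminated string would
     * read past its end or stop early at an embedded 0x0000 code unit. */
    nchars = Password->Length / sizeof(WCHAR);
    if (nchars > MAX_PWD_CHARS)
        return FALSE;                     /* reject rather than truncate */

    memcpy(copy, Password->Buffer, Password->Length);
    copy[nchars] = 0;                     /* terminate only our own copy */

    ok = (nchars >= MIN_PWD_CHARS && char_classes(copy, nchars) >= 3) ? TRUE : FALSE;

    /* Whatever the verdict, the plaintext must not linger on LSASS's stack. */
    secure_wipe(copy, sizeof copy);
    return ok;
}

/* Test helpers: build a UNICODE_STRING from constructed sample input and
 * run it through the filter. Not part of a real filter DLL. */
BOOLEAN check_units(const WCHAR *units, size_t n)
{
    UNICODE_STRING us;
    us.Buffer = (WCHAR *)units;
    us.Length = (uint16_t)(n * sizeof(WCHAR));   /* bytes, not chars */
    us.MaximumLength = us.Length;
    return PasswordFilter(NULL, NULL, &us, FALSE);
}

BOOLEAN check_ascii(const char *ascii)
{
    WCHAR buf[MAX_PWD_CHARS + 8];
    size_t n = strlen(ascii);
    if (n > sizeof buf / sizeof buf[0]) return FALSE;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)ascii[i];
    return check_units(buf, n);
}

/* Constructed sample: "Pass" U+00E9 "w0rd" (9 code units, 4 classes). */
BOOLEAN check_sample_unicode(void)
{
    static const WCHAR pw[] = { 'P','a','s','s',0x00E9,'w','0','r','d' };
    return check_units(pw, sizeof pw / sizeof pw[0]);
}
```

The two points to carry over to a real filter are the byte count (Password->Length / sizeof(WCHAR), never wcslen on Buffer) and the unconditional wipe on every exit path once the plaintext has been copied; the same applies to any buffer holding AccountName or FullName.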
ANIXIS

You need to write a client application to do this. The work involved is
substantial. It would be cheaper for you to purchase our Password
Policy Enforcer product. PPE has an optional client component that
displays customizable error messages. It also displays the password
policy on the Change Password dialog, so users can see the password
policy before they enter their password.

Screenshots at: http://www.anixis.com/products/ppe/screens.htm