lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Get-PasswordFilterResult vs Test-IsCompromisedPassword different results #56

Closed MidavSec closed 3 years ago

MidavSec commented 4 years ago

Using Windows Server 2019 and the policy is applied to the Domain Controller directly.

    PS C:\Users\Administrator> Get-PasswordFilterResult -Password "P@ssw0rd" -Username "pwuser" -Fullname "pwuser"
    Approved
    PS C:\Users\Administrator> Test-IsCompromisedPassword -Value P@ssw0rd
    True

Do you know why there is this result? The password is in the store but it can be used by the DC and users. The GPO is linked to the DC directly.

ryannewington commented 4 years ago

@MidavSec

A few things to check:

  1. Where does the Store registry key point to in the key HKEY_LOCAL_MACHINE\SOFTWARE\Lithnet\PasswordFilter? Is it where you expect?

  2. Does the domain controller have read access to this location? If it's a local path, then the SYSTEM account needs read access. If it's a network path, then the DC computer object needs read access.

  3. Are there any errors in the event log from Lithnet Password Protection? The module 'fails open' by default, which means any errors in trying to access the store result in the password being approved, rather than failing every password request.

  4. Can you export the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Lithnet\PasswordFilter\Default, and paste the contents of the reg file here?
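
The four checks in the comment above, scripted as an added example (not part of the original thread or the project's own code). It assumes an elevated session on the domain controller with the Lithnet module loaded; the Application log location and the provider-name filter are assumptions, and the export file path is a placeholder.

```powershell
# Added example: scripted version of the four checks above. Run elevated on the DC.
$key   = 'HKLM:\SOFTWARE\Lithnet\PasswordFilter'
$store = (Get-ItemProperty -Path $key -Name Store -ErrorAction Stop).Store
"1. Store points to: $store"

# 2. This session runs as the logged-on admin, not as SYSTEM or the DC computer
#    account, so a successful read here is not proof the filter can read it.
#    Inspect the ACL for those identities as well.
if (Test-Path -LiteralPath $store) {
    try {
        Get-ChildItem -LiteralPath $store -ErrorAction Stop | Select-Object -First 5 Name
        (Get-Acl -LiteralPath $store).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    } catch {
        Write-Warning "Store exists but cannot be read: $($_.Exception.Message)"
    }
} else {
    Write-Warning "Store path is missing or unreachable from this session."
}

# 3. Recent errors/warnings. Assumption: events land in the Application log
#    under a provider whose name contains 'Lithnet'.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2, 3
    StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like '*Lithnet*' |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 4. Export the policy key for review (output path is a placeholder).
reg export 'HKLM\SOFTWARE\Policies\Lithnet\PasswordFilter\Default' "$env:TEMP\lpp-policy.reg" /y

# Symptom from this issue: store lookup says compromised, filter still approves.
$pw          = 'P@ssw0rd'   # test value from the issue
$compromised = Test-IsCompromisedPassword -Value $pw
$result      = Get-PasswordFilterResult -Password $pw -Username 'pwuser' -Fullname 'pwuser'
if ($compromised -and "$result" -eq 'Approved') {
    Write-Warning 'Compromised password was approved: check policy settings, store access and fail-open errors.'
}
```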

MidavSec commented 4 years ago

@ryannewington

Hi Ryan, thank you very much for this great tool. I found out where the problem was. I used the Shared Folders function from VMware Workstation (it is a FUSE mount), because I created the HIBP and rockyou.txt related database on my host system.

When I tried to re-import rockyou.txt for troubleshooting in the Win2019 guest system, the PowerShell script created a new v3 folder. Afterwards I deleted the v3 folder and replaced it with the one from the host system, and it seems to be working. Thanks!

ryannewington commented 3 years ago

Great! Glad you got it working!