Closed fmoyay closed 1 year ago
@fmoyay
Is HKEY_LOCAL_MACHINE\SOFTWARE\Lithnet\PasswordFilter\Store pointing to the correct location on all DCs?
Does Get-PasswordFilterResult return the expected result?
Also make sure that the DC has access to the password store. SYSTEM needs to have access if it's a local folder, but the DC's computer object needs to have read access if it's on a remote share.
Yes, both servers (W2012 R2) have the same location (C:\Program Files\Lithnet\Active Directory Password\Protection\Store\). When I installed LPP, I put a shared folder; anyway, I have created a store with bannedwords in this default location, but the tests are wrong.
About Get-PasswordFilterResult, the result is approved:
PS C:\Windows\system32> Get-PasswordFilterResult -Password Summer.2023 -Username testlpp -Fullname testlpp
Approved
Regarding permissions, on the default location (C:\Program Files\Lithnet\Active Directory Password\Protection\Store), System has full permissions.
Furthermore, I have a question: Can we link the GPO only in an OU with several test computers, or must we link the GPO in the Domain Controllers OU? Is it possible for me not to apply the bannedword to all users just yet? Before applying it to all users, I want to ensure that it works properly with some of them.
Thank you
It's the DCs that process the password change request, so the GPO has to apply to the DCs, and therefore, it impacts any password change coming into the DC.
If the GPO is not currently applied to the DC, that would be why the filter is approving the password.
Ok, so we can't apply the GPO only for specific users that belong to a specific OU, we have to apply the GPO to the domain controllers OU.
Thank you.
Yes that's correct
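The checks discussed in the replies above (where Store points, whether SYSTEM can read it, and whether the GPO has reached the DC) collected into one read-only script to run on each domain controller. This is an added example, not part of the original thread and not Lithnet's own tooling; treating the presence of a Lithnet key under SOFTWARE\Policies as the sign that the GPO has applied, and the wording of the verdict, are assumptions.

```powershell
# Added diagnostic: run in an elevated PowerShell session on each DC. Reads only, changes nothing.
# Registry locations are the ones quoted in this thread.
$filterKey = 'HKLM:\SOFTWARE\Lithnet\PasswordFilter'
$policyKey = 'HKLM:\SOFTWARE\Policies\Lithnet'   # assumption: created when the Lithnet GPO applies

# 1. Only domain controllers process domain password changes.
#    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# 2. Where does the Store value point on this machine?
$store = (Get-ItemProperty -Path $filterKey -Name Store -ErrorAction SilentlyContinue).Store

# 3. Has any Lithnet policy been delivered to this machine?
$policyApplied = Test-Path -Path $policyKey

# 4. Local store: confirm an Allow rule granting read to SYSTEM (SID S-1-5-18).
#    Remote share: the DC's computer object needs read access; that has to be
#    checked on the file server, because this session runs as the admin user.
$storeExists = $false
$systemCanRead = 'n/a'
if ($store) {
    $storeExists = Test-Path -LiteralPath $store
    if ($storeExists -and $store -notlike '\\*') {
        $read  = [System.Security.AccessControl.FileSystemRights]::Read
        $rules = (Get-Acl -LiteralPath $store).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        $systemCanRead = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-18' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $read) -eq $read
        })
    }
}

# 5. One-line verdict, most fundamental problem first.
$verdict = if (-not $isDc)                { 'Not a DC: run this on the domain controllers' }
           elseif (-not $store)           { 'Store value missing under the PasswordFilter key' }
           elseif (-not $storeExists)     { 'Store path not reachable from this session' }
           elseif ($systemCanRead -eq $false) { 'SYSTEM has no read access to the store' }
           elseif (-not $policyApplied)   { 'No Lithnet policy key: GPO is not applying to this DC' }
           else                           { 'Registry, store and policy key look consistent' }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    IsDC          = $isDc
    Store         = $store
    StoreExists   = $storeExists
    SystemCanRead = $systemCanRead
    PolicyApplied = $policyApplied
    Verdict       = $verdict
} | Format-List
```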
The Lithnet password protection is not working properly. I created the store and added the bannedword; the test result is true, but any user can use that word later. In the logs, the event ID 3 with the message "The password filter has been successfully loaded" is fine.
I reviewed the regedit (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Lithnet\PasswordFilter\Store) and the store appears to be the default installation route; however, I tested this route and the problem persists. I discovered that the Lithnet folder did not appear in the regedit policies folder (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES).
I'm not sure what's wrong. Could you please assist me?
Thank you very much.