lithnet/ad-password-protection

Passwords not being rejected when found in compromised password store

bezzoh opened this issue · 2 comments

I have set this up for one of my domains today and imported the latest hashed PW list from HIBP.

I have applied policies as per the 1st screenshot below. Complexity policies all work just fine, as does detection of usernames, etc... but compromised passwords are being accepted. PowerShell queries (Get-PasswordFilterResult) acknowledge that passwords I'm attempting are compromised, and even log to event viewer when doing so (see 2nd screenshot). However if I reset such a password, either as a user on a PC or admin in ADUC, compromised passwords are accepted without complaint.

(1st screenshot, 2022-12-15 15:39:51)

(2nd screenshot, 2022-12-15 15:41:55)

@bezzoh

Are there any event log entries from the password filter?

My guess would be that the DC doesn't have permission to read the password store. If it's stored locally to the DC, make sure SYSTEM has read access. If it's on a network share, make sure the Domain Controllers group has read permission to the share.
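A quick way to verify the permission problem described above, as an added example that is not code from this thread or from the ad-password-protection project. It assumes `$StorePath` is the folder the filter is configured to read, that `$env:USERDOMAIN` holds the domain's NetBIOS name when run on the DC, and that `Get-Acl` on a DFS path returns the NTFS ACL of the referral target; `Test-PasswordStoreAccess` is a hypothetical name.

```powershell
# Added example, not from the project. Run on the DC as an administrator.
# Checks whether the identity the password filter runs as has an explicit
# NTFS read entry on the store path. Only direct ACEs are inspected:
# share-level permissions and nested group membership are not resolved.
function Test-PasswordStoreAccess {
    param([Parameter(Mandatory)][string] $StorePath)

    # The filter runs inside LSASS as LocalSystem. On a local path that is
    # SYSTEM; over the network it authenticates as the DC's computer account,
    # which the Domain Controllers group covers (assumption: $env:USERDOMAIN
    # is the domain NetBIOS name on the DC).
    $principal = if ($StorePath -like '\\*') {
        "$env:USERDOMAIN\Domain Controllers"
    } else {
        'NT AUTHORITY\SYSTEM'
    }

    if (-not (Test-Path -LiteralPath $StorePath)) {
        throw "Store path not found: $StorePath"
    }

    # 'Read' covers ReadData/ListDirectory plus attribute and ACL reads,
    # which is what the filter needs to open the hashed password files.
    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -LiteralPath $StorePath).Access |
        Where-Object { $_.IdentityReference.Value -ieq $principal }

    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)
    }
    $deny = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }

    [pscustomobject]@{
        StorePath = $StorePath
        Principal = $principal
        HasRead   = ([bool]$allow) -and (-not $deny)
        Entries   = $rules   # the matching ACEs, for inspection
    }
}

# Constructed sample path mirroring the thread: a DFS share that was granted
# to Domain Users but not to Domain Controllers will report HasRead = False.
Test-PasswordStoreAccess -StorePath '\\contoso.example\dfs\PasswordStore' |
    Format-List StorePath, Principal, HasRead
```

If `HasRead` is false, grant the Domain Controllers group (or SYSTEM for a local store) Read on both the NTFS folder and, for a share, the share permissions, then re-test with Get-PasswordFilterResult.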

Nailed it! Thanks Ryan. The network share was on a DFS cluster and I had domain 'users' with read... not domain controllers. Awesome.