April 8, 2025

How to Block Common (Weak) Passwords in Active Directory

The default Active Directory password policy (the Default Domain Policy) lets you set only the most basic requirements for domain users: minimum length, password age and history, and complexity. Enabling the password complexity option, which requires a mix of uppercase and lowercase letters, numbers, and special characters, does not stop users from choosing easily guessable passwords such as Qwerty123456, P@ssw0rd, or March2025. These passwords satisfy the complexity rule but remain vulnerable to dictionary and password-spraying attacks because they are predictable.

This guide explains how to create and enforce banned password lists in an on-premises Active Directory domain, preventing users from setting weak or compromised passwords and protecting accounts from dictionary and brute-force attacks.​

Contents:
  • Banned Password List with AD Password Filter (PassFiltEx)
  • Block Weak and Compromised Passwords with Lithnet Password Protection

Banned Password List with AD Password Filter (PassFiltEx)

First, let’s look at PassFiltEx, a lightweight open-source password filter DLL that provides a simple way to block common weak passwords in Active Directory.

When an AD user’s password is set or changed, the LSA (lsass.exe) on the domain controller that processes the operation passes the new password in plaintext to every password filter DLL listed in its Notification Packages registry value. If any filter rejects the password, the change fails with a “password does not meet the policy requirements” error. PassFiltEx plugs into this chain transparently as one more filter.

To implement PassFiltEx, download two files from the project’s GitHub page (https://github.com/ryanries/PassFiltEx) and copy them to the %SystemRoot%\System32 directory on a domain controller.

  • PassFiltEx.dll – PassFiltEx library file
  • PassFiltExBlacklist.txt – a plain text file containing the passwords you want to deny in AD
Some important points:

  • PassFiltEx reloads the blocklist file every 60 seconds
  • The patterns in PassFiltExBlacklist.txt are matched case-insensitively (MyPassword and mypassword are treated as the same pattern)
  • Unicode characters are not currently supported


Then, open the Registry Editor, go to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key, and add the PassFiltEx value to the end of the Notification Packages multi-string parameter.


Restart the domain controller to apply the new password filter. Verify that the lsass process loads the PassFiltEx library.

tasklist /m PassFiltEx.dll


Now, if the user tries to change the password to any one that matches one of the patterns in the password blacklist, an error will appear stating that the password doesn’t meet the password policy requirements.


If you have multiple domain controllers, configure the same password filter on each of them: the filter runs only on the DC that processes the password change, so a DC without it enforces nothing. Two caveats are worth keeping in mind. A password filter DLL runs inside lsass.exe as SYSTEM and receives every new password in plaintext, so verify the integrity of the DLL you download (compare its hash with the project release) and restrict write access to the DLL and the blocklist file. And if LSA Protection (RunAsPPL) is enabled on the DC, LSA loads only plug-ins that carry a Microsoft signature; check the project documentation for whether a given filter DLL is supported in that configuration.
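The deployment steps above, scripted for all writable domain controllers, as an added example that is not part of the article or the PassFiltEx project. It verifies the DLL hash before copying, appends PassFiltEx to Notification Packages without duplicating or overwriting existing entries, and reports whether lsass has already loaded the module. The source directory and the expected hash placeholder are assumptions you must fill in from your own verified download.

```powershell
# Added example: deploy PassFiltEx to every writable DC and register it as a password filter.
# Requires the ActiveDirectory module, WinRM to the DCs, and admin rights on them.
# $SourceDir and $ExpectedDllHash are assumptions: point them at your verified download.

$SourceDir       = 'C:\Deploy\PassFiltEx'            # holds PassFiltEx.dll and PassFiltExBlacklist.txt
$ExpectedDllHash = 'REPLACE-WITH-SHA256-FROM-PROJECT-RELEASE'   # hypothetical placeholder
$FilterName      = 'PassFiltEx'

# Never load an unverified DLL into lsass.exe: compare the hash first.
$actualHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $SourceDir 'PassFiltEx.dll')).Hash
if ($actualHash -ne $ExpectedDllHash) {
    throw "PassFiltEx.dll hash $actualHash does not match the expected value; aborting deployment."
}

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }).HostName

foreach ($dc in $dcs) {
    # admin$ maps to %SystemRoot% on the remote DC
    $dest = "\\$dc\admin$\System32"
    Copy-Item -Path (Join-Path $SourceDir 'PassFiltEx.dll')           -Destination $dest -Force
    Copy-Item -Path (Join-Path $SourceDir 'PassFiltExBlacklist.txt')  -Destination $dest -Force

    $result = Invoke-Command -ComputerName $dc -ArgumentList $FilterName -ScriptBlock {
        param($FilterName)
        $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
        $changed  = $false
        if ($packages -notcontains $FilterName) {
            # Append to the existing REG_MULTI_SZ rather than replacing it: other
            # filters (at least the built-in scecli) are listed here too.
            Set-ItemProperty -Path $lsaKey -Name 'Notification Packages' -Type MultiString `
                             -Value ($packages + $FilterName)
            $changed = $true
        }
        # Module enumeration on lsass needs admin rights and fails when LSA Protection
        # (RunAsPPL) is enabled, so treat $false as "unknown" in that case.
        $loaded = [bool](Get-Process -Name lsass -Module -ErrorAction SilentlyContinue |
                         Where-Object { $_.ModuleName -ieq "$FilterName.dll" })
        [pscustomobject]@{ RegistryChanged = $changed; LoadedInLsass = $loaded }
    }
    '{0}: registryChanged={1} loadedInLsass={2}' -f $dc, $result.RegistryChanged, $result.LoadedInLsass
}
# A DC reporting registryChanged=True still needs a reboot before loadedInLsass turns True.
```

Run it from an admin workstation after each change to the DLL; the blocklist file itself can be updated in place, since PassFiltEx re-reads it every 60 seconds.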

Using registry options in the HKLM\SOFTWARE\PassFiltEx reg key (created automatically), you can configure additional PassFiltEx password filter settings:

  • BlacklistFileName (REG_SZ) – path to the file containing the banned passwords. (default is %SystemRoot%\System32\PassFiltExBlacklist.txt ). A UNC path can be used here, which allows the file to be stored in the SYSVOL (to use a single password blacklist file that is automatically replicated between DCs)
  • TokenPercentageOfPassword (REG_DWORD) – the minimum share of the new password that a matching blocklist entry must account for before the password is rejected (default 60). Matching is a case-insensitive substring check: with the entry MyPasswd in the blocklist, the password MyPasswd2025 is rejected because the 8-character token makes up 66% of the 12-character password. A much longer password that merely contains the token can still pass, so the blocklist is a complement to, not a replacement for, a sensible minimum length.
  • Debug – If set to 1, it enables debug mode (all actions are logged to a text file).
  • BlockSequentialChars – block the use of character sequences in the password, such as abcd or 1234.
  • BlockRepeatingChars — block sequences of identical characters like AAAA, 2222.

Information about other registry options can be found on the project’s GitHub page.
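To see what the TokenPercentageOfPassword setting actually lets through, here is an added example, not part of the article or the PassFiltEx project, that approximates the filter’s decision in PowerShell so you can test a candidate blocklist before it goes live. It assumes a case-insensitive substring match and rejection when the matched token’s length is at least the configured percentage of the password length, as described above; the real check happens inside lsass, and integer rounding may differ slightly.

```powershell
# Added example: approximate PassFiltEx blocklist matching for offline testing of a blocklist.
# Assumption: case-insensitive substring match, reject when token length / password length
# reaches TokenPercentageOfPassword percent. This is a simulation, not the filter itself.

function Test-PassFiltExCandidate {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$Blocklist,
        [int]$TokenPercentageOfPassword = 60
    )
    $lower = $Password.ToLowerInvariant()
    foreach ($entry in $Blocklist) {
        $token = $entry.Trim().ToLowerInvariant()
        if ([string]::IsNullOrEmpty($token)) { continue }   # skip blank lines in the file
        if ($lower.Contains($token)) {
            $share = [math]::Floor(100 * $token.Length / $Password.Length)
            if ($share -ge $TokenPercentageOfPassword) {
                return [pscustomobject]@{ Password = $Password; Rejected = $true; Token = $token; TokenShare = $share }
            }
        }
    }
    [pscustomobject]@{ Password = $Password; Rejected = $false; Token = $null; TokenShare = 0 }
}

# Constructed sample blocklist; in production read it with Get-Content PassFiltExBlacklist.txt
$blocklist = @('mypasswd', 'qwerty', 'p@ssw0rd', 'march2025')

@('MyPasswd2025', 'MyPasswd-but-much-longer-now!', 'Qwerty123456', 'Xk9#vL2$pQ7n') |
    ForEach-Object { Test-PassFiltExCandidate -Password $_ -Blocklist $blocklist } |
    Format-Table -AutoSize
# MyPasswd2025: 8/12 = 66% -> rejected.  MyPasswd-but-much-longer-now!: 8/29 = 27% -> passes.
# Qwerty123456: 6/12 = 50% -> passes with the default 60%, so a bare 'qwerty' entry does not
# catch the article's own example; add longer variants or lower the threshold.
```

The last case is the one to remember: the blocklist entry must cover most of the password, so short tokens like qwerty or admin catch far less than you might expect unless you lower TokenPercentageOfPassword or list the common suffixed variants explicitly.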

Block Weak and Compromised Passwords with Lithnet Password Protection

Lithnet Password Protection for Active Directory (LPP) is an enterprise-grade solution for blocking weak and compromised passwords in Active Directory. It extends the AD password policy with additional rules, blocks passwords by banned words and patterns or by password hash (so a database of compromised passwords can be imported from external sources), and can be managed through Group Policy and PowerShell.

The Lithnet Password Protection for Active Directory agent should be installed on each domain controller (https://github.com/lithnet/ad-password-protection).


Then use PowerShell to add prohibited passwords and keywords to the LPP store. Import the module into your PowerShell session:

Import-Module LithnetPasswordProtection

Add a word you want to block from being used in AD user passwords.

Add-BannedWord -Value "admin"

You can import the list of banned keywords from a text file:

Import-BannedWords -Filename "c:\temp\blacklistpwd.txt"

Check LPP database for banned word:

Test-IsBannedWord -value admin


Use the Get-PasswordFilterResult cmdlet to test whether the password that you typed complies with the password policy:

Get-PasswordFilterResult -Password "Admin321" -Username jsmith -Fullname "John Smith"

Compromised


Get-PasswordFilterResult -Password "Adm123n!" -Username jsmith -Fullname "John Smith"

Approved


In the first case the password contains the banned keyword admin (the match is case-insensitive), so the policy rejects it; in the second the keyword is broken up by digits, no rule matches, and the password is approved.

The LPP store is a file-based database of password hashes (its binary layout makes lookups fast). By default the store files are kept in the C:\Program Files\Lithnet\Active Directory Password Protection\Store\v3\p directory. Active Directory does not replicate this directory, so you need to replicate the store between domain controllers yourself, for example with DFS-R, otherwise only the DC you imported the data on will enforce it.

Lithnet Password Protection can import compromised passwords from the “Have I Been Pwned” (HIBP) service into the local store, which prevents users from choosing passwords already exposed in data breaches. Expect the hash dictionary to take about 8 GB of disk space on the DC.

Sync-HashesFromHibp

To automatically synchronize the local database with HIBP, run the Sync-HashesFromHibp PowerShell command periodically by using a Task Scheduler.
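The scheduled task mentioned above, as an added example that is not part of the article or the Lithnet project. It registers a weekly task running as SYSTEM that reloads the module and calls Sync-HashesFromHibp; the task name, schedule and log path are assumptions.

```powershell
# Added example: weekly HIBP refresh of the LPP store via Task Scheduler, running as SYSTEM.
# Task name, schedule and $logPath are assumptions; adjust to your environment.

$taskName = 'Lithnet-HIBP-Sync'
$logPath  = 'C:\ProgramData\Lithnet\hibp-sync.log'   # hypothetical log location

# $logPath is expanded now; the Get-Date call is deferred until the task runs.
$command = 'Import-Module LithnetPasswordProtection; Sync-HashesFromHibp; ' +
           "Add-Content -Path '$logPath' -Value ((Get-Date -Format o) + ' sync finished')"

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$command`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# The HIBP download is several gigabytes; allow a generous time limit and catch up on missed runs.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force

# Confirm the task exists and run it once by hand to populate the store
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
```

Register the task on a single DC and let your store replication (DFS-R or equivalent) distribute the result; every DC pulling its own copy from HIBP multiplies the download and can leave the stores out of step.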

Or import hashes from a text file:
Import-CompromisedPasswordHashes -Filename "c:\ps\pwned-ntlm-hashs.txt"

Check if the specific password or user’s UPN is in the database of compromised passwords.

Test-IsCompromisedPassword -value MyAdminl0veSme
Test-IsADUserPasswordCompromised -upn [email protected]
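Checking users one at a time is tedious; the following added example, not part of the article or the Lithnet project, audits every enabled domain user with the Test-IsADUserPasswordCompromised cmdlet shown above and writes a CSV of the hits. The cmdlet obtains the account’s password hash through directory replication, so it has to run under an account that holds the Replicating Directory Changes All right on the domain (for example as a Domain Admin on a DC), and the activity looks like DCSync to detection tooling: tune the alert for the scheduled run, not for the technique. The report path and the assumption that every user has a UPN are mine.

```powershell
# Added example: domain-wide audit of current passwords against the LPP compromised store.
# Needs the ActiveDirectory and LithnetPasswordProtection modules and replication rights.
# $reportPath is a hypothetical location.

Import-Module ActiveDirectory
Import-Module LithnetPasswordProtection

$reportPath = 'C:\Reports\compromised-passwords.csv'

$results = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, PasswordLastSet |
    Where-Object { $_.UserPrincipalName } |     # accounts without a UPN cannot be queried this way
    ForEach-Object {
        $user = $_                              # keep a reference; $_ changes inside catch
        try {
            $compromised = Test-IsADUserPasswordCompromised -upn $user.UserPrincipalName
        } catch {
            Write-Warning "Could not test $($user.UserPrincipalName): $($_.Exception.Message)"
            return                              # skip this user, continue the pipeline
        }
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            PasswordLastSet   = $user.PasswordLastSet
            Compromised       = [bool]$compromised
        }
    }

$results | Export-Csv -Path $reportPath -NoTypeInformation

# Show who needs a forced change; PasswordLastSet tells you how stale the password is
$results | Where-Object Compromised | Sort-Object PasswordLastSet |
    Select-Object UserPrincipalName, PasswordLastSet | Format-Table -AutoSize
```

Follow up the hits with Set-ADUser -ChangePasswordAtLogon $true rather than resetting the passwords yourself, and keep the CSV under the same access controls as the store, since it names accounts whose passwords are known to be public.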

Administrative template files (ADMX) are available to manage LPP settings via GPO. By default, the ADMX templates can be found in the %WINDIR%\PolicyDefinitions\ directory on a DC with an LPP agent (you can copy them to the central GPO store):

  • lithnet.activedirectory.passwordfilter.admx
  • lithnet.admx
  • \en-us\lithnet.activedirectory.passwordfilter.adml
  • \en-us\lithnet.adml

To have the LPP agent check a user’s password against the blacklist password dictionary when the user changes the password, create a GPO for domain controllers with the following minimum settings under Computer Configuration -> Administrative Templates -> Lithnet ->Password Protection for Active Directory -> Default Policy section.

  • Reject passwords found in the compromised password store – Enabled, with both sub-options, Enable for password set operations and Enable for password change operations, turned on so that the check applies to administrative resets as well as user-initiated changes.
  • Reject normalized password found in the compromised password store (deny normalized passwords, for example, WOSHub and woshub)


Other GPO options can be enabled/disabled depending on your security needs.

Restart the domain controller to update the GPO settings. This will also add the lithnetpwdf password filter to the registry key specified above.


Now, when trying to change (reset) an AD user’s password, an additional check is performed to see if the password is in the dictionary of forbidden passwords. For example, Windows 11 displays the following error:

The password on this account cannot be changed at this time

This is not very user-friendly: the generic message does not tell the user that the new password was rejected by the dictionary check rather than by some other problem, so publish the password rules to users in advance and brief the help desk on what this error means.


If you have an Entra ID P1 or P2 subscription and sync with your on-premises Active Directory, you can create a list of banned passwords in the Microsoft cloud. The Microsoft Entra Password Protection Proxy Service and Microsoft Entra Password Protection DC Agent can apply these security settings to on-premises AD accounts. See Password policy in Entra ID (ex-Azure AD).

We’ve explored how to improve Active Directory security by implementing open-source solutions that prevent the use of weak, leaked, or common passwords that are not typically blocked by default AD password policy.
