PasswordFilter callback function

The PasswordFilter function is implemented by a password filter DLL. The value returned by this function determines whether the new password is accepted by the system. All of the password filters installed on a system must return TRUE for the password change to take effect.

Syntax


BOOLEAN PasswordFilter(
  _In_  PUNICODE_STRING AccountName,
  _In_  PUNICODE_STRING FullName,
  _In_  PUNICODE_STRING Password,
  _In_  BOOLEAN SetOperation
);

Parameters

AccountName [in]

Pointer to a UNICODE_STRING that represents the name of the user whose password changed.

FullName [in]

Pointer to a UNICODE_STRING that represents the full name of the user whose password changed.

Password [in]

Pointer to a UNICODE_STRING that represents the new plaintext password. When you have finished using the password, clear it from memory by calling the SecureZeroMemory function. For more information on protecting the password, see Handling Passwords.

SetOperation [in]

TRUE if the password was set rather than changed.

Return value

Return codeDescription
TRUE

Return TRUE if the new password is valid with respect to the password policy implemented in the password filter DLL. When TRUE is returned, the Local Security Authority (LSA) continues to evaluate the password by calling any other password filters installed on the system.

FALSE

Return FALSE if the new password is not valid with respect to the password policy implemented in the password filter DLL. When FALSE is returned, the LSA returns the ERROR_ILL_FORMED_PASSWORD (1324) status code to the source of the password change request.

 

Remarks

Password change requests may be made when users specify a new password, accounts are created and when administrators override a password.

This function must use the __stdcall calling convention and must be exported by the DLL.

When the PasswordFilter routine is running, processing is blocked until the routine is finished. When appropriate, move any lengthy processing to a separate thread prior to returning from this routine.

This function is called only for password filters that are installed and registered on a system.

Any process exception that is not handled within this function may cause security-related failures system-wide. Structured exception handling should be used when appropriate.

For information aboutSee
Programming issues when implementing a password filter DLL Password Filter Programming Considerations
How to install and register your own password filter DLL Installing and Registering a Password Filter DLL
The password filter DLL provided by Microsoft Strong Password Enforcement and Passfilt.dll

 

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Ntsecapi.h

See also

InitializeChangeNotify
PasswordChangeNotify

 

 

Community Additions

ADD
Show:
© 2014 Microsoft