Password Hygiene Filter for Active Directory
The MyPass Password Hygiene Filter is an optional add-on for MyPass Cloud customers, designed to enhance and align multi-vendor password policies through a lightweight agent installed on Microsoft Active Directory Domain Controllers. It can operate standalone or alongside other MyPass components.
Key Features
- Installs in under 15 minutes as an Active Directory add-on
- Supplements AD Group Policies (doesn't override them)
- Supports Normal or Silent Mode deployments
- Should be installed on all domain controllers to be effective
- Works for both Password Reset and Password Change
- Logs to Windows Server Event Log
- Configured using a simple XML file for custom rules (dictionary, regex, etc.)
Supported Platforms
The filter is distributed as a single MSI installer and supports the following Windows Server versions:
| Operating Systems | Limitations |
|---|---|
| Windows Server 2008 / 2008 R2 (32/64-bit) | None |
| Windows Server 2012 / 2012 R2 (64-bit) | None |
| Windows Server 2016 (version 1607) | None |
| Windows Server 2019 (version 1809) | None |
| Windows Server 2022 | None |
| Windows Server 2025 | None |
Important: Installation integrates with Windows LSA. A reboot is required after installation to activate the filter.
ECMAScript Regex Engine (v3.5.1.4+)
From version 3.5.1.4 onward, the regex engine used in rule files has changed to ECMAScript. Unless you’ve customized rules deeply, they should work without change.
Read more: ECMAScript Regex Reference
Installation Steps (GUI Mode)
- Log in with an account that has administrative privileges.
- Launch FastPass-PasswordFilter.msi.
- Follow the InstallShield Wizard → Click Next, accept the license, and confirm installation.
- Once complete, click Finish.
- Reboot the server to activate the filter.
Silent Installation (Command Line)
Ensure Microsoft Visual C++ 2010 Redistributable Package (x86) is installed before running silent installs.
Silent install command examples:
FastPass-PasswordFilter.msi /s /v"/qn"
FastPass-PasswordFilter.msi /s /v"/qn INSTALLDIR=C:\PasswordFilter"
Uninstalling
Uninstall from Control Panel → Programs.
A reboot is required to fully remove it from Windows LSA integration.
Password Filter Configuration
Configuration File Location
<drive>\FastPassCorp\Configuration\FastPassPasswordFilter\PasswordFilterRules.xml
This XML file defines:
- Event logging level
- Supported operations (change/reset)
- Password rule filters (regex, keywords, group-based logic)
Basic File Structure
<?xml version="1.0" encoding="UTF-8"?>
<filterrules>
  <configuration>
    <loglevel>2</loglevel>
    <Operations>
      <PasswordChange>false</PasswordChange>
      <PasswordReset>true</PasswordReset>
    </Operations>
  </configuration>
  <filters>
    <!-- Example rules here -->
  </filters>
</filterrules>
Logging Levels
| Level | Description |
|---|---|
| 0 | Verbose (everything) |
| 1 | Information, warnings, errors |
| 2 | Only errors (default) |
| 3 | Warnings and errors |
Supported Operations
| Operation | Effect if Enabled |
|---|---|
| PasswordChange | Rules apply on password change (via Ctrl+Alt+Del etc.) |
| PasswordReset | Rules apply on password reset (via helpdesk, tools) |
Filter Rules – Examples
<filters>
  <!-- Deny common passwords -->
  <filter match="no" ignorecasing="true">.*(p[a@]ssw[o0]rd|qwerty|123).*</filter>
  <!-- Minimum length: 8 -->
  <filter match="yes">^.{8,}$</filter>
  <!-- Accounts whose name starts with az: password must be exactly 8 alphanumeric characters -->
  <filter match="yes" accountnamepattern="^az.*$">^[a-zA-Z0-9]{8,8}$</filter>
  <!-- Apply only to group members -->
  <filter match="yes" groupnamepattern="^FilterGroup$" groupnamepatternmatch="True">^.{8,}$</filter>
  <!-- Apply AccountNameCheck only to users who are not members of the group -->
  <filter match="yes" groupnamepattern="^FilterGroup$" groupnamepatternmatch="False" valuetype="Keyword">AccountNameCheck</filter>
  <!-- AD Password Complexity (keyword rules) -->
  <filter match="yes" valuetype="Keyword">AccountNameCheck</filter>
  <filter match="yes" valuetype="Keyword">FullNameCheck</filter>
  <filter match="yes" valuetype="Keyword">CharacterVarianceCheck</filter>
</filters>
Rule Behavior & Notes
Each <filter> rule includes:
- match="yes" → Must match
- match="no" → Must not match
- ignorecasing="true" → Case-insensitive
- groupnamepattern → Applies to users in a named group
- valuetype="Keyword" → Enables special internal checks
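An added example (not MyPass code) for checking candidate passwords against the regex rules offline, before a rules file is placed on a domain controller. It assumes JavaScript's RegExp is a close stand-in for the filter's ECMAScript engine and that every applicable rule must pass; keyword and group rules are skipped because they need AD data, and the sample rules and function names are constructed here.

```javascript
// Constructed sample rules using the attribute names shown on this page.
const SAMPLE_RULES = `
<filters>
  <filter match="no" ignorecasing="true">.*(p[a@]ssw[o0]rd|qwerty|123).*</filter>
  <filter match="yes">^.{8,}$</filter>
  <filter match="yes" accountnamepattern="^az.*$">^[a-zA-Z0-9]{8,8}$</filter>
  <filter match="yes" valuetype="Keyword">AccountNameCheck</filter>
</filters>`;

// Undo the XML escaping a pattern needs when it contains &, < or >.
const unescapeXml = (s) =>
  s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");

// Pull out <filter> elements. Enough for this flat format; not a general XML parser.
function parseFilters(xml) {
  const rules = [];
  for (const [, attrText, body] of xml.matchAll(/<filter\b([^>]*)>([\s\S]*?)<\/filter>/g)) {
    const attrs = {};
    for (const [, name, value] of attrText.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[name.toLowerCase()] = unescapeXml(value);
    }
    rules.push({ attrs, pattern: unescapeXml(body.trim()) });
  }
  return rules;
}

// Assumed semantics: a password is accepted only if every applicable rule passes.
function evaluate(rules, accountName, password) {
  const failures = [];
  const skipped = [];
  for (const { attrs, pattern } of rules) {
    // Keyword and group-scoped rules need AD data, so they are reported, not evaluated.
    if (attrs.valuetype === "Keyword" || attrs.groupnamepattern) {
      skipped.push(pattern);
      continue;
    }
    // accountnamepattern limits the rule to matching account names.
    if (attrs.accountnamepattern && !new RegExp(attrs.accountnamepattern).test(accountName)) continue;
    const flags = attrs.ignorecasing === "true" ? "i" : "";
    const matched = new RegExp(pattern, flags).test(password);
    if (matched !== (attrs.match === "yes")) failures.push(pattern);
  }
  return { accepted: failures.length === 0, failures, skipped };
}

const rules = parseFilters(SAMPLE_RULES);
console.log(evaluate(rules, "jsmith", "Winter-abc12345")); // rejected: contains "123"
```

The constructed password in the last line shows how broad the `123` alternative in the deny rule is: any password containing that digit run is rejected, whatever else it contains.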
Example Rules
| Rule | Description |
|---|---|
| Rule 1 | Require at least 6 characters |
| Rule 2 | Deny common passwords like p@ssw0rd, qwerty, 123 |
| Rule 3 | Require special characters |
| Rule 4 | Require uppercase letters |
| Rule 5 | Require lowercase letters |
| Rule 6 | Demand Unicode characters (for example, accented letters) |
| Rule 7 | Apply rule only to users with usernames starting with az |
| Rule 8 | Apply only to members of a specific AD group |
| Rule 9 | Apply rule to an entire group |
| Rule 10 | Apply rule to users not in a specific group |
| Rule 11 | Enforce Active Directory complexity using AccountNameCheck, FullNameCheck, and CharacterVarianceCheck |
More info on Microsoft’s AD complexity: TechNet – Password Policy