Password Hygiene Filter for Active Directory
The MyPass Password Hygiene Filter is an optional add-on for MyPass Cloud customers. It is a lightweight password-filter agent installed on Microsoft Active Directory Domain Controllers that lets you enforce one consistent password policy across all the vendors and tools that set or reset AD passwords. It can operate standalone or alongside other MyPass components.
Quick Implementation Pointers
- Review Key Features & Supported Platforms
- Install the Filter on Domain Controllers
- Configure Filter Rules
Key Features
- Installs in under 15 minutes as an Active Directory add-on
- Supplements AD Group Policies (doesn't override them): a new password must satisfy both the domain policy and the filter rules
- Supports Normal or Silent Mode deployments
- Must be installed on every domain controller to be effective: the filter only sees password operations processed by the DC it runs on, so a DC without it accepts passwords the others would reject
- Works for both Password Reset and Password Change
- Logs to the Windows Server Event Log
- Configured using a simple XML file for custom rules (dictionary, regex, etc.)
Supported Platforms
The filter is distributed as a single MSI installer and supports the following Windows Server versions:
| Operating System | Limitations |
|---|---|
| Windows Server 2008 / 2008 R2 (32/64-bit) | None |
| Windows Server 2012 / 2012 R2 (64-bit) | None |
| Windows Server 2016 (version 1607) | None |
| Windows Server 2019 (version 1809) | None |
| Windows Server 2022 | None |
| Windows Server 2025 | None |
Installation
The installer registers the filter with the Windows Local Security Authority (LSA). LSA loads password filters at startup, so a reboot is required after installation before the filter takes effect.
GUI Installation
- Log in with an account that has administrative privileges.
- Launch FastPass-PasswordFilter.msi.
- Follow the InstallShield Wizard: click Next, accept the license, and confirm installation.
- Once complete, click Finish.
- Reboot the server to activate the filter.
Silent Installation (Command Line)
Ensure the Microsoft Visual C++ 2010 Redistributable Package (x86) is installed before running a silent install. In the commands below, /s runs the InstallShield setup silently and the quoted string after /v is passed through to the Windows Installer, where /qn suppresses the MSI user interface and INSTALLDIR overrides the default install folder:
FastPass-PasswordFilter.msi /s /v"/qn"
FastPass-PasswordFilter.msi /s /v"/qn INSTALLDIR=C:\PasswordFilter"
Uninstalling
Uninstall from Control Panel → Programs. A reboot is required to fully remove it from Windows LSA integration.
Configuration
Configuration File
<drive>\FastPassCorp\Configuration\FastPassPasswordFilter\PasswordFilterRules.xml
This XML file defines the event logging level, supported operations, and all password rule filters (regex, keywords, group-based logic).
File Structure
<?xml version="1.0" encoding="UTF-8"?>
<filterrules>
  <configuration>
    <loglevel>2</loglevel>
    <Operations>
      <PasswordChange>false</PasswordChange>
      <PasswordReset>true</PasswordReset>
    </Operations>
  </configuration>
  <filters>
    <!-- Example rules here -->
  </filters>
</filterrules>
Logging Levels
| Level | Description |
|---|---|
| 0 | Verbose (everything) |
| 1 | Information, warnings, errors |
| 2 | Errors only (default) |
| 3 | Warnings and errors |
Supported Operations
| Operation | Effect if Enabled |
|---|---|
| PasswordChange | Rules apply when a user changes their own password (Ctrl+Alt+Del, etc.) |
| PasswordReset | Rules apply when a password is reset by a helpdesk operator or a tool |
Note that the file structure above has PasswordChange set to false. In that state only resets are filtered, and a user can still pick a password the rules would reject simply by changing it themselves, so enable both operations unless you have a specific reason not to.
Filter Rules
Each <filter> element in the XML accepts the following attributes:
| Attribute | Values | Description |
|---|---|---|
| match | yes / no | Whether the password must or must not match this rule |
| ignorecasing | true / false | Makes the regex match case-insensitive |
| accountnamepattern | regex string | Restricts the rule to accounts with matching usernames |
| groupnamepattern | regex string | Restricts the rule to users in a matching group |
| groupnamepatternmatch | True / False | True = in group · False = not in group |
| valuetype | Keyword | Enables a built-in internal check (see below) |
Built-in Keyword Checks
| Keyword | Description |
|---|---|
AccountNameCheck | Rejects passwords that contain the user's account name |
FullNameCheck | Rejects passwords that contain the user's full name |
CharacterVarianceCheck | Enforces AD-style character class complexity requirements |
From version 3.5.1.4 onward, the regex engine uses ECMAScript syntax. Unless you have deeply customized rules, existing rules should work without change; after upgrading, retest any customized rules against a few known-good and known-bad passwords rather than assuming they still behave the same. ECMAScript Regex Reference
Examples
<filters>
  <!-- Deny common passwords (note: this also rejects any password that merely contains "123") -->
  <filter match="no" ignorecasing="true">.*(p[a@]ssw[o0]rd|qwerty|123).*</filter>
  <!-- Minimum length: 8 -->
  <filter match="yes">^.{8,}$</filter>
  <!-- Accounts whose name starts with "az" must use exactly 8 alphanumeric characters -->
  <filter match="yes" accountnamepattern="^az.*$">^[a-zA-Z0-9]{8,8}$</filter>
  <!-- Apply only to members of FilterGroup -->
  <filter match="yes" groupnamepattern="^FilterGroup$" groupnamepatternmatch="True">^.{8,}$</filter>
  <!-- Apply AccountNameCheck only to users who are NOT members of FilterGroup -->
  <filter match="yes" groupnamepattern="^FilterGroup$" groupnamepatternmatch="False" valuetype="Keyword">AccountNameCheck</filter>
  <!-- AD Password Complexity (keyword rules) -->
  <filter match="yes" valuetype="Keyword">AccountNameCheck</filter>
  <filter match="yes" valuetype="Keyword">FullNameCheck</filter>
  <filter match="yes" valuetype="Keyword">CharacterVarianceCheck</filter>
</filters>
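Because every rule change is enforced by LSA on all domain controllers after a reboot, it pays to try a rule set against candidate passwords before pushing it. The following offline tester is an added example and not part of the MyPass/FastPass product: it parses a PasswordFilterRules.xml-style file with the attribute semantics documented above (match, ignorecasing, accountnamepattern, groupnamepattern/groupnamepatternmatch, valuetype="Keyword") and reports which rules a password violates. The sample rules string is constructed for the example. Assumptions not stated on the page: the keyword checks compare case-insensitively, FullNameCheck tests each token of the display name of three or more characters, CharacterVarianceCheck requires three of the four classes upper/lower/digit/other, and regex rules are matched against the whole password (the page's own patterns carry ^...$ anchors or .* wrappers, so they behave the same either way). Python's re engine is close to, but not identical with, ECMAScript.

```python
"""Offline tester for PasswordFilterRules.xml-style rules (added example, not vendor code).

Assumed, not stated on the page: keyword checks are case-insensitive, FullNameCheck
tests each 3+ character token of the display name, CharacterVarianceCheck wants 3 of
the 4 classes upper/lower/digit/other. Python's re is close to, not identical with, ECMAScript.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample rules file modelled on the page's examples (not a shipped file).
SAMPLE_RULES = """<?xml version="1.0" encoding="UTF-8"?>
<filterrules>
  <configuration>
    <loglevel>2</loglevel>
    <Operations>
      <PasswordChange>true</PasswordChange>
      <PasswordReset>true</PasswordReset>
    </Operations>
  </configuration>
  <filters>
    <filter match="no" ignorecasing="true">.*(p[a@]ssw[o0]rd|qwerty|123).*</filter>
    <filter match="yes">^.{8,}$</filter>
    <filter match="yes" accountnamepattern="^az.*$">^[a-zA-Z0-9]{8,8}$</filter>
    <filter match="yes" groupnamepattern="^FilterGroup$" groupnamepatternmatch="True">^.{12,}$</filter>
    <filter match="yes" valuetype="Keyword">AccountNameCheck</filter>
    <filter match="yes" valuetype="Keyword">FullNameCheck</filter>
    <filter match="yes" valuetype="Keyword">CharacterVarianceCheck</filter>
  </filters>
</filterrules>
"""

def load_operations(xml_text):
    """Return {"PasswordChange": bool, "PasswordReset": bool} from <Operations>."""
    ops = ET.fromstring(xml_text).find("configuration/Operations")
    return {op.tag: (op.text or "").strip().lower() == "true" for op in ops}

def load_filters(xml_text):
    """Parse each <filter> into a dict of its attributes plus its pattern or keyword."""
    rules = []
    for f in ET.fromstring(xml_text).find("filters"):
        rules.append({
            "match": f.get("match", "yes").lower() == "yes",
            "ignorecase": f.get("ignorecasing", "false").lower() == "true",
            "account_pat": f.get("accountnamepattern"),
            "group_pat": f.get("groupnamepattern"),
            "group_match": f.get("groupnamepatternmatch", "True").lower() == "true",
            "keyword": f.get("valuetype", "").lower() == "keyword",
            "value": (f.text or "").strip(),
        })
    return rules

def keyword_check(name, password, account, full_name):
    """Built-in checks; True means the password passes (assumed semantics, see docstring)."""
    pw = password.lower()
    if name == "AccountNameCheck":
        return account.lower() not in pw
    if name == "FullNameCheck":
        tokens = [t for t in re.split(r"[ ,.\-_#\t]+", full_name) if len(t) >= 3]
        return all(t.lower() not in pw for t in tokens)
    if name == "CharacterVarianceCheck":
        classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
        return sum(classes) >= 3
    raise ValueError(f"unknown keyword check: {name}")

def rule_applies(rule, account, groups):
    """Honour accountnamepattern and groupnamepattern/groupnamepatternmatch scoping."""
    if rule["account_pat"] and not re.search(rule["account_pat"], account):
        return False
    if rule["group_pat"]:
        in_group = any(re.search(rule["group_pat"], g) for g in groups)
        if in_group != rule["group_match"]:
            return False
    return True

def evaluate(rules, password, account, full_name="", groups=()):
    """Return the indices of the rules the password violates (empty list = accepted)."""
    failures = []
    for i, rule in enumerate(rules):
        if not rule_applies(rule, account, groups):
            continue
        if rule["keyword"]:
            ok = keyword_check(rule["value"], password, account, full_name)
        else:
            flags = re.IGNORECASE if rule["ignorecase"] else 0
            matched = re.fullmatch(rule["value"], password, flags) is not None  # whole-password match
            ok = matched == rule["match"]  # match="no" means the regex must NOT match
        if not ok:
            failures.append(i)
    return failures

if __name__ == "__main__":
    rules = load_filters(SAMPLE_RULES)
    print("operations filtered:", load_operations(SAMPLE_RULES))
    for pw, acct, name, grp in [("P@ssw0rd2024", "jdoe", "John Doe", ["Domain Users"]),
                                ("Correct-Horse9", "bob", "Bob Smith", ["FilterGroup"])]:
        failed = evaluate(rules, pw, acct, name, grp)
        print(f"{acct}: {pw!r} ->", "accepted" if not failed else f"rejected by rule(s) {failed}")
```

Point load_filters at the real PasswordFilterRules.xml and feed it the passwords your helpdesk and self-service flows actually produce; a rule that silently never applies (wrong accountnamepattern, group name typo) shows up here as an unexpected acceptance rather than as an Event Log entry on a production DC.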
Common Use Cases
| Rule | Description |
|---|---|
| Rule 1 | Require at least 6 characters |
| Rule 2 | Deny common passwords like p@ssw0rd, qwerty, 123 |
| Rule 3 | Require special characters |
| Rule 4 | Require uppercase letters |
| Rule 5 | Require lowercase letters |
| Rule 6 | Demand Unicode characters (e.g. accented letters) |
| Rule 7 | Apply rule only to users with usernames starting with az |
| Rule 8 | Apply only to members of a specific AD group |
| Rule 9 | Apply rule to an entire group |
| Rule 10 | Apply rule to users not in a specific group |
| Rule 11 | Enforce Active Directory complexity using AccountNameCheck, FullNameCheck, and CharacterVarianceCheck |
More info on Microsoft's AD complexity: Technet – Password Policy