There are a few new enhancements for the MyPass Password Sync Interceptor: four registry values for filtering accounts and four registry values that control the creation of events in the Windows Event Log.
To locate and edit the registry, open the Registry Editor (regedit).
Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Password Interceptor
For every new value, right-click on a blank area in the right pane of the window and create the registry value as a “String Value”.
New Filter Registry values:
- AccountNamePatternAllow = “”
- AccountNamePatternDeny = “”
- GroupNamePatternAllow = “”
- GroupNamePatternDeny = “”
Each new filter value is treated as a single .NET regular expression. An empty value means the filter is not enforced.
- AccountNamePatternAllow: Only account names matching this pattern can be forwarded by the interceptor
- AccountNamePatternDeny: Account names matching this pattern are not forwarded by the interceptor
- GroupNamePatternAllow: Only users in a group matching this pattern can be forwarded by the interceptor. The pattern is checked against every group item found in the user’s “memberOf” attribute.
- GroupNamePatternDeny: Users in a group matching this pattern are not forwarded by the interceptor. The pattern is checked against every group item found in the user’s “memberOf” attribute.
Between the allow and deny filters, the deny filter is the stronger one. This means that if both filters are enforced, the deny filter will deny any users who are allowed by the allow filter. Account and group name filters are equally weighted: if both are enforced and a user fails either filter, the user’s password reset is not forwarded. The account name is the sAMAccountName; the group name is the DN of the group.
Some examples to allow sync of the users in a specific group:
- GroupNamePatternAllow = “CN=myusers,OU=Groups,OU=somewhere,DC=Domain,DC=local”
- To match only the group name, not the OU (this will still work if the group is moved within the OU structure): GroupNamePatternAllow = “CN=myusers,”
- To deny users in any group with “_admin” in its name: GroupNamePatternDeny = “_admin”
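The evaluation rules above (deny beats allow, account and group filters both have to pass, group patterns checked against every memberOf entry) can be dry-run against sample accounts before anything is written to the registry. The following is an added example, not FastPassCorp’s own code: the interceptor’s implementation is not public, so `Test-InterceptorForward` only follows the rules as documented. It assumes that a GroupNamePatternAllow is satisfied when at least one memberOf DN matches, and it uses PowerShell’s `-match`, which is the .NET regex engine but case-insensitive by default; the interceptor’s case sensitivity is not stated on this page.

```powershell
# Added example (not part of the MyPass product). Emulates the documented filter
# semantics so a candidate pattern set can be tested offline against sample users.
function Test-InterceptorForward {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string[]] $MemberOf = @(),        # group DNs as found in the memberOf attribute
        [string] $AccountNamePatternAllow = '',
        [string] $AccountNamePatternDeny  = '',
        [string] $GroupNamePatternAllow   = '',
        [string] $GroupNamePatternDeny    = ''
    )
    $reasons = @()   # every filter the user fails is recorded; any failure blocks forwarding

    # Empty value = filter not enforced. -match evaluates a .NET regular expression.
    if ($AccountNamePatternAllow -and $SamAccountName -notmatch $AccountNamePatternAllow) {
        $reasons += 'AccountNamePatternAllow'
    }
    if ($AccountNamePatternDeny -and $SamAccountName -match $AccountNamePatternDeny) {
        $reasons += 'AccountNamePatternDeny'
    }

    # Group patterns are checked against every DN in memberOf.
    # Assumption: allow passes if at least one group matches; deny fails if any group matches.
    if ($GroupNamePatternAllow) {
        $anyAllowed = @($MemberOf | Where-Object { $_ -match $GroupNamePatternAllow }).Count -gt 0
        if (-not $anyAllowed) { $reasons += 'GroupNamePatternAllow' }
    }
    if ($GroupNamePatternDeny) {
        $anyDenied = @($MemberOf | Where-Object { $_ -match $GroupNamePatternDeny }).Count -gt 0
        if ($anyDenied) { $reasons += 'GroupNamePatternDeny' }
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Forwarded      = ($reasons.Count -eq 0)   # deny always wins over allow
        BlockedBy      = ($reasons -join ', ')
    }
}

# Constructed sample users (hypothetical names and DNs, not taken from any real directory).
$samples = @(
    @{ Sam = 'jdoe';             Groups = @('CN=myusers,OU=Groups,OU=somewhere,DC=Domain,DC=local') },
    @{ Sam = 'svc_admin_backup'; Groups = @('CN=myusers,OU=Groups,OU=somewhere,DC=Domain,DC=local',
                                            'CN=srv_admin,OU=Groups,OU=somewhere,DC=Domain,DC=local') },
    @{ Sam = 'guest';            Groups = @() }
)

# Same patterns as the examples in the text, plus an account-name deny for service accounts.
foreach ($s in $samples) {
    Test-InterceptorForward -SamAccountName $s.Sam -MemberOf $s.Groups `
        -GroupNamePatternAllow 'CN=myusers,' `
        -GroupNamePatternDeny  '_admin' `
        -AccountNamePatternDeny '^svc_'
}
```

Because each value is a regular expression rather than a literal, an unanchored pattern such as `_admin` also matches group names like `CN=srv_admin` or `CN=_administrators`, which is usually what you want for a deny filter but may be broader than intended for an allow filter; use `^`/`$` anchors, or `[regex]::Escape()` on a literal DN, when an exact match is required.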
Event log registry values
- EventLogGenerateEventForFailedPassingAccountNamePatternAllow = false / true
- EventLogGenerateEventForFailedPassingAccountNamePatternDeny = false / true
- EventLogGenerateEventForFailedPassingGroupNamePatternAllow = false / true
- EventLogGenerateEventForFailedPassingGroupNamePatternDeny = false / true
If a value is set to true, the interceptor will create an event in the Event Log every time a password is not forwarded because of the corresponding filter value.
- EventLogGenerateEventForFailedPassingAccountNamePatternAllow: An event is created when a password is not forwarded because the account name failed AccountNamePatternAllow
- EventLogGenerateEventForFailedPassingAccountNamePatternDeny: An event is created when a password is not forwarded because the account name matched AccountNamePatternDeny
- EventLogGenerateEventForFailedPassingGroupNamePatternAllow: An event is created when a password is not forwarded because no group matched GroupNamePatternAllow
- EventLogGenerateEventForFailedPassingGroupNamePatternDeny: An event is created when a password is not forwarded because a group matched GroupNamePatternDeny
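Creating the four filter values and the four event log values by hand in regedit is error-prone, so here is an added example (not FastPassCorp’s tooling) that writes all eight as “String Value” (REG_SZ) entries under the key named above and validates the regex values before relying on them. The key path is the one given in this document; the pattern values shown are the examples from the text, and the script assumes the event log values are also stored as strings containing `true` or `false`, which is what the “String Value” instruction above implies. Run it from an elevated PowerShell session.

```powershell
# Added example (not part of the MyPass product). Writes the documented registry
# values under the interceptor key and reads them back for verification.
$key = 'HKLM:\SOFTWARE\FastPassCorp\Password Interceptor'

$values = [ordered]@{
    # Filter values: .NET regular expressions; empty string = filter not enforced
    AccountNamePatternAllow = ''
    AccountNamePatternDeny  = ''
    GroupNamePatternAllow   = 'CN=myusers,'     # example from the text
    GroupNamePatternDeny    = '_admin'          # example from the text
    # Event log switches (assumed to be stored as the strings 'true' / 'false')
    EventLogGenerateEventForFailedPassingAccountNamePatternAllow = 'false'
    EventLogGenerateEventForFailedPassingAccountNamePatternDeny  = 'false'
    EventLogGenerateEventForFailedPassingGroupNamePatternAllow   = 'true'
    EventLogGenerateEventForFailedPassingGroupNamePatternDeny    = 'true'
}

# Do not create the key ourselves: if it is missing, the interceptor is probably not installed.
if (-not (Test-Path -Path $key)) {
    throw "Interceptor registry key not found: $key"
}

# Reject a pattern that does not compile as a .NET regex before it reaches the registry.
$patternNames = 'AccountNamePatternAllow', 'AccountNamePatternDeny',
                'GroupNamePatternAllow',   'GroupNamePatternDeny'
foreach ($name in $patternNames) {
    $pattern = $values[$name]
    if ($pattern) {
        try { [void][regex]::new($pattern) }
        catch { throw "$name is not a valid .NET regular expression: $pattern" }
    }
}

foreach ($name in $values.Keys) {
    # -PropertyType String = REG_SZ ("String Value"); -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType String -Force | Out-Null
}

# Read back what was written so the change can be checked (and logged) by the operator.
Get-ItemProperty -Path $key | Select-Object -Property ([string[]]$values.Keys) | Format-List
```

Keeping the filter values under version control alongside this script makes it easy to see which accounts were excluded from synchronisation and why, and the event log switches set to `true` here give you an audit trail of every reset the interceptor dropped because of a group filter.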