So does anyone know the AD Password Filter API well?
If you have, say, Hitachi PSynch, or SpecOps, and an AD IDM driver then
there will be two (or more) password filters.
I know that multiple work together, as each forwards passwords on to
each system as appropriate.
But here is a subtle thought. In what order do the events happen?
Does a single password change event go to each filter defined in the
registry independent of the number, or does it go in sequence?
Reason I ask is that some filters might block a password change, as
they enforce a more complex policy, and then if IDM is still getting the
filter event, then it matters how the filters handle it.
I.e., if the filters get them in the sequence defined in the registry
setting, then the first one should be the Hitachi one, blocking invalid
changes (i.e. Ctrl-Alt-Del pwd changes). Then IDM will not see it till
there is a good password change event.
But if they are independent, then a bad password attempt will be sent,
the Hitachi filter will get it, invalidate and block it, but IDM would
independently get the event and process it.