• Home
• Admin Docs
• Enforce blacklisted passwords

Restrict Blacklisted Passwords

To block the use of blacklisted passwords across all domain-connected systems, you must deploy a password filter on each domain controller:

Step 1: Download and Place the Password Filter DLL

• Download the required DLL file for the miniOrange Password Filter.
• Copy the DLL to the following location on each domain controller:
  C:\Windows\System32

Step 2: Create the Configuration File

• In the same directory (C:\Windows\System32), create a file named MoPasswordFilterConfig.json with the following content:

• Replace with the hostname or IP address where the password filter API is hosted.

Step 3: Register the DLL in the Windows Registry

• Open the Registry Editor (Win + R → type regedit → press Enter).
• Navigate to:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
• Locate the Notification Packages entry.
  If it doesn't exist, create a new Multi-String Value (REG_MULTI_SZ) named Notification Packages.
• Edit the value and add the DLL name (without .dll extension).
• Example:
  rassfm
scecli
MoPasswordFilter

Step 4: Restart the Domain Controller

• Reboot each domain controller where the DLL is installed and registered.
  This ensures the custom password filter is loaded and active.

Step 5: Verify DLL Installation

• Open PowerShell and run the following command to confirm the DLL is loaded: Get-Process -Name lsass | ForEach-Object { $_.Modules | Where-Object { $_.ModuleName -like "*MoPasswordFilter*" } }