### Summary
ApplyToTheseGroupsOnly does not work even though:
- the DLL loads correctly and filtering works globally;
- the user is a direct member of the specified global security group;
- NetUserGetGroups() returns the expected group name (NewPasswordPolicy);
- the same logic tested outside LSASS (via PowerShell and PassFiltExTest.exe) matches correctly.
When ApplyToTheseGroupsOnly is set, PassFiltEx always logs:
Skipping the user <username> because they are not a member of any of the groups specified in the registry setting ApplyToTheseGroupsOnly.
### Environment
- Windows Server 2016 (Polish build, DC role)
- Group: NewPasswordPolicy (Global / Security, CN=Users)
- Users: direct members of this group
- PassFiltEx version: latest x64 release (2025-05)
- DLL loaded under LSASS (tasklist /m PassFiltEx.dll → OK)
### Steps to reproduce
1. Configure registry:
   ```
   HKLM\SOFTWARE\PassFiltEx
   ApplyToTheseGroupsOnly = "NewPasswordPolicy"
   Debug = 1
   ```
2. Reboot DC.
3. Confirm group membership (NetUserGetGroups("testuser") → NewPasswordPolicy).
4. Attempt to reset password for testuser via ADUC or `net user testuser "XXXXXX" /domain`.
5. Observe PassFiltEx.log:
   ```
   [PasswordFilter@329] 2 group memberships found for user testuser.
   [PasswordFilter@433] Skipping the user testuser because they are not a member of any of the groups specified...
   ```
Even though one of the returned groups is exactly NewPasswordPolicy.
When ApplyToTheseGroupsOnly is removed → filter works globally (blocklist is applied and logging works).
### Request
Please verify:
- whether group names returned by NetUserGetGroups() include domain prefixes under LSASS or something else,
- and consider adding logging for each group name compared in PasswordFilter().
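A check script for the reproduction steps above, added here as an example; it is not part of this issue or of the PassFiltEx project. It reads ApplyToTheseGroupsOnly from HKLM\SOFTWARE\PassFiltEx (the path from the report; that the value is REG_SZ or REG_MULTI_SZ is an assumption), calls NetUserGetGroups for the test user through netapi32 and prints, for every returned group, whether an exact, case-insensitive, DOMAIN\-prefix-stripped or whitespace-trimmed comparison against the registry value would match. It runs in the operator's context rather than inside LSASS, so it shows what the API returns and how the configured string compares, not what the DLL sees at filter time.

```powershell
# Added check script (not part of the issue or of PassFiltEx).
# Assumptions: registry path HKLM\SOFTWARE\PassFiltEx as in the report;
# ApplyToTheseGroupsOnly is REG_SZ or REG_MULTI_SZ (the value type is an assumption).
# Run elevated on the DC. NetUserGetGroups is called in the operator's context,
# not under LSASS, so this shows what netapi32 returns, not what the DLL sees.

if (-not ('NetApi' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    // Level 0 returns GROUP_USERS_INFO_0 entries: one LPWSTR grui0_name per global group.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetGroups(string servername, string username, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
}

function Get-NetUserGlobalGroups {
    # Returns the raw grui0_name strings exactly as netapi32 hands them back.
    param([Parameter(Mandatory)][string]$UserName, $Server = $null)   # $null server = this machine
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    # prefmaxlen -1 is MAX_PREFERRED_LENGTH: the API allocates a buffer for all entries
    $rc = [NetApi]::NetUserGetGroups($Server, $UserName, 0, [ref]$buf, -1, [ref]$read, [ref]$total)
    if ($rc -ne 0) { throw "NetUserGetGroups('$UserName') failed, NET_API_STATUS $rc" }
    try {
        for ($i = 0; $i -lt $read; $i++) {
            $slot = [IntPtr]::Add($buf, $i * [IntPtr]::Size)   # each entry is a single pointer
            [Runtime.InteropServices.Marshal]::PtrToStringUni(
                [Runtime.InteropServices.Marshal]::ReadIntPtr($slot))
        }
    } finally {
        [void][NetApi]::NetApiBufferFree($buf)
    }
}

function Compare-GroupNames {
    # One row per (returned group, configured value) pair showing which comparison would match.
    param([string[]]$Returned, [string[]]$Configured)
    foreach ($g in $Returned) {
        $short = ($g -split '\\')[-1]      # strips a DOMAIN\ prefix if the API ever adds one
        foreach ($c in $Configured) {
            [pscustomobject]@{
                ReturnedGroup   = $g
                ConfiguredValue = $c
                Exact           = ($g -ceq $c)                 # case-sensitive, character for character
                CaseInsensitive = ($g -ieq $c)
                PrefixStripped  = ($short -ieq $c)
                Trimmed         = ($g.Trim() -ieq $c.Trim())   # exposes stray whitespace in the registry value
                Lengths         = "$($g.Length)/$($c.Length)"  # unequal lengths with equal-looking text = hidden chars
            }
        }
    }
}

$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\PassFiltEx' -ErrorAction Stop
if (-not $cfg.ApplyToTheseGroupsOnly) { throw 'ApplyToTheseGroupsOnly is not set under HKLM\SOFTWARE\PassFiltEx' }
$configured = @($cfg.ApplyToTheseGroupsOnly)     # one string for REG_SZ, an array for REG_MULTI_SZ
$returned   = @(Get-NetUserGlobalGroups -UserName 'testuser')

"NetUserGetGroups returned $($returned.Count) group(s):"
$returned | ForEach-Object { "  [$_]" }          # brackets make leading/trailing spaces visible
Compare-GroupNames -Returned $returned -Configured $configured | Format-Table -AutoSize
```

If Exact is false while CaseInsensitive, PrefixStripped or Trimmed is true for the NewPasswordPolicy row, the Lengths column tells you which side carries the extra characters, which is the first thing to rule out before suspecting a difference between the operator's context and LSASS.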