
Open Password Filter (OPF) Detailed Overview

When we began allowing users to initiate password changes in Active Directory and feeding those passwords into the identity management system (IDM), it was imperative that passwords set in AD comply with the IDM password policy. Otherwise, passwords were set in AD that could not be set in the IDM system or in the other downstream managed directories. Microsoft's built-in password policy does not allow the same level of control as the Oracle IDM (OIDM) policy; however, proposed password changes can be passed to DLLs for further evaluation. A filter DLL may also return TRUE to accept the password and then do something else with it entirely, which is how the hook that forwards passwords to OIDM works: it accepts the password and sends it along to an external system. See Microsoft's "Password Filters" documentation (https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx) for details.

LSA makes three different calls into each DLL listed in the "Notification Packages" value (a REG_MULTI_SZ of DLL base names without the .dll extension) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the DLLs must live in %SystemRoot%\System32 and are loaded into the LSA process (lsass.exe) at boot. First, InitializeChangeNotify(void) is called when LSA loads the package. The only reasonable answer is TRUE, which tells LSA that your filter is loaded and functional.

When a user attempts to change their password (or an administrator sets one), LSA calls PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation) with the proposed password in cleartext; this is the mechanism we use to enforce a custom password policy. The return value determines whether the password is deemed acceptable: TRUE accepts it, FALSE rejects it, and every registered filter must return TRUE before the change goes through. SetOperation is TRUE when the password is being set rather than changed by the user. Note that the Password argument is a counted UNICODE_STRING (Length is a byte count) and is not guaranteed to be NUL-terminated, so it must never be treated as a C string.

Finally, once a password change has been committed to the directory, LSA calls PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword). This is the call to use for synchronizing passwords into remote systems (for example, the Oracle DLL that sends AD-initiated password changes into OIDM). In our password filter this function just returns 0 (STATUS_SUCCESS), because nothing needs to happen with the password once it has been committed.

Our password filter is based on the Open Password Filter project (https://github.com/jephthai/OpenPasswordFilter). The communication between the DLL and the service has been changed to use localhost (127.0.0.1), so the proposed password only passes between processes on the domain controller. The DLL accepts the password if the call to the service fails (this is a point of discussion for each implementation to ensure you get the behaviour you want). In the event of a service failure, then, non-compliant passwords are accepted by Active Directory, and it is possible for those workstation-initiated password changes to be rejected by the IDM system. The user would then have one password in Active Directory while their old password remains in all of the other connected systems (and, since their IDM password expiry date would not advance, they would keep receiving notifications of their pending password expiry). The alternative, failing closed, blocks every password change while the service is down. Which failure mode is worse depends on the deployment, but it should be a deliberate choice, and the service's availability should be monitored either way.

While the DLL has access to the user ID and the password, only the password is passed to the service. This means a potential compromise of the service (obtaining a memory dump, for example) will yield only passwords, not the accounts they belong to. If the password change occurred at an off hour and there was only one password change in that timeframe, it may still be possible to correlate the password to a user ID (although if someone is able to attach a debugger to or grab memory dumps from our domain controller, we've got bigger problems!). Bear in mind that the DLL itself runs inside the LSA process, so the cleartext password is handled in lsass.exe regardless; the split only limits what the separate service process holds.

The service which performs the filtering has been modified to search the proposed password for any word contained in a text file, matched as a case-insensitive substring. If a banned string appears anywhere within the proposed password, the password is rejected and the user gets the standard error indicating that the password does not meet the password complexity requirements (a password filter cannot return a custom message, so that generic error is all the user will see).

Other password requirements (minimum length, character composition, must not contain the user ID, must not contain the given name or surname) are enforced through the normal Microsoft password complexity requirements. This service purely analyzes the proposed password for case-insensitive matches of any string within the dictionary file.
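To make the three LSA entry points, the counted-string handling and the fail-open decision concrete, here is an added example of a password-filter DLL skeleton. It is not OPF's code or ours: the banned word list is constructed inline (the real service reads a text file), a g_backendUp flag stands in for the round trip to the service on 127.0.0.1, and the non-Windows typedefs are stand-ins so the logic can be compiled and exercised off a domain controller. On Windows it builds against windows.h/ntsecapi.h and exports the functions by their undecorated names, which is how LSA resolves them.

```cpp
// Added example (not OPF's own code): a password-filter DLL skeleton showing the
// three LSA entry points, correct handling of counted UNICODE_STRINGs, the
// case-insensitive banned-substring check, and an explicit fail-open/fail-closed
// decision for when the checking backend (the OPF service) is unavailable.
#include <algorithm>
#include <cstdio>
#include <cwctype>
#include <string>
#include <vector>

#ifdef _WIN32
#  include <windows.h>
#  include <ntsecapi.h>              // UNICODE_STRING / PUNICODE_STRING
#  ifndef STATUS_SUCCESS
#    define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#  endif
#  define PWFILTER_API extern "C" __declspec(dllexport)   // LSA resolves these by undecorated name
#else
// Minimal stand-ins (assumption) so the logic compiles and runs off a domain controller.
typedef unsigned char  BOOLEAN;
typedef long           NTSTATUS;
typedef unsigned long  ULONG;
typedef unsigned short USHORT;
typedef wchar_t        WCHAR;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#  define STATUS_SUCCESS ((NTSTATUS)0)
#  define PWFILTER_API extern "C"
#endif

// Hypothetical stand-ins for the out-of-process OPF service: a constructed banned
// word list (the real service reads a text file) and a flag for "service reachable".
static const std::vector<std::wstring> kBannedWords = { L"password", L"qwerty", L"letmein", L"summer" };
static bool g_backendUp = true;
// Policy when the backend cannot be consulted: true = fail open (what OPF as
// deployed here does), false = fail closed (reject changes until the service is back).
static bool g_failOpen = true;

// UNICODE_STRING.Length is a byte count and Buffer is not NUL-terminated,
// so copy exactly Length bytes rather than treating Buffer as a C string.
static std::wstring FromUnicodeString(PUNICODE_STRING s) {
    if (s == nullptr || s->Buffer == nullptr) return std::wstring();
    return std::wstring(s->Buffer, s->Length / sizeof(WCHAR));
}

static std::wstring ToLower(std::wstring v) {
    for (WCHAR &c : v) c = static_cast<WCHAR>(std::towlower(static_cast<std::wint_t>(c)));
    return v;
}

// Overwrite a password copy before it is freed (SecureZeroMemory on Windows);
// the volatile access keeps the compiler from eliding the stores.
static void Scrub(std::wstring &v) {
    for (size_t i = 0; i < v.size(); ++i) const_cast<volatile WCHAR &>(v[i]) = 0;
    v.clear();
}

// The check itself: reject if any banned word occurs anywhere, ignoring case.
bool ContainsBannedSubstring(const std::wstring &candidate, const std::vector<std::wstring> &banned) {
    std::wstring lower = ToLower(candidate);
    bool hit = false;
    for (const std::wstring &w : banned) {
        if (!w.empty() && lower.find(ToLower(w)) != std::wstring::npos) { hit = true; break; }
    }
    Scrub(lower);
    return hit;
}

enum class CheckResult { Acceptable, Rejected, BackendUnavailable };

// In OPF this is a round trip to the service on 127.0.0.1; here the flag stands in for it.
CheckResult CheckWithBackend(const std::wstring &candidate) {
    if (!g_backendUp) return CheckResult::BackendUnavailable;
    return ContainsBannedSubstring(candidate, kBannedWords) ? CheckResult::Rejected : CheckResult::Acceptable;
}

// Combine the backend answer with the fail-open/fail-closed policy.
bool Decide(CheckResult r, bool failOpen) {
    if (r == CheckResult::Acceptable) return true;
    if (r == CheckResult::Rejected) return false;
    return failOpen;   // BackendUnavailable: accept only if we chose to fail open
}

PWFILTER_API BOOLEAN InitializeChangeNotify(void) {
    return 1;   // TRUE: tell LSA the filter is loaded and usable
}

PWFILTER_API BOOLEAN PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                    PUNICODE_STRING Password, BOOLEAN SetOperation) {
    (void)AccountName; (void)FullName; (void)SetOperation;   // only the password is evaluated
    std::wstring pw = FromUnicodeString(Password);
    BOOLEAN ok = Decide(CheckWithBackend(pw), g_failOpen) ? 1 : 0;
    Scrub(pw);
    return ok;
}

PWFILTER_API NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;   // nothing to synchronise here; OPF does its work in PasswordFilter
}

// Demo/test driver: present the first nchars of literal as a counted UNICODE_STRING
// (characters past Length stay in the buffer and must not be considered).
bool FilterAccepts(const WCHAR *literal, size_t nchars, bool backendUp, bool failOpen) {
    std::wstring copy(literal);
    UNICODE_STRING s;
    s.Length        = static_cast<USHORT>(std::min(nchars, copy.size()) * sizeof(WCHAR));
    s.MaximumLength = static_cast<USHORT>((copy.size() + 1) * sizeof(WCHAR));
    s.Buffer        = copy.empty() ? nullptr : &copy[0];
    g_backendUp = backendUp;
    g_failOpen  = failOpen;
    return PasswordFilter(nullptr, nullptr, &s, 0) == 1;
}

#ifndef _WIN32
int main() {   // stand-alone demo on non-Windows; a DLL build has no main
    std::printf("Summer2019! service up,   fail open   -> %d\n", FilterAccepts(L"Summer2019!", 11, true,  true));
    std::printf("Summer2019! service down, fail open   -> %d\n", FilterAccepts(L"Summer2019!", 11, false, true));
    std::printf("Summer2019! service down, fail closed -> %d\n", FilterAccepts(L"Summer2019!", 11, false, false));
    return 0;
}
#endif
```

Two details matter in practice: on 32-bit builds the exports need a .def file so the names stay undecorated, and every copy of the password made inside lsass.exe should be scrubbed before it is released, since that process is exactly what credential-dumping tools target.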

Did you know … you can send e-mail to a Microsoft Teams channel?

Why would you send an e-mail to a Microsoft Teams channel? That’s a good question! At first, e-mailing a Team channel sounds like a solution in search of a problem. I think of it as moving an e-mail discussion into Teams. And there are a lot of times when an e-mail thread can be more efficiently handled in Teams.

Attachments that are being updated and resent – you know, the documents where there are five different working copies with various people’s changes and now someone must condense those changes into a single document. Including the document in the Team space allows team members to collaboratively edit it online. One copy! Having the discussion history available in Teams avoids switching between e-mail and Teams as the document is developed.

“I forwarded this to five people, and here’s what they think” – When a message gets forwarded and you’ve got three different sets of recipients discussing the same issue – or if someone keeps going back to an older message and dropping a few recipients who were added late in the discussion – moving the discussion into Teams ensures all of the people who should be involved in the discussion are included and working together – not a person from one of the threads trying to update everyone on a separate thread.

“Hey, Sean, can you forward me that hour-by-hour for this weekend?” – Ever have to ask a coworker to forward some message that you’ve misplaced (probably deleted, but you cannot seem to find it there either)? The Teams threads are persistent (I cannot accidentally delete your message) and searchable.

The new guy – an involved discussion may take months. When a new person joins your group, someone has to remember to include them on the next reply-all (even an existing employee added to a thread gets dropped when someone else replies to an older message). By moving involved discussions into Teams, you can quickly add a new person to the discussion.

There are also cases where Teams could replace a shared group mailbox – you cannot receive messages from outside of the company, but if your group mailbox only gets messages from other Windstream mailboxes … Teams may be a good replacement for that group mailbox. Team members can post into the thread taking ownership of the request – everyone will see who claimed the request, and if someone is unexpectedly out of office, you can see the issues on which they were working.

Ok, ok … you convinced me! Sending an e-mail into a Teams channel isn’t a completely pointless feature. So how do I do it?

First, you need to know the e-mail address associated with the channel. Click on the hamburger menu next to the channel name and select “Get email address”

There you have it – you can click “Copy” and all of that text will be in your clipboard.

Paste the address into the “to” field of an e-mail message, then send the message.

Wait for it … this may take a minute … and the message will appear as a thread in the channel.

If the message includes an attachment, that attachment will be displayed in the thread. You can even edit the document online – in Teams or in Word Online.

The default setting for Channels is to accept e-mail messages from the windstream.com domain – this may be exactly what you want. You can send the address to individuals outside of your team and allow them to create threads without having to grant them access to your Team space. But you may not want that – go back to that pane where you got the channel e-mail address. Click to “See advanced settings for more options” – you can set the channel to accept messages only from Team members:

Think it’s kind of crazy that every Team member can adjust these settings? Vote for my idea on the Teams UserVoice site 🙂

Did you know … you can quickly start a web meeting from within a Microsoft Teams channel discussion?

Sometimes text conversations become cumbersome – a topic really takes off, and there’s a lot of typing. A LOT of typing! Sometimes it’s easier to just take a few minutes and talk about the subject instead of typing back and forth. In Microsoft Teams, just click the “Meet now” icon at the bottom of the channel.

This will bring up a page that lets you start an unscheduled meeting (or schedule a meeting, if people aren’t available right now to discuss the subject). You can add a subject so attendees know which thread you want to discuss. Click “Meet now” and …

Voila – you’ve started a meeting with audio (and video, if participants choose).

Did you know … that you can recover a deleted Teams channel?

Oh no, I didn’t mean to delete THAT!!! Sure, it asked me five times if I was sure that I was sure … and maybe that’s part of the problem – I see so many “are you sure” messages that I click OK a little too easily. Well, they say to err is human. And I must be exceptionally human. Sometimes recovering my data requires a sheepish call to the Help Desk. But did you know you can recover deleted Teams channels?

I used the hamburger menu next to a channel to delete it. Oops!

I even read the first few words of the “are you sure” dialogue before clicking the “Delete” button. Except … oops! I didn’t want to delete that channel!

You can recover the channel immediately, all by yourself. Even if you’re not a team owner. From the hamburger menu next to the team, select “Manage team”.

On the Team management page, select “Channels”. You can expand “Deleted” and see the channel you just removed. Click “Restore”

Yet another prompt … click “Restore” again.

Voila, the channel is back. Along with all its content. Whew!

Just because channel recovery is self-service doesn’t mean no one will know that you’ve mis-clicked. The channel deletion event which appears in the “General” channel … well, it’s still there. You can up-vote a request for enhancement on Microsoft’s site … but it’s not like no one will ever know about your mistake.

Did you know … about the Teams Activity view?

The very first icon on the left-hand navigation menu, “Activity”, isn’t just a listing of all unread Teams activity. This view provides a customized view of important Teams communications, allowing you to focus on the most important communication first.

This isn’t a list of everything that has been posted to every one of your Teams spaces. It doesn’t even include chat messages sent to you – new chat messages will show up as a red circle with a message count on the “Chat” view icon.

So what shows up in the Activity feed? Missed calls – missed calls are only displayed in your Activity feed. Clicking on the entry will display a chat with the caller; you can reply with a chat message or click the phone icon to return their call.

Posts with @mentions – both your individual mentions and mentions for Teams of which you are a member – will appear in the Activity feed.

Beyond that, you control what appears in your feed. Posts to channels you follow will appear in your feed. To follow a channel, click the “Teams” icon. Click the not-quite-a-hamburger menu next to the channel name and select “Follow channel”.

When messages are posted to the channel, you’ll see a red circle with the number 1. This indicates that there is one thread with unread post(s). There may be a bunch of replies in that thread, but the thread is only counted once. This doesn’t mean replies won’t be highlighted – if someone replies to a thread you’ve already read, that thread will again be counted as a thread with unread post(s).

You can click on an entry to display the specific thread. Clicking on a reply will focus on the reply – which helps identify what part of the thread you haven’t seen.

If a channel becomes prolific and irrelevant to you, you can simply stop following the channel. Click the not-quite-a-hamburger menu next to the channel name and select “Unfollow this channel”. Anything from the channel already in your feed will remain there, but new activity in the channel will cease appearing in your Activity feed.

In addition to a feed of activity from other individuals, you can use the activity feed like the “Sent Items” in your mailbox. Click the inverted caret next to “Feed” and select “My Activity”. You’ll see two weeks of your Teams posts.

Did you know … You can control what members of a Microsoft Team group can do within the team?

When you create a new Team, members can create new channels, delete channels, add apps … they can do a lot of things. Did you know much of that is configurable? You can create a Team where individuals receive but cannot respond to posts. You can restrict your Team so only owners can remove channels.

From the hamburger menu next to your Team, select “Manage team”

On the Team management page, select the “Settings” tab.

Expand the “Member permissions” section. Now uncheck any permission you want to restrict to Team owners. There’s even a radio button near the bottom of this section so only Team owners can post to the “General” channel (if that’s the only channel, and members are prohibited from creating their own channels, you’ve got a broadcast-only Team space)

Scroll down and expand “Fun stuff” … you can prevent Giphy content from being used in the Team (or change the content rating filter used to determine which Giphy content is appropriate), disable stickers, and disable memes.

Kernel Updates In GNOME

Since I usually do not install X11 ‘stuff’ on my Linux hosts, using the console interface instead, I do not have much experience installing kernel updates on “desktop” type systems. Evidently, the best practice is to drop out of the GUI into what I’d call init 3 (runlevel 3, or multi-user.target on systemd) and then install the kernel updates. You can get random hangs and malfunctions when you attempt to update the kernel while in the graphical console.

Did you know … OneDrive for Business Retains Document History?

Have you ever really messed up a document? Like “man, I wish I could go back to what I had last week, because this is just W.R.O.N.G” messed up? Even if that’s just me, files can become unusable without any human error on your part – ransomware encrypts the file, a colleague removes that paragraph you spent hours getting just right. Did you know that you can restore earlier versions of files stored in OneDrive for Business?

How? From the https://portal.office.com site, select OneDrive

Click the three dots that aren’t quite a hamburger menu – the ones between the file name and the modified date.

On the menu which appears, select “Version History”

A complete version history of the file will be displayed

You can select “Restore” to replace the “current” file with the selected version, or you can select “Open File” to view the file without replacing the “current” file. Voila!

Did you know … you can prevent meetings from being forwarded?

Have you ever had an attendee forward a meeting that was supposed to be confidential? Microsoft Exchange will notify you when a meeting attendee has forwarded your meeting; unless you are really close on that time machine project, what’s done is done. Unless … did you know that you can prevent the meeting from being forwarded? 

* The forwarding restriction is enforced on the mail client, so attendees outside the company may still be able to forward the meeting request. Additionally, there are ways to circumvent this forwarding restriction – e.g. meeting content can still be copied and pasted into a new appointment item. While restricting forwarding is a way to convey the confidentiality of the meeting and deter casual forwarding, this doesn’t guarantee eyes-only security.

How do I do it?

Right now, you can only restrict meeting forwarding when using the Outlook client on Windows or the Web – Mac, iOS, and Android client users will need to use the Web client.  

Outlook for Windows

This feature has not been deployed to all of the Office 365 channels as of this writing. The screen-shots below were created using an Office 365 installation with the monthly update channel. The semi-annual channel is slated to be updated in March 2019, so use Outlook Web until then!

Create a new meeting:

On the ribbon bar, select “Meeting”. You can restrict forwarding under the “Response Options” button.

Outlook Web

Create a new meeting:

Once you have added an attendee, a gear icon will be displayed above the attendee list.

Click the gear icon – by default, meetings can be forwarded. You can click “Allow forwarding” to prevent the meeting from being forwarded to others.

What does the recipient see?

Exchange Online recipients using Outlook Web will see a banner indicating that forwarding is disabled. The forward option will be grayed out.

Exchange Online recipients using Outlook with the Monthly update channel will see the banner as well. Those with the semi-annual update channel will not see any indication that they cannot forward the invitation … in fact, their client will seemingly let them forward the meeting. But Exchange Online will refuse the message and they will get a non-delivery report indicating that the meeting could not be forwarded.

Recipients outside of Exchange Online will not notice any change — Gmail, for example, happily allows me to forward the meeting request.