Installer for Password Synchronization Filters on AD - IDM Tested Version 3.5.0


This script installs Password Synchronization filters into a Microsoft Active Directory environment (on the DCs themselves) by running on each DC. This is useful when things like Remote Registry are locked down so the normal Control Panel applet isn't able to push out these from one central server. The notes from the install.bat file follow:

This .bat file is made to deploy a password filter to the box on which it is running copying necessary files from a server to which it has access. Be sure to set the variables at the top of the script and modify the appropriate .reg files with your driver server's hostname.

This script is NOT made to be used on the box with the driver itself and if used there, while not hurting things, will cause you to need to re-enter the DNS name when opening the Password Synchronization Control Panel applet which may cause confusion.

Once finished running this script and rebooting all of the DCs you may still need to open the applet, see them all 'Installed', check them all and click the 'Add' button which should immediately set them to the 'Running' state after which time passwords should synchronize from active directory to eDirectory.

REMOTEINSTALLSHARE should be set to the remote server's DNS name or IP address with the share name on the end. \\\someShare for example.

INSTALLPATH should be set to the full path from the share point on the server specified above all the way to and including them ./nt/dirxml/PasswordSync directory on the install media. This location should also have the three reg files included with this bat file (filterforward.reg, pweventlog.reg, and notification.reg).

MAPDRIVELETTER should have some unused drive letter that the script can use temporarily.

LOCALSYSTEM32DIR should point to something equal to c:\windows\system32.

REBOOTONHAPPYCOMPLETION should be set to 1 to have the script automatically reboot the DC. This is disabled by default.

PWFILTLOGFILE should be set to the full path of a log file which will be appended to as the operations take place.

The hardest thing about doing this is setting up the registry file that creates the entry directing the filter where to send passwords that have been captured. This is all done in the filterforward.reg file contained in this set of files. The problem with modifying this is that is is a multi-valued (potentially) value in the registry and wants to be imported in hex(7) format. This means that the ascii representation of simple things like 'nts57' become a bit longer like the following:


Figuring out how to modify this properly is simple enough and the filterforward.reg.example file has some notes on that. Also you can easily find a million examples via Google ( on tables of ascii characters and their hex/decimal/octal/binary/etc. values. One such site is '' but this is all standard info you can find from any site with conversion tables.

An alternative method of generating the filterforward.reg entry is to get any old windows box and create the value in the registry via regedit or regedt32 (or whatever you want really) and then export the value. The filterforward.reg file included will do this but put in a bogus DNS name for the driver-hosting server. If you import this to any old box (even XP or a member server... it really doesn't matter and won't hurt anything regardless at this point) and modify the value in a registry editing tool and then export the value you will have a new file with which you can replace filterforward.reg directly. This takes some of the guesswork out of playing with DNS names in hex.

One more method which may be a nice mix of the two above is to simply type the DNS name in a decent text editor and view the hex values directly within that editor. 'hexdump' is a free utility which can get the hex values directly from a file to the command-line. JEdit is also a free, powerful, cross-platform text editor which has a free download-from-within-the-program hex editor to let you do this all within one program.


How To-Best Practice
Comment List