Lithnet Password Protection for AD

A cool password filter to stop people from picking weak passwords in AD!

Install it

Download from GitHub and run the install wizard (I checked all the options).
Reboot

Prepare a password repository

The documentation covers a way to do this via something like DFS, but for a single DC implementation:

# Make a folder to store passwords in
mkdir c:\passprotect

# Load the lithnet password protection module
import-module lithnetpasswordprotection

# Specify the "storepath" for passwords:
Set-PasswordFilterConfig -StorePath "c:\passprotect"

# Download all passwords from HaveIBeenPwned!
Sync-HashesFromHibp 

Note - if you have problems with the HIBP hash download, try adding -Threads 1 to the end of the command (per this issue)

Adjust the lithnet GPO

Head to Computer Configuration > Policies > Administrative Templates > Lithnet > Password Protection for Active Directory > Default Policy, and set the properties you desire. I went with:

Enable Reject passwords that contain the user's account name
Enable Reject passwords that contain the user's display name
Enable Reject passwords found in the compromised password store
Enable Reject normalized passwords found in the compromised password store
Enable Reject normalized passwords found in the banned word store

Be careful with this policy and make sure none of the settings conflict with Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. I set this policy to establish:

Password history
Password maximum age
Password minimum age
Password length
Enable password complexity

Review policy configuration

Get-PasswordFilterPolicy | fl

Import a custom word list

In addition to the HIBP database, you can import custom word lists you've downloaded from places like weakpass.com

Import-CompromisedPasswords -Filename "D:\password-protection\hashes.org-2018.txt"

Add a specific password you don't want people to be able to pick

Add-CompromisedPassword -Value Meowmix2025!

Test if a given password is blocked

Test-IsCompromisedPassword -Value Meowmix2025!

Add banned passwords to the store

By adding passwords into the "banned" list, you essentially normalize those passwords and prevent common variations. So for example, if you banned lithnet as a password, you'd also be banning lithnet2018, l1thn3t, and Lithnet! from being used.

# Import a list of banned words
Import-BannedWords -Filename "D:\password-protection\english-dictionary-words.txt"

# Import an individual banned word
Add-BannedWord -Value "7minutesecurity"

Test if banned password is on the list

Test-IsBannedWord "7minutesecurity!"
Test-IsBannedWord "7minutesecurity2025"
Test-IsBannedWord "7m1nut3s3cur1ty2030!"

Check filter actions in the event logs

Look in Windows Logs > Application for events such as 8195 which will show a user's password change was blocked due to not meeting the domain requirements and/or the lithnet filter's requirements.

Video demo

video Last updated on 2026-03-22