ApplyToTheseGroupsOnly - edge cases

[luxzg]

Hey, first of all thanks for working on this project in your spare time, really appreciated!

We started setting it up, and I've stumbled uppon few issues, so I'll be opening this and another issue...

This one is related to "ApplyToTheseGroupsOnly" option.

We had two issues:

• when removing DC we are asked to set new local admin password, but we got errors that PassFiltEx can't check the group list, so it fails the group check, and automatically blocks setting password, ANY password. We had to remove this key from registry, then we can setup password
• similar issue, when adding new DC to domain, we have to setup password for Directory Services Restore Mode (DSRM Restore password or something like that), we get same issue, new domain controller doesn't yet have PassFiltEx but it communicates with his sync partner which has PassFiltEx and gets rejected because system/service user doesn't have groups, or something similar

Unfortunately I did not grab screenshots, nor did I save log for first error, but I have part of log for adding DC to domain, errors were really similar:

[04/08/2025 12:05:49.788][PassFiltEx.c:PasswordFilter@270] Attempting to SET password for user aklsdjiwuerowierlkmclknlaksjdqweiquroijlkasjlkq.
[04/08/2025 12:05:49.788][PassFiltEx.c:PasswordFilter@380] ERROR: NetUserGetGroups failed with 0x000008ad while trying to check the group memberships for aklsdjiwuerowierlkmclknlaksjdqweiquroijlkasjlkq!
[04/08/2025 12:05:49.788][PassFiltEx.c:PasswordFilter@670] Finished in 629 microseconds. Will accept new password: FALSE

The weird username is original from log, probably how these service users get displayed to PassFiltEx. I'm not sure if in first case when we were removing DC the user was 100% same combination of letters, but it was pretty similar at least.

Like I've added in title, I think this is edge case, and we probably wouldn't even have it happen if we haven't noticed another issue with this DC, and decided to demote, reinstall and promote it. I'll open another issue explaining what lead to that whole situation.

[ryanries]

For now I'm just adding a warning to the README to not install PassFiltEx until after you've fully promoted the machine to domain controller, and to remove PassFiltEx before demoting the domain controller. Until I think of a better way to address these edge cases.

The dsrm account isn't stored in Active Directory, so the same function can't be used to check the dsrm account's group memberships. Definitely something I didn't consider when implementing ApplyToTheseGroupsOnly. I'll work on fixing this.