Storage location of Dictionary and HIBP file

Hi,

I have a question about something that is not entirely clear to me in the documentation.

Where should the dictionaries and HIBP files be stored?

Does only the server (each domain controller) need access to them, or do they need to be accessible from the client side?

In other words, can I store them locally on the DCs and do I need to share them on the Sysvol share?

Regards,

Tobias

Don’t need to put it in Sysvol (and that’s a huge file to replicate). I just have it in a separate folder on the DCs, but I’m going to put it on a file server in a bit since the file is getting huge.

To tag onto this, does the folder have to be on a DC or can it be placed on a file share where more disk space is available?

There are two disadvantages to using a share:

  • The share could be inaccessible.
  • Reading from the share is slower.

While it may seem like the first one is the more serious problem, the latter one can be worse as it can slow down LSASS. In extreme cases, LSASS can stop handling requests briefly as it has a limited number of threads to handle them, and it cannot complete password changes until PPE responds to it. This is true for any password filter: LSASS has to wait for it to respond before it can continue.

Best practice is to have any needed files locally. A share can work if you don’t have the disk space. Work is being done to reduce the file size.

Thanks for your answers so far.

Just to make sure I have understood correctly: the clients themselves don’t access these files; it’s only the PPE server that needs to have access.

Correct. The PPE client will try to open the dictionary file (using the same path as configured on the server by default), but this is only used by a very small number of customers that want the client to enforce the dictionary rule before Windows sends the password to the DC. For most customers, they can just have the files on the DC and let the DC handle the enforcement.
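If you follow the advice above and keep a local copy of the files on every DC, the thing to verify is that each DC really has them locally and can read them quickly, since the password filter runs inside LSASS. The following PowerShell check is an added example, not code from this thread or from the PPE vendor; the two file paths are placeholders you replace with the paths you configured in PPE.

```powershell
# Added example: on every DC, confirm the dictionary/HIBP files exist locally,
# flag UNC paths (LSASS would then depend on a remote share), and time a read.
# Placeholder paths; replace with the paths configured in PPE.
#Requires -Modules ActiveDirectory

$files = @(
    'C:\PPE\Dictionary.txt',        # placeholder: your dictionary file
    'C:\PPE\pwned-passwords.txt'    # placeholder: your HIBP password list
)

$check = {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $result = [ordered]@{ Path = $p; Exists = $false; IsUNC = $false; SizeMB = 0; ReadMs = $null }
        $result.IsUNC = $p.StartsWith('\\')
        if (Test-Path -LiteralPath $p) {
            $result.Exists = $true
            $result.SizeMB = [math]::Round((Get-Item -LiteralPath $p).Length / 1MB, 1)
            # Time reading the first 64 MB: slow reads here mean slow password
            # changes, because LSASS waits for the filter before continuing.
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            $fs = [System.IO.File]::OpenRead($p)
            try {
                $buf = New-Object byte[] (1MB)
                $total = 0
                while ($total -lt 64MB -and ($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) { $total += $n }
            } finally { $fs.Dispose() }
            $result.ReadMs = $sw.ElapsedMilliseconds
        }
        [pscustomobject]$result
    }
}

# Run the check on every DC in the domain (the filter runs on each of them).
$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock $check -ArgumentList (,$files)

$report | Select-Object PSComputerName, Path, Exists, IsUNC, SizeMB, ReadMs |
    Sort-Object PSComputerName, Path | Format-Table -AutoSize

# Missing files or UNC paths are exactly the cases that can stall LSASS.
$report | Where-Object { -not $_.Exists -or $_.IsUNC } |
    ForEach-Object { Write-Warning "$($_.PSComputerName): $($_.Path) exists=$($_.Exists) unc=$($_.IsUNC)" }
```

Run it from a workstation with the RSAT ActiveDirectory module and WinRM access to the DCs; a large ReadMs on one DC compared with the others is a hint that its copy sits on slow storage.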