Introduction
install instructions
Details
1 - Download the version that matches your Windows Server installation (32 or 64 bit). Then rename the download by stripping off everything after 'dll'. The file should be named sha1hexfltr.dll
- Click Start -> right-click 'computer' -> click 'Properties'
- System type will show if 32 or 64 bit
2 - Copy the file to the 'Windows/System32' directory.
3 - Register the filter
- Click Start -> Run
- type 'regedit' -> click 'OK'
- Go to: HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Lsa
- Modify 'Notification Packages' by adding sha1hexfltr to the end of the list ( Do NOT include the '.dll' part. )
- Reboot for the filter to take effect.
4 - Notes
- Users DO need to change passwords after the filter is installed.
- You can use an LDAP browser or the Attribute Editor ( Advanced Features view in the Active Directory Users and Computers console ) to view the hashes.
- The password filter MUST be installed on ALL domain controllers!
How do I tell if it is installed?
Two Ways:
- In a command window, run "rundll32 sha1hexfltr.dll,about"; it should show a popup that says "test this"
- Click start -> type "msinfo32" -> "Software Environment" -> "Loaded Modules" -> should see sha1hexfltr in the list
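The checks from the steps above, gathered into one script. This is an added example, not part of the original page or the sha1hexfltr project; it assumes an elevated 64-bit PowerShell 3.0 or later session on the domain controller, and the function name Get-PeMachine and the output property names are made up for the example.

```powershell
# Added example: verifies the sha1hexfltr install steps on one domain controller.
# Assumes an elevated 64-bit PowerShell 3.0+ session (a 32-bit session is
# redirected from System32 to SysWOW64 and would inspect the wrong file).
$name = 'sha1hexfltr'          # registered name, without the .dll suffix
$dll  = Join-Path $env:SystemRoot "System32\$name.dll"
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PeMachine([string]$Path) {
    # Read the COFF Machine field: e_lfanew at 0x3C points at "PE\0\0",
    # and the 16-bit Machine value follows that 4-byte signature.
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'not a PE file' }
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0 -or $pe + 6 -gt $b.Length) { return 'not a PE file' }
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'other (0x{0:X4})' -f $_ }
    }
}

$osArch   = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'x64' } else { $env:PROCESSOR_ARCHITECTURE }
$packages = @((Get-ItemProperty -Path $lsa).'Notification Packages')   # REG_MULTI_SZ, one name per entry
$present  = Test-Path -LiteralPath $dll
$dllArch  = if ($present) { Get-PeMachine $dll } else { $null }

# A downloaded file keeps a Zone.Identifier stream until it is unblocked.
$blocked = $present -and [bool](Get-Item -LiteralPath $dll -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)

# Password filters are loaded by LSA, so after the reboot the DLL should be
# among the modules of lsass.exe. False or $null is inconclusive: the session
# may simply lack the rights to read that module list.
try   { $loaded = [bool]((Get-Process -Name lsass -ErrorAction Stop).Modules | Where-Object { $_.ModuleName -eq "$name.dll" }) }
catch { $loaded = $null }

[pscustomobject]@{
    DllInSystem32      = $present
    DllArchitecture    = $dllArch
    OsArchitecture     = $osArch
    ArchitectureMatch  = ($dllArch -eq $osArch)
    Registered         = ($packages -contains $name)
    RegisteredWithExt  = ($packages -contains "$name.dll")   # the steps say to omit '.dll'
    StillBlocked       = $blocked
    SeenInLsassModules = $loaded
}
```

Run it on every domain controller, since the notes above require the filter on all of them.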
You also have to install the Visual Studio 2008 Redistributable Package for the dll to load (it requires the assembly fragments from Microsoft.vc90.crt).
Package downloadable here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a5c84275-3b97-4ab7-a40d-3802b2af5fc2
This rocks! You just made my day.
Ryan
Does this work with windows 2008?
Appears to work with server 2k8.
I still cannot get this to function. Anything special I am missing or what?
The tests work by the way - but the division field does not get populated.
Hi, when I open sha1hexfltr.dll_64bit_win2k3 in Notepad I see this text: processorArchitecture="x86". I think it should be processorArchitecture="x64". I want to install this on w2k8, but when I click Start -> type "msinfo32" -> "Software Environment" -> "Loaded Modules" -> I don't see sha1hexfltr in the list. However, this "rundll32 sha1hexfltr.dll,about" it should return a popup that says "test this" is working.
Ok working :) but one thing you must change Password attribute name to division
I noticed that Google Directory Sync doesn't register resetting passwords. In other words, when creating a completely new password for a user it shows up when simulating the sync, but resetting one doesn't! Am I missing something?
Hi,
I am running windows 2000 server with AD. I have installed Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) and I'm pretty sure I have registered the dll correctly in the registry but it is not working for me. When I execute "rundll32 sha1hexfltr.dll,about" without the Quotes I get this: Error loading sha1hexfltr.dll, The specified procedure could not be found.
Any ideas?
Ok, so I decided to give the 2k3 32bit version a go and it sort of worked. I ran the "rundll32 sha1hexfltr.dll,about" test and the popup appeared with "test this". The problem is that it is not appearing in the Loaded Modules for the System Environment. I have forced a few account password changes but nothing is appearing in the division attribute. Any more ideas?
So the dll does not show up in the loaded modules but it is working. It is just taking its time replicating between my win2000 DC's. I will test it some more but it seems to be working fine. Thanx for the time and effort put into this filter.
i have to agree with craig. I am not able to see the application write to the division attribute.
is it also possible to just tick, "store passwords using reversible encryption" will that work with GADS?
If I reset a password, the hash is published in the 'division' attribute, but if I change my own password at my workstation, it doesn't change.
In my scenario the sha1hexflr is working and populating the division field viewable in an ldap browser but the GADS is not able to see the division field and so sends an invisible default password. I tried the ldap browser on the machine I'm running GADS and it can see the division attribute fine. Has anyone seen this? thanks, Jim
Error loading sha1hexfltr.dll
%1 is not a valid Win32 application.
On Win2K3 x64 R2 SP2
Can anyone download the source? I can't.
mr.crichards I have the same error, did you find a solution to this problem?
As elesus requested, is there any way to download the source code and to know the licence of this dll ?
I second the source code question. It's not like I want to "infringe on someone's intellectual property", it's just I don't want to run any binary from the internets as password notification handler.
And yes, I have written something like this myself already, but - I haven't tested it yet, and I'd like to know what kind of "workaround" was needed for windows 2003 servers (since I have a bunch of 2003R2 x64)
I too am getting the "not a valid Win32 application" when running the 64bit version on my 2003 SP2 64bit domain controller. Anyone been able to resolve this error?
Jim, I am having a similar experience - division field is populating, but GADS is not passing it along to Google Apps. Did you manage to solve your issue? Mark
The filter is working on my windows 2000 AD server and populating the division field. In GADS under extended attributes -> User Password Sync I added the attribute "division" for Password Attribute. SHA1 is ticked. GADS syncs the passwords fine. This is a great tool and it is a pity that so many are having problems.
getting the same error as mr.crichards
which is:
Error loading sha1hexfltr.dll
%1 is not a valid Win32 application.
On Win2K3 x64 R2 SP2
I had the same problems with the 64-bit version. You need to put the x64 file in the C:\WINDOWS\SysWOW64 folder, and then restart the machine. To test, type the line below at a command prompt. There are two rundll32.exe files on a 64-bit machine: one in the system32 folder and one in the SysWOW64 folder. However, only the system32 folder is in the PATH environment, so you have to explicitly call the one in the SysWOW64 folder to test.
%SystemRoot%\SysWOW64\rundll32.exe sha1hexfltr.dll,about
Good luck!
@blaineperry I can return the about using your location, but I still don't see the module loaded under Loaded Modules in System Information. Am I missing something?
I've got the sha1hexfltr file loaded in the C:\WINDOWS\SysWOW64 on a Windows Server 2008 SP2 x64 system, I can test it using %SystemRoot%\SysWOW64\rundll32.exe sha1hexfltr.dll,about successfully. However it does not show up in loaded modules in msinfo32 and when I change a password via the workstation, it does not populate the division field in AD. Any help?
I have the same issue. doesn't show up in loaded modules. 2003 64bit
fixed mine by loading the older 64bit dll
The 64bit older dll doesn't seem to be using sha1 encryption. It populates the field but wrong format. Anyone else experience this?
I was able to get the sha1hexfltr up and running on Windows Server 2008 R2 (64bit) but it took a fair amount of troubleshooting. With a little luck, my experience will help others.
First I tried the newest revision of the x64, that is the win2k3 compatible version with no luck. I put it in the C:\WINDOWS\SysWOW64 directory as per the comment by blaineperry, but like havok3114, it failed to populate the division field.
Next, I tried the same revision, except putting it in both the C:\WINDOWS\SysWOW64 and c:\windows\system32 directories. This still did not work.
Finally, I tried the older revision - that is the October 2009 x64 version. I put it in both the system32 and SysWOW64 directories. This worked - passwords now populate to the division field.
A couple of important notes about this: 1) I was never able to see the loaded module in msinfo32. 2) I was, however, able to see the "test this" pop up when using the %SystemRoot%\SysWOW64\rundll32.exe sha1hexfltr.dll,about technique mentioned by blaineperry. 3) I cannot say without a shadow of a doubt that the fix was putting the file in both the SysWOW64 and system32 directories. However, I can definitely confirm that putting the 2009 revision of the x64 version in the SysWOW64 only did not work.
When using Windows Server 2000 I had the same problem as some other people here. The test worked but the sha1hexfltr.dll did not show up in loaded modules.
I figured out it was the way I edited the registry that was wrong. In Windows 2000 you should use regedt32 (notice the spelling) and not regedit to change the registry key. Add the filename excluding ".dll" on a new line.
On a Windows 2003 R2 server I added it by using regedit, right-clicking the key and choosing Modify. Add sha1hexfltr on a new line.
Hope this helps someone out there.
When someone changes the password on their workstations does the password filter pick it up or do all passwords require to be changed on AD?
This works perfectly. I got it working on my Windows 2000 AD network. It's important to make sure to add the entry "division" in the GADS user sync setting (in password attribute). Also add "division" in alias address attribute.
Elvin... why add the division attribute as an alias?
Just curious.
I had some issues running on some DC's. Ran Windows Update, installed the 2008 C++ component mentioned above, and it works. Thanks!
For Windows 2008 R2 (64 bit), you just need the older (non-windows 2003) 64 bit dll in the system32 folder (system32 is for 64 bit stuff, syswow64 is for 32 bit stuff). The standard instructions are still correct.
Worked! Just use the Oct 2009 dll and place it in your system32 folder for both x64 and x86 domain controllers. I have both and it filled the division attribute and then synced it using the tool. Thanks!
If I set the password in Active Directory to temp password and check off the box for the user to change it on next log in and they set their own password, the value that shows up in the division attribute generates the following sync error:
However, if I just reset the user's password the value stored in the division attribute works. So do I need to give users some type of permission for this to work without me changing each user's password myself?
Ok figured it out. Use the new dll on your x86 server and the old dll on your x64 server.
Works fine for me when the dll is put in the system32 directory. However ldapsearch to the AD doesn't return the division field. If I had the source code I could have changed it to something useful like otherHomePhone which shows up when set. I need the source code please!
Randy? is this you?
Question, is it absolutely necessary for ALL the users to reset their passwords? I ask because we have users with machines that are not running on the domain and this could possibly cause havoc with password resets (where would/could they reset them?)
In order to get Windows Server 2008 R2 to work, these were the steps I had to take:
1. Make sure all users have "passwords store password using reversible encryption" enabled
2. Download sha1hexfltr.dll 64-bit version from 2009
3. Copy the file to the 'System32' and 'SysWOW64' directories
4. Register the filter
- Open "regedit"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and modify 'Notification Packages' by adding sha1hexfltr to the end of the list ( Do NOT include the '.dll' part. )
- Reboot
If you force your users to change passwords at next login then they should be all set.
Another piece to consider on 64-bit systems (or specifically Windows 2008 R2) is the use of Security or Group Policies that may "lock" certain files. The downloaded sha1hexfltr.dll may need to be "unlocked" after it is downloaded to work properly.
Another point to mention is to not use a Read-Only Domain Controller when testing this.
How do you unlock the file or check to see if a file is locked?
This stopped working for me on my Windows 2003 SP2 DC. Did Windows Update cause this?
@Jknoblegassolutions - right click the file, choose properties and then unblock. If you do this on the zip file before unzipping, then the files will be unblocked when you extract them.
I have multiple domain controllers in my environment. I started with a 2003 SP2 and everything works fine when the users authenticate to that AD server and do their password changes. I've added the file and changes to my other AD servers (2003 x86 and x64) and any time the users authenticate to those and change their passwords it won't update the "division" attribute. Any suggestions?
FYI, following the steps noted by jk...@noblegassolutions.com on May 12, 2011 worked perfectly. I did unblock the file before beginning as well.
We are using two AD servers running Windows Server 2008 R2.
Thanks to all for the help!
I have 52 users in my DC.. and I have the same users in google control panel. When a user has changed his password in the LDAP, then after google directory sync.. The google mail accounts must operate using the latest password. Will I be able to achieve this by following the below steps?
I am concerned because I need to perform these on a Domain controller that is live.
Please advise.
1 - Download the version that matches your windows server installation. (32 or 64 bit). Then rename the download by stripping off everything after dll. The file should be named sha1hexfltr.dll
- Click Start -> right-click 'computer' -> click 'Properties'
- System type will show if 32 or 64 bit
2 - Copy the file to the 'Windows/System32' directory.
3 - Register the filter
- Click Start -> Run
- type 'regedit' -> click 'OK'
- Go to: HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Lsa
- Modify 'Notification Packages' by adding sha1hexfltr to the end of the list ( Do NOT include the '.dll' part. )
- Reboot for the filter to take effect.
4 - Notes
- Users DO need to change passwords after the filter is installed.
- You can use an LDAP browser or Advanced Features View Attribute Editor ( in Active Directory Users and Computers Console ) to view the hashes.
- The password filter MUST be installed on ALL domain Controllers!
@tsadk...@hotmail.com I see your post is a few months ago and just curious if you were able to iron out this problem? It would be interesting to know your fix.
I have a (dumb) question, we are running Server 2008 R2 x64. If we use the 64-bit version of the dll, does that mean we have to use the 64-bit version of the C++ runtime, as found here (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15336)?
I have this working on my Win2k3 32 bit active directory but there are a few accounts where it says it is syncing but it is not. My account works great when I change my password but I have a few other teachers where even after they change their password it does not sync their password. I have tried deleting their google apps account and having the sync tool re-create it, and this teacher is getting the division attrib in ldap. Any ideas?
I had issues with two Windows 2003 R2 32 bit servers until I installed the .net 3.5 framework SP1 update. I just wanted to add this into the discussion in case others are having issues, maybe it will help them.
For working with Windows 2008 R2, using the 2009 version 64bit won't work (either in system32, or both 64bit folders). division can show up in Windows AD, and the password value can be kept in division as well, but when viewed with ldapbrowser, it can't find the division attribute, so Google GADS can't find division to sync.
Hello everybody. I am Ricardo and I wish to know if it is possible to use sha1hexfltr to capture the user and password that are changed and then execute some script or custom code? If so, is there any example? Because I successfully installed the sha1hexfltr but I don't know how to use it. Can anyone help me? Best Regards, Ricardo Cardoso