DC Passwords TimeToLive (minute): Specify the time limit in minutes for the passwords to be
stored in the Domain Controller registry.
This allows the passwords that are stored in the Domain Controller registry to time out if the
password does not synchronize to the driver within the specified time.
If this value is set to -1, passwords will never be deleted from the registry.
The default value is -0.
The password filter implements a feature that allows passwords stored in the Domain Controller filters to time out if the password does not get synchronized to the driver in a given amount of time. This time out behavior is controlled with the driver parameter "DC Passwords TimeToLive" . The password keys that outlive the time period set by the parameter are marked as stale and deleted. Such a setting on a Domain Controller, prevents accumulation of unnecessary password cache. The time interval mentioned in the parameter is set on all pwfilter DCs that this driver internally connects to.
The PwFilter.dll wakes up every minute (this is hardcoded) and looks at each entry to see if the current time minus the DC Passwords TimeToLive value is greater than the current time. If the saved password outlives the time period set in "DC password Time to Live" parameter, then it is marked as stale and is flagged to be deleted.
i.e current_time - time_of_password_key_creation > DC password Time to Live,
then delete the password.
If yes, the password entry is removed. It uses filetimestamp to arrive at a conclusion whether a password key has
Removals of passwords are not recorded in the normal remote loader trace, but they are recorded if you use a debug filter and capture the output. This shows how it reads the timeout.
For example if you set to 3 minutes it wakes up every minute to
check for stale passwords (interval of one minute is hardcoded) and after 3
minutes it times out and clears the registry.
It is pretty easy to read in the debug. If you set a password and the driver is
offline with a 3 minute timout stored. You will see an RPC error when the
filter tries to send the password to the driver, the filter goes to sleep and
wakes up every minute. After 3 minutes, the filter will decide it needs to remove
the password and write in the event viewer that it will abort. This is
what you get in the event viewer:
The password for user lab10-test3 in directory idmbootcamp.com was not
synchronized because the password change timed out.