Other Products

Here are some of our products that we work on outside of the Microsoft Identity Manager space.

shield icon 300x300.png

Password Protection for Active Directory

Read the getting started blog post series

Lithnet Password Protection for Active Directory (LPP) enhances the options available to an organization wanting to ensure that all their Active Directory accounts have strong passwords.

LPP is a module that you install on your Active Directory servers that uses a password filter to inspect passwords as users attempt to change them. Using group policy, you customize the types of checks you want to perform on those passwords and they are either rejected, or approved, and committed to the directory.

LPP gives you the ability to take control of what a good password means to you. Whether you want to adopt the 2018 NIST password recommendations in part, or in full, it provides a rich set of group policy-based controls that allow you to enable any combination of the following checks on attempted password changes.

  • Block compromised passwords from being used. We've made it super easy to import the HIBP data set, but you can also import any plain-text passwords or NTLM hashes that you can get your hands on.

  • Block passwords based on certain words. Adding a banned word prevents it from being used as the base of a password. For example, adding the word 'password' to the banned word store, prevents not only the use of that word itself, but common variants such as 'P@ssw0rd', 'pa55word!' and 'password123456!'. LPP is aware of common character substitutions and weak obfuscations and prevents their use through a normalization process.

  • Define complexity policies based on length. For example, you can require number, symbol, upper and lower for passwords less than 13 characters, but have no special requirements for passwords 13 characters or longer. Reward length, with less complexity.

  • Regular expression-based policies. If regular expressions are your thing, you can define a regular expression that the password must match (or not match).

  • Points-based complexity. Assign points for the use of certain characters and categories and set a minimum point threshold a password must meet.

It also includes the ability to audit your users' existing passwords against the compromised password list. You'll be able to find the weak and known compromised passwords, and force those users to change their password.


LAPS Web App

Microsoft's Local Admin Password Solution (LAPS) is one of the most important defences against the risk of lateral movement of threats between computers when the same local admin password is used on each machine. It regularly rotates and randomizes the local administrator password on each machine, and securely stores it in Active Directory. The Lithnet LAPS web app, addresses some of the usability and auditing issues with the native product, by providing a user-friendly method of accessing LAPS passwords. 

  • Mobile friendly, web-based interface

  • Auditing of access to passwords

  • Support for external authentication providers such as AzureAD, Okta and ADFS, opening up options for multi-factor authentication

  • Supports fine-grained authorization


Idle LogOff

A group-policy enabled utility for logging off idle windows user sessions

The Lithnet Idle Logoff tool is a simple utility that allows you to log off users after a period of inactivity. It was designed specifically with kiosk and student lab scenarios in mind.

  • The tool runs in the background of each user session when installed

  • It logs the user out after a preset period of inactivity

  • It provides the ability to control all settings via a group policy



Lthnet MoveUser is a command line tool that can be used to change the owner of a profile from one user to another. It is designed to be a replacement for Microsoft's moveuser.exe tool (used for Windows XP), originally included in the Windows Resource Kit, and the Win32_UserProfile.ChangeOwner WMI method, used for Windows Vista and above. 

The Lithnet MoveUser tool provides the same functionality as the other tools, but overcomes some of the shortcomings of the Microsoft provided toolsets. It does not require any scripting knowledge, provides a consistent experience across Windows XP, Vista, and Windows 7, and provides detailed logging of progress and any errors encountered


  • Changes the owner of the profile to the destination user, and update associated permissions

  • Add the destination user to the same local groups that the source user was a member of

  • If the source account is a local account, then it can either be deleted, disabled, or left as-is after a successful migration. By default it is deleted

  • The source and destination usernames can either be provided in standard username format (domain\username, computer\username) or as a SID

  • The tool can also scan areas outside of a users profile for permissions assigned to the source user, and update them to apply to the destination user instead.


RADIUS Accounting to Palo-Alto Networks Firewall User-ID Agent

The Lithnet PAN RA Proxy is a windows service that recieves RADIUS accounting requests, and submits them as User-ID updates to a Palo Alto firewall via its web service