Weak or previously compromised passwords have been the number one cause of data breaches for several years in a row and serve as a common entry point for attackers. Additional security gaps arise when several users share the same password or have no password at all. Admins should therefore check Active Directory accounts regularly for such weaknesses. We'll look at the tools Microsoft offers for password policies, understand their limitations, and see how the features of Enzoic for Active Directory Lite make account protection both simpler and stronger.

The importance of strong passwords

Microsoft repeatedly asserts its desire to eliminate authentication based on username and password. Hence, under the label "Modern Authentication," the manufacturer offers several alternative methods for Azure AD (now "Entra ID").

In purely local AD environments, however, the vast majority of users still log in using a password, underscoring the necessity for strong passwords.

Set password criteria via policy

Active Directory has a policy outlining the criteria that a password must satisfy within a domain. If the password does not adhere to these criteria, it may be rejected during a password change attempt. If a single password policy for the entire domain is insufficient, system administrators can create a fine-grained password policy for specific users or groups.
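The following PowerShell is an added example (not from the article and not Enzoic's code) showing the two built-in mechanisms just described: reading what the domain-wide policy enforces, and creating a fine-grained password policy (PSO) that overrides it for a privileged group. It assumes the RSAT ActiveDirectory module; the group name, PSO name and sAMAccountName used are hypothetical.

```powershell
# Added example: inspect the Default Domain Policy and apply a stricter
# fine-grained password policy to a privileged group.
# Assumes the RSAT ActiveDirectory module; 'Tier0-Admins' and 'jdoe' are hypothetical.
Import-Module ActiveDirectory

# 1. What the domain-wide policy actually enforces (length, complexity, history, lockout).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# 2. A PSO for privileged accounts. When several PSOs apply to one user,
#    the one with the LOWEST Precedence value wins.
$psoName = 'PSO-PrivilegedAccounts'   # hypothetical name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00'
}

# 3. Bind the PSO to the group; its members now get this policy instead of the domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# 4. Verify which policy is effective for a specific account (resultant PSO).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled
```

Note that even this stricter PSO only enforces length, complexity, history and lockout; it cannot reject a password such as the company name, which is the gap discussed in the next section.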

Limited settings

The capabilities of AD password policies are confined to fixed complexity requirements and the specification of a minimum length. However, employees may still use their company name or easily guessed terms.

Password policy settings

The setting for the maximum age of a password is losing significance, since Microsoft has for some time been advising against enforcing regular password changes in its Security Baseline. This aligns with recommendations from organizations such as NIST, which recommends eliminating time-based password resets in SP 800-63B.

Regular checks are advisable

Since Active Directory offers only limited protection against the use of weak passwords, it is advisable to check all accounts using an external tool regularly. Enzoic for Active Directory Lite, which is offered for free, is specifically designed for this purpose. Not only does this helpful tool evaluate password strength, but it also generates reports based on various criteria.

Compromised passwords

If an online shop is hacked, the stolen passwords will eventually be sold on the Dark Web. Attackers often use these lists of compromised passwords to gain access to accounts.

In such a situation, it can be disastrous if users use the same passwords for both personal and business purposes.

Enzoic for Active Directory Lite checks AD passwords against a database of compromised passwords


Enzoic has a dedicated team of threat researchers who use a combination of human expertise and automated intelligence to promptly gather all compromised passwords that surface on the Dark Web and store them in a database. Enzoic uses this database of compromised passwords to identify users in your Active Directory who use these passwords.

The comparison uses hashes, as the passwords in Active Directory are not stored in plain text. Enzoic checks passwords against compromised credentials applying a partial hash comparison, ensuring both secure verification and confidentiality by only transmitting a segment of the hash for analysis.
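To make the "partial hash comparison" concrete, here is an added PowerShell illustration (not from the article, and not Enzoic's protocol or API, which the page does not document). It uses the general k-anonymity pattern: the client hashes the password, sends only the first five hex characters, receives every stored hash suffix with that prefix, and finishes the comparison locally, so the full hash never leaves the machine. SHA-1 and the three-entry breach list are constructed for the demo; a real AD check would work on the NT hashes stored in the directory.

```powershell
# Added example: partial-hash (k-anonymity) lookup against a compromised-password list.
# The breach list and the "server" function are constructed stand-ins for a remote service.
function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    $sha1.Dispose()
    -join ($bytes | ForEach-Object { $_.ToString('X2') })   # uppercase hex, 40 chars
}

# Constructed breach database: full SHA-1 hashes of a few known-bad passwords.
$script:BreachDb = @('Password123', 'letmein', 'Summer2023!') | ForEach-Object { Get-Sha1Hex $_ }

# Server side of the exchange: given a 5-character prefix, return only the suffixes
# of stored hashes that share it. The server never sees the complete hash.
function Invoke-RangeQuery {
    param([Parameter(Mandatory)][string]$Prefix)
    $script:BreachDb |
        Where-Object { $_.StartsWith($Prefix) } |
        ForEach-Object { $_.Substring($Prefix.Length) }
}

# Client side: hash locally, transmit the prefix, compare the remaining 35 characters here.
function Test-CompromisedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $hash       = Get-Sha1Hex $Password
    $prefix     = $hash.Substring(0, 5)
    $suffix     = $hash.Substring(5)
    $candidates = @(Invoke-RangeQuery -Prefix $prefix)
    return [bool]($candidates -contains $suffix)
}

'Password123', 'correct horse battery staple' | ForEach-Object {
    '{0,-30} compromised: {1}' -f $_, (Test-CompromisedPassword $_)
}
```

The privacy property comes from the prefix length: with five hex characters every query matches a large set of unrelated hashes, so the service learns that one of many candidates was checked but not which one.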

Accounts without a password

Accounts with blank passwords obviously pose a security risk, especially if they have extensive permissions. With the help of a report, admins can easily identify these accounts and then either deactivate the accounts or force users to change the password at the next login.

Find reused passwords

If multiple accounts use the same password that has possibly been compromised, such an environment is particularly susceptible to password spraying, a technique that involves attackers trying the same password on many users. This poses a significant risk, as password spraying is often the precursor to lateral movement, where an attacker explores the network to escalate privileges.

Employees who own multiple accounts tend to use the same password everywhere for convenience. Obviously, this behavior is especially problematic for admin accounts. Enzoic for Active Directory Lite allows organizations to remediate this risk by detecting accounts with shared passwords.
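Because password spraying is the attack that reused passwords invite, an added example follows (not from the article): a PowerShell check over a domain controller's Security log that surfaces the spraying signature, one source address failing against many different accounts within a short window. The 4625 event and its fields are standard; the time window and user threshold are assumptions to tune locally.

```powershell
# Added example: detect a password-spraying pattern in Security event 4625
# (logon failure) by counting distinct target accounts per source address.
# Run on a domain controller; thresholds below are assumptions.
function Find-PasswordSpray {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MinDistinctUsers = 10
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                           -ErrorAction SilentlyContinue   # no events -> $null, not an exception

    # Flatten each event's EventData into a name/value table.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Source     = $d['IpAddress']
            TargetUser = $d['TargetUserName']
            SubStatus  = $d['SubStatus']   # 0xC000006A = wrong password for a valid account
        }
    }

    $rows |
        Where-Object { $_.SubStatus -eq '0xc000006a' } |   # -eq is case-insensitive
        Group-Object Source |
        ForEach-Object {
            $users = @($_.Group.TargetUser | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    Source        = $_.Name
                    Attempts      = $_.Count
                    DistinctUsers = $users.Count
                    FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                    LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
                }
            }
        }
}

Find-PasswordSpray -Since (Get-Date).AddHours(-24) -MinDistinctUsers 10 | Format-Table -AutoSize
```

Two caveats: a spray paced to stay under the lockout threshold will never trigger 4740 (account locked out), which is why counting distinct targets per source is the useful signal; and failed Kerberos pre-authentication is logged as event 4771 (failure code 0x18 for a bad password) rather than 4625, so a complete detection covers both.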

Passwords that never expire

The tool identifies users whose passwords are set never to expire, which is consistent with the Microsoft and NIST recommendations above. After a security incident, however, it is important that all users change their passwords, including the holders of accounts whose passwords have unlimited validity.

Report for accounts with a password without an expiration date


Conversely, many companies still require regular password changes as part of their security strategy. In such environments, this report identifies the accounts that are exempt from that requirement.

Other reports

The tool offers additional reports that do not directly serve password security but help system administration to harden Active Directory.

Administrator Accounts: This report displays all identified accounts with administrative rights. The tool apparently does not only examine the group memberships of accounts but also relies on the adminCount attribute. This attribute often still contains the value 1 after an account has been removed from an administrators group.

Inactive Accounts: If a user has not logged in for an extended period, their account can be deactivated or deleted to reduce the risk of cyberattacks.

List of inactive users in Active Directory

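The reports for blank passwords, non-expiring passwords, administrator accounts and inactive accounts all rest on attributes that are readable from the directory, so they can be reproduced with the RSAT ActiveDirectory module alone. The PowerShell below is an added example (not from the article and not Enzoic's code) that builds those four lists, separates current privileged users from stale adminCount values, and exports each list as CSV; the output folder, the protected-group list and the inactivity threshold are assumptions. What it cannot do is judge the password itself (weak, compromised or shared), which requires the hash comparison the tool provides.

```powershell
# Added example: attribute-based AD account audit with CSV export.
# Assumes the RSAT ActiveDirectory module; output folder and thresholds are hypothetical.
Import-Module ActiveDirectory
$props = 'PasswordNotRequired', 'PasswordNeverExpires', 'PasswordLastSet',
         'LastLogonDate', 'whenCreated', 'adminCount', 'Enabled'

# 1. Accounts flagged "password not required" (userAccountControl bit 0x20): the flag that
#    lets an account exist with a blank password regardless of the domain policy.
$noPasswordRequired = Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true' -Properties $props

# 2. Enabled accounts whose password never expires.
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties $props

# 3. adminCount=1 is stamped by AdminSDHolder on members of protected groups and is NOT cleared
#    when the account leaves the group, so compare it against live membership.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$protectedMembers = foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty DistinguishedName
}
$protectedMembers = @($protectedMembers | Sort-Object -Unique)
$adminCountSet = Get-ADUser -Filter 'adminCount -eq 1' -Properties $props |
                 Where-Object SamAccountName -ne 'krbtgt'   # krbtgt carries adminCount=1 by design
$currentPrivileged  = $adminCountSet | Where-Object { $protectedMembers -contains $_.DistinguishedName }
$orphanedAdminCount = $adminCountSet | Where-Object { $protectedMembers -notcontains $_.DistinguishedName }

# 4. Enabled accounts with no logon in the last N days. LastLogonDate is the replicated
#    lastLogonTimestamp, which can lag real logons by up to 14 days, so keep the threshold generous.
#    Accounts created after the cutoff are excluded so brand-new users are not reported.
$inactiveDays = 90
$cutoff = (Get-Date).AddDays(-$inactiveDays)
$inactive = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
            Where-Object { $_.whenCreated -lt $cutoff -and ($_.LastLogonDate -lt $cutoff) }

# 5. Export one CSV per report and print a count summary.
$outDir = Join-Path $env:USERPROFILE 'Desktop\AD-Audit'   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$reports = [ordered]@{
    NoPasswordRequired     = $noPasswordRequired
    PasswordNeverExpires   = $neverExpires
    CurrentPrivilegedUsers = $currentPrivileged
    OrphanedAdminCount     = $orphanedAdminCount
    InactiveAccounts       = $inactive
}
foreach ($name in $reports.Keys) {
    @($reports[$name]) |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate, adminCount, DistinguishedName |
        Export-Csv -Path (Join-Path $outDir "$name.csv") -NoTypeInformation
    '{0,-24} {1,5}' -f $name, @($reports[$name]).Count
}

# Remediation options for the findings (hypothetical account name):
# Set-ADUser -Identity 'svc-legacy' -PasswordNotRequired $false -PasswordNeverExpires $false
# Set-ADUser -Identity 'svc-legacy' -ChangePasswordAtLogon $true
# Disable-ADAccount -Identity 'svc-legacy'
```

One detail matters for the post-incident case described above: Set-ADUser refuses -ChangePasswordAtLogon $true while PasswordNeverExpires is still set on the account, so clear that flag first (as the commented remediation lines do) and only then force the change.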

Export of reports

The user-friendly report interface features a button allowing for easy switching between results. Additionally, you have the option to export reports in either CSV or PDF formats. For CSV exports, you can select to export individual reports or aggregate all reports into one. For PDF exports, you can choose between a detailed version or a summary of the report(s).

For partners, resellers, and MSPs, these reports represent an opportunity to augment their services by offering step-by-step instructions for remediating security risks.

Export the summary of the analysis as a PDF document


If you run the tool under another (privileged) account, the reports are located on the desktop of the account used for authentication, not the current user. Opening the reports via the displayed link doesn't work in this case, and you have to open the exported report manually.

Installation and availability

Enzoic for Active Directory Lite can be downloaded from the manufacturer's website after registration. Installing the roughly 9 MB package is straightforward and can be completed within minutes.

Conclusion

Enzoic's free tool simplifies password auditing for AD admins. In addition to identifying weak passwords, it detects passwords that have been exposed on the Dark Web or that are shared by multiple users.

The reports also provide insights into accounts with empty passwords, administrative permissions, and non-expiring passwords. Additionally, admins can access a summary of inactive accounts, streamlining Active Directory.


The seamless interface, coupled with the report export capabilities, makes Enzoic for Active Directory Lite a valuable asset not just for businesses but also for partners, resellers, and MSPs.

© 4sysops 2006 - 2023
