Specops Password Auditor is freeware that scans your Active Directory Domain Services (AD DS) password environment and reports on its findings. Specifically, Specops Password Auditor targets:
- Traditional AD domain password policy
- Fine-grained AD password policy
- Specops password policies (if you use Specops Password Policy)
If you're new to Specops Password Auditor, check out the review I did for 4sysops not too long ago:
Today we're reviewing the new features in Specops Password Auditor v7.2. Note that I also reviewed the new features in Specops Password Policy v7.2.
New report definitions
At its heart, Specops Password Auditor is a reporting engine. Accordingly, the most important news in release 7.2 is a handful of new report definitions. Note that the new reports do require the software to be run under domain admin credentials. No passwords are revealed to the admin because Specops Password Auditor only compares hashes.
In my opinion, the Blacklisted Passwords report is the most important report. This report relies on your licensing Specops Password Policy with the Specops Password Blacklist service. The service is an enormous database of leaked passwords culled from (according to Specops documentation) "thousands of different sources," including those used in Troy Hunt's legendary haveibeenpwned.com.
Until you have a Specops Password Policy license, the Blacklisted Passwords report doesn't display the usernames, but it does show the total number of AD accounts with leaked, blank, and duplicate passwords.
Your organization may use a synchronized or federated identity so your AD users can use their local credentials to access cloud-based applications. For this use case in particular, the ability to report against known password disclosures may be enough to warrant a Specops Password Policy with Specops Password Blacklist license.
Identical Passwords is another potentially useful new report definition. For instance, your test, dev, and QA people may have accidentally or intentionally used the same password across multiple accounts, which may violate your organizational security policy. Here's the associated Specops Password Auditor interface:
Finally, there is the Blank Password report. Assuming you've enabled Minimum password length (at the very least) and/or Password must meet complexity requirements in Group Policy, you will only see report contents here when an account has been created with the corresponding attribute set. Nonetheless, I like Specops' thoroughness in including this report definition.
Additional metadata added to existing reports
Another new feature in Specops Password Auditor v7.2 I want to tell you about is the new metadata added to some built-in report definitions. Specifically, Specops added the following Active Directory schema attributes:
As you may know, Specops Password Auditor can generate comma-separated value (CSV) reports; here's one of mine shown in Microsoft Excel, with the new fields highlighted.
The inclusion of distinguishedName in particular strikes me as a great idea because many administrators have distributed management and it's nice to be able to separate a report by the organizational unit (OU) in which particular user accounts reside. You can also use the exported report for scripting purposes.
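To show what "separating a report by OU" looks like in practice, here is an added example (my own script, not part of Specops Password Auditor and not based on its real CSV layout) that reads an exported report and groups the accounts by the container named in their distinguishedName. The only column the article confirms is distinguishedName; the sAMAccountName and Report columns, and the sample rows themselves, are constructed for this example. The DN splitter honours backslash-escaped commas, which matter because a common name such as "Doe, John" would otherwise be cut in the wrong place.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names other than distinguishedName are
# assumptions for this example, not the real Specops Password Auditor layout.
SAMPLE_CSV = """sAMAccountName,distinguishedName,Report
jdoe,"CN=Doe\\, John,OU=Sales,OU=Users,DC=corp,DC=example",Identical Passwords
asmith,"CN=asmith,OU=Sales,OU=Users,DC=corp,DC=example",Identical Passwords
svc-build,"CN=svc-build,OU=Service Accounts,DC=corp,DC=example",Blank Passwords
tqa,"CN=tqa,OU=QA,OU=Users,DC=corp,DC=example",Blacklisted Passwords
admin1,"CN=admin1,CN=Users,DC=corp,DC=example",Blacklisted Passwords
"""


def split_dn(dn):
    """Split a distinguished name into its RDNs, keeping escaped commas intact.

    A backslash escapes the next character (RFC 4514), so "CN=Doe\\, John"
    stays one RDN instead of being split at the comma inside the name.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape and the escaped char
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parent_container(dn):
    """Return the DN of the container holding the object (everything after
    the leaf RDN). This is the OU path for most users, or the default
    CN=Users container for accounts that were never moved into an OU."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        raise ValueError(f"not a full distinguished name: {dn!r}")
    return ",".join(rdns[1:])


def group_by_container(csv_text):
    """Map each parent container to the (account, report) pairs found in it.

    Rows without a distinguishedName are skipped rather than guessed at, so a
    partially exported report cannot silently land accounts in the wrong OU.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        dn = (row.get("distinguishedName") or "").strip()
        if not dn:
            continue
        groups[parent_container(dn)].append(
            (row["sAMAccountName"], row["Report"])
        )
    return dict(groups)


def summarize(groups):
    """Count findings per report type within each container, which is the
    view an OU owner would typically receive."""
    summary = {}
    for container, hits in groups.items():
        counts = defaultdict(int)
        for _, report in hits:
            counts[report] += 1
        summary[container] = dict(counts)
    return summary


if __name__ == "__main__":
    for container, counts in sorted(summarize(group_by_container(SAMPLE_CSV)).items()):
        print(container)
        for report, n in sorted(counts.items()):
            print(f"  {report}: {n}")
```

Point `group_by_container` at the contents of a real export and hand each container's slice to the administrator who owns that OU; grouping on the full parent DN rather than just the deepest OU name keeps two OUs that share a name (for example Sales under different parents) from being merged.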
As I said earlier, Specops Password Auditor is freeware. However, I feel you can derive maximum benefit from this software when you pair it with Specops Blacklist Service and Specops Password Policy.
In case you're unfamiliar with these, Specops Password Policy "turbocharges" your existing Active Directory domain policies, giving you much more robust control over password policy creation as well as communication with end users through the password change/reset process.
Sadly, Specops does not publish their price list on their website. However, you can reach out to them directly to request a price quote.
Update: With the latest release users are now able to see full details of all accounts using compromised passwords.