Specops Password Auditor v7.2: New features

• Author
• Recent Posts

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

• Interact with Azure Cosmos DB with PowerShell - Tue, Sep 14 2021
• Azure health services: Track Microsoft cloud outages and maintenance - Wed, Sep 8 2021
• Powerline: Customize your PowerShell console - Tue, Aug 31 2021

Specops Password Auditor is freeware that scans your Active Directory Domain Services (AD DS) password environment and reports on its findings. Specifically, Specops Password Auditor targets:

• Traditional AD domain password policy
• Fine-grained AD password policy
• Specops password policies (if you use Specops Password Policy)

If you're new to Specops Password Auditor, check out the review I did for 4sysops not too long ago:

• 4sysops: Specops Password Auditor - Detect weak password policies

Today we're reviewing the new features in Specops Password Auditor v7.2. Note that I also reviewed the new features in Specops Password Policy v7.2.

New report definitions ^

At its heart, Specops Password Auditor is a reporting engine. Accordingly, the most important news in release 7.2 is a few new report definitions. Note that the new reports do require the software to be run under domain admin credentials. No passwords are revealed to the admin because Specops Password Auditor only compares hashes.

In my opinion, the Blacklisted Passwords report is the most important report. This report relies on your licensing Specops Password Policy with the Specops Password Blacklist service. The service is an enormous database of leaked passwords culled from (according to Specops documentation) "thousands of different sources," including those used in Troy Hunt's legendary haveibeenpwned.com.

The Blacklisted Password reports display the usernames of AD accounts with leaked, blank and duplicate passwords.

Blacklisted Passwords report

Specops Password Auditor dashboard with Blacklisted Passwords report

Your organization may use a synchronized or federated identity so your AD users can use their local credentials to access cloud-based applications. For this use case in particular, the ability to report against known password disclosures may be enough to warrant a Specops Password Policy with Specops Password Blacklist license.

Identical Passwords is another potentially useful new report definition. For instance, your test, dev, and QA people may have accidentally or intentionally used the same password across multiple accounts, which may violate your organizational security policy. Here's the associated Specops Password Auditor interface:

Identical Passwords report

Finally, there is the Blank Password report. Assuming you've enabled Minimum password length (at the very least) and/or Password must meet complexity requirements in Group Policy, you will only see report contents here when a new account has been created where the corresponding attribute is set. Nonetheless, I like Specops' thoroughness in including this report definition.

Blank Password report

Additional metadata added to existing reports ^

Another new feature in Specops Password Auditor v7.2 I want to tell you about is the new metadata added to some built-in report definitions. Specifically, Specops added the following Active Directory schema attributes:

• samAccountName
• emailAddress
• distinguishedName

As you may know, Specops Password Auditor can generate comma-separated value (CSV) reports; here's one of mine shown in Microsoft Excel, with the new fields highlighted.

New report fields in Specops Password Auditor

The inclusion of distinguishedName in particular strikes me as a great idea because many administrators have distributed management and it's nice to be able to separate a report by the organizational unit (OU) in which particular user accounts reside. You can also use the exported report for scripting purposes.

Wrap-up ^

As I said earlier, Specops Password Auditor is freeware. However, I feel you can derive maximum benefit from this software when you pair it with Specops Blacklist Service and Specops Password Policy.

In case you're unfamiliar with these, Specops Password Policy "turbocharges" your existing Active Directory domain policies, giving you much more robust control over password policy creation as well as communication with end users through the password change/reset process.

Sadly, Specops does not publish their price list on their website. However, you can reach out to them directly to request a price quote.

Update: With the latest release users are now able to see full details of all accounts using compromised passwords.