Today I'll introduce you to Specops Password Policy, a sophisticated password management solution that substantially enhances the native Active Directory password policy features.
Latest posts by Timothy Warner (see all)

Let's face it: passwords aren't going away. Yes, we're in the 21st century. Yes, we have various multi-factor authentication (MFA) and biometric identity schemes. But the unavoidable fact is that for most Windows systems administrators, our corporate secrets are only as protected as our passwords are strong.

As you know, Windows Server includes some bare-bones password management features in Group Policy. Here, let me show you a screenshot:

Windows Server built-in password policy

Windows Server 2012 gave us fine-grained password policy with which we can deploy different password policies to different user populations within our organizations. All this is well and good, but how many of the following "pain points" do you deal with on a daily basis?

  • Help desk personnel constantly having to reset user passwords
  • Fielding user complaints regarding password policy and change requirements
  • Lack of self-service password reset
  • Difficulty passing compliance audits because your password controls aren't granular enough

Specops Password Policy is part of a larger product family called Specops Password Management that helps admins with the tasks mentioned above. Let me introduce you to each component:

How Specops Password Policy works

One thing I really like about Specops Password Policy is that it requires no database or other heavy infrastructure plumbing. Take a look at the following conceptual diagram I drew, and I'll walk you through the various parts and pieces of the solution:

Specops Password Policy topology

  • Specops Client: This agent should be deployed to every domain workstation.
  • Specops Password Policy Sentinel: This is the password filter engine that should be installed on all Active Directory domain controllers.
  • Specops Password Policy Administration Tool: Domain admins use this tool and the typical Windows Server Remote Server Administration Tools (RSAT) to manage Specops password policies.

As you'll see in a moment, you can do some amazing things to your password policy (or policies) in your domain. Recall that Windows Server's fine-grained password policy has the following limitations:

  • Maximum of 6 policies per domain
  • Targets AD users and groups only
  • Limited to built-in password policy (GPO) options

By contrast, Specops Password Policy can target any GPO level, computer, user, or group population and has the added benefit of expanded password policy options, including the use of passphrases.

Let's get the product installed so we can kick the proverbial tires together.

Install Specops Password Policy

First of all, sign up for a free trial, and a Specops representative will send you a link to the installer package as well as a trial license file.

Make sure you're logged on to a domain controller as an administrator and fire up the installation wizard as shown here:

Specops Password Policy installation wizard

As you can see in the previous screenshot, the interface updates as you progress through each installation phase. This is useful because I find that when I perform a multi-phase product installation, I sometimes forget which components I've installed vs. which ones I haven't.

The installer actually walks you through each administrative phase. For instance, the following interface screenshot shows the process of installing the domain controller sentinel component:

Installing the domain controller sentinel

At the conclusion of the Specops Password Policy installation process, you'll have extended Group Policy to include Specops-specific functionality and deployed the agent to your users. You're now ready to actually build your first policy.

Create your first Specops password policy

On your administrative workstation, fire up the Specops Password Policy Domain Administration Tool. As usual, I'll give you a screenshot and then explain each major part of the interface:

The Specops Password Policy management tool

  • Domain Administration: Manage your license and enable/disable the service
  • Domain Settings: Specify whether you need reversible password encryption and point the tool to your SMTP mail server for alerts
  • Password Policy Sentinel state: Verify that Sentinel's running and on which domain controllers
  • Configured password policies: View and edit any of your password policies
  • Language files: Manage client language files; this is used to localize the software
  • Password policy templates: Create, edit, and delete policy templates; the Microsoft and NSA templates ship with the product

Now open the Group Policy Management Console and open the Group Policy Object (GPO) that will hold your first password policy. On my system, I used the Default Domain Policy as shown in the following screen capture:

Specops Password Policy integrated into a GPO

Make sure to create a Group Policy Central Store so that all your domain controllers can access the Specops GPO templates. Now take another look at the previous screen capture. You specify client agent settings under Computer Configuration (annotation 1). You build your password policy under User Configuration (2). Finally, you manage the policy itself (3).

The actual interface for building your policy is pretty awesome. We don't have the white space to give the subject its due (check the documentation), but let me show you the Password Rules page:

Password rules page from Specops Password Policy

Do you see the Use online dictionaries option? You can actually configure Specops to include the password hashes from the 2012 LinkedIn breach, the 2010 Gawker breach, and the Adobe "Top 100" worst password lists as part of your policy requirements! Specops regularly updates this section to include major leaked password lists, or you can import your own lists.

The idea here is that while we don't want to overly burden our users with regard to their password complexity, we also don't want to open unnecessary attack vectors by allowing any sort of weak passwords or passphrases.
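To make the dictionary idea concrete, here is an added sketch (not Specops code and not part of the original article) of a filter-style check that hashes a candidate password and a few simple variants and looks them up in a leaked-hash list. The unsalted SHA-1 list format, the sample words, the substitution table, and the function names are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed stand-in for an imported breach list (assumption: unsalted
# SHA-1 hex digests; the page does not describe the product's list format).
LEAKED_SHA1 = {
    hashlib.sha1(word.encode("utf-8")).hexdigest()
    for word in ("password", "123456", "letmein", "qwerty", "monkey")
}

# Hypothetical substitution table, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def meets_native_complexity(candidate):
    """Simplified built-in rule: three of upper, lower, digit, symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, candidate)) for c in classes) >= 3


def variants(candidate):
    """The candidate plus the base words a user most likely started from."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits/symbols
    forms = {candidate, lowered, stripped,
             lowered.translate(LEET), stripped.translate(LEET)}
    return forms - {""}


def check_password(candidate, min_length=10):
    """Return (accepted, feedback); feedback never echoes the password."""
    feedback = []
    if len(candidate) < min_length:
        feedback.append(f"Use at least {min_length} characters.")
    if any(hashlib.sha1(v.encode("utf-8")).hexdigest() in LEAKED_SHA1
           for v in variants(candidate)):
        feedback.append("This password, or a simple variation of it, "
                        "appears in a leaked password list.")
    return (not feedback, feedback)


if __name__ == "__main__":
    for pw in ("Password1!", "P@ssw0rd", "correct horse battery staple"):
        print(meets_native_complexity(pw), check_password(pw))
```

Note that `Password1!` satisfies the simplified complexity rule yet is rejected by the dictionary check, while the long passphrase fails the complexity rule but passes the length and dictionary checks.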

Another neat thing you can do with Specops Password Policy is configure custom user feedback when a user's new password doesn't meet your corporate requirements. Because the Specops solution rides on top of Windows' native LSASS process, the user will see detailed help text from within the OS password-change screen as shown here:

Users receive detailed guidance on changing their password

You do have to invest in other members of the Specops Password Management solution if you want to enable, for instance, self-service password reset (beyond the native OS tool) and account unlock.


One thing I didn't like about Specops Password Policy was that I couldn't locate licensing/pricing information anywhere on the website. Instead, prospective customers are asked to reach out to Specops directly.

But this doesn’t take away from my overall experience with the product. It is great that Specops Password Policy integrates so naturally into Windows Group Policy. Also, its breadth and depth of password policy options are super impressive.



© 4sysops 2006 - 2023

