I like to describe Specops Password Policy as a way to "supercharge" your existing Active Directory Group Policy-based password policies. This client/server software integrates directly into Active Directory and gives you much broader, deeper password/passphrase flexibility than do native tools.
In today's article, I will review the new features in Specops Password Policy v7.2. If you aren't yet familiar with Specops Password Policy, then I invite you to read my previous 4sysops installments on the subject.
Okay—let's get to it!
Leaked password scanning ^
The most important new feature in Specops Password Policy v7.2 is called Leaked Password Scanning. As you probably know, it's nearly daily news that one company or another experiences a data breach and a public disclosure of customer credentials.
The Blacklist component of Specops Password Policy v7.2 enables you to access Specops Blacklist Complete service or download a subset of the hosted list which that contains nearly one billion passwords. The idea is you can configure Blacklist to require that Active Directory users with leaked passwords are required to change them at next logon. The first screen capture shows you where this option exists in the Specops Password Policy Domain Administration tool.
As shown in the next screen capture, you can run a leaked password scan ad-hoc or on a schedule. To run a scheduled scan, you can use the Start-PasswordPolicyLeakedPasswordScanning PowerShell cmdlet; I'll discuss the Specops PowerShell module below.
Specops uses its Group Policy Object (GPO) extensions to deliver password policy and Blacklist Express settings to users. The Group Policy, in combination with a Specops Authentication Client you deploy to endpoints, enforces the leaked password policy in your domain.
Specops Password Policy sends Leaked Password Scan results to your domain controller's Application log. You can see an Event 107 message in the next screen capture.
Greater control over blacklist email notifications ^
Specops added two new features that your users are bound to appreciate because they increase communications between your service desk and affected domain users. In the next screen capture, you can see that Specops Blacklist Complete now enables you to notify users via the To: and CC: email message fields if their passwords are found in a leaked passwords scan.
Improved regular expression passphrase configuration ^
Another user-centric feature I observed concerned regular expression (regex)-based password policies. The next screen capture shows you can now generate a client message if a user's new password doesn't meet regex-based complexity requirements.
For example, your client message could redirect your users to a help document on the corporate intranet, or perhaps to your support desk. Alternatively, the client message can simply explain in detail what your password complexity rules are.
Enhanced PowerShell support ^
With the v7.2 release we (finally) have an honest-to-goodness module for the Specops Password Policy commands. Until now, Specops delivered the commands via the antiquated snap-in architecture.
As you can see in the following screen capture, the module is relatively small. However, one new cmdlet, Get-PasswordPolicyAffectingUser, spiked my interest. This command simplifies reporting on precisely which of your Specops Password Policy password policies is linked to the user. I'm reminded of Resultant Set of Policy (RSoP) in Group Policy.
Administrators can now also apply length-based password aging on top of the standard password age limit. Length-based password aging rewards users who create longer and more secure passwords, by giving them extra time before their password expires.
If your Active Directory password policy isn't flexible enough for you, then I suggest you give Specops Password Policy a try. The Leaked Password Scan feature alone may make the buying easy for businesses who are rightfully concerned about software-as-a-service (SaaS) application-related password privacy.