The biggest change to Specops Password Policy v7.2 is a leaked password scanner, which can run on a schedule and requires users with leaked passwords to change them at next logon.
By Timothy Warner

I like to describe Specops Password Policy as a way to "supercharge" your existing Active Directory Group Policy-based password policies. This client/server software integrates directly into Active Directory and gives you much broader, deeper password/passphrase flexibility than do native tools.

In today's article, I will review the new features in Specops Password Policy v7.2. If you aren't yet familiar with Specops Password Policy, then I invite you to read my previous 4sysops installments on the subject.

Okay—let's get to it!

Leaked password scanning

The most important new feature in Specops Password Policy v7.2 is called Leaked Password Scanning. As you probably know, it's nearly daily news that one company or another experiences a data breach and a public disclosure of customer credentials.

The Blacklist component of Specops Password Policy v7.2 enables you to access the Specops Blacklist Complete service or download a subset of the hosted list that contains nearly one billion passwords. The idea is that you can configure Blacklist so that Active Directory users with leaked passwords are required to change them at next logon. The first screen capture shows you where this option exists in the Specops Password Policy Domain Administration tool.

Configuring the Leaked Password Scanning feature


As shown in the next screen capture, you can run a leaked password scan ad-hoc or on a schedule. To run a scheduled scan, you can use the Start-PasswordPolicyLeakedPasswordScanning PowerShell cmdlet; I'll discuss the Specops PowerShell module below.

Specops uses its Group Policy Object (GPO) extensions to deliver password policy and Blacklist Express settings to users. The Group Policy, in combination with a Specops Authentication Client you deploy to endpoints, enforces the leaked password policy in your domain.

Running a leaked password scan


Specops Password Policy sends Leaked Password Scan results to your domain controller's Application log. You can see an Event 107 message in the next screen capture.

Viewing leaked password scan results
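
The same Event 107 records can be collected from the Application log of every domain controller with built-in cmdlets. This is an added example, not code from the original article or from Specops; it assumes the ActiveDirectory RSAT module, and the function name `Get-LeakedPasswordScanEvent` and its `-ProviderName` parameter are hypothetical, because the article does not name the event source.

```powershell
#Requires -Modules ActiveDirectory
# Added example: gather Event ID 107 (leaked password scan results) from each DC.
# The message text is returned as-is; its layout is not documented on this page.

function Get-LeakedPasswordScanEvent {
    [CmdletBinding()]
    param(
        # Defaults to every domain controller in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Assumption: copy the source name from a real Event 107 in Event Viewer.
        [string]$ProviderName
    )

    $filter = @{ LogName = 'Application'; Id = 107; StartTime = $Since }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }

    foreach ($dc in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                Select-Object @{ n = 'DomainController'; e = { $dc } },
                              TimeCreated, ProviderName, Id, Message
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                # No scan result on this DC in the window: expected, not a failure.
                Write-Verbose "No Event 107 on $dc since $Since"
            }
            else {
                # Unreachable DC or access denied: surface it so gaps are visible.
                Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
            }
        }
    }
}

# Last 30 days, newest first. Without -ProviderName, other software that also
# logs ID 107 will appear; the ProviderName column lets you tell them apart.
Get-LeakedPasswordScanEvent -Since (Get-Date).AddDays(-30) |
    Sort-Object TimeCreated -Descending |
    Format-Table DomainController, TimeCreated, ProviderName -AutoSize
```

Remote queries need the Remote Event Log Management firewall rules enabled on the domain controllers. Treat any exported output as sensitive, since the event message may identify affected accounts.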


Greater control over blacklist email notifications

Specops added two new features that your users are bound to appreciate because they increase communications between your service desk and affected domain users. In the next screen capture, you can see that Specops Blacklist Complete now enables you to notify users via the To: and CC: email message fields if their passwords are found in a leaked passwords scan.

Configuring blacklist email notifications


Improved regular expression passphrase configuration

Another user-centric feature I observed concerned regular expression (regex)-based password policies. The next screen capture shows you can now generate a client message if a user's new password doesn't meet regex-based complexity requirements.

Add a custom message to help users with regex associated passphrases


For example, your client message could redirect your users to a help document on the corporate intranet, or perhaps to your support desk. Alternatively, the client message can simply explain in detail what your password complexity rules are.

Enhanced PowerShell support

With the v7.2 release we (finally) have an honest-to-goodness module for the Specops Password Policy commands. Until now, Specops delivered the commands via the antiquated snap-in architecture.

As you can see in the following screen capture, the module is relatively small. However, one new cmdlet, Get-PasswordPolicyAffectingUser, piqued my interest. This command simplifies reporting on precisely which of your Specops Password Policy password policies is linked to the user. I'm reminded of Resultant Set of Policy (RSoP) in Group Policy.

Testing the new Specops Password Policy PowerShell module


Administrators can now also apply length-based password aging on top of the standard password age limit. Length-based password aging rewards users who create longer and more secure passwords, by giving them extra time before their password expires.



If your Active Directory password policy isn't flexible enough for you, then I suggest you give Specops Password Policy a try. The Leaked Password Scan feature alone may make the buying decision easy for businesses that are rightfully concerned about software-as-a-service (SaaS) application-related password privacy.

