Specops Password Policy 7.9 – Send Mail from Arbiter, Configure AD Sites for Improved Performance & more

Today we’ve released the latest version of our Active Directory password management solution, Specops Password Policy 7.9.

In this post, we’ll take a look at what’s new:

  • New option to send mail from the Arbiter instead of through the Sentinel Service
  • New option to configure which AD Sites an Arbiter serves for improved performance
  • Improved breached password enforcement for users with passwords set to never expire
  • And more

New: Optionally configure email to send via the Arbiter to help further harden DCs

In this release, we’ve added the ability to optionally configure emails sent by Specops Password Policy (expiry reminders and breached password notifications) through the Specops Arbiter instead of the Sentinel Service.

Find the option to configure the Arbiter as the SMTP email sending system in the Domain Settings section within the Specops Password Policy Domain Administration Tools

As the Sentinel Service is required to be installed on domain controllers, customers looking to avoid generating SMTP traffic directly from domain controllers will find this new option especially of interest. Customers who have Arbiters installed on servers that are not domain controllers (as recommended) will be able to utilize this new option to further harden their domain controllers.

Existing customers may only have Arbiters installed if using Specops Breached Password Protection. Customers who don’t currently have Specops Breached Password Protection, but would like to utilize an Arbiter for sending the expiry reminder emails, may need to install the Arbiter first.

More information on configuring the Arbiter for sending email can be found here.

New: Configure which Active Directory Sites an Arbiter Serves for improved performance

In this release, we’ve added the ability to configure which Active Directory sites a Specops Arbiter serves.

Existing customers can find the ability to Configure Sites for a particular Arbiter within the Password Policy Arbiters section of the Domain Administration Tools

Arbiters are a component of Specops Password Policy that are used for:

  • Checking passwords against the 4 billion+ Breached Password Protection Complete list (always, if Breached Password Complete is configured)
  • Sending texts from Specops Password Policy (always, if text notifications are configured) 
  • Sending email from Specops Password Policy (optional, as of this release)

Customers looking to further optimize performance of the Arbiter and their network will find this new configuration of interest.

More info on this configuration option can be found here.

Improved Breached Password Enforcement for Never-Expire Users

Prior to this release, users whose passwords were set to never expire could not be forced to change their password at next logon when that password was found in the Breached Password Protection list.

With this release, we’ve introduced the ability to enforce a password change for users who have passwords set to never expire but are also found to have a breached password.

When the “Require that users with leaked passwords change them at next logon” setting is checked for Breached Password Protection, Specops Password Policy will clear the “never expire” flag on the user if their password is found on the Complete list or as part of the daily scan for the Express List, so that the user can be required to change their password at next logon.

The setting that when enabled forces users to change their password at next logon. This setting also exists in the Breached Password Protection Express menu.

Customers can make use of log monitoring (event ID 1166) or email notifications to help manage users who will have their “never expire” flag cleared.

Note: Customers with service accounts set to never expire may want to take extra care before upgrading: review which service accounts have breached passwords with the help of Specops Password Auditor, and make a plan to change those passwords or exclude them from the Express daily scan.
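As a starting point for that review, the added example below (not Specops code) lists enabled accounts that carry the “never expire” flag and marks the ones that look like service accounts. Treating an account with an SPN as a service account is an assumption, the sample records are constructed, and the script does not detect breached passwords; that part still needs Specops Password Auditor.

```powershell
# Added example (not Specops code): inventory enabled accounts with the
# "password never expires" flag so service accounts can be reviewed before
# the flag-clearing behaviour described above applies to them.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit for "never expire"
$ACCOUNTDISABLE       = 0x2       # userAccountControl bit for disabled accounts

function Get-NeverExpireAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $uac = [int]$User.userAccountControl
        if (($uac -band $DONT_EXPIRE_PASSWORD) -eq 0) { return }  # password expires normally
        if (($uac -band $ACCOUNTDISABLE) -ne 0) { return }        # disabled account, skip
        # Assumption: an account carrying an SPN is treated as a service account.
        $hasSpn = [bool](@($User.servicePrincipalName) | Where-Object { $_ })
        $age = if ($User.PasswordLastSet) {
            [int][math]::Floor(($Now - [datetime]$User.PasswordLastSet).TotalDays)
        } else { $null }                                          # password never set
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            LikelyService   = $hasSpn
            PasswordAgeDays = $age
        }
    }
}

# Constructed sample records; names, SPNs and dates are made up for the example.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql'; userAccountControl = 0x10200
        servicePrincipalName = @('MSSQLSvc/db01.example.test:1433'); PasswordLastSet = [datetime]'2019-04-02' }
    [pscustomobject]@{ SamAccountName = 'kiosk01'; userAccountControl = 0x10200
        servicePrincipalName = @(); PasswordLastSet = [datetime]'2022-11-15' }
    [pscustomobject]@{ SamAccountName = 'svc-old'; userAccountControl = 0x10202
        servicePrincipalName = @('HTTP/app.example.test'); PasswordLastSet = [datetime]'2016-01-10' }
    [pscustomobject]@{ SamAccountName = 'jdoe'; userAccountControl = 0x200
        servicePrincipalName = @(); PasswordLastSet = [datetime]'2023-02-01' }
)

# Reports svc-sql (likely service) and kiosk01; svc-old is disabled, jdoe expires normally.
$sample | Get-NeverExpireAccount -Now ([datetime]'2023-03-29') |
    Sort-Object LikelyService, PasswordAgeDays -Descending | Format-Table -AutoSize

# Live use (ActiveDirectory module) instead of $sample:
# Get-ADUser -Filter * -Properties userAccountControl,servicePrincipalName,PasswordLastSet |
#     Get-NeverExpireAccount
```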

Alternatives to never expire

While many organizations may be interested in setting passwords to never expire to reduce the password management burden and to stop users from simply iterating on their old passwords, we find many customers still prefer to make use of expiry to help hedge against password reuse. These customers use length-based password aging as a middle ground that accommodates both concerns.

Example settings for length-based password aging within Specops Password Policy

More improvements and fixes

More improvements and fixes can be found in the release notes.

If you are an existing Specops Password Policy customer, you can find upgrade instructions here. If you have questions about upgrading, please contact support.

See how Specops Password Policy can help

If you’re interested in seeing a demo of the latest Specops Password Policy or have questions about how you can block over 4 billion compromised passwords with Breached Password Protection, contact us.

(Last updated on March 29, 2023)
