
Did Specops Expire My Password?

Questions often arise about Specops and password expiration. The steps below can be used to verify whether Specops caused a user's password to expire and, if so, which component did it.

Verifying the PDC

First identify which domain controller holds the PDC emulator role, because the Specops user counting process runs there and its logs show whether passwords expired because of their age or because they were found on the Breached Password Protection Express list. The PDC can be identified in two ways: from a command prompt or from Active Directory Users and Computers.

Command Prompt:

Launch cmd and run the following command:

netdom query fsmo

The output lists the holder of each FSMO role; the line beginning with PDC names the PDC emulator.

Active Directory Users and Computers:

Launch ADUC, right-click the domain name and select Operations Masters.

Select the PDC tab; the server shown there is the PDC emulator.

Checking the PDC for user counting logs to see whether password expiration or Breached Password Protection Express expired a user's password

Launch Event Viewer on the PDC and locate the most recent user counting run.

The log shows that the user counting process has run: Event 1073 indicates that user counting started and Event 1079 that it completed. Between them is a series of events with ID 1104, one per component:

  • License counting: shows the number of users in the Active Directory scope the policy applies to and how many of them the policy affects. In this example there are 9 users in scope, but only 3 are affected by the policy.
  • Password expiration: shows how many passwords expired during this user counting run, along with the number of expiration emails sent, grouped by the number of days before expiration.
  • Breached Password Protection Express: shows how many users' password hashes were found in the breach list and what the policy does about it. In this example 1 user's hash was found; based on the policy settings the user will be forced to change the password at next logon and no email will be sent.
  • Length based aging flag check

The counts in these events are totals for the run. A non-zero Password expiration count or Breached Password Protection Express count in the run that precedes the reported expiry tells you which component expired passwords in that run.

Breached Password Protection Complete

If this option is enabled in the policy, a user can be made to change a newly set password when it is found in the complete breached password list: after a successful password change, the password is checked against the complete list via the Breached Password Protection API. The change itself is logged in the Application event log of the domain controller that processed it, as Event 102 (successful user password change) or Event 103 (successful admin password reset).

The corresponding events are found on the Arbiter server in the Applications and Services Logs/Specops log. The table below lists the events written when a password is rejected after being checked against the complete list.

Event Source                          Event ID   Description
Password Arbiter (Specops)            2016       Request to Breached Password Protection API completed. Password for user 'testuser' was blacklisted.
Password Sentinel Service (Specops)   1011       The password that was set for 'testuser' was found in the breach list, user will be forced to change it at next logon.
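The following PowerShell script is an added example; it is not part of this article and not a Specops tool. It automates the checks above for one user: it resolves the PDC emulator (the same answer that netdom query fsmo gives), pulls the user counting events (1073, 1104, 1079) from the PDC, the password change and reset events (102, 103) from the Application log of every domain controller, and the Breached Password Protection Complete events (2016, 1011) from the Specops log on the Arbiter, then prints them as one timeline. The Arbiter host name, the logs searched on the PDC (the article does not name the log that holds the user counting events), and the expectation that the 102/103 and 2016/1011 messages contain the user's account name (the article shows 'testuser' in the 2016 and 1011 messages) are assumptions to adjust for your environment. It must run under an account that can read event logs remotely on the PDC, the other domain controllers and the Arbiter.

```powershell
<#
  Added example, not a Specops script. Collects the events described in
  this article into one timeline for a given user.
  Assumptions (adjust for your environment):
    - $ArbiterServer is the host running the Specops Password Arbiter.
    - $PdcLogNames are the logs on the PDC that hold the user counting
      events (1073, 1104, 1079); the article does not name the log.
    - The 102/103 and 2016/1011 messages contain the user's account name.
    - The caller can read event logs remotely (Event Log Readers or
      equivalent) and RPC access to the remote event log service is open.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string] $SamAccountName,
    [string] $ArbiterServer = 'arbiter01',                 # assumption
    [string[]] $PdcLogNames = @('Specops', 'Application'), # assumption
    [int] $DaysBack = 7
)

$since  = (Get-Date).AddDays(-$DaysBack)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Step 1: which DC is the PDC emulator. Same result as the PDC line of
# 'netdom query fsmo' or, with the ActiveDirectory module, (Get-ADDomain).PDCEmulator.
$pdc = $domain.PdcRoleOwner.Name
Write-Host "PDC emulator: $pdc"

function Get-SpecopsEvents {
    # Query one or more logs on one host for the given event IDs.
    # Get-WinEvent treats "no events found" and "log does not exist" as
    # terminating errors under -ErrorAction Stop, so both are caught and
    # reported as verbose output instead of aborting the whole script.
    param(
        [string]   $Computer,
        [string[]] $LogNames,
        [int[]]    $Ids,
        [datetime] $StartTime
    )
    foreach ($log in $LogNames) {
        try {
            Get-WinEvent -ComputerName $Computer -ErrorAction Stop -FilterHashtable @{
                LogName   = $log
                Id        = $Ids
                StartTime = $StartTime
            }
        }
        catch {
            Write-Verbose ("{0}/{1}: {2}" -f $Computer, $log, $_.Exception.Message)
        }
    }
}

$userPattern = [regex]::Escape($SamAccountName)

# Step 2: the user counting run on the PDC. 1073 = started, 1104 = one event
# per component (license counting, password expiration, Breached Password
# Protection Express, length based aging flag check), 1079 = complete.
$counting = Get-SpecopsEvents -Computer $pdc -LogNames $PdcLogNames -Ids 1073, 1104, 1079 -StartTime $since

# Step 3: password changes (102) and admin resets (103) are logged in the
# Application log of whichever DC processed them, so every DC is queried.
$changes = foreach ($dc in $domain.DomainControllers) {
    Get-SpecopsEvents -Computer $dc.Name -LogNames 'Application' -Ids 102, 103 -StartTime $since |
        Where-Object { $_.Message -match $userPattern }
}

# Step 4: Breached Password Protection Complete results on the Arbiter:
# 2016 (API request completed, password blacklisted) and 1011 (user will be
# forced to change the password at next logon).
$arbiter = Get-SpecopsEvents -Computer $ArbiterServer -LogNames 'Specops' -Ids 2016, 1011 -StartTime $since |
    Where-Object { $_.Message -match $userPattern }

# One timeline, oldest first. The first line of each message shows which
# component acted; the full 1104 messages carry the per-component counts.
$timeline = @($counting) + @($changes) + @($arbiter) |
    Where-Object { $_ } |
    Sort-Object TimeCreated

$timeline |
    Select-Object TimeCreated, MachineName, LogName, ProviderName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize

Write-Host "`nUser counting component results (Event 1104):"
$timeline | Where-Object { $_.Id -eq 1104 } | ForEach-Object {
    Write-Host ("--- {0} ---`n{1}" -f $_.TimeCreated, $_.Message)
}

# Verdict hints. Any 1011/2016 for the user means Breached Password Protection
# Complete rejected a password they set; otherwise read the 1104 counts from
# the run that precedes the reported expiry.
if ($timeline | Where-Object { $_.Id -in 1011, 2016 }) {
    Write-Host "`n$SamAccountName's password was rejected by Breached Password Protection Complete."
}
elseif (-not ($timeline | Where-Object { $_.Id -eq 1104 })) {
    Write-Host "`nNo user counting events found in the last $DaysBack days; check `$PdcLogNames and `$DaysBack."
}
```

Run it as .\Get-SpecopsExpiryEvents.ps1 -SamAccountName testuser -ArbiterServer arbiter01 -Verbose; the -Verbose switch shows which host/log combinations returned nothing, which is the quickest way to find out that the user counting events live in a different log than the ones assumed in $PdcLogNames.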

April 21, 2022
