Knowledge Base

This article assumes you are on the latest version of Password Policy.

Often questions arise regarding Specops and password expiration. Below are the steps that can be followed to verify whether or not Specops caused a password to expire.

Checking the Periodic Scanning tab

This tab provides counts of users affected by Specops Password Policy, along with license information, password expiration, users whose passwords have been affected due to breached password protection:

We can also take this a step further by first confirming the PDC by going to the Password Policy Sentinels tab and seeing which DC is marked with the (PDC):

Then utilizing the logs in the event viewer under Applications and Services Logs, under the Specops filter:

We see the cause of 1094 is a user found on the breached password protection express list and a 1089 is Specops expiring the password based on the age of the password.

Password Change-Breached Password Protection Complete

If these options are enabled in the policy, it can cause a user to change their password if it is found in the complete API after a successful password change, which is logged under the Application event log on the domain controller where the password change/reset was processed as Event 102 (successful user password change) or Event 103 (successful admin password reset).

The corresponding events can be found on the Arbiter server in the Windows Applications and Services Logs/Specops log. The table below shows the list of events when a password is rejected by the Arbiter when checked against the complete list.