How is my Specops Password Policy configuration?
We sometimes have customers ask how to review that Specops Password Policy is working as intended.
I am going to go through the steps we would check to verify a Specops Password Policy configuration.
Checking Specops Password Policy Administration Tools
We will start by checking the Password Policy Administration Tools.
- On the very first screen, you will be shown your license information. Make sure the licensing information looks okay, and there are no errors.
Now, let’s click on Password Policy Sentinel state: This will do a check of all your writeable Domain Controllers, and report on the version of Sentinel installed. Note that any DC listed here should have the Specops Password Policy Sentinel installed. It is a requirement of the product. They should also be the same version. When users change passwords the Sentinel is what checks the password and evaluates against Specops Password Policy. It is critical that the Specops Password Policy Sentinel is on all of your writeable DCs!
Note: The sentinel status is confirming the installed version is the same as the running version and is not an indicator if the service is running on the DC or not.
- Optional for Breached Password Protection (BPP) licensed clients. Go down to Breached Password Protection and check the status of the Arbiter used for BPP Complete, and check that we are up to date with our BPP Express lists.
Our first screen for Complete API should look like this. It should show the server where your arbiter is installed, and green checks for Online, and API key. If you are licensed for BPP and need an API key, please reach out to support to get an API key by using this link.
If we switch to the Express List tab, we can see the version of the Express List, and can update by clicking on “Download latest version” to ensure we have the latest list of leaked passwords for BPP Express.
- Next, we want to click on Password Policies near the top left. The Admin Tools do a query to check for any group policies that contain any Specops Password Policy settings within them. These will be the policies that drive Specops Password Policy. You will want to validate that your group policy being used for Specops Password Policy is listed. (Also note that the “Default Domain Policy” may not actually be the Default Domain Policy. This is whatever password policy has the highest level of precedence in group policy. Specops or otherwise.)
If your policy is not listed above, ensure that in Group Policy Management the GPO that has Specops Password Settings is still there, and that User Settings for that GPO are enabled. If your GPO exists, but the User Settings are disabled, they will not show up here as Specops Password Policy is user settings based. They will need to be enabled.
- From there, we can select the policy (shown in green) and look at a summary of its settings. You can also click on Edit Policy to make changes to your Specops Password Policy.
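To check the same condition from PowerShell rather than the Admin Tools screen, here is an added example (not code from the Specops article or product) that lists every GPO in the domain, flags those whose User Configuration is disabled, and notes which of them mention Specops in their report. It assumes the GroupPolicy RSAT module is installed and that Specops settings appear under the name "Specops" in the GPO XML report (an assumption).

```powershell
# Added example, not from the Specops article.
# Specops Password Policy lives in User Configuration, so a GPO whose user side is
# disabled will not show up in the Admin Tools even though it still exists.
Import-Module GroupPolicy

function Get-SpecopsGpoStatus {
    foreach ($gpo in Get-GPO -All) {
        # GpoStatus is one of AllSettingsEnabled, UserSettingsDisabled,
        # ComputerSettingsDisabled, AllSettingsDisabled
        $userSideDisabled = $gpo.GpoStatus -in @('UserSettingsDisabled', 'AllSettingsDisabled')

        # Get-GPOReport returns the whole report as one XML string; we assume
        # Specops settings are identifiable by the word "Specops" in it (assumption)
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        [pscustomobject]@{
            Name             = $gpo.DisplayName
            GpoStatus        = $gpo.GpoStatus
            UserSideDisabled = $userSideDisabled
            MentionsSpecops  = ($report -match 'Specops')
        }
    }
}

$all = Get-SpecopsGpoStatus
$all | Format-Table -AutoSize

# These are the GPOs that carry Specops settings but cannot apply them;
# re-enable user settings on each with:
#   (Get-GPO -Name '<GPO name>').GpoStatus = 'AllSettingsEnabled'
$all | Where-Object { $_.MentionsSpecops -and $_.UserSideDisabled }
```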
Check that our Specops Password Policy is assigned to our users
We now should check that our policy is applied correctly.
Check the scopes/links of our group policy.
- Open Group Policy Management.
- Expand Domains, and then your domain.
- Look under Group Policy Objects for the GPO with the name we identified in the Password Policy Administration Tools / Password Policies screen and click on it.
- Once selected, you can take a look at the Scope of your policy and any filtering. This should tell you which OUs/users have your Specops Password Policy GPO assigned to them.
Use Active Directory Users and Computers to validate that our Specops Password Policy is being applied to particular users.
A good idea is to install Active Directory Users and Computers on the server which has your Password Policy Domain Admin Tools. Doing so will give us the opportunity to check individual users by right clicking them in Active Directory Users and Computers, and using the context menu.
- Open up Active Directory Users and Computers.
- Find a user we would like to check to see if our Specops Password Policy GPO is being applied.
- Right click on the user, then click on Specops Password Policy.
- You should now see a screen that will tell us if a Specops Password Policy is being applied to a user, and which policy is being applied to the user. On the latest version it will also tell us their password expiration.
Check Domain Controllers for Specops Password Policy Events and Sentinel Service status
Check Domain Controllers for Specops Password Policy Events
Another item to check is your Domain Controllers (any DCs that users would authenticate against) for the events that Specops Password Policy logs when it evaluates a password change.
- Open up Event Viewer, Windows Logs, Application.
- Filter events to show those from source “Specops Password Policy Sentinel”.
- If Specops Password Policy is applying, I would expect to see events like the ones below:
| Event Source | Event ID | Description |
| --- | --- | --- |
| Specops Password Policy Sentinel | 102 | Successful password change performed by user. |
| Specops Password Policy Sentinel | 103 | Failed password change performed by user. |
| Specops Password Policy Sentinel | 202 | Successful password reset performed by administrator. |
| Specops Password Policy Sentinel | 203 | Failed password reset performed by administrator. |
If you do not see these events then there are a few common reasons why you would not:
- Default Domain Policy is rejecting the password first, so Specops Password Policy never gets to evaluate it. It’s important to understand Default Domain Policy and Specops Password Policy precedence as described here.
- The user you are checking is not being affected by Specops Password Policy. See the section on checking to see if Specops Password Policy GPOs are being applied to a specific user.
- The particular DC you are checking was not the one that handled the password change request.
For more information on tracking why a password might be getting rejected you can review the knowledgebase article here.
Check Specops Password Policy Sentinel service is running
Specops Password Policy expiration notification emails go out from your PDC via a service called Specops Password Sentinel Service. This service should be up and running on your PDC (and ideally on all DCs).
Note: The Specops Password Sentinel Service is not required to enforce policy rules.
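The event check and the service check above can be run against every writeable DC at once. This is an added example, not code from the Specops article or product; it assumes the ActiveDirectory RSAT module is available, that the service display name starts with "Specops Password Sentinel", and that you have remote event log and WMI/CIM access to the DCs.

```powershell
# Added example, not from the Specops article.
# For each writeable DC: is the Sentinel service running, and how many of the
# Sentinel's password change/reset events (IDs from the article) were logged recently?
Import-Module ActiveDirectory

function Get-SentinelHealth {
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)
    $ids   = 102, 103, 202, 203   # user change ok/fail, admin reset ok/fail

    # Only writeable DCs matter: the Sentinel is required on all of them
    foreach ($dc in Get-ADDomainController -Filter 'IsReadOnly -eq $false') {
        $host = $dc.HostName

        # Service display name prefix is an assumption; adjust to your install
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $host `
            -Filter "DisplayName LIKE 'Specops Password Sentinel%'" -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.State } else { 'NotFound' }

        # Get-WinEvent errors when nothing matches, so treat "no events" as an empty set
        $filter = @{ LogName = 'Application'; ProviderName = 'Specops Password Policy Sentinel'
                     Id = $ids; StartTime = $since }
        $events = @(Get-WinEvent -ComputerName $host -FilterHashtable $filter -ErrorAction SilentlyContinue)

        $count = @{}
        foreach ($id in $ids) { $count[$id] = @($events | Where-Object Id -eq $id).Count }

        [pscustomobject]@{
            DC              = $host
            IsPDC           = ($dc.OperationMasterRoles -contains 'PDCEmulator')
            SentinelService = $state          # expiration emails need this on the PDC
            ChangeOK        = $count[102]
            ChangeFailed    = $count[103]
            ResetOK         = $count[202]
            ResetFailed     = $count[203]
        }
    }
}

# A DC with zero events is not necessarily broken: it may simply not have
# handled any password changes, as the article notes.
Get-SentinelHealth -Days 7 | Format-Table -AutoSize
```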