Knowledge Base

Specops Password Policy (and all 3rd party password filters in Active Directory) do not and cannot replace the built-in password policy in Active Directory. For all password changes/resets, Active Directory will check its own built-in policy and ensure the new password meets its requirements before even checking the Specops policy requirements. Active Directory also continues...

All password changes in Active Directory passes through one or more Password Filters on the Domain Controllers (Specops Password Policy Sentinel is basically a Password Filter), all these Password Filters need to approve the new password before the change is finalized, like the following flowchart shows. Following this somewhat simplified chart yield some important information:...

In this article we will review how the Specops client and Specops Password Policy determine the language to use when displaying feedback to the end user when their password is not accepted. There are two ways the language for the feedback is chosen; either set manually in the Password Policy Group Policy Snap-In, or chosen...

With the retirement of Server 2012/r2, a question that has risen in popularity is how I migrate my password policy to another server to continue using the product without any issues? The simple answer is not a lot needs to be done since all of the configuration is stored in Group Policy and Active Directory....

This article will review the steps required to confirm the Specops Password Policy Sentinel is installed properly on your domain controllers. The Sentinel is required on every writeable domain controller in order to ensure proper enforcement of Specops password policies. It does not need to be installed on read-only domain controllers; if you have any...

Make sure that standard communication is allowed. The management Computer with the Specops Password Policy Domain Administration Tool installed must be able to communicate with Domain Controllers on: LDAP: TCP 389 SMB: TCP 445 Kerberos: TCP 88, 464 DNS: TCP/UDP 53 Other common client protocols RPC (Remote Procedure Call) RPC should be open/allowed between the...

For the initial policy Create your policy you will use for this policy and tag the policy where you would like it applied within the Active Directory structure. The security filtering will be Authenticated users which for most cases is fine: For an additional policy Create your policy you will use for this policy and...

User counting has been renamed to periodic scanning and has been relocated for ease of access in Password Policy version 7.10. Below is each version’s method for what needs to be done for user counting/periodic scanning to be adjusted accordingly. 7.5 and Below: In versions 7.5 and below, you would modify the value “CheckExpiredPasswordsStartTime” registry...

This article lists all file locations and executables associated with the Specops Password Policy Sentinel on domain controllers. File Locations The following locations contain files associated with the Sentinel: %PROGRAMFILES%\Specopsssoft\Specops Password Policy\ %WINDIR%\System32\SppFilter.dll %WINDIR%\System32\SppFilterInfo.json %WINDIR%\System32\SppFilterRes.dll Executables Specops Password Sentinel Service — Windows service, must run as local system. C:\Program Files\Specopssoft\Specops Password Policy\Sentinel Service\Specopssoft.SentinelService.exe Specops Password...

After a Breached Password Protection Complete scanning the results are showing less email notifications sent then compromised passwords found. Possible reasons for this 1. A users password has been caught as breached by the complete list in the past and the “User must change password during next logon” setting has been ticked on the user...