Tracking Password Change Rejections with Specops Password Policy
In this article we will review how administrators can audit rejected password changes and password resets when Specops Password Policy is deployed in the domain.
The Specops Password Policy Sentinel logs a Windows event log entry each time a password change or password reset is rejected by the rules in the Specops Password Policy. The entry is logged to the Windows Application event log on the domain controller where the password change/reset was processed.
Event Source | Event ID | Description |
---|---|---|
Specops Password Policy Sentinel | 202 | Password Change Rejected (user changing own password) |
Specops Password Policy Sentinel | 203 | Password Admin Reset Rejected (admin/service setting user password) |
These log entries will appear in addition to Windows Event IDs 4723/4724; Windows will log a failure audit event in the Windows security log on any password change/reset failure:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
Specops recommends using an Enterprise SIEM to collect both the Specops event IDs 202/203 and Windows event IDs 4723/4724 in a central repository for troubleshooting/analysis.
Password Changes Rejected By Other Password Policies
If a password change fails and 4723/4724 are logged but Specops Event IDs 202/203 are not logged, this indicates the new password was rejected by another password policy: either the Default Domain Policy, a Fine-Grained Password Policy, Azure Password Protection (for password changes initiated in on-prem Active Directory), or another third-party password filter. Specops recommends adjusting your default and fine-grained policies to be compatible with your Specops policies and turning off any password policy enforcement in any other third-party password filters for ease of administration and troubleshooting.
Specops Password Policy Password Rejection Event Syntax
Both events 202 and 203 have approximately the same event data syntax:
Log Name: Application
Source: Specops Password Policy Sentinel
Event ID: 203
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: DC1.specopsdemo1.com
Description:
Password AdminReset for user 'DEMOUSER' rejected.
The password did not meet the requirements specified in policy 'Specops Password Policy Demo'.
PasswordHistory:5:TRUE
DisallowIncremental:1:TRUE
MinimumLength:12:TRUE
RequiredCharacterGroups:3:TRUE[Upper:1:TRUE,Lower:1:TRUE,Digit:1:TRUE,Special:1:TRUE,]
DisallowUserName:1:TRUE
DisallowConsecutive:3:TRUE
DictionaryFileName:UwBwAGUAYwBvAHAAcwA=:FALSE
Log Name: Application
Source: Specops Password Policy Sentinel
Event ID: 202
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: DC1.specopsdemo1.com
Description:
Password UserChange for user 'DEMOUSER' rejected.
The password did not meet the requirements specified in policy 'Specops Password Policy Demo'.
PasswordHistory:5:TRUE
DisallowIncremental:1:TRUE
MinimumLength:12:TRUE
RequiredCharacterGroups:3:TRUE[Upper:1:TRUE,Lower:1:TRUE,Digit:1:TRUE,Special:1:TRUE,]
DisallowUserName:1:TRUE
DisallowConsecutive:3:TRUE
DictionaryFileName:UwBwAGUAYwBvAHAAcwA=:FALSE
The first line of the description will specify the sAMAccountName of the end user whose password was rejected (in the examples above, DEMOUSER).
The second line will specify the name of the Specops Password Policy GPO applied to that user (in the examples above, Specops Password Policy Demo).
The rest of the description specifies pass/fail criteria for each rule in the policy. Each line specifies a rule name, a detail about the configurable rule criteria where applicable, and TRUE/FALSE, with TRUE indicating the new password was acceptable under that criterion and FALSE indicating the new password did not meet that particular requirement. For example:
PasswordHistory:5:TRUE
PasswordHistory is the indicator for the “number of remembered passwords” setting in the GPO; in this case, 5 is the number of previous passwords that are rejected, and TRUE indicates that the new password was acceptable under this rule. The following table elaborates on each configurable entry in Password Policy and its corresponding feedback.
It should be noted that the client message setting for user feedback on a failed attempt affects this entry. If ‘show only failed rules’ is set, only the ‘FALSE’ rules are logged. If ‘show only custom message’ is set, no rule feedback is logged.
Older versions of Specops Password Policy may not log any details here. Please validate you are running a recent build of Specops Password Policy.
Rule | Logged rule name | Second field value/detail |
---|---|---|
Number of remembered passwords | PasswordHistory | Configured threshold |
Minimum password age (days) | MinimumPasswordAge | Configured threshold |
Disallow Incremental Passwords | DisallowIncremental | Always 1 |
Minimum number of changed characters | MinChangedCharactersByPosition | Configured threshold |
Disallow reusing part of current password | MaxCommonSubStringInCurrent | Configured threshold |
Passphrase Requirements | Phrases | Configured minimum passphrase length. Note: if any rule on the Passphrase tab fails (length, character groups, custom requirements) this line indicates FALSE. The individual criteria for passphrases are not logged. |
Dictionaries (custom & downloaded), Breached Password Protection Express List | DictionaryFileName | Varies based on configuration. See the article section on Dictionary rules for more detail. |
Minimum password length | MinimumLength | Configured threshold |
Maximum password length | MaximumLength | Configured threshold |
Character group requirements (not all) | RequiredCharacterGroups | Configured threshold for number of character groups. This entry only applies when 'number of required character groups' is not set to (All). See details of this entry later in this article. |
Character group requirements (all) | Upper Lower Digit Special Unicode Alpha NonAlpha | When 'number of required character groups' is set to (All) each character group and its configured threshold is logged on a separate line. |
Regular Expression | RegularExpression | Configured client message for regular expression |
Disallow full user name in password | DisallowUserName | Always 1 |
Disallow part of user name in password | DisallowUserNameParts | Always 1 |
Disallow digit as first character in password | DisallowStartingDigit | Always 1 |
Disallow digit as last character in password | DisallowEndingDigit | Always 1 |
Disallow consecutive identical characters | DisallowConsecutive | Configured threshold. |
Character Group Requirements
When the ‘number of required character groups’ is set to (All) each character group becomes its own line in the log. Only character groups required by the policy are logged (e.g. if ‘unicode’ is unchecked the unicode requirement will not be checked/logged). For example:
Upper:1:TRUE
Lower:1:TRUE
Digit:1:TRUE
Special:1:FALSE
Unicode:1:FALSE
Alpha:1:TRUE
NonAlpha:1:TRUE
When the ‘number of required character groups’ is set to a number and not (All) the entire character group feedback is merged into a single line. For example:
RequiredCharacterGroups:3:TRUE[Upper:1:TRUE,Lower:1:TRUE,Digit:1:TRUE,Special:1:FALSE,]
The second field in the line is the number of required character groups. Each character group requirement appears in the final section surrounded by [] with requirements comma delimited and always with a trailing comma after the final character group.
Dictionaries and Breached Password Protection Express
As noted in the table above, custom dictionaries, downloaded dictionaries, and Breached Password Protection (BPP) Express list feedback are merged into one entry.
The Sentinel checks the Express List first. If the new password is found on the Express list, the change is rejected and processing of custom/downloaded dictionaries is skipped. The following entry is logged:
DictionaryFileName::FALSE:Blacklist
Please note ‘Blacklist’ is a legacy name of the Breached Password Protection feature; the log entries will be updated to reflect this in a future release.
If a partial match dictionary word is found and the ‘show failed dictionary word to user’ setting is enabled, the log entry will contain a base-64 encoded string of the dictionary word that was found in the password. Partial match can include custom dictionaries with ‘part of the new password’ enabled and the downloaded dictionary for common keyboard combinations and sequences:
DictionaryFileName:UwBwAGUAYwBvAHAAcwA=:FALSE
In this example, UwBwAGUAYwBvAHAAcwA= is a base-64 encoding of ‘Specops’ — this indicates specops was in the custom dictionary and was also found within the new password.
Finally, if the new password is an exact match of something in an exact-match custom or downloaded dictionary, the following entry will be logged. Partial match dictionaries will also log this entry if ‘show failed dictionary word to user’ is disabled.
DictionaryFileName::FALSE
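As an added example (not part of the Specops article or product code), the following Python parser handles the rule feedback format described in the Event Syntax, Character Group Requirements and Dictionaries sections above: the Name:Detail:TRUE/FALSE lines, the bracketed RequiredCharacterGroups block with its trailing comma, the trailing ':Blacklist' token of the Express List entry, and the base-64 dictionary word. The sample description is constructed; decoding the base-64 value as UTF-16LE is an observation about the sample value on this page, not documented product behaviour.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample in the article's format: event 203, one failed character group, dictionary hit.
SAMPLE_DESCRIPTION = """Password AdminReset for user 'DEMOUSER' rejected.
The password did not meet the requirements specified in policy 'Specops Password Policy Demo'.
PasswordHistory:5:TRUE
MinimumLength:12:TRUE
RequiredCharacterGroups:3:TRUE[Upper:1:TRUE,Lower:1:TRUE,Digit:1:TRUE,Special:1:FALSE,]
DisallowUserName:1:TRUE
DictionaryFileName:UwBwAGUAYwBvAHAAcwA=:FALSE"""

HEADER_RE = re.compile(r"^Password (\w+) for user '([^']+)' rejected\.$")
POLICY_RE = re.compile(r"policy '([^']+)'\.$")
# Name:Detail:TRUE|FALSE, optional [sub-rules] block, optional trailing token (e.g. :Blacklist)
RULE_RE = re.compile(r"^(?P<name>\w+):(?P<detail>[^:\[]*):(?P<passed>TRUE|FALSE)"
                     r"(?:\[(?P<groups>[^\]]*)\])?(?::(?P<tag>\w+))?$")

@dataclass
class Rule:
    name: str
    detail: str
    passed: bool
    groups: list = field(default_factory=list)  # sub-rules inside [...] (RequiredCharacterGroups)
    tag: Optional[str] = None                   # trailing token such as 'Blacklist' (Express List hit)
    word: Optional[str] = None                  # decoded dictionary word (DictionaryFileName only)

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a rule feedback line: {line!r}")
    rule = Rule(m["name"], m["detail"], m["passed"] == "TRUE", tag=m["tag"])
    if m["groups"] is not None:
        # the bracketed section is comma delimited with a trailing comma; drop the empty tail
        rule.groups = [parse_rule(g) for g in m["groups"].split(",") if g]
    if rule.name == "DictionaryFileName" and rule.detail:
        # base-64 detail; the page's sample value decodes as UTF-16LE text ("Specops")
        rule.word = base64.b64decode(rule.detail).decode("utf-16-le")
    return rule

def parse_description(text: str) -> dict:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head, pol = HEADER_RE.match(lines[0]), POLICY_RE.search(lines[1])
    if not head or not pol:
        raise ValueError("unexpected description header lines")
    rules = [parse_rule(ln) for ln in lines[2:]]
    failed = [r.name for r in rules if not r.passed]  # plus failed groups as Parent.Group
    failed += [f"{r.name}.{g.name}" for r in rules for g in r.groups if not g.passed]
    return {"action": head[1], "user": head[2], "policy": pol[1], "rules": rules, "failed": failed}
```

Feeding the Description field of each 202/203 event through parse_description gives a structured record (user, policy, failed rules) that can be forwarded to a SIEM instead of the raw text.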
Breached Password Protection Complete
The table below lists the events logged when a password is either accepted or rejected by the Arbiter when checked against the complete list. These events can be found in the Windows Applications and Services Logs/Specops log on the Arbiter server(s).
Event Source | Event ID | Description |
---|---|---|
Password Arbiter (Specops) | 2015 | Request to Breached Password Protection API completed. Password for user 'username' was not blacklisted. |
Password Arbiter (Specops) | 2016 | Request to Breached Password Protection API completed. Password for user 'username' was blacklisted. |