Specops Password Auditor scans your Active Directory and detects security related weaknesses, specifically related to password settings. The collected information is used to display multiple interactive reports containing user and password policy information. The reports include comparisons of the password settings in your organization with industry standards and best practices according to multiple official standards.

Specops Password Auditor will only read information from Active Directory, it will not make any changes. It will read the Default Domain Password Policy, any Fine-Grained Password Policies, as well as any Specops Password Policies (if installed).

Note: To be able to read Fine-Grained Password Policies,  you must run Specops Password Auditor as a user with administrative privileges in Active Directory.

The following user account attributes will also be read:
• pwdLastSet
• userAccountControl
• lastLogonTimestamp

Password Policy Report

Specops Password Auditor Reports


The following is a list of reports you can view/export from Specops Password Auditor tool.

Admin Accounts

Use this report to identify whether admin privileges are used appropriately (granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions). Delete unnecessary admin accounts and consider a delegated Active Directory security model to follow best practice.

Stale Admin Accounts

Use this report to audit unused accounts. Dormant accounts should be deleted as they can be leveraged by attackers to access resources without being noticed.

Password Not Required

Use this report to identify user accounts with the control flag for not requiring a password, or those affected by a password policy without a minimum password length. The accounts in this list indicate serious security holes within your organization.

Expiring Passwords

Use this report to keep track of password expiration. Anticipating the expiration with a contingency plan can be effective for curbing password reset calls.

Expired Passwords

Use this report to identify user accounts with expired passwords. Password that have been expired for an extended period of time can indicate a stale account.

Password Policies

Use this report for an overview of your password policies including change interval, dictionary enforcement, as well as relative strength.

The following settings are used to determine the maximum strength.

  • Minimum length= 16 characters
  • At least one of each of the following:
    • Lower
    • Upper
    • Digit
    • Special Character

Any policy with as strong, or stronger settings will be displayed as having “maximum” strength.

For more information about the relative strength calculation, click here.

Password Policy Usage

Use this report for a graphical overview of users affected by each password policy.

Password Policy Compliance

Use this report to measure your password policies against industry and compliance recommendations.

  • Was this Helpful ?
  • Yes   No