Password Policy Sentinel

The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

  • Sentinel Password Filter: The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.
  • Sentinel Service: The Sentinel Service is always installed as part of the Specops Password Policy, but effective only if the Breached Password Protection add-on is configured.

Sentinel functionality

The Sentinel Service provides a Web API that provides functionality used by the SPP Admin Tool and SPP Cmdlets.

By default, the Web API is active only on the PDC emulator, if the SPP Sentinel is installed there. Other DCs will not have the Web API active by default, even if the SPP Sentinel is installed on those DCs. If required, the Web API can be activated on those DCs as well by changing the correct registry key (see below).

The Sentinel Service Web API is required to:

  • configure credentials for sending mail through the Sentinel Service and the Arbiter
  • send test messages
  • get status from admin tool
  • start and show status for Periodic scanning


The Sentinel Web API serves requests on http://*:4385 when active.

When the sentinel service starts, and the Web API is enabled on that DC, the sentinel service adds an inbound firewall rule on port 4385.

Enabling or disabling the Web API

To explicitly enable or disable the Web API, e.g. to disable it on the PDC emulator, or enable it on a DC other than the PDC emulator, set the registry key below to 0 or 1, respectively. After having changed the registry value, restart the Sentinel Service for the change to take effect.

Registry Key Path Value
EnableWebApi (REG_DWORD32) HKLM\SOFTWARE\Specopssoft\Specops Password Policy\SentinelService 0 (disable), 1 (enable)