Release Notes

The Release Notes provide a summary of new features and changes since the last release. The Release Notes can help you evaluate whether an upgrade is necessary. For the Specops Authentication Client Release Notes, click here.

Current Release


New functionality

  • Enhanced reporting from periodic scan. Ability to view reports in Admin Tool, showing statistics about BPP complete scanning, including accounts with breached passwords. By default, last 100 summary reports without user-related information are saved.
  • New cmdlet New-SpaReport - Creates a new SPA PDF report. This can be invoked manually or from a scheduled task, for instance to send weekly reports.
  • New cmdlet Get-SppPeriodicScanningProgress - Gets periodic scanning progress, if currently running.
  • New cmdlet Get-SppPeriodicScanningResultList - Gets list of available periodic scanning results.
  • New cmdlet Get-SppPeriodicScanningResult - Gets summary of periodic scanning, from latest or a previous scan.
  • New cmdlet Get-SppPeriodicScanningResultUsers - Gets user details of periodic scanning, from latest or a previous scan.

Fixed issues

  • Reading password expiration could fail during periodic scanning.
  • When enabling use of passphrases, the rule "Must contain one or more lower case character" always became enabled.

Other changes

  • Added FirstName and LastName placeholders for notifications
  • Added "copy server name" in new right-click menu for the domain controllers grid.
  • Added "copy server name" to the menu for Arbiters grid.
  • "Disallow Incremental passwords" rule removed from the NIST template.
  • Added missing punctuation for some of the German password rules.
  • User counting processes all had the same event IDs.

Released February 1, 2024


Other changes

  • Removed no longer used third party dependency that was used for the online dictionary feature that was deprecated in version 7.6.21140.1.

Released October 11, 2023


New functionality

  • New page in the Domain Admin Tool for "Periodic Scanning". At five minutes past midnight every day, by default, the Specops Password Policy Sentinel Service on the PDC emulator, or another configured writable domain controller, does Periodic Scanning. This means searching through all users in Active Directory to determine which users are affected by Specops Password Policy. It calculates license usage and takes action as defined in the Specops Password Policy policy for the user. Depending on the features in the license, this could include searching for breached passwords with the local Express list, or the Complete list in the cloud, as well as enforcing password expiration on users if their password is about to expire. This new page shows results of the last run periodic scanning, as well as current status if a scan is currently running. It is also possible to start a new scan from here. It's recommended to avoid scanning unless necessary, since it causes load on the domain controller.
  • Specops Breached Password Protection Continuous Scanning is now available to all customers. Requires a new license file.

Fixed issues

  • Resolving Specops Password Policy policy could fail if multiple group policies were linked and enforced on the same organizational unit.
  • Admin tool could show an error if the domain had domain controllers that weren't online.

Other changes

  • Domain Administration Tool: Added default domain password policy "minimum password age" to overview.
  • Domain Administration Tool: List of domain controllers is now sortable.
  • Enhanced 'character substitution' for dictionaries.
  • Set-SppPasswordPolicy and Remove-PasswordPolicy cmdlets have been updated to accept GPO ID as argument in addition to GPO name.
  • Even accounts having "User must change password at next logon" are now included in breached password protection. In previous versions, such accounts have not been flagged. This change gives the organization better control over accounts with breached passwords. Such accounts will be included in statistics for breached password, but notifications will not be sent.

Known issues

  • The PowerShell CmdLets using remote calls to Sentinel Service and Arbiter only work on Windows PowerShell 5.1 (will fail on PowerShell 7.x). All PowerShell CmdLets work on Windows PowerShell 5.1.

Released September 06, 2023


New functionality

  • [In Limited Preview] Breached password protection continuous scanning: User passwords will continuously be validated against the Breached Password API in Specops Cloud to find newly breached passwords. Your account representative will reach out when this is available for your organization.

Fixed issues

  • Dictionary rule was not being listed in the policy overview control.

Other changes

  • Admin Tool: Restructured interface in Breached Password Protection policy settings. This now contains two sections, Password Change for configuring what happens when a user changes/resets password and Continuous for configuring Express (local) and Complete (online) list validation during the periodic scanning.
  • A new Arbiter installation was using a certificate with 2048 bit key size and SHA2 signing. However, during an upgrade from a previous installation with a less secure certificate, the certificate wasn't upgraded. This has been fixed, and upgrading will replace a less secure certificate with a certificate with 2048 bit key size and SHA2 signing.
  • Sentinel Password Filter: When using the "reversible encryption" feature, encryption has been upgraded to use AES256.
  • Sentinel Service could fail to start in certain environments. The password filter will now try to start the Sentinel Service if it isn't started by Windows itself.
  • The Get-SppBppExpressList cmdlet has a new switch '-VerifyFileIntegrity' to do checksum validation of the downloaded files.

Breaking changes

  • Time for the daily Periodic Scanning (previously also called "user counting") used to be in registry, but has from this release been moved to global domain configuration and is configurable in admin tool. The Periodic scanning runs on the selected domain controller (by default the PDC emulator). If a custom time has been defined in registry, it is recommended to start the admin tool, and set "Periodic scanning time" under "Domain Settings" before upgrading Password Policy Sentinels. The custom time in registry, if set, can be found as "DailyUserCountTime" under "[HKLM\SOFTWARE\Specopssoft\Specops Password Policy\SentinelService]", or in older versions as "CheckExpiredPasswordsStartTime" under "[HKLM\SOFTWARE\Specopssoft\Specops Password Policy\Filter]". Configuration can also be made using new cmdlets Get-SppUserCounting/Set-SppUserCounting.

Released June 21, 2023


Fixed issues

  • Configuring Arbiters per site from cmdlets was case sensitive.

Released April 17, 2023


New Functionality

  • Support for configuring which Active Directory sites each Arbiter should serve. This enables using an Arbiter local to the domain controller.
  • Support for sending email from Arbiters as an optional configuration. If using a cloud based SMTP server, sending SMTP from the Arbiter instead of the Sentinel Service removes the need for having DCs connecting directly to the internet. Sending email from Sentinel Service is still supported.

Fixed Issues

  • Admin tool could show a certificate warning regarding the Sentinel Web API even though the certificate was valid.
  • Authentication to Sentinel Service from admin tools could fail with an error message in admin tool, and trace log indicated trust relationship failure.
  • User accounts with breached password and 'password never expires' were not forced to change their password at next logon. Such users will get the 'password never expires' flag cleared if the password is found to be breached.
    If you have applied a policy using the Breached Password Protection Express daily scan and requiring change at next logon to any critical service accounts, take care before upgrading. Use Specops Password Auditor to check which service accounts are currently using breached passwords and either change their passwords or exclude them from the daily check until you are able to do so.
  • Admin tool grid could show inaccurate information for domain controller with older sentinel version and when the service was not running.
  • Fixed incorrect logging where users were marked as skipped in the Breached Password Protection scan.

Other changes

  • Add-PasswordPolicyArbiter renamed to Set-PasswordPolicyArbiter.
  • Improved help text if length-based password aging is enabled, and the maximum password age can't be determined.
  • Ranges for length-based password expiration can now be edited in addition to adjustment with sliders.

Released March 28, 2023


Fixed issues

  • Minor UI fixes.

Released February 24, 2023



Starting from this version of Specops Password Policy, the custom language setting can no longer be configured separately for expiration emails (Expiration Email Language). Instead, the custom language can only be configured for the entire policy (Custom Message Language). The User language setting has therefore been moved to the User defaults section under General Settings in the policy configuration.

When upgrading to this version, in cases where a custom language was defined in the policy, the Custom Message Language will be overwritten with the Expiration Email Language. This means that the custom language setting configured for expiration emails in the old version, will be used for the entire policy in the new version.

New Functionality

  • Added information about Sentinel Service state to grid in Sentinels page in the Domain Administration Tool.
  • New Cmdlets for updating Breached Password Protection Express list (Get-SppBppExpressList/Update-SppBppExpressList).
  • Added support for BCC recipient when sending email.

Fixed issues

  • Saving settings from the Domain Administration Tool could fail with an error indicating a file was locked.
  • If custom attributes were configured for email/mobile, those were not honored when sending test messages.
  • Disabled domain controllers could incorrectly be listed in Domain Administration Tool.

Other changes

  • Arbiters now listed as their own node (used to be under the Breached Password Protection Express node).
  • Reordered tree nodes in domain admin top navigation.
  • The setting Notification language on the Password Expiration tab has been deprecated. It was used for translating expiration emails. From now on, Client message language will be used instead.

Released February 21, 2023


Fixed issues

  • Browsing for a computer could fail with an error message.

Released January 23, 2023


New functionality

  • Sending test email: Added support to send test email to a selected user to preview how email will appear, while editing a policy.
  • Interval for password expiration notifications: Password expiration email can now be sent on selected number of days before a password expires, e.g. days "1-3, 5, 7" rather than sending every day.
  • Select specific DC: From Admin Tool, a specific DC can now be selected. Configuration read/write by the admin tool will use that DC. By default, the PDC emulator is used.
  • DC for user counting: Another DC than the PDC emulator can be used for user counting, selectable from admin tools. It is recommended to use the PDC emulator (default).
  • New security group "Specops Password Policy Admins": In the Domain Admin Tool users with Domain Admin permissions will be able to create a new security group, "Specops Password Policy Admins". This group is optional. Domain admins will still be able to administrate SPP. If using the new group, members of that group (empty by default) will be able to administrate SPP, except when permissions are needed that require domain admin permissions (such as creating GPOs).
    After this group has been created, the Sentinel Service running the Web API (usually the PDC emulator) needs to be restarted for the group to take effect.

Improvements/Fixed Issues

  • Updated color scheme in admin tool.
  • Fixed incorrect version for SPP PowerShell module.
  • If email notifications were disabled for BPP complete, they could still get sent.
  • Certificate to encrypt Arbiter's Web API traffic is now signed with SHA2.
  • Certificate to encrypt Arbiter's Web API traffic now has a 2048 bit key.
  • Improved version check in grid of domain controllers in setup assistant.
  • Improved version check in grid of domain controllers in setup admin tools.
  • Improved performance when populating grid of domain controllers in setup assistant.
  • Improved performance when populating grid of domain controllers in Admin Tool.
  • Updated layout for Admin Tool domain settings page.
  • Improved Password Complexity Bar in Specops Password Policy Admin.
  • New option in Breached Password Protection Express daily scan to send email to users with breached password without enforcing expiration.

Breaking changes

  • Per-GPO SMTP settings, formally deprecated from SPP version 7.4.20065.1, have been partially working in GPOs configured before 7.4.20065.1. From now on, per-GPO SMTP settings are entirely deprecated. Make sure SMTP settings are set globally from the Admin Tool. For most SPP installations this has already been properly configured.

Released December 14, 2022


Fixed issues

  • Admin Tools: Importing license could fail or result in user counting not be updated.
  • Specops Password Policy Sentinel Service: License counting could fail to run if BPP Express leaked password scanning had been invoked.
  • Specops Password Policy Sentinel Filter: Changing password for the krbtgt built-in account could fail (See Microsoft KB article 2549833, Changing the Krbtgt password may fail when a custom password filter is installed)

Released August 11, 2022


Fixed issues

  • Client installation step was not working.

Released April 20, 2022


Fixed issues

  • The Get-PasswordExpiration cmdlet returned invalid result for users with length-based password aging that did not have a subobject.

Released March 30, 2022


New Functionality

  • Added support for Ukrainian language.

Fixed issues

  • Installing Sentinel on domain controllers from setup assistant could fail with access denied issues, if the administrator installing had 'account is sensitive and cannot be delegated' set.

Released July 05, 2021


Fixed issues

  • When installing Sentinel without a valid license, password changes/resets could fail.

New Functionality

  • Added new cmdlets Get-PasswordPolicyReversibleEncryption/Set-PasswordPolicyReversibleEncryption to enable/disable reversible encryption.

Other changes

  • Increased max for “Minimum number of changed characters” rule from 5 to 99.

Released June 09, 2021


This release contains Sentinel Password Filter version 7.6.21091.2

Before installing Specops Password Policy, note that a new license is required from Specops.

New functionality

  • Added support to manage and link group policies as part of setting up Specops Password Policy.
  • Added new placeholder %ManagerEmail% to send email to manager about users with about to expire passwords.
  • New setting if rules or phrases should be displayed first. Available together from Specops Authentication 8.20 or Specops Authentication Client 7.15.
  • Added support to manually type domain name in domain admin tool.
  • New cmdlets Update-SppLanguageFiles/Update-PasswordPolicyLanguageFiles to update language files in sysvol.
  • New cmdlets Get-SppEnabled/Set-SppEnabled to enable/disable Specops Password Policy for the domain.
  • New cmdlets Get-SppPasswordExpirationGroup/Set-SppPasswordExpirationGroup for configuration of ‘Specops Password Policy Custom Expiration Readers’ security group.
  • Added support for Hindi and Slovak languages

Improvements/Fixed issues

  • Selected domain was not honoured when loading arbiters.
  • Improved usability of policies page.
  • The Get-SppPasswordExpiration cmdlet could crash on policies with length-based expiration enabled.
  • Improved error message when trying to install on non-supported operating systems.
  • If languages folder in sysvol was missing, it was not possible to update language files.
  • Fixed issue with policy not being editable when starting from Domain Admin.
  • Fixed crash when clicking the domain incompatibility link in SPP GPO snap-in.
  • Improved handling of invalid ProxyUrl configuration for Arbiter.
  • Fixed the issue with password phrase regular expressions being reordered on save.
  • Made admin tools more sticky to the same domain controller.
  • Improved logging if Arbiter failed to send email.
  • Minor bug fixes and usability improvements.

Updated requirements

  • Sentinel package on domain controllers now requires .Net 4.5

Other changes

  • License email, enabled sending compliance mail to both Specops and custom address.
  • Changed schedule for Continuous Breached Password Protection Express to run at every user counting interval.
  • Downloadable online dictionary support has been deprecated for new policies in favor of Specops Breached Password Protection.
  • Renamed 'password complexity' to 'password strength.'
  • User counting moved to the Sentinel Service. The ‘DailyUserCountTime’ under ‘SOFTWARE\Specopssoft\Specops Password Policy\SentinelService’ is read at startup, thus requires service restart but no longer reboot if updated.
  • Emails that can’t be sent are no longer saved in queue. Emails are either sent, or discarded if sending fails (e.g. if SMTP server is down)
  • Moved log path for the Arbiter service to local appdata folder for the service account.
  • Changed from password strength to entropy algorithm.
  • Improved documentation for cmdlets’ built-in help.

Released May 27, 2021


Fixed issues

  • Default mobile number country code, when sending text message notifications for Breached Password Protection Complete, could only contain two digits (1-99).
  • Effective expiration for passwords could be displayed incorrectly for users with length based password expiration enabled. This applies when choosing “Specops Password Policy” for a user from “Active Directory Users and Computers” and the PowerShell cmdlet Get-PasswordExpiration/Get-SppPasswordExpiration.

New functionality

  • Added support for Azerbaijani language.
  • Added support for Slovenian language.

Released February 09, 2021


Fixed issues

  • Translations were incorrectly encoded, causing incorrect encoding in password expiration emails.

Released December 08, 2020


New functionality

  • Added support for Thai language.

Released November 12, 2020


Fixed issues

  • German translation was incorrectly encoded, causing incorrect encoding in password expiration emails.
  • English translation had incorrect version, causing admin tools to not show it as outdated.

Released September 29, 2020


New functionality

  • New Cmdlet, Get-SppPasswordExpiration, to check for user password expiration.

Improvements/Fixed Issues

  • If user lacked mail address when sending e-mail, not even the CC address, if defined in the policy, would receive the e-mail.
  • When sending expiration email, for users affected by a policy defining a custom SMTP port and saved by an old version of SPP admin tools, an error message occurred in the event log.
  • The install button was not always clickable when installing Sentinel from Setup Assistant.
  • Saving regular expressions changed order, causing unexpected order in Specops Authentication Client.
  • Entering proxy URL for Specops Arbiter without prefixing with url scheme caused an error and was difficult to troubleshoot.

Other changes

  • Made event source names consistent.
  • New service name for the Specops Arbiter, “SpecopsArbiter”
  • New hostname for breached password protection, see Installation (section Requirements)

Released September 16, 2020


Fixed Issues

  • Using custom dictionaries with hash format NTLM was not working.
  • Downloading Specops Authentication Client from Setup Assistant failed because TLS 1.2 was not used.
  • After having migrated users with Dell Migration Manager, there could be misleading eventlog errors with id 309.
  • Importing license could fail if the license file encoding had been changed (for instance if changed by mail server when sending the license file by mail).

Released August 27, 2020


Fixed Issues

  • The grid view with domain controllers listing Sentinel versions could incorrectly show “Connection error”.

Released April 22, 2020


Fixed Issues

  • After rejecting a new password by dictionary rule, the failed rule was not always reported back, resulting in all rules displayed to end user indicating success, even though the new password was rejected.
  • The Sentinel Service could log too noisy information, with an event with id 1008 every minute.

Released April 08, 2020



  • Centralized and simplified SMTP configuration
  • “Select all” button when installing Sentinel to Domain Controllers
  • Admin tools now list Sentinel installation state for all Domain Controllers
  • UI simplifications (Expiration settings are now contained within their own tab)
  • Moved test sending of SMTP email from Sentinel service on Domain Controller. Test send requires .Net 4.6.2 on the Domain Controller, and domain admin tool (or corresponding PowerShell cmdlets) must be running on a Domain Controller.
  • Improved usability for HTML editor

Added support for

  • Current password scanning upon database update with alerts for leaked passwords (Breached Password Protection Express)
  • HTML formatting and templates for password expiration emails
  • Integrated windows authentication for SMTP server
  • Breached Password Protection Complete notifications can be sent via local SMTP server
  • PowerShell cmdlets for SMTP configuration
  • Active Directory “mail” attribute override
  • Active Directory “mobile” attribute override
  • Default country code for when mobile country code is not included in Active Directory attribute value

Other changes

  • .Net 4.7.2 or later is required
  • Using maximum 2 parallel requests when sending to SMTP
  • From this release, SMTP settings per-policy have been deprecated in favor of per-domain SMTP settings

Released March 11, 2020


Fixed issues

  • When using multiple dictionaries, where at least one was configured to use ”Reverse of the new password”, passwords containing dictionary words could incorrectly be allowed.

Released January 09, 2020


Fixed Issues

  • Improved error message when saving password policy settings without a description for regular expression.
  • Help for PowerShell module was sometimes not available.
  • Minor bug fixes in domain admin tool and password policy snap-in.
  • Fixed an issue where the domain admin tool and policy snap-in editor could crash when importing a new SPP license without having enabled SPP in the domain.

Other Changes

  • Password Auditor is no longer built into the setup package; instead it is downloaded from the setup assistant.

Released October 03, 2019


For updates to the Specops Password Auditor component, click here.

New Features

  • Leaked Password Scanning feature within the Breached Password Protection Express setting. This scan is done on at night whenever the Breached Password Protection database has been updated, or is manually initiated, by the PDC emulator in the domains. Users affected by the policy will be prompted to change their password at next logon.
    • Leaked Password Scanning requires a Specops Password Breached Password Protection license.
    • Leaked Password Scanning can be triggered from the Domain Admin Tool, and the “Start-PasswordPolicyLeakedPasswordScanning” PowerShell cmdlet. The Domain Admin Tool, and PowerShell cmdlet, must be running on the PDC emulator.
  • Configuration of mail recipients To/CC when sending mail notifications about passwords found in the Breached Password Protection.
  • New PowerShell cmdlet “Get-PasswordPolicyAffectingUser” to resolve a given user’s Specops Password Policy. The username can be provided as sAMAccountName or userPrincipalName.
  • Added support to configure end-user message for passphrase custom regular expressions.

Fixed Issues

  • The Password Auditor component failed to start if FIPS compliance was enabled.

Other changes

  • Various improvement to proxy support from the Specops Arbiter component.
  • PowerShell snap-in changed to PowerShell Module.

Released June 26, 2019


New Features

  • New reports in the Specops Password Auditor component. For more information, click here.

Fixed Issues

  • Custom and online dictionaries were not saved correctly when configuration changes were made in the GPO.
  • Lower limit setting for the “Minimum passphrase length” had been removed.
  • The “Show failed dictionary word to user” setting was erroneously listed as a rule in the default domain password policy in the Domain Admin console.

Released June 12, 2019


New Features

  • Support for length-based password aging. Administrators can apply length-based password aging on top of the standard password age limit. Length-based password aging rewards users who create longer and more secure passwords, by giving them extra time before their password expires. For more information, click here.
    • Length-based password aging is not supported for installations using Specops Password Policy extended schema.
    • You must upgrade to the latest version of the Specops Authentication Client (7.13.19095.2 at the time of this writing) to receive password expiration reminders with the length-based password aging settings.
    • Customers using Specops Password Policy with Specops uReset (version 8.4 and later) can display the length-based password aging setting to users during password change.
  • Support for Breached Password Protection Express. Breached Password Protection Express validates passwords against a dictionary with more than 600 million known leaked password hashes. The Admin Tool manages the automatic download of the list from the Specops Password Domain Admin tool and the list is replicated to each domain controller for immediate access. This enables the Specops Password Policy Sentinel to instantly verify whether a user’s password is breached or not. For more information, click here.
    • If using Specops uReset, upgrade the Gatekeeper (applies for both Specops uReset 7.12 and Specops uReset 8) before enabling the Breached Password Protection Express rule in a policy.
    • Breached Password Protection Express requires an updated license. Please contact your account representative for more information.

Fixed issues

  • The Specops Arbiter component failed to install on non-English Windows.


  • Subobject permission changes: Previously, the subobject created by Specops Password Policy was only accessible by the system account (full control for all domain controllers). This has been changed with the following:
    • Existing subobject from previous versions of Specops Password Policy will be updated the next time users change their password.
    • New subobjects will be given the following permissions:
      • Domain admins will be able to delete the subobject.
      • The user will be able to read the flags attribute on their own subobject (used by the Specops Authentication Client).
      • The group configured under “Domain Settings”> “Security Settings” in the Specops Password Domain Administration tool, if configured, will be granted read access to the flags attribute. To enable the User Management pages in Specops uReset 8 to display custom password expiration, drop the Specops Authentication Gatekeepers in this group.

Released May 15th, 2019


Fixed Issues

  • On computers with removed weak or deprecated TLS protocols, it was no longer possible to download dictionaries from the Specops online library. This issue has now been resolved and the admin tools have been updated to support TLS 1.2.

Released January 9th, 2019


Fixed Issue

  • When administrators enabled “Reversible Encryption” using the Domain Admin tool, the encryption key was not always created.

Released November 14, 2018


Fixed Issue

  • If (Default) was selected as the Client message language in a password policy, the Specops Authentication Client displayed the failed password rules in English, instead of the default language of the computer.


  • Removed redundant trace logging.

Released September 19, 2018


New Features

  • Added message placeholders, such as username, to customize content when sending Breached Password Protection notifications via email and SMS.
  • New GPO setting to enable/disable the display of the part of the new password found in the dictionary following a failed password change.


  • Importing hash dictionaries could fail with a message “Dictionary ‘hashes.txt.bin’ does not exist, the dictionary has to be removed from Dictionaries before the policy can be saved.”
  • Following a password change with a policy containing the “Reverse of the new password” setting, the failed word displayed to the user was incorrect.
  • Updated Breached Password Protection validation protocol to further increase privacy.
  • Added encryption of the stored API key for Breached Password Protection.

Released August 23, 2018


Upgrading to 7.0 will require a new license key. Contact your account representative for more information.

New Features

  • Compatibility with the Specops Password Breached Password Protection service. This add-on provides a continuously updated password Breached Password Protection list with 1 billion leaked passwords. Contact your account representative for more information.


  • UI enhancements when configuring the Specops provided dictionaries.

Released July 30, 2018


New Features

  • Support for configuring leetspeak and character substitutions within password dictionaries.
  • Support for various European keyboard patterns, for example, the AZERTY-layout used by French speakers.
  • Updates to the language files.
    After updating the Administration Tools, open the Domain Administration tool to update the language files.


  • Support for the renamed Specops Authentication Client (formerly known as the uReset Client). For updates to the Specops Authentication Client, click here.
Specops Password Policy customers also using Specops Password Reset should upgrade both products to version 6.8.18106.1.

Released April 19, 2018


Fixed Issue

  • When downloading online dictionaries, the admin tool could crash due to lack of internet connectivity, or untrusted proxy certificate.

Released March 29, 2018


Fixed Issue

  • The Common keyboard combinations and sequences dictionary was validated against exact password matches, instead of partial password matches. Download the latest version of the Specops Password Policy Administration Tool, and the updated Common keyboard combinations and sequences dictionary, to resolve the issue.

Released March 16, 2018


New Features

  • Specops compliance dictionaries (NIST and NCSC). A combination of password lists from Daniel Miessler designed for penetration tests. The list is comprised of passwords with 8 or more characters, which is also the minimum character requirement to meet the NIST and NCSC guidelines.
  • New policy templates with NIST and NCSC password recommendations.
  • Keyboard/sequence dictionary consisting of the most common keyboard pattern passwords, for example 1qaz2wsx.
  • NCSC compliance report for Specops Password Auditor.
  • Changed the minimum character word length in custom dictionaries to allow blocking of 2 or 3 letter acronyms. This feature can be configured by organizations that want to prevent users from using acronyms, specifically those associated with their company name, in passwords.

Fixed Issues

  • In some scenarios, the online dictionary extraction failed on Windows 10 machines depending on regional settings.
  • The Sentinel state/version on the Specops Password Policy Administration Tool displayed a RPC unavailable error if a Domain Controller was not available.


  • Improved dictionary search performance during the password reset and change process.
  • Clean up operations when a dictionary is saved, including removal of duplicate entries and empty lines.
  • Improved user experience when upgrading online dictionaries.

Released March 7, 2018


Fixed Issue

  • Using the same online hash dictionary on more than one Group Policy resulted in an error.

Released May 10, 2017


Fixed Issue

  • The Specops Password Policy setup assistant did not install Specops Password Auditor.

Released February 8, 2017


New Features

  • Interactive reporting with Specops Password Auditor: This new component scans Active Directory and detects security related weaknesses, specifically related to password policies. Specops Password Auditor can be accessed from the Domain Administration Tool.


  • The Specops Password Policy Filter made compatible with domain controllers that have “Additional LSA Protection” configured.

Released February 7, 2017


Microsoft .Net requirements for the Specops Password Policy Domain Administration Tool have changed from version 3.5 to 4.5. You will need to install .Net 4.5 or later before installing the Specops Password Policy Administration Tools.

Fixes Issues

  • The eventlog message, following a check for expired passwords, was incorrect.
  • The “Part of the new password” dictionary setting contained help text that was incorrect.
  • When the dictionary settings were modified in a GPO, the password policy filter did not reread the settings and the changes were ineffective, even though the policy was updated.
  • The Domain Administration Tool could fail when browsing sentinel state.
  • Toggling between password rules and phrases could fail (If Specops Password Policy and Specops Password Reset were used together).


  • New step in the Setup Assistant for downloading the client installation files.
  • New step in the Setup Assistant for installing the client ADMX file.
  • The password rules that were not satisfied in a failed password change attempt will be added to the event log entry by default, regardless of the debug log level.

Released May 26, 2016

Version 6.4.60308.1

Fixed Issue

  • When the sentinel resolved details about a failed password change, the password requirements information displayed to the end user was incomplete.

Released March 10, 2016

Version 6.4.60303.1

Fixed Issue

  • The Sentinel Password Filter’s nightly password expiration reminder e-mail could fail for users with password dictionaries enabled.

Released March 3, 2016

Version 6.4

New Features

  • The installation for Specops Password Policy, Sync, and Reset is now separated to 3 different Setup Assistants.
  • Extended dictionary support through the introduction of Online Dictionaries which allows administrators to download password lists, and password hash lists from the Specops website. The lists available for download in this release are: Gawker, Adobe Top 100, and LinkedIn.
  • Added support for password hash dictionaries. You can import a list of hashed passwords to test against the hash of a new password. For example, testing against leaked LinkedIn password hashes.

Fixed Issue

  • When the password policy settings were removed from the GPO, the SpecopsPassword folder in SYSVOL was not removed. This created problems with the dictionary if a new policy was created in the same GPO.

Released February 24, 2016 | 6.4.60217.2

Version 6.3 Maintenance Release 4

New Feature

  • Full Windows 10 support.

Fixed Issue

  • The Specops ADUC menu extensions failed to load in certain environments.

Released August 18, 2015 | Build number: 6.3.50813

Version 6.3 Maintenance Release 3

Released May 11, 2015 | Build number: 6.3.50506

Version 6.3 Maintenance Release 2

New Features

  • Windows 10 support for the Specops Password Client and the Administration Tools.

Fixed Issues

  • When an administrator enabled password rules with “disallow words in dictionary,” the passphrase rules displayed the “disallow words in dictionary’ requirement, even though the rule is not applicable to passphrases.
  • The ADUC extension returned a null reference error when a user was not affected by a Specops Password Policy.
  • Autologon in credential provider failed after reboot.
  • Unlocking users failed if using more than 1000 Specops Password Policy enabled Group Policies.
  • Credential provider selected incorrect tile if group policy setting ‘Interactive logon: Do not display last user name’ was enabled.

Released April 17, 2015 | Build number: 6.3.50414

Version 6.3 Maintenance Release 1

Fixed Issues

  • Administration Tools: When an administrator imported a dictionary file into a new unsaved policy, they received an error message that the path could not be found.
  • Password Filter: In rare circumstances, when an administrator imported a dictionary, the Sentinel Password Filter rejected all password resets and change requests and the user received an error that the password reset/change did not meet policy requirements.
  • Credential Provider: When an end-user using picture password locked their screen, they had to re-select the picture password logon file when logging in.

Released August 6, 2014 | 6.3.40731

Version 6.3

New Features

  • Passphrase policy support.
  • Traditional and Simplified Chinese language support.
  • New tabbed menus in password policy configuration snap-in user interface to improve usability.

Fixed Issues

  • Administration Tools: When an administrator imported a license file, the “&” character was invisible in the “Licensed to” text field.
  • Setup Assistant: When an administrator started the Specops Setup Assistant on a server outside of the domain, the Setup Assistant failed to initialize.

Released June 17, 2014 | 6.3.40617

Version 6.2 Maintenance Release 1

New Features

  • Korean and Romanian language support.
  • New setting that allows you to specify how long, in milliseconds, Specops Password Policy can query the domain controllers for policy details before the operation times out.
  • Windows Server 2012 R2 support.

Fixed Issues

  • Administration Tools: In rare circumstances, when a user tried to change their password via the Domain Controller, they received the server’s default error message when the password change failed.
  • Administration Tools: In rare circumstances, when an administrator imported a dictionary, the Sentinel Password Filter rejected all password resets and change requests and the user received an error that the password reset/change did not meet policy requirements.

Released December 5, 2013 | 6.2.31205

Version 6.2

New Features

  • Stability improvements designed for really large environments.
  • Improved error logging in the password filter.

Fixed Issues

  • Fixed a minor bug where the GPMC snap-in would crash if trying to test the expiration email warning without specifying a SMTP server to send from.

Released June 25, 2013

Version 6.1

New Features

  • Fixed a permission problem when creating a share to remotely install the sentinel component.
  • Fixed a problem with sending localized e-mail reminders to users.
  • Fixed a problem with using the Admin tools from Windows XP.

Released November 27, 2012

Version 6.0

New Features

  • New password policy rules prevents the password from being too similar to the previous password.
  • Subscription License model introduced.

Released June 4, 2012

Version 4.5

New Features

  • Redesigned dictionary feature now allows easier dictionary management and using multiple dictionaries.
  • Configured password policies now stored in RAM for increased Sentinel performance.
  • Added ability to select language for password reminder messages,

Fixed Issues

  • Various minor UI bugs fixed.

Released June 30, 2011

Version 4.1

New Features

  • Updated Setup Assistant with accurate installation procedure descriptions.

Released November 18, 2010

Version 4.0

New Features

  • Rewritten setup for an easier, intuitive installation. The Setup Assistant has been rewritten to make the installation even easier and intuitive.
  • The new Specops theme The new Specops theme has been applied to the administration tools.
  • Command-line tool to manage SPP objects The administration tool now contains a command-line utility (SPOBJMGR.EXE) that can be used to manage SPP sub-objects in Active Directory.
  • Turkish language added.

Fixed Issues

  • Space (blank) character considered as a special character The space (blank) character is no longer considered as a special character by SPP. Microsoft doesn’t either consider space as a special character.
  • Double login issue automatically handled Connecting to a server where the client component was installed forced the user to enter the credentials twice. Only applies when connecting from a Vista/Windows 7 client to a Windows Server 2008 (or later).

Released May 5, 2010

Version 3.2.92

New Features

  • Support for installing the client component on Citrix servers (Client).

Fixed Issues

  • The client did not show the “Additional client message” option if it was configured in the GPO [Sentinel].
  • The Administrative Template was missing from the Admin Tools setup [Admin Tools].
  • If the client component was installed on a Windows Server 2008 (or higher), a Remote Desktop Connection (using the RDP 6.0 client or higher) to that server would require two logins [Client]

Released September 9, 2009

Version 3.2.915

Fixed Issues

  • If there are more than one thousand (1000) Group Policy Objects (GPO) in the domain, then the Domain Administration tool might not be able to show all configured Specops Password policies.

Released June 16, 2009

Version 3.2.912

New Features

  • Hungarian language added.

Fixed Issues

  • DCPROMO fails on Windows Server 2008.
  • If SPP is installed in the domain and trying to promote a Windows Server 2008 to a domaincontroller, the operation fails when trying to set the Directory Services Restore Mode (DSRM) password.

Released May 5, 2009

Version 3.1

New Features

  • Improved Setup Assistant to simplify the installation process.
  • The implementation of the “Disallow username in password” rule has been changed. The rule is now divided into two options; “Disallow full user name in password” or “Disallow part of user name in password”. The “Disallow part of user name in password” prohibits the use of any 3 character part of any user name in the password.

Fixed Issues

  • Misleading client message text for the “Disallow consecutive identical characters.”
  • The message text has been changed to “Must not contain <number> or more consecutive identical characters”.
  • NetBIOS domain names containing a punctuation character.
  • The client now works as expected if the NetBIOS domain name contains a punctuation character.
  • Empty body in password expiration warning e-mail.
  • Some SMTP servers sent e-mails where the body was empty. An extra carrige return/line feed (CR/LF) has been added after the “content-transfer-encoding” MIME command, as specified in the RFC.
  • Disjointed namespace issue (computers primary DNS suffix is not the same as the DNS domain name).
  • When finding the domain DNS domain name to operate on, the computers primary DNS suffix is not longer used. Instead the API LsaQueryInformationPolicy is used to get correct DNS domain name. Caused the error “Failed to translate name <username>” on domain controllers.
  • Shortcuts to Specops Password Reset web pages are no longer created when the client is deployed.

Released December 18, 2008

Version 3.0

New Features

  • Support for Windows Server 2008
  • Support for Remote Server Administration Tools (RSAT)
  • Integration with Specops Password Reset
  • Additional password policy requirements
    • Regular expressions
    • Disallow backward words in wordlist
    • Disallow digit as last character
  • New password expiration warning e-mail settings
    • Fully configurable sender address
    • Exclude password policy requirement

Fixed Issues

  • “License outdated” issue.

Released July 1, 2008

Version 2.1.1

Fixed Issues

  • The password expiration warning balloon don’t show up on a Windows 2000 client.
  • When sending password expiration warning e-mails, the domain name is not provided during the SMTP session initialization.

Released September 1, 2007

Version 2.1.0

New Features

  • The password expiration warning message is now shown as a balloon in the notification area, instead of a dialog box during logon.
  • Support for Windows Vista.
  • Support for x64

Fixed Issues

  • The password expiration message is shown for users with the flag “password cannot expire” configured.
  • Password expiration warning e-mails are sent to users with the flag “password cannot expire” configured.

Released May 10, 2007