The Release Notes provide a summary of new features and changes since the last release. The Release Notes can help you evaluate whether an upgrade is necessary. For the Specops Authentication Client Release Notes, click here.
- Added support for Ukrainian language.
- Installing Sentinel on domain controllers from setup assistant could fail with access denied issues, if the administrator installing had 'account is sensitive and cannot be delegated' set.
Released July 05, 2021
- When installing Sentinel without a valid license, password changes/resets could fail.
- Added new cmdlets Get-PasswordPolicyReversibleEncryption/Set-PasswordPolicyReversibleEncryption to enable/disable reversible encryption.
- Increased max for “Minimum number of changed characters” rule from 5 to 99.
Released June 09, 2021
This release contains Sentinel Password Filter version 7.6.21091.2
- Added support to manage and link group policies as part of setting up Specops Password Policy.
- Added new placeholder %ManagerEmail% to send email to manager about users with about to expire passwords.
- New setting if rules or phrases should be displayed first. Available together from Specops Authentication 8.20 or Specops Authentication Client 7.15.
- Added support to manually type domain name in domain admin tool.
- New cmdlets Update-SppLanguageFiles/Update-PasswordPolicyLanguageFiles to update language files in sysvol.
- New cmdlets Get-SppEnabled/Set-SppEnabled to enable/disable Specops Password Policy for the domain.
- New cmdlets Get-SppPasswordExpirationGroup/Set-SppPasswordExpirationGroup for configuration of ‘Specops Password Policy Custom Expiration Readers’ security group.
- Added support for Hindi and Slovak languages
- Selected domain was not honoured when loading arbiters.
- Improved usability of policies page.
- The Get-SppPasswordExpiration cmdlet could crash on policies with length-based expiration enabled.
- Improved error message when trying to install on non-supported operating systems.
- If languages folder in sysvol was missing, it was not possible to update language files.
- Fixed issue with policy not being editable when starting from Domain Admin.
- Fixed crash when clicking the domain incompatibility link in SPP GPO snap-in.
- Improved handling of invalid ProxyUrl configuration for Arbiter.
- Fixed the issue with password phrase regular expressions being reordered on save.
- Made admin tools more sticky to the same domain controller.
- Improved logging if Arbiter failed to send email.
- Minor bug fixes and usability improvements.
- Sentinel package on domain controllers now requires .Net 4.5
- License email, enabled sending compliance mail to both Specops and custom address.
- Changed schedule for Continuous Breached Password Protection Express to run at every user counting interval.
- Downloadable online dictionary support has been deprecated for new policies in favor of Specops Breached Password Protection.
- Renamed 'password complexity' to 'password strength.'
- User counting moved to the Sentinel Service. The ‘DailyUserCountTime’ under
‘SOFTWARE\Specopssoft\Specops Password Policy\SentinelService’is read at startup, thus requires service restart but no longer reboot if updated.
- Emails that can’t be sent are no longer saved in queue. Emails are either sent, or discarded if sending fails (e.g. if SMTP server is down)
- Moved log path for the Arbiter service to local appdata folder for the service account.
- Changed from password strength to entropy algorithm.
- Improved documentation for cmdlets’ built-in help.
Released May 27, 2021
- Default mobile number country code, when sending text message notifications for Breached Password Protection Complete, could only contain two digits (1-99).
- Effective expiration for passwords could be displayed incorrectly for users with length based password expiration enabled. This applies when choosing “Specops Password Policy” for a user from “Active Directory Users and Computers” and the PowerShell cmdlet Get-PasswordExpiration/Get-SppPasswordExpiration.
- Added support for Azerbaijani language.
- Added support for Slovenian language.
Released February 09, 2021
- Translations were incorrectly encoded, causing incorrect encoding in password expiration emails.
Released December 08, 2020
- Added support for Thai language.
Released November 12, 2020
- German translation was incorrectly encoded, causing incorrect encoding in password expiration emails.
- English translation had incorrect version, causing admin tools to not show it as outdated.
Released September 29, 2020
- New Cmdlet, Get-SppPasswordExpiration, to check for user password expiration.
- If user lacked mail address when sending e-mail, not even the CC address, if defined in the policy, would receive the e-mail.
- When sending expiration email, for users affected by a policy defining a custom SMTP port and saved by an old version of SPP admin tools, an error message occurred in the event log.
- The install button was not always clickable when installing Sentinel from Setup Assistant.
- Saving regular expressions changed order, causing unexpected order in Specops Authentication Client.
- Entering proxy URL for Specops Arbiter without prefixing with url scheme caused an error and was difficult to troubleshoot.
- Made event source names consistent.
- New service name for the Specops Arbiter, “SpecopsArbiter”
- New hostname for breached password protection, see Installation (section Requirements)
Released September 16, 2020
- Using custom dictionaries with hash format NTLM was not working.
- Downloading Specops Authentication Client from Setup Assistant failed because TLS 1.2 was not used.
- After having migrated users with Dell Migration Manager, there could be misleading eventlog errors with id 309.
- Importing license could fail if the license file encoding had been changed (for instance if changed by mail server when sending the license file by mail).
Released August 27, 2020
- The grid view with domain controllers listing Sentinel versions could incorrectly show “Connection error”.
Released April 22, 2020
- After rejecting a new password by dictionary rule, the failed rule was not always reported back, resulting in all rules displayed to end user indicating success, even though the new password was rejected.
- The Sentinel Service could log too noisy information, with an event with id 1008 every minute.
Released April 08, 2020
- Centralized and simplified SMTP configuration
- “Select all” button when installing Sentinel to Domain Controllers
- Admin tools now list Sentinel installation state for all Domain Controllers
- UI simplifications (Expiration settings are now contained within their own tab)
- Moved test sending of SMTP email from Sentinel service on Domain Controller. Test send requires .Net 4.6.2 on the Domain Controller, and domain admin tool (or corresponding PowerShell cmdlets) must be running on a Domain Controller.
- Improved usability for HTML editor
Added support for
- Current password scanning upon database update with alerts for leaked passwords (Breached Password Protection Express)
- HTML formatting and templates for password expiration emails
- Integrated windows authentication for SMTP server
- Breached Password Protection Complete notifications can be sent via local SMTP server
- PowerShell cmdlets for SMTP configuration
- Active Directory “mail” attribute override
- Active Directory “mobile” attribute override
- Default country code for when mobile country code is not included in Active Directory attribute value
- .Net 4.7.2 or later is required
- Using maximum 2 parallel requests when sending to SMTP
- From this release, SMTP settings per-policy have been deprecated in favor of per-domain SMTP settings
Released March 11, 2020
- When using multiple dictionaries, where at least one was configured to use ”Reverse of the new password”, passwords containing dictionary words could incorrectly be allowed.
Released January 09, 2020
- Improved error message when saving password policy settings without a description for regular expression.
- Help for PowerShell module was sometimes not available.
- Minor bug fixes in domain admin tool and password policy snap-in.
- Fixed an issue where the domain admin tool and policy snap-in editor could crash when importing a new SPP license without having enabled SPP in the domain.
- Password Auditor is no longer built into the setup package; instead it is downloaded from the setup assistant.
Released October 03, 2019
For updates to the Specops Password Auditor component, click here.
Leaked Password Scanning feature within the Breached Password
Protection Express setting. This scan is done on at night whenever
the Breached Password Protection database has been updated, or is
manually initiated, by the PDC emulator in the domains. Users
affected by the policy will be prompted to change their password at
- Leaked Password Scanning requires a Specops Password Breached Password Protection license.
- Leaked Password Scanning can be triggered from the Domain Admin Tool, and the “Start-PasswordPolicyLeakedPasswordScanning” PowerShell cmdlet. The Domain Admin Tool, and PowerShell cmdlet, must be running on the PDC emulator.
- Configuration of mail recipients To/CC when sending mail notifications about passwords found in the Breached Password Protection.
- New PowerShell cmdlet “Get-PasswordPolicyAffectingUser” to resolve a given user’s Specops Password Policy. The username can be provided as sAMAccountName or userPrincipalName.
- Added support to configure end-user message for passphrase custom regular expressions.
- The Password Auditor component failed to start if FIPS compliance was enabled.
- Various improvement to proxy support from the Specops Arbiter component.
- PowerShell snap-in changed to PowerShell Module.
Released June 26, 2019
- New reports in the Specops Password Auditor component. For more information, click here.
- Custom and online dictionaries were not saved correctly when configuration changes were made in the GPO.
- Lower limit setting for the “Minimum passphrase length” had been removed.
- The “Show failed dictionary word to user” setting was erroneously listed as a rule in the default domain password policy in the Domain Admin console.
Released June 12, 2019
Support for length-based password aging. Administrators can apply
length-based password aging on top of the standard password age
limit. Length-based password aging rewards users who create longer
and more secure passwords, by giving them extra time before their
password expires. For more information, click
- Length-based password aging is not supported for installations using Specops Password Policy extended schema.
- You must upgrade to the latest version of the Specops Authentication Client (7.13.19095.2 at the time of this writing) to receive password expiration reminders with the length-based password aging settings.
- Customers using Specops Password Policy with Specops uReset (version 8.4 and later) can display the length-based password aging setting to users during password change.
Support for Breached Password Protection Express. Breached Password
Protection Express validates passwords against a dictionary with
more than 600 million known leaked password hashes. The
Admin Tool manages the automatic download of the list from
the Specops Password Domain Admin tool and the list is
replicated to each domain controller for immediate access. This
enables the Specops Password Policy Sentinel to instantly verify
whether a user’s password is breached or not. For more information,
- If using Specops uReset, upgrade the Gatekeeper (applies for both Specops uReset 7.12 and Specops uReset 8) before enabling the Breached Password Protection Express rule in a policy.
- Breached Password Protection Express requires an updated license. Please contact your account representative for more information.
- The Specops Arbiter component failed to install on non-English Windows.
Subobject permission changes: Previously, the subobject created by
Specops Password Policy was only accessible by the system account
(full control for all domain controllers). This has been changed
with the following:
- Existing subobject from previous versions of Specops Password Policy will be updated the next time users change their password.
New subobjects will be given the following permissions:
- Domain admins will be able to delete the subobject.
- The user will be able to read the flags attribute on their own subobject (used by the Specops Authentication Client).
- The group configured under “Domain Settings”> “Security Settings” in the Specops Password Domain Administration tool, if configured, will be granted read access to the flags attribute. To enable the User Management pages in Specops uReset 8 to display custom password expiration, drop the Specops Authentication Gatekeepers in this group.
Released May 15th, 2019
- On computers with removed weak or deprecated TLS protocols, it was no longer possible to download dictionaries from the Specops online library. This issue has now been resolved and the admin tools have been updated to support TLS 1.2.
Released January 9th, 2019
- When administrators enabled “Reversible Encryption” using the Domain Admin tool, the encryption key was not always created.
Released November 14, 2018
- If (Default) was selected as the Client message language in a password policy, the Specops Authentication Client displayed the failed password rules in English, instead of the default language of the computer.
- Removed redundant trace logging.
Released September 19, 2018
- Added message placeholders, such as username, to customize content when sending Breached Password Protection notifications via email and SMS.
- New GPO setting to enable/disable the display of the part of the new password found in the dictionary following a failed password change.
- Importing hash dictionaries could fail with a message “Dictionary ‘hashes.txt.bin’ does not exist, the dictionary has to be removed from Dictionaries before the policy can be saved.”
- Following a password change with a policy containing the “Reverse of the new password” setting, the failed word displayed to the user was incorrect.
- Updated Breached Password Protection validation protocol to further increase privacy.
- Added encryption of the stored API key for Breached Password Protection.
Released August 23, 2018
Upgrading to 7.0 will require a new license key. Contact your account representative for more information.
- Compatibility with the Specops Password Breached Password Protection service. This add-on provides a continuously updated password Breached Password Protection list with 1 billion leaked passwords. Contact your account representative for more information.
- UI enhancements when configuring the Specops provided dictionaries.
Released July 30, 2018
- Support for configuring leetspeak and character substitutions within password dictionaries.
- Support for various European keyboard patterns, for example, the AZERTY-layout used by French speakers.
Updates to the language files.After updating the Administration Tools, open the Domain Administration tool to update the language files.
- Support for the renamed Specops Authentication Client (formerly known as the uReset Client). For updates to the Specops Authentication Client, click here.
Released April 19, 2018
- When downloading online dictionaries, the admin tool could crash due to lack of internet connectivity, or untrusted proxy certificate.
Released March 29, 2018
- The Common keyboard combinations and sequences dictionary was validated against exact password matches, instead of partial password matches. Download the latest version of the Specops Password Policy Administration Tool, and the updated Common keyboard combinations and sequences dictionary, to resolve the issue.
Released March 16, 2018
- Specops compliance dictionaries (NIST and NCSC). A combination of password lists from Daniel Miessler designed for penetration tests. The list is comprised of passwords with 8 or more characters, which is also the minimum character requirement to meet the NIST and NCSC guidelines.
- New policy templates with NIST and NCSC password recommendations.
- Keyboard/sequence dictionary consisting of the most common keyboard pattern passwords, for example 1qaz2wsx.
- NCSC compliance report for Specops Password Auditor.
- Changed the minimum character word length in custom dictionaries to allow blocking of 2 or 3 letter acronyms. This feature can be configured by organizations that want to prevent users from using acronyms, specifically those associated with their company name, in passwords.
- In some scenarios, the online dictionary extraction failed on Windows 10 machines depending on regional settings.
- The Sentinel state/version on the Specops Password Policy Administration Tool displayed a RPC unavailable error if a Domain Controller was not available.
- Improved dictionary search performance during the password reset and change process.
- Clean up operations when a dictionary is saved, including removal of duplicate entries and empty lines.
- Improved user experience when upgrading online dictionaries.
Released March 7, 2018
- Using the same online hash dictionary on more than one Group Policy resulted in an error.
Released May 10, 2017
- The Specops Password Policy setup assistant did not install Specops Password Auditor.
Released February 8, 2017
- Interactive reporting with Specops Password Auditor: This new component scans Active Directory and detects security related weaknesses, specifically related to password policies. Specops Password Auditor can be accessed from the Domain Administration Tool.
- The Specops Password Policy Filter made compatible with domain controllers that have “Additional LSA Protection” configured.
Released February 7, 2017
- The eventlog message, following a check for expired passwords, was incorrect.
- The “Part of the new password” dictionary setting contained help text that was incorrect.
- When the dictionary settings were modified in a GPO, the password policy filter did not reread the settings and the changes were ineffective, even though the policy was updated.
- The Domain Administration Tool could fail when browsing sentinel state.
- Toggling between password rules and phrases could fail (If Specops Password Policy and Specops Password Reset were used together).
- New step in the Setup Assistant for downloading the client installation files.
- New step in the Setup Assistant for installing the client ADMX file.
- The password rules that were not satisfied in a failed password change attempt will be added to the event log entry by default, regardless of the debug log level.
Released May 26, 2016
- When the sentinel resolved details about a failed password change, the password requirements information displayed to the end user was incomplete.
Released March 10, 2016
- The Sentinel Password Filter’s nightly password expiration reminder e-mail could fail for users with password dictionaries enabled.
Released March 3, 2016
- The installation for Specops Password Policy, Sync, and Reset is now separated to 3 different Setup Assistants.
- Extended dictionary support through the introduction of Online Dictionaries which allows administrators to download password lists, and password hash lists from the Specops website. The lists available for download in this release are: Gawker, Adobe Top 100, and LinkedIn.
- Added support for password hash dictionaries. You can import a list of hashed passwords to test against the hash of a new password. For example, testing against leaked LinkedIn password hashes.
- When the password policy settings were removed from the GPO, the SpecopsPassword folder in SYSVOL was not removed. This created problems with the dictionary if a new policy was created in the same GPO.
Released February 24, 2016 | 6.4.60217.2
Version 6.3 Maintenance Release 4
- Full Windows 10 support.
- The Specops ADUC menu extensions failed to load in certain environments.
Released August 18, 2015 | Build number: 6.3.50813
Version 6.3 Maintenance Release 3
Released May 11, 2015 | Build number: 6.3.50506
Version 6.3 Maintenance Release 2
- Windows 10 support for the Specops Password Client and the Administration Tools.
- When an administrator enabled password rules with “disallow words in dictionary,” the passphrase rules displayed the “disallow words in dictionary’ requirement, even though the rule is not applicable to passphrases.
- The ADUC extension returned a null reference error when a user was not affected by a Specops Password Policy.
- Autologon in credential provider failed after reboot.
- Unlocking users failed if using more than 1000 Specops Password Policy enabled Group Policies.
- Credential provider selected incorrect tile if group policy setting ‘Interactive logon: Do not display last user name’ was enabled.
Released April 17, 2015 | Build number: 6.3.50414
Version 6.3 Maintenance Release 1
- Administration Tools: When an administrator imported a dictionary file into a new unsaved policy, they received an error message that the path could not be found.
- Password Filter: In rare circumstances, when an administrator imported a dictionary, the Sentinel Password Filter rejected all password resets and change requests and the user received an error that the password reset/change did not meet policy requirements.
- Credential Provider: When an end-user using picture password locked their screen, they had to re-select the picture password logon file when logging in.
Released August 6, 2014 | 6.3.40731
- Passphrase policy support.
- Traditional and Simplified Chinese language support.
- New tabbed menus in password policy configuration snap-in user interface to improve usability.
- Administration Tools: When an administrator imported a license file, the “&” character was invisible in the “Licensed to” text field.
- Setup Assistant: When an administrator started the Specops Setup Assistant on a server outside of the domain, the Setup Assistant failed to initialize.
Released June 17, 2014 | 6.3.40617
Version 6.2 Maintenance Release 1
- Korean and Romanian language support.
- New setting that allows you to specify how long, in milliseconds, Specops Password Policy can query the domain controllers for policy details before the operation times out.
- Windows Server 2012 R2 support.
- Administration Tools: In rare circumstances, when a user tried to change their password via the Domain Controller, they received the server’s default error message when the password change failed.
- Administration Tools: In rare circumstances, when an administrator imported a dictionary, the Sentinel Password Filter rejected all password resets and change requests and the user received an error that the password reset/change did not meet policy requirements.
Released December 5, 2013 | 6.2.31205
- Stability improvements designed for really large environments.
- Improved error logging in the password filter.
- Fixed a minor bug where the GPMC snap-in would crash if trying to test the expiration email warning without specifying a SMTP server to send from.
Released June 25, 2013
- Fixed a permission problem when creating a share to remotely install the sentinel component.
- Fixed a problem with sending localized e-mail reminders to users.
- Fixed a problem with using the Admin tools from Windows XP.
Released November 27, 2012
- New password policy rules prevents the password from being too similar to the previous password.
- Subscription License model introduced.
Released June 4, 2012
- Redesigned dictionary feature now allows easier dictionary management and using multiple dictionaries.
- Configured password policies now stored in RAM for increased Sentinel performance.
- Added ability to select language for password reminder messages,
- Various minor UI bugs fixed.
Released June 30, 2011
- Updated Setup Assistant with accurate installation procedure descriptions.
Released November 18, 2010
- Rewritten setup for an easier, intuitive installation. The Setup Assistant has been rewritten to make the installation even easier and intuitive.
- The new Specops theme The new Specops theme has been applied to the administration tools.
- Command-line tool to manage SPP objects The administration tool now contains a command-line utility (SPOBJMGR.EXE) that can be used to manage SPP sub-objects in Active Directory.
- Turkish language added.
- Space (blank) character considered as a special character The space (blank) character is no longer considered as a special character by SPP. Microsoft doesn’t either consider space as a special character.
- Double login issue automatically handled Connecting to a server where the client component was installed forced the user to enter the credentials twice. Only applies when connecting from a Vista/Windows 7 client to a Windows Server 2008 (or later).
Released May 5, 2010
- Support for installing the client component on Citrix servers (Client).
- The client did not show the “Additional client message” option if it was configured in the GPO [Sentinel].
- The Administrative Template was missing from the Admin Tools setup [Admin Tools].
- If the client component was installed on a Windows Server 2008 (or higher), a Remote Desktop Connection (using the RDP 6.0 client or higher) to that server would require two logins [Client]
Released September 9, 2009
- If there are more than one thousand (1000) Group Policy Objects (GPO) in the domain, then the Domain Administration tool might not be able to show all configured Specops Password policies.
Released June 16, 2009
- Hungarian language added.
- DCPROMO fails on Windows Server 2008.
- If SPP is installed in the domain and trying to promote a Windows Server 2008 to a domaincontroller, the operation fails when trying to set the Directory Services Restore Mode (DSRM) password.
Released May 5, 2009
- Improved Setup Assistant to simplify the installation process.
- The implementation of the “Disallow username in password” rule has been changed. The rule is now divided into two options; “Disallow full user name in password” or “Disallow part of user name in password”. The “Disallow part of user name in password” prohibits the use of any 3 character part of any user name in the password.
- Misleading client message text for the “Disallow consecutive identical characters.”
- The message text has been changed to “Must not contain <number> or more consecutive identical characters”.
- NetBIOS domain names containing a punctation character.
- The client now works as expected if the NetBIOS domain name contains a punctation character.
- Empty body in password expiration warning e-mail.
- Some SMTP servers sent e-mails where the body was empty. An extra carrige return/line feed (CR/LF) has been added after the “content-transfer-encoding” MIME command, as specified in the RFC.
- Disjointed namespace issue (computers primary DNS suffix is not the same as the DNS domain name).
- When finding the domain DNS domain name to operate on, the computers primary DNS suffix is not longer used. Instead the API LsaQueryInformationPolicy is used to get correct DNS domain name. Caused the error “Failed to translate name <username>” on domain controllers.
- Shortcuts to Specops Password Reset web pages are no longer created when the client is deployed.
Released December 18, 2008
- Support for Windows Server 2008
- Support for Remote Server Administration Tools (RSAT)
- Integration with Specops Password Reset
Additional password policy requirements
- Regular expressions
- Disallow backward words in wordlist
- Disallow digit as last character
New password expiration warning e-mail settings
- Fully configurable sender address
- Exclude password policy requirement
- “License outdated” issue.
Released July 1, 2008
- The password expiration warning balloon don’t show up on a Windows 2000 client.
- When sending password expiration warning e-mails, the domain name is not provided during the SMTP session initialization.
Released September 1, 2007
- The password expiration warning message is now shown as a balloon in the notification area, instead of a dialog box during logon.
- Support for Windows Vista.
- Support for x64
- The password expiration message is shown for users with the flag “password cannot expire” configured.
- Password expiration warning e-mails are sent to users with the flag “password cannot expire” configured.
Released May 10, 2007