Wednesday, 17 Jul 2024

How to Secure Passwords with Specops Password Policy

Password hygiene is crucial for maintaining the security of an organization. However, finding the right balance between weak and overly complicated passwords can be a challenge. Fortunately, Specops Password Policy (SPP) takes the guesswork out of implementing strong passwords with its robust features.

With Specops Password Policy, you have the ability to create password rules that adhere to industry-standard templates. This level of control allows you to enforce password policies that go beyond the default Windows password policy.

In this article, we will walk you through installing and configuring Specops Password Policy and creating a password policy that protects the passwords of your Active Directory users. Let’s get started!


Before diving into the tutorial, make sure you have the following requirements in place:

  • A Windows Server 2012 R2 (or later) domain controller (DC). For this tutorial, we will be using a Windows Server 2019 DC.
  • A Windows 7 (or later) domain-joined computer. This computer will be used to test how Specops Password Policy works from the user’s perspective.
  • The Specops Password Policy installer, which can be downloaded from this link.
  • The trial license for Specops Password Policy, which you can request by filling out the form on the Specops Password Policy product page.

Installing Specops Password Policy

Specops Password Policy consists of multiple components that need to be installed individually. However, you don’t have to download these installers separately, as you can install them all from one place.

Installing Administration Tools

The administration tools allow you to manage the Specops Password Policy configurations, such as installing the license or creating new policies. To install the administration tools, follow these steps:

  1. Locate the specopspasswordpolicy_setup.exe file you downloaded and double-click it.
  2. In the pop-up window, choose the desired location to extract the installation files and click OK.
  3. After the extraction, the Specops Setup Assistant window will appear. Click Start installation.
  4. Accept the End User License Agreement (EULA).
  5. On the installer menu, click the Administration Tools button.
  6. Click Add menu ext to enable Specops-specific context menu items in the Active Directory Users and Computers (ADUC) console.
  7. Click Install to install the Specops Password Policy Administration Tools.
  8. After the installation is complete, click OK.

Installing Specops Arbiter

Specops Arbiter is a component that enables the use of the Specops Breached Password Protection (BPP) add-on. This add-on provides access to Specops’ online list of leaked and compromised passwords. Please note that you only need to install this component if you plan to use the Breached Password Protection.

To install Specops Arbiter on your domain controller (DC), follow these steps:

  1. On the Specops Password Policy installation menu, click Specops Arbiter.
  2. Click Install next to the Specops Arbiter installation.
  3. Finally, click OK after the installation is complete.

Installing Specops Password Policy Sentinel

Specops Password Policy Sentinel is a component that filters and verifies new passwords against your Specops Password Policy settings. This component also checks if the password is on the breached password list, but only if you have configured Specops Arbiter as well.

Follow these steps to install Specops Password Policy Sentinel on all writable domain controllers in production:

  1. On the main installation menu, click Domain Controller Sentinel.
  2. Select the domain controllers on which you want to install Specops Password Policy Sentinel.
  3. Click Install and wait for the installation to complete.
  4. Finally, reboot the affected domain controllers.

Installing Specops Authentication Client

While the Specops Authentication Client is an optional component, installing it on client computers enhances the user experience when changing passwords. The client has three main functions: displaying the password policy rules, evaluating new passwords in real-time, and notifying users of expiring passwords.

To install Specops Authentication Client manually on a client PC, follow these steps:

  1. Log in to the client computer with administrator access.
  2. Open a new PowerShell window as administrator and navigate to the Downloads folder.
  3. Run the command to download the Specops Authentication Client installer.
  4. Type in the installer file name, append the switch /passive, and press Enter.
  5. Wait for the installation to complete.
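
A signature check to run before step 4, as an added example that is not from the original article or from Specops: it starts the installer with /passive only if Windows reports a valid Authenticode signature from the publisher you expect. The installer file name and the publisher string are placeholders, since the article gives neither.

```powershell
# Added example: verify the downloaded installer before running it with /passive.
# Both values below are placeholders; the article does not give them.
$Installer         = Join-Path $HOME 'Downloads\<installer-file-name>'
$ExpectedPublisher = '<publisher name you expect on the certificate>'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Publisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # A valid signature from an unexpected signer is still a failure.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$Publisher*") {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }
    return $true
}

if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }

# Record the hash so the same binary can be confirmed on other client PCs.
$hash = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
Write-Output "SHA256: $hash"

if (Test-InstallerSignature -Path $Installer -Publisher $ExpectedPublisher) {
    # Step 4 of the list above: run the installer with the /passive switch.
    $proc = Start-Process -FilePath $Installer -ArgumentList '/passive' -Wait -PassThru
    Write-Output "Installer exit code: $($proc.ExitCode)"
} else {
    throw 'Installer signature check failed; not installing.'
}
```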

Importing the Specops Password Policy Product License

Now that you have installed all the necessary components, it’s time to import the license for Specops Password Policy. This license is required before you can start configuring password rules and other general settings.

To import the license, follow these steps:

  1. Launch the Specops Password Policy administration tool by clicking Start -> Specops Software -> Password Policy Administration.
  2. Upon opening the administration tool for the first time, you will see a License Error message. This is normal, as you haven’t imported the license yet. Click OK to close the message.
  3. Click the Import license file button on the administration tool window.
  4. Browse for the license file (with a JSON extension) and click Open.

After importing the license, you will see that Specops Password Policy is now enabled. You will also notice the different configuration menu items on the left pane, which were previously missing.

Enabling the Breached Password Protection Add-on

In addition to password rules, Specops Password Policy can check user passwords against a list of breached passwords, whether online or through an offline database. However, you need to enable this feature first.

Importing the Breached Password Protection API Key

After importing the product license, you can access the Breached Password Protection configuration page. This page allows you to enter the API key, granting the Arbiter access to the online breached password list.

To import the API key, follow these steps:

  1. Click Breached Password Protection on the left pane.
  2. Under the Complete API tab, click the Register new Arbiter button.
  3. Search for or specify the domain controller name to register and click OK.
  4. The registered DC will now appear on the list. Click the Import API key button.
  5. Open the API key file in a text editor, copy the API key, paste it into the Add API Key box, and click OK.

Downloading the Breached Password Express List

Alternatively, you can choose to use the Breached Password Express List instead of an online list. The Express List allows Specops Password Policy to check passwords using a local dictionary and enables real-time password checking.

To download the Breached Password Express List, follow these steps:

  1. Click the Express List tab within the Breached Password Protection page.
  2. Click Download latest version.
  3. Specify the temporary directory where you want to save the Express List and click OK.
  4. Confirm the download by clicking Continue.
  5. Wait for the download and copy process to complete.
  6. Click OK after the download is complete.

Configuring SMTP Settings for Email Notifications

Specops Password Policy includes email notifications to inform users about password-related actions. If you plan to use email notifications, follow these steps to configure the SMTP settings:

  1. Click Domain Settings on the left pane and click Edit under the SMTP Settings section.
  2. Enter the necessary information about your SMTP server and email addresses.
  3. Click Test Settings to verify the SMTP settings.
  4. Enter a recipient email address for testing and click Send.
  5. Once the test is successful, click Close.
  6. Click OK to save the changes.

Creating a New Password Policy

Finally, it’s time to create a new password policy using Specops Password Policy. By creating a new policy, you can enforce strong password rules and apply them to your domain.

To create a new password policy, follow these steps:

  1. Open the administration tool and click Password Policies.
  2. You will see the existing password policies inside the Default Domain Policy GPO. If your Specops password policy has a lower entropy score, make sure to set the Default Domain Policy to the lowest level.
  3. Click the Create new Password Policy button.
  4. On the Create a new Password Policy window, choose whether to create a new GPO or use an existing one. In this example, we will create a new GPO called SPP.
  5. Enter the name of the new GPO and select the organizational unit (OU) where the GPO should apply. The GPO name in this example is SPP, and it will apply to the domain root [].
  6. Select the GPO you created and click OK.
  7. Next, choose the starting template for your new password policy. There are four pre-defined templates: Microsoft, NCSC, NIST, and NSA. Select the Microsoft Recommendation – high security template for this example and click Next.

Configuring General Settings

  1. Under the Start tab, choose whether to enable password rules, passphrase rules, or both. For this example, leave the default choice as Enable Password Rules.
  2. Click the General Settings tab. Leave the default settings under the Password history section.
  3. Also, leave the default settings under the Client message section. This determines the message users will see after a failed password attempt.

Configuring Password Expiration

  1. Click the Password Expiration tab. Leave the Maximum password age (days) value at its default setting.
  2. Under Password expiration notifications, check the Notify at login box and change the value to 10. This setting will display a desktop notification to users when their password is about to expire (only works with Specops Authentication Client).
  3. If you have configured an SMTP server for email notifications, check the Send email notification box and set the value to 10. This will send a daily email reminder to users about their expiring password.

Configuring Password Rules

Next, click the Password Rules tab and review the default settings. These settings require a minimum password length of 8 characters and enforce a mix of uppercase, lowercase, digits, and special characters.

Configuring Breached Password Protection

Specops Password Policy offers two versions of the Breached Password Protection: Express List and Complete API.

To enable the BPP Express List:

  1. Check the Prevent users from changing to a leaked password option. This will prevent password changes if the new password matches a leaked password in the Express List.
  2. Check the Continuously check for leaked passwords and force users to change them option. This will automatically expire the passwords of accounts with passwords found in the Express List, prompting users to change their passwords.
  3. Customize the Notify user when they are forced to change password option if you want to enable email notifications for users who need to change their passwords.

To configure the BPP Complete API:

  1. Click the Complete API tab.
  2. Check the Enable Breached Password Complete API option to enable online password checking.
  3. Check the Enable Breach Protection when passwords are reset option to apply the BPP online checking during password resets.
  4. Check the Require that users with leaked passwords change them at next logon option to automatically expire users’ passwords and force a password change.
  5. (Optional) Check the Send emails to users with passwords on the breach list option and change the Email transport mode to SMTP if you have configured an SMTP server.
  6. (Optional) Leave the Send text messages to users with passwords on the breach list option unchecked. This option sends text messages to users’ mobile phone numbers if they follow the international format.

Click OK to save the new password policy.

Congratulations! You have successfully configured a fine-grained password policy with built-in notification features using Specops Password Policy. Now you can protect your users’ passwords and ensure the security of your organization.
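
To confirm the policy is enforced wherever a password can be set, the following added example (not part of the original article or of Specops' tooling) tries a non-compliant password against each writable domain controller and reports which ones reject it. It assumes the RSAT ActiveDirectory module, a hypothetical disabled test account named spp-policy-test that is in scope of the SPP GPO, and the Password Rules settings described above.

```powershell
# Added example: confirm every writable DC rejects a password the new policy forbids.
Import-Module ActiveDirectory

# Hypothetical test account; keep it disabled and in scope of the SPP GPO.
$TestUser = 'spp-policy-test'
# Constructed probe: upper, lower and digit but no special character, so it
# should fail the Password Rules settings described in the article.
$Probe = ConvertTo-SecureString 'Abcdefgh1' -AsPlainText -Force

function New-RandomPassword {
    # 24 random bytes as Base64, plus a suffix covering all four character classes.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + '!aZ9') -AsPlainText -Force
}

$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$results = foreach ($dc in $writableDCs) {
    $common  = @{ Identity = $TestUser; Reset = $true; Server = $dc.HostName; ErrorAction = 'Stop' }
    $stored  = $false
    $outcome = 'Inconclusive'
    try {
        Set-ADAccountPassword @common -NewPassword $Probe
        # Reaching this line means the DC stored the weak password.
        $stored  = $true
        $outcome = 'ACCEPTED: policy not enforced on this DC'
        Set-ADAccountPassword @common -NewPassword (New-RandomPassword)
    } catch {
        if ($stored) {
            $outcome += ' (cleanup reset failed, reset the account manually)'
        } elseif ($_.Exception.GetType().Name -eq 'ADPasswordComplexityException') {
            # The AD module raises this type when the DC refuses a password on policy grounds.
            $outcome = 'Rejected by password policy'
        } else {
            $outcome = "Inconclusive: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ DomainController = $dc.HostName; Result = $outcome }
}
$results | Format-Table -AutoSize
```

A domain controller that reports ACCEPTED is one where the Sentinel is missing, has not been rebooted since installation, or has not yet received the GPO.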

Frequently Asked Questions

Q: Can I install Specops Password Policy on any version of Windows Server?

A: Specops Password Policy is compatible with Windows Server 2012 R2 and later versions. Please check the system requirements before installing.

Q: Is it necessary to install all components of Specops Password Policy?

A: It is recommended to install all the components to take full advantage of Specops Password Policy’s features. However, certain components are optional depending on your specific requirements.

Q: How can I download the trial license for Specops Password Policy?

A: You can request the trial license by filling out the form on the Specops Password Policy product page. Someone from Specops will send you an email with the trial license and trial API key for Arbiter.


In today’s digital landscape, using strong passwords is essential for maintaining the security of your organization. However, creating and implementing a strong password policy can be challenging. Fortunately, Specops Password Policy simplifies this process by providing pre-defined templates and powerful features.

With the Breached Password Protection add-on, you can ensure that your users do not use compromised passwords. You can even customize the policy by adding disallowed passwords to a custom dictionary.

Take the time to explore Specops Password Policy further and tweak the rules to fully understand how this product can help protect your users’ passwords and, in turn, safeguard your organization.

For more information, visit Eireview.