Why AD needs a password policy enforcer
Over 19 billion passwords were exposed in just one year, with only 6% being unique. Yet AD has no mechanism to screen new passwords against exposed credentials.
AD's built-in password controls were designed for a different era. Out of the box, the Default Domain Policy in AD provides only a limited set of controls:
- Minimum and maximum password age
- Minimum password length
- Password history count
- Complexity requirements (three of five character categories; no account name or display-name token longer than two characters)
- Reversible encryption toggle
- Account lockout threshold, duration, and observation window
Fine-grained password policies extend these rules to specific users and groups through Password Settings Objects, but they don't expand the types of password checks AD can perform.
As a result, passwords such as Welcome2025! can satisfy every native requirement while still being weak and commonly used.
Native AD can't screen passwords against breach databases, detect predictable patterns, prevent users from building passwords around personal information, or provide real-time password feedback. Users receive only a generic rejection message after submission, with no indication of which rule failed.
ManageEngine ADSelfService Plus' Password Policy Enforcer extends native AD with capabilities such as compromised password detection, dictionary attack prevention, AD attribute restrictions, and additional, granular password rules for specific OUs and groups. These controls are enforced consistently across password resets and password changes, whether users update credentials through a browser, mobile app, or the Windows Ctrl+Alt+Del screen.
How ADSelfService Plus' Password Policy Enforcer works
ADSelfService Plus extends native AD password policies with a centralized Password Policy Enforcer that applies advanced password controls across every password reset and password change channel. While AD continues to enforce its baseline requirements, ADSelfService Plus adds compromised password detection, dictionary attack prevention, granular password rules, real-time password feedback, and compliance enforcement capabilities that native AD lacks.
Policies can be targeted to specific OUs and groups and enforced consistently whether users change passwords through the self-service portal, mobile app, Windows Ctrl+Alt+Del screen, or administrator tools. This enables organizations to strengthen password security, improve user experience, and align password policies with frameworks such as NIST SP 800-63B, HIPAA, and PCI DSS.
Restrict characters and AD attributes
With ADSelfService Plus, admins can block specific characters, require a minimum number of unique characters, and prevent users from embedding AD attributes such as display name, email address, department, or custom fields within passwords. This helps eliminate passwords based on directory information that attackers can easily discover and strengthens compliance with organizational password standards.
Restrict repetition
ADSelfService Plus lets admins restrict consecutive repeated characters and total character repeats. Passwords such as aaaa1234 and 1qaz1qaz can be rejected before they reach AD, reducing the use of predictable password structures.
Restrict patterns and dictionary words
ADSelfService Plus helps prevent users from choosing passwords that contain dictionary words, keyboard walks, sequential characters, palindromes, and other predictable patterns. Built-in dictionaries can be supplemented with custom entries such as organization names, product names, project names, and other business-specific terms. ADSelfService Plus also provides regex support and enables administrators to create highly targeted password restrictions that go beyond standard dictionary checks.
Length, complexity, and granular targeting
Define minimum and maximum password lengths, character category requirements, unique character counts, and other restrictions for specific OUs or AD groups. Different departments, user types, and risk levels can follow different password requirements, all managed centrally from a single console.
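The following Python is an added example for this page, not ADSelfService Plus code. It evaluates the rules from these sections as a set: the native Default Domain Policy complexity rule (three of five character categories, no account-name or display-name token) followed by the extended checks described above (blocked directory attributes, repeated characters, sequential runs, keyboard walks, palindromes, dictionary words, length and unique-character counts), and it returns a pass/fail verdict per rule rather than a single yes/no, which is what per-rule feedback needs. The thresholds, the dictionary, the sample account jdoe, and the candidate passwords are constructed for the demo, and the keyboard-walk table covers US QWERTY only.

```python
"""Password rule evaluator for the checks described above. Added example for this
page, not ADSelfService Plus code: thresholds, dictionary, and the sample user are
constructed; native_ad_complexity() mirrors the documented Default Domain Policy rule."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# US QWERTY rows and columns for keyboard-walk detection (reversed direction derived at check time).
QWERTY_LINES = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm")
# Separators AD uses to split the display name into tokens for its complexity rule.
SEPARATORS = re.compile(r"[,.\-_ #\t]+")


def native_ad_complexity(password: str, sam_account_name: str, display_name: str) -> bool:
    """Default Domain Policy rule: three of five character categories, and neither the
    account name nor a display-name token longer than two characters in the password."""
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),  # e.g. CJK
    )
    lowered = password.lower()
    if sum(categories) < 3:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    return not any(len(t) > 2 and t.lower() in lowered for t in SEPARATORS.split(display_name))


def has_sequential_run(password: str, length: int = 4) -> bool:
    """True if `length` adjacent characters step by exactly +1 or -1 ('abcd', '4321')."""
    for i in range(len(password) - length + 1):
        window = password[i:i + length]
        if {ord(b) - ord(a) for a, b in zip(window, window[1:])} in ({1}, {-1}):
            return True
    return False


def has_keyboard_walk(password: str, length: int = 4) -> bool:
    """True if `length` adjacent keys from a QWERTY row or column appear, in either direction."""
    lowered = password.lower()
    return any(line[i:i + length] in lowered
               for walk in QWERTY_LINES for line in (walk, walk[::-1])
               for i in range(len(line) - length + 1))


@dataclass(frozen=True)
class Policy:
    """Constructed thresholds; a real deployment would assign these per OU or group."""
    min_length: int = 12
    max_length: int = 64
    min_unique: int = 6
    max_consecutive_repeat: int = 2   # 'aa' passes, 'aaa' fails
    max_total_repeats: int = 3        # characters beyond their first occurrence
    dictionary: FrozenSet[str] = frozenset()


def evaluate(password: str, user: Dict[str, str], policy: Policy) -> Dict[str, bool]:
    """Pass/fail per rule: the shape a real-time feedback screen needs before submission."""
    lowered = password.lower()
    # Directory values the password must not embed; only the local part of mail is used,
    # because domain labels such as 'com' would over-match.
    attribute_values = [user.get("sAMAccountName", ""), user.get("displayName", ""),
                        user.get("department", ""), user.get("mail", "").split("@", 1)[0]]
    tokens = {t.lower() for v in attribute_values for t in SEPARATORS.split(v) if len(t) >= 3}
    return {
        "native_ad_complexity": native_ad_complexity(
            password, user.get("sAMAccountName", ""), user.get("displayName", "")),
        "length": policy.min_length <= len(password) <= policy.max_length,
        "unique_characters": len(set(password)) >= policy.min_unique,
        "consecutive_repeats": not re.search(r"(.)\1{%d}" % policy.max_consecutive_repeat, password),
        "total_repeats": len(password) - len(set(password)) <= policy.max_total_repeats,
        "no_sequential_run": not has_sequential_run(password),
        "no_keyboard_walk": not has_keyboard_walk(password),
        "not_palindrome": not (len(password) >= 3 and lowered == lowered[::-1]),
        "no_dictionary_word": not any(word in lowered for word in policy.dictionary),
        "no_ad_attribute": not any(tok in lowered for tok in tokens),
    }


DEMO_USER = {"sAMAccountName": "jdoe", "displayName": "John Doe",       # constructed sample account
             "mail": "jdoe@example.com", "department": "Sales"}
DEMO_POLICY = Policy(dictionary=frozenset({"welcome", "password", "summer", "winter"}))


def failed_rules(password: str, user: Dict[str, str] = DEMO_USER,
                 policy: Policy = DEMO_POLICY) -> List[str]:
    """Sorted names of the rules a candidate fails; an empty list means it is accepted."""
    return sorted(rule for rule, ok in evaluate(password, user, policy).items() if not ok)


if __name__ == "__main__":
    for candidate in ("Welcome2025!", "aaaa1234", "1qaz1qaz", "Doe-Sales#2025", "Maple#Orbit-7Kite"):
        print(f"{candidate:18} fails: {', '.join(failed_rules(candidate)) or 'none'}")
```

Run it and Welcome2025! passes every native check and fails only the dictionary rule; aaaa1234 and 1qaz1qaz are caught by the repetition, sequence, and keyboard-walk checks; Doe-Sales#2025 is caught by the AD-attribute restriction; and a lowercase passphrase such as correct horse battery staple fails the native complexity rule even though it is the kind of password NIST recommends. The sequence and keyboard-walk checks use a fixed window of four characters; shortening it catches more walks at the cost of more false positives.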
Have I Been Pwned? integration
Every password creation, reset, and change event is screened through compromised password detection with Have I Been Pwned? before the credential reaches AD. The Password Policy Enforcer performs a breach database lookup against regularly updated breach corpora and blocks leaked password candidates before they can be stored.
This compromised password check applies to self-service resets, admin-initiated resets, change-on-login workflows, mobile password resets, ADUC operations, and standard password changes. By enforcing leaked password blocking at every password write event, organizations can prevent users from selecting credentials already known to attackers and satisfy compliance requirements that prohibit compromised passwords.
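The page does not state which HIBP endpoint the product calls. The following Python is an added example, not ADSelfService Plus code, showing how the public Pwned Passwords range API works and why the full password hash never leaves the caller: the client sends only the first five hex characters of the password's SHA-1, receives every hash suffix in that range with its breach count, and compares locally (k-anonymity). The range response below is constructed so the code runs offline; the SHA-1 of the string password is real, the hit counts are not. The fail-closed/fail-open switch is an assumption about what a deployment needs when the lookup is unavailable, not a product setting.

```python
"""Have I Been Pwned 'Pwned Passwords' check via the k-anonymity range API.
Added example, not ADSelfService Plus code: the page does not state which HIBP
endpoint the product calls. The range response below is constructed so the code
runs offline; the SHA-1 of 'password' is real, the hit counts are not."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to HIBP and the
    35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Entries with count 0 are padding returned when the
    client sends 'Add-Padding: true'; they carry no information and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times HIBP has seen this password; 0 means not found. Only the
    5-character hash prefix is disclosed to the service."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_write_allowed(password: str, fetch_range: Callable[[str], str],
                           fail_closed: bool = True) -> Tuple[bool, str]:
    """Gate a password write event on the breach check. When HIBP is unreachable the
    policy decides: fail closed (reject) or fail open (accept and log a warning)."""
    try:
        hits = breach_count(password, fetch_range)
    except Exception as exc:  # network error, HTTP error, malformed body
        note = f"breach check unavailable ({exc})"
        return (False, note + "; rejected") if fail_closed else (True, note + "; accepted")
    if hits:
        return False, f"rejected: seen {hits} times in breach corpora"
    return True, "accepted"


def fetch_range_live(prefix: str) -> str:
    """Real HIBP call: anonymous and rate-limited, a User-Agent is required, and
    Add-Padding hides the true response size from a network observer."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline fixture for prefix 5BAA6 (the SHA-1 of 'password' starts 5BAA6).
# The first suffix is the real remainder of that hash; its count and the other two lines are made up.
FIXTURE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\n"
    "0000000000000000000000000000000000F:0\n"   # padding-style entry, ignored by the parser
)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed fixture."""
    return FIXTURE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "Maple#Orbit-7Kite"):
        print(candidate, "->", password_write_allowed(candidate, fetch_range_offline))
```

Swap fetch_range_offline for fetch_range_live to query the real service. Because the gate sits on the write path, the failure mode matters: failing closed blocks password changes during an HIBP outage, failing open lets a breached password through, so the choice should be a deliberate policy decision and logged either way.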
Real-time password feedback
As users create a new password, ADSelfService Plus provides real-time password feedback that displays password strength indicators and policy requirements directly on the password change screen. Users can immediately see which password rules have been satisfied and which still require attention, reducing failed password changes and password-related help desk tickets.
The same feedback appears on the self-service portal, iOS and Android apps, and Windows login agent, ensuring consistent enforcement regardless of how users change their passwords.
Why password regulatory compliance is easier with ADSelfService Plus
Password compliance isn't optional; it's audited. NIST SP 800-63B, HIPAA, and PCI DSS each define requirements for how passwords must be created, changed, stored, and screened, and native AD doesn't fully satisfy any of them out of the box. ADSelfService Plus closes those gaps by enforcing breach screening, granular complexity rules, history controls, and expiration policies at the OU or group level across every password entry point: password changes from the Ctrl+Alt+Del screen, password resets from ADUC, and self-service password resets.
| Requirement | Compliance standard | ADSelfService Plus enforcement |
|---|---|---|
| Character categories (uppercase, lowercase, numeric, special, Unicode) | PCI DSS 4.0: Requires both numeric and alphabetic characters. NIST: Recommends against mandatory composition rules, relying on length and breach screening instead. | Native AD complexity accepts any three of five categories and cannot require all of them together; ADSelfService Plus sets character category requirements per OU or group and does not block non-English characters. |
| Minimum password length | NIST: Mandates a minimum of eight characters and recommends supporting passphrases of at least 64 characters. PCI DSS 4.0: Minimum of 12 characters, up from seven under the previous version. | Configurable minimum and maximum length per OU or group. No character-set restrictions block passphrases or non-English characters. |
| Breach and compromised password screening | NIST: Requires that new passwords be screened against lists of known compromised credentials and rejected if found. PCI DSS 4.0: Requires the same screening of new passwords against lists of known compromised credentials. HIPAA: Access control provisions imply that credentials already in attacker wordlists cannot be considered secure. | The compromised password detector screens every new password against the Have I Been Pwned? database and blocks the candidate before it is written to AD or Microsoft Entra ID. |
| Blocking dictionary words and predictable patterns | NIST: Organizations must reject commonly used passwords, dictionary words, and passwords containing repetitive or sequential characters, because they pass complexity checks while remaining trivially guessable. | Built-in and custom dictionary filters reject common words. A pattern checker independently blocks sequential strings, keyboard walks, repeated characters, and palindromes. Both controls apply at every password write. |
| Blocking context-specific passwords | NIST: Passwords must not contain the user's own name, username, or service name, personally guessable values that complexity rules do nothing to stop. | AD attribute restrictions reject any password containing the user's own directory attributes, including display name, username, and email. |
| Password expiration policy | NIST: Discourages forced periodic rotation, because the pressure it creates drives reuse and predictable increments such as appending a number. PCI DSS 4.0: Mandates rotation every 90 days for accounts not protected by MFA. HIPAA: Defaults to 90-day cycles but permits longer intervals when active breach screening is in place. | Expiration is configurable per domain, OU, and group. It can be set to never for NIST-aligned environments or to a defined cycle for PCI DSS and HIPAA compliance. MFA exemptions are supported. |
| Password history and recycling prevention | PCI DSS 4.0: Requires that users cannot reuse any of their last four passwords. NIST and HIPAA: Discourage reuse of previous passwords. | Password history enforcement prevents reuse of prior credentials. Recycling prevention stops the single-character increment workaround that standard AD history controls don't catch. |
| Real-time guidance during password creation | NIST: Recommends that users receive feedback during password entry. HIPAA: Requires documented procedures for password creation; real-time guidance is a direct operationalization of that requirement. | Pass or fail feedback for each active rule is displayed as the user types, before submission, so failed attempts drop, self-service reset completions increase, and help desk tickets fall. |
| Audit trail and compliance reporting | HIPAA: Technical Safeguards require audit controls covering authentication events, including password changes and resets. PCI DSS 4.0: Requires event logs with sufficient detail to reconstruct access history. | Every reset and change event is logged with timestamp, IP address, and user identity. Reports are exportable to CSV or PDF and can be scheduled for delivery so audit evidence is always ready. |
ADSelfService Plus turns compliance from a manual audit exercise into a continuously enforced policy. The same rule set that satisfies NIST's breach-screening requirements also covers PCI DSS's 12-character minimum and HIPAA's documented change procedures, with no duplicate configuration across entry points. When users understand what a password needs to do before they submit it, failed attempts drop and self-service completions increase. Scheduled audit reports deliver the exact evidence sets auditors request most often. With ADSelfService Plus, when a review cycle arrives, the data is already there.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist a range of attacks. Require Windows AD users to choose compliant passwords by displaying the password complexity requirements as they type.
FAQ
What is an enforced password policy? An enforced password policy is a set of rules, such as minimum length, complexity, or breach screening, automatically applied every time a user creates or changes a password. Rather than relying on guidelines users might ignore, a password policy enforcement tool like ADSelfService Plus blocks weak passwords at the point of creation. In AD, native enforcement covers length, complexity, history, and lockout. A password policy enforcer extends that with dictionary checks, pattern detection, breach screening, and per-group targeting.
What is a password policy enforcer? A password policy enforcement tool layers fine-grained password rules on top of native AD settings: per-group complexity requirements, dictionary-word blocking, pattern detection, and screening against breach databases, capabilities that go beyond AD's built-in fine-grained password policies. ADSelfService Plus, Netwrix, Specops, and Lithnet are the main options on the market.
What password best practices should I follow? Follow NIST: a minimum of eight characters (12 or more is the practical recommendation), support for passwords of up to 64 characters and for Unicode, screening against breach databases and common dictionaries, blocking of sequential and repetitive patterns, and no forced periodic rotation unless there is evidence of compromise. These NIST guidelines form the baseline; layer organization-specific dictionary terms and pattern restrictions on top for stronger protection. Add MFA, since PCI DSS 4.0 exempts MFA-protected accounts from the 90-day rotation requirement.
How do I comply with NIST 800-63B password requirements? Start by enabling compromised password screening, removing forced periodic rotation, and setting a minimum length of eight or more characters. ADSelfService Plus automates NIST password compliance by mapping each NIST password recommendation to an enforceable policy rule applied consistently across every channel that writes a password to AD.
What minimum password length should I set? NIST sets the floor at eight characters and requires systems to support at least 64. Most enterprises now set 12 to 14 as the practical minimum, since GPU-based cracking has significantly reduced the time needed to brute-force shorter passwords. ADSelfService Plus lets you set different minimums per OU or group, so higher-risk accounts get stricter requirements without applying them universally.
