Password Policy Enforcer with PasswordPing
Download the installer from https://cdn.passwordping.com/files/PPE910_PasswordPing.exe
To install PPE with PasswordPing, perform the following steps on your Domain Controller(s):
- Run the installer, PPE900_PasswordPing.exe, and then reboot the DC when prompted (this will need to be done on each DC in the domain).
- Open the PPE Configuration application from the Password Policy Enforcer with PasswordPing program group.
- Select the PPS item in the left pane of the console and click PPS Properties.
- On the PasswordPing tab of the PPS Properties dialog, enter the API key and Secret you were provided.
- Close the PPS Properties dialog.
- Create a PPE policy by highlighting Policies in the left hand pane, right clicking and selecting New Policy. Give the policy a name. The only thing necessary to change in the Policy Properties dialog is to assign the policy to desired users, groups or OUs on the Assigned To tab.
- Select the new policy in the left pane. Enable PasswordPing on the new policy by double clicking the Compromised item in the right hand pane. Check the Enabled box and add a path to the provided Compromised.txt file in the first edit box (this file is installed into C:\Program Files (x86)\Password Policy Enforcer with PasswordPing 9.0). This file is a list of SHA-1 password hashes that will automatically be rejected in addition to those rejected by the PasswordPing service. You can add any custom passwords you would like to reject by adding the SHA1 for the password to this file.
- Test the new password policy by attempting to change a user password or using the PPE Test Policies dialog (accessible by right clicking the Policies item in the left hand tree view). Try entering Password-123 as a password and ensuring it is rejected.
Multiple Domain Controllers
In the case of multiple domain controllers, you just need to install PPE on each controller. PPE stores its settings in Active Directory, so once it is configured on one controller, the configuration settings will replicate to all the DCs in the domain.
Deploying via GPO
If you select the Advanced install option when you run PPE900_PasswordPing.exe, it will guide you more info about setting up GPO push installs for both server and client installations for your environment.
PasswordPing must be able to contact its servers to look up the compromised status for passwords. The IP addresses below should be whitelisted for outbound communications over TCP ports 80 and 443 from your domain controllers.