Password Policy Enforcer

Frequently Asked Questions

Is PPE suitable for large networks?

Yes. Our three largest customers have almost two million PPE user licenses between them.

Which operating systems is PPE supported on?

PPE V8.01 is supported on Windows Server 2016, 2012 R2, 2012, 2008 R2, 2008, 2003 R2, 2003, and Windows 10, 8.1, 8, 7, Vista, and XP.

Does Microsoft support systems with PPE, or the PPE client installed?

Yes. PPE only uses documented Microsoft APIs. PPE is installed on tens of thousands of domain controllers.

Does PPE extend the Active Directory schema when installed?

No. PPE only creates an Active Directory container object to hold configuration settings when it is used in a domain. If you want to enforce the History rule for domain accounts, then you will need to choose where PPE will store the password history. This can either be an existing AD attribute, or a new attribute. You can also use the Windows history rule with PPE if you do not want PPE to store a password history.

Does PPE make any other changes to Active Directory?

PPE sets the "User must change password at next logon" flag when a user's password expires, if the PPE Maximum Age rule is enabled. PPE will also create an Active Directory group called "PPE Extended Maximum Age Users" if you configure PPE to delay the expiry of long passwords. PPE automatically adds and removes users from this group. You can rename and move this group if needed. Windows handles all other account updates, including password changes and account lockouts.

Does the Password Policy Server create a single point of failure?

No. One of our competitors uses this deceptive claim to criticize PPE. The nFront Password Filter page addresses the misleading claims made by nFront Security. Our published test results show that Password Policy Enforcer is more capable, efficient, and secure than nFront Password Filter.

Does PPE work with Windows Server Core and read-only domain controllers (RODC)?


Do I have to install client software to enforce a password policy?

No. PPE includes an optional Password Policy Client to help users choose a compliant password, but the PPC is not needed to enforce password policies.

Are users prompted to change their expiring password if the Password Policy Client is not installed?

Yes. Use the "Prompt user to change password before expiration" setting in Group Policy to control this feature. PPE can also send e-mail reminders to domain accounts before their passwords expire.

Is Password Policy Enforcer compatible with Remote Desktop Connection and Microsoft Terminal Services?


Does the Password Policy Client install a GINA DLL?


Can the password policy be relaxed for long passwords?

Yes. PPE can disable any number of rules when a user enters a passphrase. PPE can also delay the expiry of long passwords in a domain so that users do not have to change them as often as those with short passwords.

Can PPE expire passwords gradually?

Yes. PPE's Maximum Age rule has transitional modes that expire old domain passwords gradually.

Can PPE send e-mail reminders to users?

Yes. The PPE Mailer can send up to three customizable e-mail reminders to domain accounts before their passwords expire.

Can PPE stop a user from reusing a password for a specified time?

Yes. PPE's History rule can be enforced for a number of days, or a number of password changes.

Does PPE store passwords to enforce the History rule?

No. PPE only stores hashes of the passwords. The hashes are salted for additional security. PPE does not store password hashes if the History rule is disabled. You can use the Windows history rule with PPE if you do not want PPE to store a password history.

Does PPE store passwords to enforce the Similarity rule?

No. PPE does not store passwords or password hashes to enforce the Similarity rule.

Can PPE enforce a password policy for non-domain user accounts?

Yes. PPE V7.5 and later can enforce password policies for both domain and local user accounts. Local password policies can be enforced on standalone and domain member computers (servers and workstations). Most rules and features are compatible with both policy types, but there are some differences.

Does PPE allow users to reset forgotten passwords?

Not directly. It integrates with ANIXIS Password Reset to provide a secure self-service password reset system.

Can we use PPE's password policy enforcement in our applications?

Yes. Send an e-mail to to request information about the PPE Client API.

Can ANIXIS develop a new rule to help enforce our password policy?

Yes. We do sometimes modify PPE to enforce unusual password policies. Send your request to