# Compromised Users Report

<div align="left"><figure><img src="/files/hti4EEw9qKtoce3TvHc5" alt="" width="375"><figcaption><p>Sample Compromised Users Report</p></figcaption></figure></div>

This report shows you a list of all the users with out-of-policy passwords or compromised credentials.  For each user, you can see when the compromised password was detected and what remediation action was taken in response, along with the current status of that remediation action.  The *More Info*  link next to each user will bring up a dialog with additional details.

The *Monitoring Policy* filter dropdown at the top right allows you to further filter the report, so you can filter down to just the users under a specific monitoring policy.  The Update button in the header allows you to refresh the report. Since this report can be time-consuming to generate for larger domains, it is only refreshed on demand. If the data is stale (more than 15 minutes out of date), you will see a red warning message next to this Update button reminding you that you need to regenerate the report to see current data.

#### **Compromised Users Report Fields**

<table><thead><tr><th width="226">Field</th><th>Description</th></tr></thead><tbody><tr><td>Username</td><td>The user’s username in AD.</td></tr><tr><td>Compromised On</td><td>The time the compromise was detected, in your local timezone</td></tr><tr><td>Policy Applied</td><td>The monitoring policy the user was under at the time of the detection</td></tr><tr><td>Original Action Taken</td><td>The remediation action specified on the policy at the time of the compromise</td></tr><tr><td>Remediation Action State</td><td>The current status of the remediation action.  In the case of delayed remediation actions, this indicates whether the delay period has expired or not and whether the action was applied.  In the case where an administrator has manually applied a remediation from this console, that will appear here as well.</td></tr></tbody></table>

You can use the checkboxes on the left side of each row to select one or more compromised users and manually apply one of the three remediation actions available by clicking the buttons at the bottom of the grid:

| Action Button             | Effect                                                                                                                                                                                |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Force Password Change Now | Sets the account(s) to *Force Password Change on Next Login* in Active Directory                                                                                                      |
| Disable Account(s) Now    | Disables the selected account(s) in Active Directory                                                                                                                                  |
| Notify User(s) by Email   | Resends the email notification users receive letting them know they need to change their password.  This will use the custom email content you have specified for the applied policy. |

Clicking the *More Info...* link on a row brings up the Compromise Details dialog:

<div align="left"><figure><img src="/files/HTUHH7x7AaAa59vYig84" alt="" width="375"><figcaption><p>Sample of the Compromise Details dialog</p></figcaption></figure></div>

This dialog contains more detailed info about the compromised password, including an Event Log of all events that have occurred from the time of detection.  You can take the same manual remediation actions from this dialog.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enzoic.com/enzoic-for-active-directory/product-usage/enzoic-installed-product-console/reporting/compromised-users-report.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.