Compromised Users Report

Enzoic for Active Directory v3.5

This report shows you a list of all the users with out-of-policy passwords or compromised credentials. For each user, you can see when the compromised password was detected and what remediation action was taken in response, along with the current status of that remediation action. The More Info link next to each user will bring up a dialog with additional details.

The Monitoring Policy filter dropdown at the top right allows you to further filter the report, so you can filter down to just the users under a specific monitoring policy. The Update button in the header allows you to refresh the report. Since this report can be time-consuming to generate for larger domains, it is only refreshed on demand. If the data is stale (more than 15 minutes out of date), you will see a red warning message next to this Update button reminding you that you need to regenerate the report to see current data.

Compromised Users Report Fields

Field	Description
Username	The user’s username in AD.
Compromised On	The time the compromise was detected, in your local timezone
Policy Applied	The monitoring policy the user was under at the time of the detection
Original Action Taken	The remediation action specified on the policy at the time of the compromise
Remediation Action State	The current status of the remediation action. In the case of delayed remediation actions, this indicates whether the delay period has expired or not and whether the action was applied. In the case where an administrator has manually applied a remediation from this console, that will appear here as well.

Field

Description

Username

The user’s username in AD.

Compromised On

The time the compromise was detected, in your local timezone

Policy Applied

The monitoring policy the user was under at the time of the detection

Original Action Taken

The remediation action specified on the policy at the time of the compromise

Remediation Action State

The current status of the remediation action. In the case of delayed remediation actions, this indicates whether the delay period has expired or not and whether the action was applied. In the case where an administrator has manually applied a remediation from this console, that will appear here as well.

You can use the checkboxes on the left side of each row to select one or more compromised users and manually apply one of the three remediation actions available by clicking the buttons at the bottom of the grid:

Action Button	Effect
Force Password Change Now	Sets the account(s) to Force Password Change on Next Login in Active Directory
Disable Account(s) Now	Disables the selected account(s) in Active Directory
Notify User(s) by Email	Resends the email notification users receive letting them know they need to change their password. This will use the custom email content you have specified for the applied policy.

Action Button

Effect

Force Password Change Now

Sets the account(s) to Force Password Change on Next Login in Active Directory

Disable Account(s) Now

Disables the selected account(s) in Active Directory

Notify User(s) by Email

Resends the email notification users receive letting them know they need to change their password. This will use the custom email content you have specified for the applied policy.

Clicking the More Info... link on a row brings up the Compromise Details dialog:

This dialog contains more detailed info about the compromised password, including an Event Log of all events that have occurred from the time of detection. You can take the same manual remediation actions from this dialog.

PreviousMonitored Users Report NextUsers Sharing Passwords

Last updated 1 month ago