What it costs you today
In a domain of 1,200 accounts with a 90-day rotation policy, a typical sample finds 22% of accounts with PasswordNeverExpires, 14% with passwords not rotated in over 12 months and 7% with passwords that expire and never get changed. The operational problem is that AD policy does not audit itself: a user with PasswordNeverExpires who inherits SCCM admin permissions opens a lateral-movement window for an attacker, and an attacker holding credentials from a 6-month-old dump still finds a valid account. Modern pentests automate testing leaked credentials against AD: the typical metric is 4 to 8% of accounts compromised. A SOC 2 audit asks for evidence of "policy reviewed at least quarterly", and the IT team's answer is usually a manual spreadsheet consolidated at 3 am. "We have 240 accounts with a 3-year-old password and nobody touches them" is the most common finding in audits. How many credentials leaked in 2023 are still valid today?
What changes when you have it
On day one the script delivers an Excel with a maturity scorecard per account: password age, days to expiry, presence in public dumps, complexity and matches against weak patterns (Password1, Q1, season-year). Each row proposes an owner and a remediation plan: force rotation, disable, migrate to a protected group. The owner of the process is the security team, which now has live evidence for quarterly audits. The visible output is the Excel with a traffic-light rating, the prioritized remediation CSV and the signed log of executed actions. An insurer with 3,500 users cleared 1,180 passwords in the first quarter and evidenced the remediation to the regulator with timestamps. The investment pays back before the first external audit, typically in 2 to 4 months.
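As an added illustration, not the vendor's script, the core classification behind such a scorecard in PowerShell, run over constructed sample accounts; the attribute names are assumed to be the ones Get-ADUser returns, and the 90-day rotation policy is the one from the scenario above.

```powershell
# Added example, not the page's script: score accounts against a rotation policy.
# Input objects are assumed to carry the attribute names Get-ADUser returns:
# SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires.
function Get-PasswordMaturityScore {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int]$MaxPasswordAgeDays = 90,        # domain rotation policy
        [datetime]$Now = (Get-Date)           # injectable so reports are repeatable
    )
    process {
        # Null PasswordLastSet means the password was never set (or must change at logon)
        $ageDays = if ($Account.PasswordLastSet) { [int][math]::Floor(($Now - $Account.PasswordLastSet).TotalDays) } else { $null }
        # Findings in the order of severity used on this page
        if ($Account.PasswordNeverExpires) {
            $finding = 'PasswordNeverExpires'; $light = 'red';   $action = 'clear flag, force rotation, review group membership'
        } elseif ($null -eq $ageDays) {
            $finding = 'PasswordNeverSet';     $light = 'red';   $action = 'force change at next logon or disable'
        } elseif ($ageDays -gt 365) {
            $finding = 'NotRotated12Months';   $light = 'red';   $action = 'force rotation; disable if unowned'
        } elseif ($ageDays -gt $MaxPasswordAgeDays) {
            $finding = 'ExpiredNotChanged';    $light = 'amber'; $action = 'disable until the owner rotates it'
        } else {
            $finding = 'OK';                   $light = 'green'; $action = 'none'
        }
        # Negative DaysToExpire means the password is already past policy
        $daysToExpire = if ($Account.PasswordNeverExpires -or $null -eq $ageDays) { $null } else { $MaxPasswordAgeDays - $ageDays }
        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            Enabled         = $Account.Enabled
            PasswordAgeDays = $ageDays
            DaysToExpire    = $daysToExpire
            Finding         = $finding
            Light           = $light
            Action          = $action
        }
    }
}

# Constructed sample accounts (not real data). Against a live domain use instead:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet,PasswordNeverExpires
$ref = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sccm'; Enabled = $true; PasswordLastSet = $ref.AddDays(-900); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'jdoe';     Enabled = $true; PasswordLastSet = $ref.AddDays(-400); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'asmith';   Enabled = $true; PasswordLastSet = $ref.AddDays(-120); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bwong';    Enabled = $true; PasswordLastSet = $ref.AddDays(-30);  PasswordNeverExpires = $false }
)
$sample | Get-PasswordMaturityScore -Now $ref | Export-Csv -NoTypeInformation -Path .\password-maturity.csv
```

With the sample above the four accounts land as red (never expires), red (not rotated in 12 months), amber (expired, not changed) and green, which is the traffic-light column the scorecard carries into the remediation CSV.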
Password policy maturity scorecard
I want to implement this
Let's talk 20 minutes about your environment and review scope, architecture and the work plan together. No commitment.
Related projects
Morning Active Directory health check
One daily email with the real state of your AD: replication, lockouts, expired passwords, new GPOs.
Automated onboarding and offboarding
One script creates the user in AD, M365, groups, license and mailbox — or removes them cleanly in 30 seconds.
Installed software inventory + license reconciliation
Weekly CSV with all software installed across the fleet, compared against the authorized software list.