The big "gotchas" I discuss in today's episode are:
If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords.
If you want to take, for example, just the top 100 words off of Troy's list and start your implementation off with a small list with:
Get-Content ".\pwnedpasswords.txt" | select -First 100
- As it relates to "hard coding" a machine to point to a specific domain controller, this site has the technique I used. Is there a better way?