When it comes to Enzoic it is not uncommon to see discrepancies between our AD Lite product and Enzoic for Active Directory. This is because AD Lite is strictly comparing NTLM hashes to our database. We do this in our free product because it is less invasive for someone trialing the software, as it doesn’t require users to change their password. But NTLM checks are limited in their scope. Enzoic doesn’t actually ‘know’ the password, it is simply initiating a one to one hash check against our NTLM database, and isn’t leveraging any of our other databases or password policies that Enzoic for AD uses. For best practices we suggest using AD Lite as a quick baseline to see your worst offending user passwords but know that when you install and tune Enzoic for AD, you will most likely have more.