When it comes to Enzoic it is not uncommon to see discrepancies between our Enzoic for Active Directory Lite product and Enzoic for Active Directory. This is because the Lite is strictly comparing NTLM hashes to our database. We do this in our free product because it is less invasive for someone trialing the software, as it doesn’t require users to change their password. But NTLM checks are limited in their scope. Enzoic doesn’t actually ‘know’ the password, it is simply initiating a one to one hash check against our NTLM database, and isn’t leveraging any of our other databases or password policies that Enzoic for AD uses. For best practices we suggest using Enzoic for Active Directory Lite as a quick baseline to see your worst offending user passwords but know that when you install and tune Enzoic for Active Directory, you will most likely have more.