The Specops Authentication Client (version 7.15 and later) provides real-time feedback to end users as they are changing their passwords through CTRL+ALT+DEL Change Password… The client runs under the context of the machine’s system account and uses the computer...
Configure Specops Authentication Client to Prefer SPR
In environments where both Specops uReset and Specops Password Reset are installed, Specops Authentication clients will by default direct users to uReset to enroll and reset/change their passwords. We can configure the client via Group Policy or Windows registry...
Updating the Specops Arbiter Server Certificate
The Specops Arbiter service uses a self-signed certificate to encrypt communications from domain controllers to query the Specops API. If this certificate is expired or inadvertently deleted, the Arbiter server may not be able to start. Identify the Certificate...
Specops Authentication Configuration Hardening Guide
Specops Authentication services (uReset, Secure Service Desk, Key Recovery) run on public cloud infrastructure and by default are accessible from anywhere on the internet. We offer several features that can enable admins to restrict access to certain features of...
Granting Access to Specops Authentication Enrollment Data In Active Directory
Enrollment data in AD is locked down with a default permission set that should be sufficient for all Specops Authentication products to function. Use the instructions provided here only on guidance from Specops Support staff. The following PowerShell commands...
Granting Access to Password Reset Leaf Objects
Password Reset stores each user’s enrollment data in a leaf object underneath the user’s account (specops-spp-pwdReset). By design, access to these leaf objects is restricted as follows: SYSTEM – Full Control; Domain Admins – Full Control; Password Reset Service...
PowerShell Scripts to Force Password Change for All Users After a Security Incident
After a confirmed or even suspected security breach, it may be advisable to have all users change their passwords. In this post we’ll review how to confirm if users have changed their passwords and how to force users to complete...
Enroll Users with Non-Corporate Email Addresses in Personal Email
In certain environments, external users or contractors may be configured with a non-corporate email address in the ‘mail’ attribute (for example, a company email for the contractor organization or a personal/private email address). These users cannot use the Email...
Permissions Required To Administer Specops Password Policy
Specops Password Policy is designed to be administered by users with full administrative access in Active Directory. All administrative components run under the context of the user logged into Windows and interact directly with areas of Active Directory where...
Hide All Specops Authentication Client Components
Organizations may wish to deploy the Specops Authentication Client but keep all features hidden until a scheduled go-live. The ADMX Templates for the client may be used for this purpose to hide enhancements to Windows logon and password change,...