Knowledge Base

Our dedicated Product Specialist team is always ready to help you when you need it the most. Contact Support

Specops Password Reset

Unable to Delete Users with Leaf Objects

Specops Password Policy, Password Reset, and uReset/Specops Authentication all use leaf objects under user accounts for the purposes of storing user specific information — for Password Policy this includes password history and length-based password age information; for Password Reset and uReset/Specops Authentication the leaf object contains user enrollment data. The advantage of using a leaf...

Specops Is Not Accurately Displaying my Domain Password Policy or Fine-Grained Password Policy

In Specops Password policy administrative tools or in Specops uReset/Password Reset you may find that the displayed password policy rules from Active Directory do not appear accurate. All Specops password products respect both the default and fine-grained password policies as configured in Active Directory and are displayed by reading the relevant configuration attributes directly from...

Replacing the Specops Password Reset Web Server Certificate

Specops Password Reset web runs within IIS, typically under the Default Web Site. Specops recommends using a certificate issued by a commercial or enterprise internal certificate authority to secure traffic to the web server, and if doing so, the administrator of that system should be able to provide guidance on how to create a certificate...

“Identity check failed for outgoing message” error when accessing any Password Reset Webpage after an upgrade or opening the Configuration tool

Complete message reads: “Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘’ but the remote endpoint provided DNS claim ‘’ If this is a legitimate endpoint, you can fix the problem by explicitly specifying DNS identity ‘’ as the identity property of EndpointAddress when creating channel proxy.” Possible...

An error occurred when serving the request. Please contact your administrator – Specops Password Reset service will not start.

Description: Users attempt to go to the Specops Password Reset page, and they encounter the error below: You check the Specops Password Reset Service on your Specops Password Reset Server and find that it is not running. When you attempt to start it, the service fails to start. In the Event Viewer, Windows Logs, Application...

When the user follows the enrollment reminder link, they are told that they do not have a configured enrollment policy

The service account has lost permissions to read the Specops Password Reset Group Policy Object. Possible solution From the Group Policy Management Console, add the service account to the Delegation Tab of the Specops Password Reset Group Policy Object with Read rights.

User receives “the certificate revocation list server could not be reached” message when they click the reset password link at the logon screen, but not when they browse to the reset page when logged in.

User is not connected to the internet at the logon screen. Possible solution You can use one of the following three options below to solve this issue: Add a new rule to your proxy that allows “domain computers” to reach the CRL servers on the internet. The rule will look similar to the example below:...

“Access denied” message when enrolling with an admin account

Admin accounts are affected by the adminSDHolder rule, which resets the security permissions on privileged AD accounts every 15 minutes. Possible solution Log in with an account with Domain Admin permissions and run the following command. dsacls "CN=AdminSDHolder, CN=System, <Domain DN>" /G "<ServiceAccount>:CCDC;classStore;" "<ServiceAccount>:LC;;" "<ServiceAccount>:CA;Reset Password;" "<ServiceAccount>:RP;userAccountControl;" "<ServiceAccount>:RPWP;mobile;" "<ServiceAccount>:RPWP;pwdLastSet;" "<ServiceAccount>:RPWP;lockoutTime;" Example: dsacls "CN=AdminSDHolder, CN=System, DC=example,...

Access denied message on helpdesk webpage

Delegated Helpdesk does not work against an alias: You must access the page through the FQDN. Possible solution Add another CN to the certificate. “CN=hostname.domain.local” if using https://hostname.domain.local/specopspassword/helpdesk; Or “CN=hostname” if using just the server name https://hostname/specopspassword/helpdesk.

Always get prompted for windows credentials when opening the Helpdesk/Reporting page

You have not added the FQDN of the server (or * to the local intranet site using the GPO site to Zone Assignment. Possible solution You will need to complete the steps under “Enabling authentication to the Password Reset Web Server” in the Specops Password Reset Installation Guide.
Next Page »