Administrator Enrollment

Specops Authentication for Specops uReset 8 allows administrators to enroll users to the system, without requiring users to go through the enrollment process. This can be achieved with any identity service that has identifier information stored in Active Directory.

Before using this guide, you need:

  • Basic knowledge of PowerShell
  • PowerShell 4.0 or later
  • Specops Authentication for Specops uReset 8 configured with an active Gatekeeper
  • Specops Authentication for uReset 8 admin group membership
  • The Specops Authentication for uReset 8 PowerShell module, installed with the administration tools in C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Specops.Authentication.Gatekeeper.Admin

Identity services for enrollment

Administrators can enroll with the following identity services:

  • Personal Email
  • Mobile Code
  • Secret Questions
  • Yubikey
  • Mobile Bank ID
  • Google

Cmdlets

The cmdlets can be used by administrators when managing users, or enrolling them in batches in Specops Authentication for uReset 8.

To import the module, run the following command in PowerShell on your Gatekeeper server:

import-module specops.authentication.gatekeeper

Add-SpecopsAuthenticationIdentityServiceEnrollment

Takes the parameters Username, IdentityServiceId, and EnrollmentProof. Can be used to enroll with all identity services except: Secret Questions, Duo Security, Specops Fingerprint, Authenticators, Manager Identification, Symantec VIP, LinkedIn, and Windows Identity.
Use the Get-SpecopsAuthenticationIdentityServices cmdlet to find the IdentityServiceId of your Identity Service.

Usage example:

Add-SpecopsAuthenticationIdentityServiceEnrollment -Username mySamAccountName -IdentityServiceId Tumblr -EnrollmentProof MyTumblrAccount

Mobile Code (SMS) admin enrollment

Mobile Code (SMS) admin enrollment requires updating the mobile attribute on the user object and the enrollment data in the leaf object. An administrator can update the mobile attribute on a user account from the Active Directory management tool, or with PowerShell. If you use the default mobile phone attribute, use the following command:

Set-ADUser -Identity user0020 -MobilePhone '+1-202-555-0191'

If you store the mobile number in a custom attribute, you need to supply that attribute instead. If, for example, the mobile number is in the otherMobile attribute, you can use the following command:

Set-ADUser -Identity user0020 -Replace @{otherMobile='+1-202-555-0191'}

For Gatekeeper Admin Tool 8.23 and later: after updating the mobile attribute you can use PowerShell to add the proof in the leaf object.

Add-SAMobileCodeEnrollment -Username jane.doe -MobileNumber +123 -GatekeeperServer dc02.subaru.local

For Gatekeeper Admin Tool 8.22 and earlier: after updating the mobile attribute you can use PowerShell to add the proof in the leaf object.

Add-SpecopsAuthenticationIdentityServiceEnrollment -username user0020 -IdentityServiceId MobileCode -EnrollmentProof +12025550191
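
The two Mobile Code steps above, run as a batch with input validation and a per-user result record, since an admin-enrolled number becomes an authentication factor the user never confirmed. This is an added example, not Specops code: the CSV paths, the column names Username and Mobile, the helper function names, and the digits-only normalization of the number are assumptions.

```powershell
# Added example (not from Specops). Assumes the ActiveDirectory module and the
# Gatekeeper admin module are already imported, and Gatekeeper Admin Tool 8.23+.
# Hypothetical input file: CSV with the columns Username,Mobile.

function ConvertTo-EnrollmentNumber {
    param([Parameter(Mandatory)][string]$Mobile)
    # Keep the leading + and digits only: '+1-202-555-0191' -> '+12025550191'
    $n = $Mobile.Trim() -replace '[^\d+]', ''
    # Assumption: international format, a + followed by 7 to 15 digits
    if ($n -notmatch '^\+[1-9]\d{6,14}$') {
        throw "Not an international number: '$Mobile'"
    }
    return $n
}

function Invoke-MobileCodeBatchEnrollment {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$GatekeeperServer
    )
    $ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable exceptions
    foreach ($row in Import-Csv -Path $CsvPath) {
        $status = 'Enrolled'; $detail = ''
        try {
            $number = ConvertTo-EnrollmentNumber -Mobile $row.Mobile
            # Resolve the account first so a typo in the CSV fails before any write
            $user = Get-ADUser -Identity $row.Username
            # Step 1: update the mobile attribute on the user object
            Set-ADUser -Identity $user -MobilePhone $row.Mobile.Trim()
            # Step 2: add the proof in the leaf object (8.22 and earlier: use
            # Add-SpecopsAuthenticationIdentityServiceEnrollment as shown above)
            Add-SAMobileCodeEnrollment -Username $user.SamAccountName -MobileNumber $number -GatekeeperServer $GatekeeperServer
        } catch {
            $status = 'Failed'; $detail = $_.Exception.Message
        }
        # One record per row so the run can be reviewed afterwards
        [pscustomobject]@{
            Username = $row.Username; Status = $status
            Detail   = $detail;       When   = (Get-Date).ToString('s')
        }
    }
}

# Hypothetical paths; the server name is the one used in the example above
Invoke-MobileCodeBatchEnrollment -CsvPath 'C:\Temp\enroll.csv' -GatekeeperServer 'dc02.subaru.local' |
    Export-Csv -Path 'C:\Temp\enroll-result.csv' -NoTypeInformation
```

Running Get-SpecopsAuthenticationEnrollment -Username against a few of the accounts afterwards confirms which identity services each user ended up enrolled with.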

admin enrollment

Usage example:

Add-SpecopsAuthenticationIdentityServiceEnrollment -username user0020 -IdentityServiceId AlternateEmail -EnrollmentProof user@domain.com

Add-SpecopsAuthenticationQuestionsEnrollment

Takes the parameters Username, Answers and Language. Language is an optional 2-digit language code. Answers takes an array of questions and answers.

Usage example:

$questionsAndAnswers = @{"Question"="Who are you?"; "Answer"="No one"},@{"Question"="Why are you here?"; "Answer"="I am not"}
Add-SpecopsAuthenticationQuestionsEnrollment -Username mySamAccountName -Answers $questionsAndAnswers

Get-SpecopsAuthenticationEnrollment

Lists the identity services that a user is enrolled with.

Usage example:

Get-SpecopsAuthenticationEnrollment -Username mySamAccountName

Get-SpecopsAuthenticationIdentityServices

Lists all identity services available in your Specops Authentication subscription.

Usage example:

Get-SpecopsAuthenticationIdentityServices

Remove-SpecopsAuthenticationEnrollment

Removes all enrolled identity services from a user, except automatically enrolled ones, like Windows Identity, Duo Security, Manager Identification or Symantec VIP.

Usage example:

Remove-SpecopsAuthenticationEnrollment -Username mySamAccountName

Remove-SpecopsAuthenticationIdentityServiceEnrollment

Removes an identity service enrollment from a user.

Usage example:

Remove-SpecopsAuthenticationIdentityServiceEnrollment -Username mySamAccountName -IdentityServiceId Fingerprint