Reference Material | Administrator Enrollment

Specops Authentication for uReset allows administrators to enroll users to the system, without requiring users to go through the enrollment process. This can be achieved with any identity service that has identifier information stored in Active Directory.

  • Before using this guide, you need:
  • Basic knowledge of PowerShell
  • PowerShell 4.0 or later
  • Specops Authentication for uReset configured with an active Gatekeeper
  • Specops Authentication for uReset admin group membership
  • The Specops Authentication for uReset PowerShell module – installed with the administration tools (


The cmdlets can be used by administrators when managing users, or enrolling them in batches in Specops Authentication for uReset.

To import the module, run the following command in PowerShell on your Gatekeeper server:

import-module specops.authentication.gatekeeper


Takes the parameters Username, IdentityServiceId, and EnrollmentProof. Can be used to enroll with all identity services except: Secret Questions, Duo Security, Specops Fingerprint, Authenticators, Manager Identification, Symantec VIP, Facebook, LinkedIn, and Windows Identity.
Use the Get-SpecopsAuthenticationIdentityServices cmdlet to find the IdentityServiceId of your Identity Service.

Usage example:

Add-SpecopsAuthenticationIdentityServiceEnrollment -Username mySamAccountName -IdentityServiceId Tumblr -EnrollmentProof MyTumblrAccount

Mobile code admin enrollment

Mobile code admin enrollment requires updating the mobile attribute on the user object and the enrollment data in the leaf object. An administrator can update the mobile attribute on a user account from the Active Directory management tool, or with PowerShell. If you use the default mobile phone attribute, use the following command:

Set-ADUser -Identity user0020 -MobilePhone '+1-202-555-0191'

If you store the mobile number in a custom attribute, you need to supply that attribute instead. If, for example, the mobile number is in the otherMobile attribute, you can use the following command:

Set-ADUser -Identity user0020 -Replace @{otherMobile='+1-202-555-0191'}

After updating the mobile attribute you can use PowerShell to add the proof in the leaf object.

Add-SpecopsAuthenticationIdentityServiceEnrollment -username user0020 -IdentityServiceId MobileCode -EnrollmentProof +12025550191

Personal email admin enrollment

Usage example:

Add-SpecopsAuthenticationIdentityServiceEnrollment -username user0020 -IdentityServiceId AlternateEmail -EnrollmentProof


Takes the parameters Username, Answers and Language. Language is an optional 2-digit language code. Answers takes an array of questions and answers.

Usage example:

$questionsAndAnswers = @{"Question"="Who are you?"; "Answer"="No one"},@{"Question"="Why are you here?"; "Answer"="I am not"}
 Add-SpecopsAuthenticationQuestionsEnrollment –Username mySamAccountName –Answers $questionsAndAnswers


Lists the identity services that a user is enrolled with.

Usage example:

Get-SpecopsAuthenticationEnrollment -Username mySamAccountName


Lists all identity services available in your Specops Authentication subscription.

Usage example:



Removes all enrolled identity services from a user, except automatically enrolled ones, like Windows Identity, Duo Security, Manager Identification or Symantec VIP.

Usage example:

Remove-SpecopsAuthenticationEnrollment -Username mySamAccountName


Removes an identity service enrollment from a user.

Usage example:

Remove-SpecopsAuthenticationIdentityServiceEnrollment -Username mySamAccountName -IdentityServiceId Fingerprint