Reference Material | Specops Authentication Scripted Install

To get started with Specops Authentication, you will need to install the Gatekeeper component in your Active Directory. The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script-based installation procedure. This guide walks through the script-based installation procedure.


Your organization’s environment must meet the following requirements:

  • Gatekeeper server computer:
    • Joined to your Active Directory domain
    • Windows Server 2012 R2 or newer (core or with desktop experience)
    • .NET Framework 4.7 or later
  • Administrative privileges: To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
  • Account options: There are two options for the account the Gatekeeper Windows service will “run as”. Prepare to use one of the following:
    • Managed Service Account (recommended): Using a managed service account for the Specops Authentication Gatekeeper is easy and requires no extra action from you as the installation administrator. The script will create a managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
    • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Security groups: The installation script will create security groups used by Specops Authentication. There is no action required by you.
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Specops Authentication web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.

Create your customer account

To get started with Specops Authentication, you will require a customer account. You can create your customer account, from:

  1. Enter the following information:
    • Your organization’s name
    • Your organization’s domain name
  2. Click Save.

Download the Gatekeeper setup

On the Gatekeeper download page, use the Download script based installation (.zip) option. Remember to write down or save the Activation code. The code is only valid for 24 hours after creating your customer account.

  1. Unblock the zip file after download. In Windows Explorer, right-click the file, select Properties, and on the General tab click Unblock.
  2. Copy/extract the zip to the Gatekeeper computer’s C:\Temp\Gatekeeper folder, or another folder you select.
  3. The script-based installation can be started from a PowerShell remote session or from the Hyper-V console.
    Note: when installing over a remote session started with the Enter-PSSession command, you will likely run into an ‘Access Denied’ error. This can be resolved by using CredSSP instead: Enter-PSSession -Authentication CredSSP.

    If CredSSP has not been enabled on your client and server, it can be enabled by issuing the following commands:

    On the client

    Enable-WSManCredSSP -Role Client -DelegateComputer server

    where server is the server’s fully qualified machine name.

    On the server

    Enable-WSManCredSSP -Role Server

    To start the installation, open PowerShell (either remotely or from the console) and run Install.ps1 with the parameters for your installation type. See the example usages below:

    • Managed Service Account:

      C:\Temp\Gatekeeper\Install.ps1 -ManagedServiceAccount -ActivationCode:'12345678'

      Optionally, to restrict Gatekeeper permission to a specific organizational unit and its children in Active Directory, use the “-ScopeDn” parameter. If “-ScopeDn” is not provided, users from the entire Active Directory domain can use Specops Authentication.

      C:\Temp\Gatekeeper\Install.ps1 -ManagedServiceAccount -ActivationCode:'12345678' -ScopeDn:'DC=test,DC=acme,DC=org'

    • Domain Account: The installation script will prompt for the provided account’s password, so have it available when running the script.

      C:\Temp\Gatekeeper\Install.ps1 -DomainServiceAccount -DomainServiceAccountName:'Gatekeeper' -ActivationCode:'12345678'
  4. Once the installation procedure has finished, start the Specops Authentication Gatekeeper Admin tool, and remotely connect to the Gatekeeper. The admin tool installation MSI is available in the downloaded zip file, under MSI\Specopssoft.Authentication.Gatekeeper.Admin-x64.msi.
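
Steps 1 to 3 as a single session run from an elevated PowerShell prompt on an administration workstation, added here as an example and not taken from the Specops package: it unblocks the zip without Windows Explorer, limits CredSSP delegation to the one Gatekeeper server, and disables CredSSP again after the install. The server name, zip file name and download path are placeholders; Copy-Item -ToSession and Expand-Archive assume PowerShell 5.0 or later on both machines.

```powershell
# Added example: $Server and $Zip are placeholders, not names from the Specops package.
$Server = 'srv17.test.acme.org'            # Gatekeeper server FQDN (placeholder)
$Zip    = 'C:\Downloads\Gatekeeper.zip'    # downloaded script package (placeholder name)
$Target = 'C:\Temp\Gatekeeper'             # folder used in the guide
$Cred   = Get-Credential                   # account with the required admin rights

# Step 1: remove the "downloaded from the Internet" mark without Windows Explorer.
Unblock-File -Path $Zip

# Step 2: copy the zip over an ordinary remoting session and extract it on the server.
$s = New-PSSession -ComputerName $Server -Credential $Cred
Invoke-Command -Session $s -ScriptBlock {
    New-Item -ItemType Directory -Path $using:Target -Force | Out-Null
}
Copy-Item -Path $Zip -Destination "$Target\Gatekeeper.zip" -ToSession $s
Invoke-Command -Session $s -ScriptBlock {
    Expand-Archive -Path "$using:Target\Gatekeeper.zip" -DestinationPath $using:Target -Force
}

# Step 3: allow credential delegation to this one server only, never a wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null
Invoke-Command -Session $s -ScriptBlock { Enable-WSManCredSSP -Role Server -Force | Out-Null }
Remove-PSSession $s

try {
    # Assumes Install.ps1 does not prompt in managed service account mode; if it does, run
    # it interactively: Enter-PSSession -ComputerName $Server -Authentication Credssp
    Invoke-Command -ComputerName $Server -Authentication Credssp -Credential $Cred -ScriptBlock {
        & "$using:Target\Install.ps1" -ManagedServiceAccount -ActivationCode:'12345678'
    }
}
finally {
    # CredSSP passes the administrator's credentials to the server, so turn it off
    # on both sides as soon as the installation has run.
    Invoke-Command -ComputerName $Server -Credential $Cred -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
    Disable-WSManCredSSP -Role Client
}

Get-WSManCredSSP    # should report that delegation is no longer configured
```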