Administration

This guide is intended for administrators who are responsible for managing user accounts in their Microsoft Active Directory environment. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Policy.

Key components

Specops Password Policy can be configured from any computer in the domain where the Specops Password Policy Administration Tools are installed. The administration tool can be used to configure different aspects of the product.

Domain Administration tool: The Domain Administration tool controls domain wide settings for Specops Password Policy.

Group Policy snap-in: Manages Specops Password Policy settings.

Domain Administration Tool

You can use the Domain Administration tool to manage configurations that apply to your entire domain. Once you have modified the settings, your changes are automatically saved.

You can access the Domain Administration tool via the start menu.

Domain Administration

You can use the Domain Administration tab to perform the following tasks:

  • Disable and enable Specops Password Policy: Applied to your entire domain and determines if the Sentinel processes incoming password changes.
  • Edit license information: Used to view, add, or edit your license information.

Domain Settings

You can use the Domain Settings tab to perform the following tasks:

  • Save previous password with reversible encryption: Allows you to save the user’s previous password with reversible encryption in Active Directory.
    • Reversible encryption is needed for the following settings:
      • Disallow reusing part of the current password
      • Minimum number of changed characters

Note: If the checkbox isn’t checked, the password is saved with one-way encryption.

  • Email Settings: Here the global SMTP settings for all email notifications can be configured. The following settings need to be configured:

    Note: It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.

    • The SMTP Server
    • Use TLS (if enabled, communication between the client and the SMTP server is encrypted)
    • Port (port outgoing emails are to be sent through; default is port 25)
    • Authentication (sets the method for authenticating with the SMTP server: Anonymous Access, Basic Authentication, or Integrated Windows Authentication)
    • Default Sender Email Address
    • Default Sender Display Name

For more information on all notification settings, please refer to the Notifications page.

  • Custom user attributes
    If email and telephone number in Active Directory are not stored in the standard email and mobile fields, respectively, they can be overridden here.

Password Policy Sentinel state

You can use the Password Policy Sentinel state tab to verify that you have installed the Sentinel on all writable domain controllers. If you notice a domain controller is missing the Sentinel component, you can:

  • Run the Setup Assistant again to install it, or
  • Manually install the Sentinel Component on the affected domain controller

Configured password policies

You can use the Configured password policies tab to perform the following tasks:

  • View the list of all Group Policy Objects in your domain that contain password policy settings.
  • Edit an existing Group Policy Object.

Edit selected GPO

  1. Click Edit selected GPO to launch the Group Policy Object Editor.
  2. In the Group Policy Object Editor, expand User Configuration, Windows Settings, and select Specops Password Policy.
  3. Click Configure Password Policy.
  4. Edit the settings, and click OK.

Language files

You can use the Language files tab to update to new versions of language files. The update is only available when an upgrade has placed newer language files on the computer where the Domain Administration tool is installed.

Password policy templates

You can use the Password policy templates node to create a new password policy template, or view an existing template based on the NIST, NCSC, Microsoft, or NSA recommendations. A password policy template helps keep your policy settings consistent throughout your domain.

Create a new Password Policy Template

  1. Click Create New Password Policy Template.
  2. In the Template name field, enter a name for the template.
  3. In the Description field, enter a description for the template.
  4. Specify the settings, and click Save.

Use an existing password policy template

  1. In the Group Policy Management Editor expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
  2. Click Create New Password Policy from Template. Select a Password Policy Template to use for the Group Policy.
  3. If the Microsoft or NSA template is selected, you will be taken to the policy settings page for additional configuration options. If the NIST or NCSC template is selected, you will be prompted to:
    1. Create a list of disallowed words.
    2. Download the password dictionary for the template. The dictionary is a combination of password lists designed for penetration tests.
    3. Set a maximum password age for users affected by the policy to proactively check against password dictionaries, and prevent the creation of vulnerable passwords. This is a Specops recommendation that can help you stay protected against the latest dictionary lists.
    4. If the NCSC template is selected, you will be prompted to set a minimum password length for users affected by the policy.
    5. You will be taken to the policy settings page for additional configuration options. Click OK when you are done.

Specops Password Auditor

You can use Specops Password Auditor to scan your Active Directory and detect security-related weaknesses, specifically those related to password policies.

Click Start Specops Password Auditor to get started.

For more information about Specops Password Auditor, click here.

Group Policy Snap-In

The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Policy settings in Group Policy Objects. The settings are stored as a part of the GPO. Managing Specops Password Policy settings in Group Policy allows you to control how and where the policies are applied.

Create a Specops Password Policy GPO

  1. In the GPMC, expand your domain node and locate the Group Policy Objects node.
  2. Right click on the GPO node and select New.
  3. Enter a name for the Group Policy Object and click OK.

Applying policy settings

The password policy will apply to all user accounts in locations where your GPO is linked.

If more than one GPO is linked at the same level, the link order of the GPOs determines the order in which they are processed. If conflicting settings from multiple GPOs apply to a user, Group Policy resolves the conflict. Group Policy Objects are applied in the following order, and the GPO closest to the user object in AD has the highest precedence:

  • Local Group Policy Objects
  • Site linked Group Policy Objects
  • Domain linked Group Policy Objects
  • OU linked Group Policy Objects

If the above order does not enable you to apply your preferred settings, you can use security filtering to control on a permission level which users and computers will be affected by the GPO. Security filtering allows you to apply different policy settings to objects located on the same level in Active Directory.

Policy Settings

In the Group Policy Management Editor expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy. Click Create New Password Policy to configure the policy. You can use policy settings to manage password security for users in your organization.

Start

You can configure a password policy to use classic password rules, passphrases, or both. A passphrase is a special type of password based on a sentence or a series of words. By default, the only requirement for a passphrase is that it must be long.

General Settings

Password history

Note: If you enable remember passwords, we create a leaf object where the password history is stored. By default, the leaf object is locked down, and subordinate to the user. For more information, click here.

  • Number of remembered passwords: Specify the number of passwords the system will remember. Users will be prevented from reusing the stored passwords.
  • Minimum password age (days): Specify the number of days that must elapse before the user is allowed to change their password.
  • Disallow incremental passwords: Prevent users from selecting a new password that differs from the old password only in the last character.
  • Minimum number of changed characters: Specify the number of characters that must be changed in a password.
  • Disallow reusing part of the current password: Specify the number of consecutive characters from the old password that are not allowed in the new password.

Note: After enabling this setting, you will need to reboot your PDC emulator DC to allow the setting to take effect.

Password expiration

  • Maximum password age (days): Specify the time (in days) that can elapse before a password expires.
  • Warning at logon before expiration (days): Specify the time (in days) before the password expires that the user receives notifications from the Specops Client to change their password.
  • Send email warning (days): Specify the time (in days) before the password expires that the user receives email reminders to change their password.

Note: For more detailed information about how to manage password expiration settings, including length-based password aging, click here.

Account lockout settings

  • Disable account lockout: Prevent accounts from being locked out of Active Directory. This setting is commonly used for Windows accounts running critical services.

Password reset options

  • Ignore this policy on password reset: Ignore policy settings when the password is being reset.
    Note: Do not enable this setting if the user can reset passwords through a self-service solution such as Specops Password Reset.
  • Require user to change password on next logon: Require the user to change their password on the next logon after the password has been reset.
  • Unlock locked accounts automatically on reset: Automatically unlock user accounts when their passwords are reset.

Client message

This setting is used to control the contents of the message sent to the users when they fail to meet their password rules:

  • Client message language: Specify the language localization to use in the message.
  • User feedback on failed attempt: Display the policy rules, the failed rules, or a custom message after a failed attempt.
  • Additional information to end users at password change: Specify any additional information you want to give end users when they change their passwords.

Password Rules

Password length requirements

  • Minimum password length: Specify the minimum number of characters in a password.
  • Maximum password length: Specify the maximum number of characters in a password.

Character group requirements

  • Number of required character groups: Specify the number of character groups from which the password must contain characters.
  • Required alpha characters: Specify the minimum number of alpha characters (A-Z) in a password.
  • Required upper case characters: Specify the minimum number of upper case alpha characters in a password.
  • Required lower case characters: Specify the minimum number of lower case alpha characters in a password.
  • Required non alpha characters: Specify the minimum number of non-alpha characters (digits, special characters, Unicode characters) in a password.
  • Required digits: Specify the minimum number of digits (0-9) in a password.
  • Required special characters: Specify the minimum number of special characters in a password.
  • Required Unicode characters: Specify the minimum number of Unicode characters that must be present in the password.
    Note: Enable this feature only if users are able to enter Unicode characters directly from their keyboards.

Regular expressions

  • Use regular expressions: Allows the use of regular expression (RegEx) string matching against the password.

Password content restrictions

  • Disallow username in password: Prevent the use of the username in the password.
  • Disallow full username in password: Prevent the use of the full account name (first name, last name, display name) in the password.
  • Disallow part of username in password: Prevent the use of parts (three or more consecutive characters) of the account name (first name, last name, display name) in the password.
  • Disallow digit as first character in a password: Prevent the use of a digit as the first character in a password.
  • Disallow digit as last character in a password: Prevent the use of a digit as the last character in a password.
  • Disallow consecutive identical characters: Specify the number of identical consecutive characters that can be used in a password.

Dictionary

  • Use custom dictionaries: Using a custom dictionary allows you to add, configure, and remove password lists and password hash lists. The list is checked each time there is a password change in Active Directory. A new password will be rejected if it is found in the dictionary.
  • Use online dictionaries: Using an online dictionary allows you to add, configure, and remove password lists and password hash lists that have been published on the Specops website. Browse for a password list or password hash list to import. The list is checked each time there is a password change in Active Directory. A new password will be rejected if it is found in the dictionary.
  • Show failed dictionary word to user: When dictionaries are used and configured for partial matching, this setting displays the part of the password that was found in a dictionary after a failed password change attempt.

Note: For more information about dictionaries, see Configure custom and online dictionaries.
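To make the semantics of the history, content-restriction, dictionary and regular-expression rules in the tables above concrete, here is an added example checker written for this page. It is not Specops code and does not reproduce the product's matching logic; the rule thresholds, the helper names (Policy, check, levenshtein, dictionary_hit), the use of edit distance as "number of changed characters", and the sample dictionary and user are all constructed assumptions. It goes slightly beyond the tables by evaluating every rule in one pass and returning all failed rules, which is what a "failed rules" client message would need.

```python
"""Illustrative checker for the password rules described above (added example,
not Specops code). Rule names, thresholds and the sample data are constructed
for this example; the product's actual matching logic is not published here."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Thresholds named after the Group Policy settings in the tables above."""
    min_length: int = 10
    max_length: int = 64
    required_groups: int = 3           # of: upper, lower, digit, special
    max_identical_run: int = 2         # "Disallow consecutive identical characters"
    disallow_digit_first: bool = True
    disallow_digit_last: bool = True
    disallow_incremental: bool = True  # new password differs only in the last character
    min_changed_chars: int = 4         # needs the previous password (reversible storage)
    reuse_window: int = 4              # "Disallow reusing part of the current password"
    name_part_len: int = 3             # "Disallow part of username in password"
    dictionary: frozenset = frozenset()
    dictionary_partial: bool = True    # partial match lets the failed word be shown
    regexes: tuple = ()                # "Use regular expressions": each must match


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used here as the 'number of changed characters' (assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_identical_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best


def dictionary_hit(policy: Policy, candidate: str):
    """Return the matching dictionary word (what a partial-match failure would show)."""
    lowered = candidate.lower()
    for word in sorted(policy.dictionary):
        w = word.lower()
        if lowered == w or (policy.dictionary_partial and w in lowered):
            return word
    return None


def check(policy, candidate, old_password="", username="", name_parts=()):
    """Return the list of rules the candidate fails (empty list = accepted)."""
    failures = []
    lowered = candidate.lower()
    if not policy.min_length <= len(candidate) <= policy.max_length:
        failures.append("length")
    groups = (any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
              any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if sum(groups) < policy.required_groups:
        failures.append("character groups")
    if policy.disallow_digit_first and candidate[:1].isdigit():
        failures.append("digit first")
    if policy.disallow_digit_last and candidate[-1:].isdigit():
        failures.append("digit last")
    if longest_identical_run(candidate) > policy.max_identical_run:
        failures.append("consecutive identical characters")
    if username and username.lower() in lowered:
        failures.append("username in password")
    n = policy.name_part_len   # any n consecutive characters of a name part
    if any(p.lower()[i:i + n] in lowered
           for p in name_parts for i in range(len(p) - n + 1)):
        failures.append("part of name in password")
    if old_password:   # history rules: only possible with the previous password stored
        old = old_password.lower()
        if (policy.disallow_incremental and len(old) == len(lowered)
                and old[:-1] == lowered[:-1]):
            failures.append("incremental password")
        if levenshtein(old_password, candidate) < policy.min_changed_chars:
            failures.append("minimum changed characters")
        w = policy.reuse_window
        if any(old[i:i + w] in lowered for i in range(len(old) - w + 1)):
            failures.append("reuses part of current password")
    hit = dictionary_hit(policy, candidate)
    if hit:
        failures.append(f"dictionary word: {hit}")
    for pattern in policy.regexes:
        if not re.search(pattern, candidate):
            failures.append(f"regex: {pattern}")
    return failures


# Constructed sample data: a tiny dictionary and one user (not real accounts).
DEMO_POLICY = Policy(dictionary=frozenset({"password", "letmein", "winter2024"}))
DEMO_USER = dict(old_password="Summer2023!", username="jsmith", name_parts=("John", "Smith"))

if __name__ == "__main__":
    for pw in ("Summer2024!", "MyPassword99!", "John-Smith-2024", "Correct-Horse-Battery"):
        print(f"{pw!r}: {check(DEMO_POLICY, pw, **DEMO_USER) or 'accepted'}")
```

Note that the two rules that compare against the old password ("Minimum number of changed characters" and "Disallow reusing part of the current password") can only be evaluated because `old_password` is available, which is why the Domain Settings tab requires reversible storage of the previous password for them. A passphrase policy is the same checker with a larger minimum length, fewer required character groups, and a custom regular expression.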

Passphrase

Passphrase requirements

  • Minimum passphrase length: The minimum number of characters in the passphrase.
  • Require one or more lower case characters: One or more lower case characters in the passphrase.
  • Require one or more upper case characters: One or more upper case characters in the passphrase.
  • Require one or more digits: One or more digits in the passphrase.
  • Require one or more special characters: One or more special characters in the passphrase.
  • Passphrase message: A description of the policy that will be displayed to end users when changing their password. The message should explain the requirements the passphrase must meet.

Custom requirements

  • Use custom passphrase requirements: When this option is enabled, you can add additional requirements, such as regular expressions, to the passphrase policy.
  • Custom Regular Expressions: Create the regular expressions that will be used to validate passphrases.
  • Sample passphrase: Type a sample passphrase to test against the regular expressions.

Blacklist (add-on)

You can enable Blacklist validation during a password reset, and/or password change.

For more information about the Blacklist settings, click here.

Configuring the Client from the Administrative Template

The Client can be configured using the administrative template in the Group Policy Management Console.

  1. Open the GPMC and navigate to the GPO you want to edit.
  2. Right click on the GPO and select Edit…
  3. In the Group Policy Management Editor dialog box, expand Computer Configuration, Policies, Administrative Templates, and click Specops Authentication Client.
  4. Select Specops Password Policy, and double-click the settings you want to configure.
  5. Make the desired changes, and click OK.

If you configure these settings, it is recommended that you create a Central Store for Group Policy Administrative Templates and add the Specops Password Reset Administrative template to it.

Create a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates allows you to store all template files in a single location in SYSVOL, where they can be accessed and presented from any server in your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops uReset Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841