Specops Password Reset can be configured from any computer in the domain where the Specops Password Reset Administration Tools are installed. The administration tools can be used to configure different aspects of the product.
Specops Password Reset Configuration Tool
The Specops Password Reset Configuration tool is used to control system-wide settings for each Specops Password Reset Server.
Domains
Specops Password Reset Servers can only serve requests from domains that have been configured for use through the Specops Password Reset Configuration tool.
You can use the Domains tab to perform the following tasks:
Configure New Domain
Edit Selected Domain Configuration
Configure a new domain
This option allows you to enable a new domain. Using the system with multiple domains requires a bi-directional trust between the additional domains and the domain where the Specops Password Reset Server is located.
From the Specops Password Reset Configuration tool, select Domains, and click Configure New Domain.
From the list of available domains, select the domain you want to add.
Click OK.
Edit domain configuration settings
From the Specops Password Reset Configuration tool, select Domains, and click Edit Selected Domain Configuration.
In the Domain Friendly Name field, enter the name of the domain you want presented to users.
NOTE
The name of the domain will be visible to the users during enrollment, password changes, and password reset operations.
If the value is left blank, the FQDN name of the domain will be shown to the user instead.
Select the Scope of Management. The Scope of Management is the root in Active Directory where the Password Reset Service will be used.
Select Enable Challenge Question in Helpdesk to allow helpdesk users to see the Secret Questions for enrolled users to verify the identity of a calling user. The default behavior is not enabled.
Select Hide Users Mobile Number to hide the mobile number of users from all web pages.
NOTE
In some environments, depending on security standards, you may want to hide the mobile number from the users.
Select Restrict access to caller’s domain to restrict access to user data in other domains for administrators using the helpdesk or reporting pages in Specops Password Reset Web.
If you changed the scope of management to a higher level in your Active Directory hierarchy, click Delegate Security to assign the necessary permissions for your service account to the new Scope of Management. You can use the table below to verify whether the necessary permissions have been applied to the Specops Password Reset Server service:
Permission | Scope
Create and Delete | classStore objects beneath user objects
Read | userAccountControl attribute on user objects; msDS-User-Account-Control-Computed attribute on user objects
Change and Reset password | User objects
Unlock account | User objects
Change password at next logon | User objects
List child objects | User objects
Read and Write | Mobile attribute on user objects
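One way to check the table above against the directory, as an added example that is not part of the Specops documentation: the script lists the allow ACEs the service account holds on the Scope of Management, reports table rows with no matching ACE, and flags rights broader than the table. The OU and account name are placeholders, the mapping of table rows to Active Directory rights is an assumption, and the "Unlock account" and "Change password at next logon" rows are not checked because the page does not name the attributes behind them.

```powershell
# Added example: audit the service account's ACEs at the Scope of Management.
# Requires the RSAT ActiveDirectory module. Placeholder values are assumptions.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ScopeDn        = 'OU=Staff,DC=example,DC=com'   # placeholder Scope of Management
$ServiceAccount = 'EXAMPLE\svc-spr'              # placeholder service account

# Resolve schema and extended-right GUIDs to names at run time (no hard-coded GUIDs).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(rightsGuid=*))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(any)' }   # ACE is not limited to one object type
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Allow ACEs held by the service account on the scope root (explicit and inherited).
$aces = (Get-Acl -Path "AD:\$ScopeDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rights    = $_.ActiveDirectoryRights
            Target    = Resolve-AceGuid $_.ObjectType
            AppliesTo = Resolve-AceGuid $_.InheritedObjectType
            Inherited = $_.IsInherited
        }
    }

# Rows of the permission table expressed as AD rights (this mapping is an assumption).
$expected = @(
    @{ Right = 'CreateChild';   Target = 'classStore' }
    @{ Right = 'DeleteChild';   Target = 'classStore' }
    @{ Right = 'ReadProperty';  Target = 'userAccountControl' }
    @{ Right = 'ReadProperty';  Target = 'msDS-User-Account-Control-Computed' }
    @{ Right = 'ExtendedRight'; Target = 'Change Password' }
    @{ Right = 'ExtendedRight'; Target = 'Reset Password' }
    @{ Right = 'ListChildren';  Target = '(any)' }
    @{ Right = 'ReadProperty';  Target = 'mobile' }
    @{ Right = 'WriteProperty'; Target = 'mobile' }
)

$missing = foreach ($e in $expected) {
    $flag = [System.DirectoryServices.ActiveDirectoryRights]$e.Right
    $hit  = $aces | Where-Object { $_.Rights.HasFlag($flag) -and
                                   $_.Target -in @($e.Target, '(any)') }
    if (-not $hit) { '{0} on {1}' -f $e.Right, $e.Target }
}

# Rights that go beyond anything in the table and deserve a second look.
$broad = $aces | Where-Object {
    $r = $_.Rights
    'GenericAll', 'WriteDacl', 'WriteOwner' |
        Where-Object { $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$_) }
}

$aces | Format-Table -AutoSize
"Table rows with no matching ACE: $($missing -join '; ')"
"ACEs broader than the table: $(@($broad).Count)"
```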
Email settings
You can change the server email settings using the Configuration tool. The email settings are used when the Specops Password Reset Server sends emails to users.
Edit email settings
From the Specops Password Reset Configuration Tool, select Email Settings, and click Edit.
Specify the FQDN or IP address of your SMTP server in the SMTP Server Name text field.
Specify a non-standard port to connect to the server in the SMTP Port Number field.
Optionally, you can configure more advanced settings:
Enable TLS Security
Use Custom SMTP Credentials
NOTE
You can use custom credentials if you do not want to use the service account of the Specops Password Reset server for sending email.
Enter the email address that will be used to send email in the Email Sender Address field.
Enter the sender display name in the Email Sender Display name field. This is the name that will appear in the email.
Enter the email address that will receive license expiration emails in the License reminder email address field.
NOTE
License reminders are sent to administrators to report license compliance issues such as nearing or exceeding the allowed license count.
Helpdesk settings
To configure the settings for mobile verification messages, you must use a third-party SMS service provider. This will generate an SMS verification code that will be used to authenticate users who request password resets through the helpdesk.
Edit Mobile Verification Email Settings
From the Specops Password Reset Configuration Tool, select Helpdesk Settings, and click Edit.
In the From email text field, enter the email address that will be used to send the validation message.
Configure the To email, Subject, and Body settings according to the specifications of your SMS provider.
From the Insert placeholder code drop box you can select the information that will be different for each user.
Click OK.
License
You can use the Specops Password Reset Configuration Tool to view license information and update your license key. You will be required to add more licenses if you have added additional users or if you have upgraded the product to a new major version in accordance with your Support and Maintenance agreement.
Specops Password Reset Web Customization Tool
The Specops Password Reset Web application contains a customization tool which gives you control over the Specops Password Reset end user interface. The customization tool can be used to customize the following:
Graphical appearance of the user interface by modifying the theme.
Text used in the product by editing the selected language.
Themes
The graphical elements on the Specops Password Reset web pages, such as images, colors, and fonts, can be modified using the theme editor.
Set current theme
The Set Current Theme button will make the selected theme the active theme in the web application.
From the Specops Password Reset Web Customization tool, select an available theme.
Click Set Current Theme.
Add new theme
You can create new themes using the Add New Theme button.
From the Specops Password Reset Web Customization tool, click Add New Theme.
Select a theme template using the drop-box.
Enter a theme name and click OK.
Edit theme
The Edit Theme button will launch the theme editor and allow you to modify an existing theme.
From the Specops Password Reset Web Customization tool, click Edit Theme.
To modify the text display elements, click the Theme Path. The text display elements are contained in the cascading style sheets. You can edit the style sheets in any text editor.
The theme folder contains the following style sheets:
Style Sheet | Where it is used
Default.css | Reset, Change, and Enrollment pages
HelpDesk.css | Helpdesk pages
MasterPage.css | Master pages
Reporting.css | Reporting pages
Wizard.css | Wizard elements on the Reset, Change, and Enrollment pages
Import the following graphic elements:
Element | Size | Where it is used
Wizard background | 800x600 pixels | Background image on the Reset, Change, and Enrollment pages.
Wizard top left logo | 128x109 pixels | The logo image used on the Reset, Change, and Enrollment pages.
Helpdesk top left logo | 128x109 pixels | ID card logo seen on the main page of the Helpdesk tool.
Helpdesk logo | 381x109 pixels | The header image used in the Helpdesk tool.
NOTE
Specops Password Reset uses the PNG and GIF format for product graphics.
All the graphics used in the theme can be found in the Images folder in each theme folder.
Click OK.
Languages
You can use the Specops Password Reset Web Customization tool to manage the languages that the product is translated into.
Edit selected language
You can use the language editor to change any string used on the Specops Password Reset web pages. The strings are divided into tabs depending on where they are used in the system. The text fields support HTML, including HTML links for further customization.
From the Specops Password Reset Web Customization tool, select an available language.
Click Edit Selected Language.
Select a string.
Double-click the text you want to change.
WARNING
Some of the strings contain placeholders, such as {0}, for variables retrieved by the Specops Password Reset server, such as the mobile telephone number from the user object.
Once you have made the necessary changes, click OK.
Restart the web site application pool to apply the changes.
NOTE
This can be done through the IIS manager on the web server.
Add new language
You can add new languages to Specops Password Reset. All strings for the new language must be entered manually in the language editor.
From the Specops Password Reset Web customization tool, click Add New Language.
Select the language you want to add, and click OK.
Use the language editor to add the text for the new language.
Group Policy snap-in
The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Reset settings in group policy objects. These settings are stored as a part of the GPO. Managing SPR settings in Group Policy allows you to control how and where the policies are applied.
Create a Specops Password Reset GPO
In the GPMC, expand your domain node and locate the Group Policy Objects node.
Right-click the GPO node, and select New.
Enter a name for the Group Policy Object, and click OK.
Expand User Configuration, Policies, Windows Settings, and select Specops Password Reset. Use the settings to manage password reset for users in your organization.
Applying policy settings
Specops Password Reset settings will apply to all user accounts in locations where your GPO is linked.
If more than one GPO is linked on the same level, the link order of the GPOs determines the order in which the GPOs will be processed.
If conflicting settings from multiple GPOs apply to a user, Group Policy will resolve the conflict. Group Policy Objects are applied in the following order; the GPO closest to the user object in AD will have the highest precedence.
Local Group Policy Objects
NOTE
Specops Password Reset settings cannot be created on this level.
Site linked Group Policy Objects
Domain linked Group Policy Objects
OU linked Group Policy Objects
If the above order does not enable you to apply your preferred settings, you can use security filtering to control, on a permission level, which users and computers will be affected by the GPO. Security filtering allows you to apply different policy settings to objects located on the same level in Active Directory.
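To see how the precedence and security filtering described above play out for a given OU, the following added example (not part of the Specops documentation) lists the domain- and OU-linked GPOs that reach the OU, highest precedence first, with the trustees each GPO is filtered to. The OU is a placeholder; the script does not tell you which GPOs contain Specops Password Reset settings.

```powershell
# Added example: GPO precedence and security filtering for one OU.
# Requires the GroupPolicy module (GPMC). The OU below is a placeholder (assumption).
Import-Module GroupPolicy

$TargetOu = 'OU=Staff,DC=example,DC=com'

# InheritedGpoLinks holds the domain- and OU-linked GPOs that reach the OU,
# with Order 1 as the highest precedence. Site-linked GPOs are not included.
$links = (Get-GPInheritance -Target $TargetOu).InheritedGpoLinks

$report = foreach ($link in $links) {
    # Security filtering: trustees that hold the Apply Group Policy permission.
    $appliesTo = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Precedence = $link.Order
        Gpo        = $link.DisplayName
        LinkedAt   = $link.Target
        Enabled    = $link.Enabled
        Enforced   = $link.Enforced
        AppliesTo  = $appliesTo -join '; '
    }
}

$report | Sort-Object Precedence | Format-Table -AutoSize
```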
Policy settings
Group policy settings determine how the system should behave when accessed by a user. The Specops Password Reset Server queries Active Directory to determine which settings to use for each visiting user.
NOTE
Specops Password Reset creates a leaf object in Active Directory, under the user object, to store enrollment information. For more information, click here.
General
You can configure the following items from the General tab.
Enrollment options
These settings control the authentication method users affected by the policy should use:
Secret Questions
Mobile Verification Code
Both
You can also prompt the user for their current password before starting the enrollment wizard. Prompting the user for their current password is a good security practice.
Locked account options
You can use the locked account options to:
Allow locked user account to use the password reset service: If you enable this box alone, the user can reset their password and their account will be automatically unlocked.
Allow users to unlock their account without resetting their password: If you enable this box, the user can unlock their account and choose not to change their password.
Enrollment Enforcing
You can use the Enrollment Enforcing settings to control how you want your users to enroll. The Reminder Mode setting allows you to configure the type of reminders you want your users to receive.
Balloon tip: Reminder balloon tip that pops up from the taskbar tray. Clicking the reminder will take the user directly to the enrollment web page. This is the default setting in Specops Password Reset.
Start browser: This setting causes the reminder to open a browser window with the enrollment web page.
Start unclosable fullscreen browser: This setting causes the reminder to open a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.
You can configure the reminder to appear only at user logon, or during user logon and at regular intervals during the day. You can manage the intervals using the Specops Password Reset Administrative Template. See Configure Specops Client from the Administrative Template for more information.
Secret Questions
The Secret Question tab allows you to edit the Secret Questions used in the GPO. You can configure the following items from the Secret Questions tab.
Secret Question Settings
The following settings control the requirements on how users are allowed to select and answer the questions in the GPO.
Number of questions: The number of questions users are required to answer when they authenticate using the Secret Questions mechanism. You must have more than the configured number of questions available in the policy in order for users to be able to meet this requirement.
Number of allowed custom questions: Controls the number of custom questions the user is allowed to use.
Custom question answer min length: If custom questions are allowed, this value controls the minimum length of the answers to the custom questions.
Lockout threshold: Number of failed password attempts allowed before locking the user out from Password Reset. When the user exceeds the configured number of attempts, the system will invalidate the enrollment information, preventing the user from using the system until a new enrollment has been created.
Allow identical answers: Allows users to use the same answer to more than one question in the question series.
Case sensitive answers: Requires users to provide answers to questions using the same case as when they enrolled.
Edit Questions
Specops Password Reset contains a selection of questions and language translations that can be made available to users affected by the GPO. The questions can be imported using the Import Questions… button.
You can also manually create new questions using the Add new Question… button.
If you have manually created new questions, you will have to provide your own translations. If you want to provide translations for your questions, you can add more language translations using the Edit Languages… button.
Mobile Verification Code
If “Use Mobile Verification code” is enabled, you can use the Mobile Verification code tab to configure how the system should connect to your SMS service provider.
Verification Code Message
The Specops Password Reset Server uses these settings to create an email message, which will be sent to the SMS provider, and converted to an SMS message which the user will receive. Most of these settings are controlled by the SMS service provider. The placeholders below are evaluated by the Specops Password Reset Server service.
%MobileNumber%: Contains the mobile number retrieved by Specops Password Reset from the user object of the target user in Active Directory.
%Code%: Contains the mobile verification code generated by Specops Password Reset. The code is only valid for use from the same session against the web server that it was requested from.
%Email%: Contains the email address retrieved by Specops Password Reset from the user object of the target user in Active Directory.
Mobile Verification Settings
You can control how the mobile verification code is used by users affected by the GPO.
Bypass if mobile number missing: This option is only available if Use Both mobile verification and Secret Questions is enabled. If this option is selected, mobile verification codes will only be used for those users that have a mobile number configured in Active Directory. For others, the step will be bypassed.
Allow users to enter mobile number when enrolling: This option is only available if Use Mobile Verification code is enabled. If this option is selected, users without a registered mobile number in Active Directory will be asked to enroll in the system by registering their mobile number.
Require verification of mobile phone number: This option is only available if Allow users to enter mobile number when enrolling is enabled. If this option is selected, users will have to verify that they have enrolled with the correct mobile number by receiving and responding with a verification code during the enrollment process.
Email Notifications
When certain system events occur, such as a user enrolling with the system, Specops Password Reset has the ability to generate and send emails to end users to confirm that the operation was successful. Event notification settings can be managed using the Email Notifications tab in your Specops Password Reset user GPO in the GPMC. The text fields support HTML, including HTML links for further customization.
Email Server Settings
These settings can be used to override the server email configuration specified during the installation of the Specops Password Reset Server component. This is useful in scenarios where you want a specific part of the organization to use a specific SMTP server.
Events
Specops Password Reset can send email notifications for the following events:
Password Reset by user: This event triggers every time a user resets their password through Specops Password Reset. By default, a confirmation email is sent to the user with details about the reset operation.
Password Reset from helpdesk: This event triggers when the Specops Password Reset Helpdesk tool is used to reset the password of a user. No emails are configured by default for this event.
User has enrolled: This event triggers when a user successfully completes the enrollment process in Specops Password Reset. By default, a confirmation email is sent to the user with details about the enrollment operation.
User account locked out from Specops Password Reset: This event triggers when a user has exceeded the allowed number of attempts to answer the Secret Questions correctly. No emails are configured by default for this event.
Account unlocked: This event triggers when a user unlocks their account through Specops Password Reset. No emails are configured by default for this event.
Enrollment reminder: This event triggers during the daily enrollment status check if the system discovers a user who has not yet enrolled. No emails are configured by default for this event, but it is strongly recommended to add a customized reminder email that will be sent to the user.
Custom Wizard Messages
The settings in the Custom Wizard Messages tab allow you to create your own custom message to be displayed to end users when they have successfully completed an enrollment or a password change/reset operation. The custom message you create can either be appended to the default message or used to replace the default message entirely.
Configuring the Client from the Administrative Template
Specops Authentication can be configured using the administrative template in the Group Policy Management Console.
Specops Authentication Client uses ADMX files to change the Windows Registry settings to alter the way the software interacts with the system software. ADMX templates are Windows Group Policy Settings XML-based files that specify which registry keys in the Windows Registry are changed when a certain Group Policy setting is changed (ADML files are the localized XML files containing the text strings associated with the ADMX files).
ADMX templates can be used to change numerous registry keys, but this document focuses on two settings in particular connected to Specops Authentication Client: creating the Start menu shortcut; and showing/hiding the reset password link on the logon page.
Accessing the Specops ADMX templates
To access the ADMX templates associated with Specops Authentication Client, open the Group Policy Management tool, right-click the Group Policy Object you want to change, and select Edit. In the tree navigation, navigate to Computer Configuration > Policies > Administrative templates: Policy definitions (ADMX files) > Specops Authentication Client. There you will find all the ADMX templates associated with Specops Authentication Client.
Hiding the reset password link on the logon page
Location: Enhance Windows logon and password change > Show the Password Reset Link
At Windows logon, under the username/password fields, a “Reset password…” link allows users in organizations running Specops uReset or Specops Password Reset to reset their passwords. This setting allows you to show or hide the reset password link shown on the Windows logon page.
Open the Show the Password Reset Link file.
Select the Disabled radio button.
Click OK.
NOTE
To enable the setting again, you can set the radio button to either Not configured or Enabled.
Start menu shortcut creation
Location: General Client settings > Create start menu shortcuts to enroll/change/reset
With Specops Authentication Client installed, when a user logs in to Windows, start menu shortcuts to enroll, reset and change password are created. These are convenience shortcuts for users to easily use Specops uReset or Specops Password Reset. This setting allows you to hide those shortcuts, in case these should not be shown. If those shortcuts have already been created on a computer, they will be removed at next logon if this setting has been set to disabled.
Open the Create start menu shortcuts to enroll/change/reset file.
Select the Disabled radio button.
Click OK.
NOTE
To enable the setting again, you can set the radio button to either Not configured or Enabled.
Create a Central Store for Group Policy Administrative Templates
The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops Client ADMX/ADML files from %windir%\PolicyDefinitions.
The Specops Secured Browser is used to reset passwords for a user from the Windows logon screen. It comes in two flavors, based on CefSharp and Internet Explorer browser engines, respectively. It is recommended to use the CefSharp-based Secured Browser for better security and user experience.
To use the CefSharp-based Secured Browser, the Specops Authentication Client CefSharp runtime must be deployed. The runtime has been tested by Specops to be compatible with the Secured Browser, and is a separate MSI from the Specops Authentication Client.
NOTE
If the CefSharp runtime isn't installed, an error message will be displayed when a user attempts to reset a password from the Windows logon screen by pressing the 'Reset Password...' link. It is possible to enforce use of the Internet Explorer-based browser, but this is strongly not recommended.
Usage
The CefSharp-based browser supports Specops uReset 8 and Specops Password Reset. Organizations that have not yet migrated to Specops uReset 8 must use the Internet Explorer-based Secured Browser, and should therefore not deploy the MSI for the Specops CefSharp runtime.
Organizations using Specops uReset 8 or Specops Password Reset
It is recommended to deploy the Specops Authentication Client CefSharp runtime on x64 Windows 10 or newer client computers.
Organizations using Specops Password Policy only
If no reset solution is used, there is no need to deploy the Specops Authentication Client CefSharp runtime (not applicable).