Administration | Administrator configurations

Specops Password Reset can be configured from any computer in the domain where the Specops Password Reset Administration Tools are installed. The administration tools can be used to configure different aspects of the product.

Specops Password Reset Configuration tool

The Specops Password Reset Configuration tool is used to control system wide settings for each Specops Password Reset Server.

Domains

Specops Password Reset Servers can only serve requests from domains that have been configured for use through the Specops Password Reset Configuration tool.

You can use the Domains tab to perform the following tasks:

  • Configure New Domain
  • Edit Selected Domain Configuration

Configure a new domain

This option allows you to enable a new domain. Using the system with multiple domains requires a bi-directional trust between the additional domains and the domain where the Specops Password Reset Server is located.

  1. From the Specops Password Reset Configuration tool, select Domains, and click Configure New Domain.
  2. From the list of available domains, select the domain you want to add.
  3. Click OK.

Edit domain configuration settings

  1. From the Specops Password Reset Configuration tool, select Domains, and click Edit Selected Domain Configuration.
  2. In the Domain Friendly Name field, enter the name of the domain you want presented to users.

Note:

  • The name of the domain will be visible to the users during enrollment, password changes, and password reset operations.
  • If the value is left blank, the FQDN of the domain will be shown to the user instead.

  3. Select the Scope of Management. The Scope of Management is the root in Active Directory where the Password Reset Service will be used.
  4. Select Enable Challenge Question in Helpdesk to allow helpdesk users to see the secret questions for enrolled users to verify the identity of a calling user. The default behavior is not enabled.
  5. Select Hide Users Mobile Number to hide the mobile number of users from all web pages.

Note: In some environments, depending on security standards, you may want to hide the mobile number from the users.

  6. Select Restrict access to caller’s domain to restrict access to user data in other domains for administrators using the helpdesk or reporting pages in Specops Password Reset Web.
  7. If you changed the scope of management to a higher level in your Active Directory hierarchy, click Delegate Security to assign the necessary permissions for your service account to the new Scope of Management. You can use the table below to verify whether the necessary permissions have been applied to the Specops Password Reset Server service:

    Permission | Scope
    Create and Delete | classStore objects beneath user objects
    Read | userAccountControl attribute on user objects
    Read | msDS-User-Account-Control-Computed attribute on user objects
    Change and Reset password | User objects
    Unlock account | User objects
    Change password at next logon | User objects
    List child objects | User objects
    Read and Write | Mobile attribute on user objects
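
One way to compare the permissions table above with what is actually set in Active Directory. This is an added example, not part of the Specops documentation or tooling; the distinguished name and account name are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: list the Allow ACEs held by the service account on the
# Scope of Management, with schema and extended-right GUIDs shown as names.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$ScopeDn        = 'OU=Staff,DC=example,DC=com'   # placeholder Scope of Management
$ServiceAccount = 'EXAMPLE\svc-spr'              # placeholder service account

$rootDse = Get-ADRootDSE

# Map GUIDs to readable names: schema classes/attributes and extended rights.
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    # An empty GUID in an ACE means "not restricted to one object type".
    if ($Guid -eq [guid]::Empty) { return '(any)' }
    if ($guidName.ContainsKey($Guid)) { return $guidName[$Guid] }
    return $Guid.ToString()
}

# Object    = the attribute, child class or extended right the ACE covers.
# AppliesTo = the object class the ACE is inherited by (expected: user).
(Get-Acl -Path "AD:\$ScopeDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object ActiveDirectoryRights,
        @{ Name = 'Object';    Expression = { Resolve-AceGuid $_.ObjectType } },
        @{ Name = 'AppliesTo'; Expression = { Resolve-AceGuid $_.InheritedObjectType } },
        IsInherited |
    Sort-Object AppliesTo, Object |
    Format-Table -AutoSize -Wrap
```

Each row in the output should correspond to a row in the table; rights held by the service account that are not in the table are worth reviewing.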

Email settings

You can change the server email settings using the Configuration tool. The email settings are used when the Specops Password Reset Server sends emails to users.

Edit email settings

  1. From the Specops Password Reset Configuration Tool, select Email Settings, and click Edit.
  2. Specify the FQDN or IP address of your SMTP server in the SMTP Server Name text field.
  3. Specify a non-standard port to connect to the server in the SMTP Port Number field.
  4. Optionally, you can configure more advanced settings:
    • Enable TLS Security
    • Use Custom SMTP Credentials

Note: You can use custom credentials if you do not want to use the service account of the Specops Password Reset server for sending email.

  5. Enter the email address that will be used to send email in the Email Sender Address field.
  6. Enter the sender display name in the Email Sender Display name field. This is the name that will appear in the email.
  7. Enter the email address that will receive license expiration emails in the License reminder email address field.

Note: License reminders are sent to administrators to report license compliance issues such as nearing or exceeding the allowed license count.

Helpdesk settings

To configure the settings for mobile verification messages, you must use a third-party SMS service provider. This will generate an SMS verification code that will be used to authenticate users who request password resets through the helpdesk.

Edit Mobile Verification Email Settings

  1. From the Specops Password Reset Configuration Tool, select Helpdesk Settings, and click Edit.
  2. In the From email text field, enter the email address that will be used to send the validation message.
  3. Configure the To email, Subject, and Body settings according to the specifications of your SMS provider.
  4. From the Insert placeholder code drop box you can select the information that will be different for each user.
  5. Click OK.

License

You can use the Specops Password Reset Configuration Tool to view license information and update your license key. You will be required to add more licenses if you have added additional users or if you have upgraded the product to a new major version in accordance with your Support and Maintenance agreement.

Specops Password Reset Web Customization tool

The Specops Password Reset Web application contains a customization tool which gives you control over the Specops Password Reset end user interface. The customization tool can be used to customize the following:

  • Graphical appearance of the user interface by modifying the theme.
  • Text used in the product by editing the selected language.

Themes

The graphical elements on the Specops Password Reset web pages, such as images, colors, and fonts can be modified using the theme editor.

Set current theme

The Set Current Theme button will make the selected theme the active theme in the web application.

  1. From the Specops Password Reset Web Customization tool, select an available theme.
  2. Click Set Current Theme.

Add new theme

You can create new themes using the Add New Theme button.

  1. From the Specops Password Reset Web Customization tool, click Add New Theme.
  2. Select a theme template using the drop-box.
  3. Enter a theme name and click OK.

Edit theme

The Edit Theme button will launch the theme editor and allow you to modify an existing theme.

  1. From the Specops Password Reset Web Customization tool, click Edit Theme.
  2. To modify the text display elements, click the Theme Path. The text display elements are contained in the cascading style sheets. You can edit the style sheets in any text editor.
  3. The theme folder contains the following style sheets:

    Style Sheet | Where it is used
    Default.css | Reset, Change, and Enrollment pages
    HelpDesk.css | Helpdesk pages
    MasterPage.css | Master pages
    Reporting.css | Reporting pages
    Wizard.css | Wizard elements on the Reset, Change, and Enrollment pages.

  4. Import the following graphic elements:

    Element | Size | Where it is used
    Wizard background | 800x600 pixels | Background image on the Reset, Change, and Enrollment pages.
    Wizard top left logo | 128x109 pixels | The logo image used on the Reset, Change, and Enrollment pages.
    Helpdesk top left logo | 128x109 pixels | ID card logo seen on the main page of the Helpdesk tool.
    Helpdesk logo | 381x109 pixels | The header image used in the Helpdesk tool.

    Note:

    • Specops Password Reset uses the PNG and GIF format for product graphics.
    • All the graphics used in the theme can be found in the Images folder in each theme folder.
  5. Click OK.

Languages

You can use the Specops Password Reset Web Customization tool to manage the languages that the product is translated into.

Edit selected language

You can use the language editor to change any string used on the Specops Password Reset web pages. The strings are divided into tabs depending on where they are used in the system. The text fields support HTML, including HTML links for further customization.

  1. From the Specops Password Reset Web Customization tool, select an available language.
  2. Click Edit Selected Language.
  3. Select a string.
  4. Double-click the text you want to change.

Warning: Some of the strings contain placeholders, such as {0}, for variables retrieved by the Specops Password Reset server, such as the mobile telephone number from the user object.

  5. Once you have made the necessary changes, click OK.
  6. Restart the web site application pool to apply the changes.

Note: This can be done through the IIS manager on the web server.

Add new language

You can add new languages to Specops Password Reset. All strings for the new language must be entered manually in the language editor.

  1. From the Specops Password Reset Web customization tool, click Add New Language.
  2. Select the language you want to add, and click OK.
  3. Use the language editor to add the text for the new language.

Group Policy snap-in

The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Reset settings in group policy objects. These settings are stored as a part of the GPO. Managing SPR settings in Group Policy allows you to control how and where the policies are applied.

Create a Specops Password Reset GPO

  1. In the GPMC, expand your domain node and locate the Group Policy Objects node.
  2. Right click on the GPO node, and select New.
  3. Enter a name for the Group Policy Object, and click OK.
  4. Expand User Configuration, Policies, Windows Settings, and select Specops Password Reset. Use the settings to manage password reset for users in your organization.

 

Applying policy settings

Specops Password Reset settings will apply to all user accounts in locations where your GPO is linked.

If more than one GPO is linked on the same level, the link order of the GPOs determines the order in which the GPOs are processed.

If conflicting settings from multiple GPOs apply to a user, Group Policy will resolve the conflict. Group Policy Objects are applied in the following order; the GPO closest to the user object in AD will have the highest precedence.

  • Local Group Policy Objects (Note: Specops Password Reset settings cannot be created on this level.)
  • Site linked Group Policy Objects
  • Domain linked Group Policy Objects
  • OU linked Group Policy Objects

If the above order does not enable you to apply your preferred settings, you can use security filtering to control, on a permission level, which users and computers will be affected by the GPO. Security filtering allows you to apply different policy settings to objects located on the same level in Active Directory.

Policy settings

Group policy settings determine how the system should behave when accessed by a user. The Specops Password Reset Server queries Active Directory to determine which settings to use for each visiting user.

Note: Specops Password Reset creates a leaf object in Active Directory, under the user object, to store enrollment information.

General

You can configure the following items from the General tab.

Enrollment options

These settings control the authentication method users affected by the policy should use:

  • Secret Questions
  • Mobile Verification Code
  • Both

You can also prompt the user for their current password before starting the enrollment wizard. Prompting the user for their current password is a good security practice.

Locked account options

You can use the locked account options to:

  • Allow locked user account to use the password reset service: If you enable this box alone, the user can reset their password and their account will be automatically unlocked.
  • Allow users to unlock their account without resetting their password: If you enable this box, the user can unlock their account and choose not to change their password.

Enrollment Enforcing

You can use the Enrollment Enforcing settings to control how you want your users to enroll. The Reminder Mode setting allows you to configure the type of reminders you want your users to receive.

  • Balloon tip: Reminder balloon tip that pops up from the taskbar tray. Clicking the reminder will take the user directly to the enrollment web page. This is the default setting in Specops Password Reset.
  • Start browser: This setting causes the reminder to open a browser window with the enrollment web page.
  • Start unclosable fullscreen browser: This setting causes the reminder to open a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.

You can configure the reminder to appear only at user logon, or at user logon and at regular intervals during the day. You can manage the intervals using the Specops Password Reset Administrative Template. See Configure Specops Client from the Administrative Template for more information.

Secret Questions

The Secret Question tab allows you to edit the secret questions used in the GPO. You can configure the following items from the Secret Questions tab.

Secret Question Settings

The following settings control the requirements on how users are allowed to select and answer the questions in the GPO.

  • Number of questions: The number of questions users are required to answer when they authenticate using the secret questions mechanism. You must have more than the configured number of questions available in the policy in order for users to be able to meet this requirement.
  • Number of allowed custom questions: Controls the number of custom questions the user is allowed to use.
  • Custom question answer min length: If custom questions are allowed, this value controls the minimum length of the answers to the custom questions.
  • Lockout threshold: Number of failed password attempts allowed before locking the user out from Password Reset. When the user exceeds the configured number of attempts the system will invalidate the enrollment information, preventing the user from using the system until a new enrollment has been created.
  • Allow identical answers: Allows users to use the same answer to more than one question in the question series.
  • Case sensitive answers: Requires users to provide answers to questions using the same case as when they enrolled.

Edit Questions

Specops Password Reset contains a selection of questions and language translations that can be made available to users affected by the GPO. The questions can be imported using the Import Questions… button.

You can also manually create new questions using the Add new Question… button.

If you have manually created new questions, you will have to provide your own translations. If you want to provide translations for your questions you can add more language translations using the Edit Languages… button.

Mobile Verification Code

If “Use Mobile Verification code” is enabled, you can use the Mobile Verification code tab to configure how the system should connect to your SMS service provider.

Verification Code Message

The Specops Password Reset Server uses these settings to create an email message, which will be sent to the SMS provider, and converted to an SMS message which the user will receive. Most of these settings are controlled by the SMS service provider. The below placeholders are evaluated by the Specops Password Reset Server service.

  • %MobileNumber%: Contains the mobile number retrieved by Specops Password Reset from the user object of the target user in Active Directory.
  • %Code%: Contains the mobile verification code generated by the Specops Password Reset. The code is only valid for use from the same session against the web server that it was requested from.
  • %Email%: Contains the email address retrieved by Specops Password Reset from the user object of the target user in Active Directory.

Mobile Verification Settings

You can control how the mobile verification code is used by users affected by the GPO.

  • Bypass if mobile number missing: This option is only available if Use Both mobile verification and secret questions is enabled. If this option is selected, mobile verification codes will only be used for those users that have a mobile number configured in Active Directory. For others, the step will be bypassed.
  • Allow users to enter mobile number when enrolling: This option is only available if Use Mobile Verification code is enabled. If this option is selected, users without a registered mobile number in Active Directory will be asked to enroll in the system by registering their mobile number.
  • Require verification of mobile phone number: This option is only available if Allow users to enter mobile number when enrolling is enabled. If this option is selected, users will have to verify that they have enrolled with the correct mobile number by receiving and responding with a verification code during the enrollment process.

Email Notifications

When certain system events occur, such as a user enrolling with the system, Specops Password Reset has the ability to generate and send emails to end users to confirm that the operation was successful. Event notification settings can be managed using the Email Notifications tab in your Specops Password Reset user GPO in the GPMC. The text fields support HTML, including HTML links for further customization.

Email Server Settings

These settings can be used to override the server email configuration specified during the installation of the Specops Password Reset Server component. This is useful in scenarios where you want a specific part of the organization to use a specific SMTP server.

Events

Specops Password Reset can send email notifications for the following events:

  • Password Reset by user: This event triggers every time a user resets their password through Specops Password Reset. By default, a confirmation email is sent to the user with details about the reset operation.
  • Password Reset from helpdesk: This event triggers when the Specops Password Reset Helpdesk tool is used to reset the password of a user. No emails are configured by default for this event.
  • User has enrolled: This event triggers when a user successfully completes the enrollment process in Specops Password Reset. By default, a confirmation email is sent to the user with details about the enrollment operation.
  • User account locked out from Specops Password Reset: This event triggers when a user has exceeded the allowed number of attempts to answer the secret questions correctly. No emails are configured by default for this event.
  • Account unlocked: This event triggers when a user unlocks their account through Specops Password Reset. No emails are configured by default for this event.
  • Enrollment reminder: This event triggers during the daily enrollment status check if the system discovers a user who has not yet enrolled. No emails are configured by default for this event, but it is strongly recommended to add a customized reminder email that will be sent to the user.

Custom Wizard Messages

The settings in the Custom Wizard Messages tab allow you to create your own custom message to be displayed to end users when they have successfully completed an enrollment or a password change/reset operation. The custom message you create can either be appended to the default message or used to replace the default message entirely.

Configuring the Client from the Administrative Template

The Specops Client can be configured using the administrative template in the Group Policy Management Console.

  1. Open the GPMC and navigate to the GPO you want to edit.
  2. Right click on the GPO and select Edit…
  3. In the Group Policy Management Editor dialog box, expand Computer Configuration, Policies, Administrative Templates, and click Specops Authentication Client.
  4. Select Specops Password Reset, and double-click the settings you want to configure.
    Note: If you are an existing Specops Password Reset customer and testing Specops uReset, Prefer SPR over uReset must be enabled in the General Client settings.
  5. Make the desired changes, and click OK.

If you configure the settings, it is recommended to create a Central Store for Group Policy Administrative Templates and add the Specops Password Reset Administrative template.

Create a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions

The ADML should be copied to:

\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/92984
