Reference Material | Configure Throttling

The Specops Password Reset Server uses data from user objects in Active Directory to read and write information used in the system. You can control which attributes are used by the system by modifying the registry on the Specops Password Reset Server.

Session data and mobile verification code attributes

During the password reset process, the session data, such as the session ID and the mobile verification code, is stored in the “specops-spp-pwdReset” object beneath the user object in Active Directory.

If your organization only uses the mobile verification code mechanism, the creation of the sub object can be prevented by configuring the Specops Password Reset Server to use custom user attributes instead of the sub object when storing the session data.

These settings are controlled in the registry on the Specops Password Reset server:

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]
Value name: UseCustomAttributesForVerificationCode
Description: Enables the use of custom attributes for session data. If the value is set to “1” the custom attribute setting is enabled. If the value is set to “0” the sub object is used to hold session data.
Default value: 0

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]
Value name: CustomAttributeSessionId
Description: LDAP display name of the user string attribute of your choice that will hold the session ID.
Default value: “”

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]
Value name: CustomAttributeVerificationCode
Description: LDAP display name of the user string attribute of your choice that will hold the mobile verification code.
Default value: “”

Run the following commands to grant the SPR service account permission to read and write the attributes chosen above. They must be run in a command prompt (not a PowerShell prompt):

dsacls [DN_of_your_scope_of_management] /I:T /G [spr_service_account]:RPWP;[your_selected_sessionID_attribute];user

dsacls [DN_of_your_scope_of_management] /I:T /G [spr_service_account]:RPWP;[your_selected_verification_code_attribute];user

Example:

dsacls OU=Example,DC=example,DC=com /I:T /G example\sprsvc:RPWP;carLicense;user

dsacls OU=Example,DC=example,DC=com /I:T /G example\sprsvc:RPWP;assistant;user

The Specops Password Reset Server service should be restarted after this configuration has been applied.

Email address and mobile phone attributes

By default the Specops Password Reset Server retrieves the email address of the user from the “mail” attribute. The mobile phone number of the user is retrieved from the “mobile” attribute. You can change the settings to other attributes on the user object:

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]
Value name: CustomAttributeMail
Description: Enables the use of a custom attribute for email address data if configured with a value. The value should match an attribute on the user object.
Default value: “”

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]
Value name: CustomAttributeMobile
Description: Enables the use of a custom attribute for the mobile phone number if configured with a value. The value should match an attribute on the user object.
Default value: “”

Run the following commands to grant the SPR service account permission to read and write the attributes chosen above:

dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:RPWP;[your_selected_email_attribute];user

dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:RPWP;[your_selected_mobile_phone_attribute];user

Example:

dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;carLicense;user

dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;assistant;user

The Specops Password Reset Server service should be restarted after this configuration has been applied.

If the mobile attribute has been changed, the password client should be configured to use the custom attribute. This is controlled through the Specops Password Reset ADMX template and the “User object custom mobile attribute” setting.
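The session-data attributes and the email and mobile attributes are configured the same way, so one added example serves both sections. This PowerShell script is not Specops' own code: it checks that each chosen attribute exists in the AD schema as a string attribute (an invalid LDAP display name would otherwise only surface as a failed reset) and then writes the registry values documented above for one domain. The domain name and the attribute names are placeholders; the dsacls grants and the service restart are still done as described above.

```powershell
# Added example (not Specops' own code). Requires the ActiveDirectory module and
# local administrator rights on the Specops Password Reset Server.
Import-Module ActiveDirectory

$DomainName = 'example.com'   # placeholder for the [domain_name] subkey
$KeyPath = "HKLM:\Software\Specopssoft\Specops Password Reset\Server\Domains\$DomainName"

# Registry value name -> LDAP display name of the attribute that will hold the data.
# carLicense/assistant are the attributes used in the dsacls examples above;
# otherMailbox/otherMobile are placeholders chosen here, replace them with your own.
$CustomAttributes = @{
    CustomAttributeSessionId        = 'carLicense'
    CustomAttributeVerificationCode = 'assistant'
    CustomAttributeMail             = 'otherMailbox'
    CustomAttributeMobile           = 'otherMobile'
}

# attributeSyntax OIDs for string attributes: Unicode, IA5/printable, case-insensitive
$StringSyntaxes = '2.5.5.12', '2.5.5.5', '2.5.5.4'
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

function Test-SprStringAttribute {
    param([string]$LdapDisplayName)
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $attr = Get-ADObject -SearchBase $SchemaNC -LDAPFilter $filter -Properties attributeSyntax
    if (-not $attr) { throw "Attribute '$LdapDisplayName' does not exist in the schema" }
    if ($attr.attributeSyntax -notin $StringSyntaxes) {
        throw "Attribute '$LdapDisplayName' has syntax $($attr.attributeSyntax), not a string"
    }
}

# Validate every attribute before touching the registry, so a typo aborts the change
foreach ($name in $CustomAttributes.Keys) {
    Test-SprStringAttribute -LdapDisplayName $CustomAttributes[$name]
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
foreach ($name in $CustomAttributes.Keys) {
    Set-ItemProperty -Path $KeyPath -Name $name -Value $CustomAttributes[$name] -Type String
}
# Switch session data from the sub object to the custom attributes (DWORD 1)
Set-ItemProperty -Path $KeyPath -Name UseCustomAttributesForVerificationCode -Value 1 -Type DWord

# Next steps, done outside this script: run the dsacls commands above from a command
# prompt so the service account gets RPWP on each attribute, then restart the
# Specops Password Reset Server service.
```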

Specops Password Reset Server call throttling

To prevent attackers from systematically probing the system for user names, the Specops Password Reset Server service automatically restricts the number of attempts a client may make to use the service within a specified sliding time window.

The sliding window begins counting as soon as the first invalid request is detected and adds a new entry each time a further invalid attempt is detected. When the sliding time window for a request has elapsed, that request no longer counts and the capacity it used is available to the client again.

To change these settings, you will need to modify the following registry keys:

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: CallThrottlingMaxCalls
Description: Specifies the maximum number of calls permitted from a single client during the specified sliding time window. When the number is exceeded, the server denies the request and generates an error message.
Default value: 200

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: CallThrottlingTimeWindowSeconds
Description: Specifies the size of the sliding window measured in seconds.
Default value: 300 (5 minutes)
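To make the two settings concrete, here is an added model of the sliding window described above using the default values. It is not Specops' code and only illustrates the documented behaviour: invalid attempts per client are timestamped, a request is denied once the window already holds CallThrottlingMaxCalls of them, and entries older than CallThrottlingTimeWindowSeconds slide out and free capacity again. The client identifier, the helper name and the scenario timestamps are constructed for the example.

```powershell
# Added example (not Specops' own code): sliding-window throttle with the defaults above.
$CallThrottlingMaxCalls          = 200
$CallThrottlingTimeWindowSeconds = 300

$script:ClientWindows = @{}   # client id -> queue of timestamps of invalid attempts

function Test-SprCallAllowed {
    param(
        [string]$ClientId,
        [datetime]$Now,
        [bool]$RequestIsValid
    )
    if (-not $script:ClientWindows.ContainsKey($ClientId)) {
        $script:ClientWindows[$ClientId] = [System.Collections.Generic.Queue[datetime]]::new()
    }
    $queue = $script:ClientWindows[$ClientId]

    # Slide the window: attempts older than the window size no longer count
    $cutoff = $Now.AddSeconds(-$CallThrottlingTimeWindowSeconds)
    while ($queue.Count -gt 0 -and $queue.Peek() -lt $cutoff) { [void]$queue.Dequeue() }

    # The limit is exceeded once the window already holds MaxCalls entries
    if ($queue.Count -ge $CallThrottlingMaxCalls) {
        return $false          # server denies the request and generates an error
    }
    if (-not $RequestIsValid) {
        $queue.Enqueue($Now)   # only invalid attempts are added to the window
    }
    return $true
}

# Constructed scenario: one client sends 200 invalid requests within a minute,
# is denied on the 201st, and is allowed again once the earliest attempts age out.
$t0 = Get-Date '2024-01-01 12:00:00'
$burst = foreach ($i in 0..199) { Test-SprCallAllowed 'client-A' ($t0.AddSeconds($i * 0.3)) $false }
"Allowed during burst : {0}/200" -f ($burst | Where-Object { $_ }).Count
"Request 201 allowed  : {0}" -f (Test-SprCallAllowed 'client-A' ($t0.AddSeconds(60)) $false)
"After window expires : {0}" -f (Test-SprCallAllowed 'client-A' ($t0.AddSeconds(301)) $false)
```

Expected output is 200/200, False, then True: at 301 seconds the first four attempts have left the window, so the client is below the limit again.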

Other Specops Password Reset Server registry settings

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: Databasefilepath
Description: Changes the location of the Specops Password Reset Reporting database.
Default value: blank

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: HelpdeskMaximumNumberOfUsersDisplayed
Description: Controls the maximum number of user records to display in the Helpdesk tool. This setting is useful in large environments.
Default value: 500

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: IgnoreParenthesisContentInPhoneNumbers
Description: Forces the Specops Password Reset Server to ignore any digits entered between parenthesis characters in the mobile number.
Default value: 0

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: LogFilePath
Description: Changes the location of the Specops Password Reset Server debug log file.
Default value: C:\PasswordResetServer.log

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: PollingTime
Description: Controls the time of day at which the daily user count and enrollment reminder process starts.
Default value: 00:00

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: SearchPageSize
Description: Controls the page size of searches for users in the Helpdesk tool.
Default value: 1000

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: SendVerificationCodeEmailUsing7bitencoding
Description: Specifies that 7-bit encoding should be used in the emails sent to the SMS provider. Useful when a provider does not support modern encoding formats.
Default value: 0

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: UseComplexMobileVerificationCode
Description: Specifies that the mobile verification code should be generated in a complex format. This setting can be disabled by changing the value to “0”. Turning off the complexity causes a four-digit PIN code to be used as the mobile verification code.
Default value: 1

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: DefaultLanguage
Description: Changes the default language of the server. Changing this setting also overrides any user language preference. The value should match the name of the language file on the web server.
Default value: blank

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: UseOnlyDefaultLanguage
Description: Makes the default language the only language used in Specops Password Reset. Enabling this setting removes the language selection dropdown list from the Specops Password Reset web pages. You must configure a default language for this setting to work.
Default value: 0

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\
Value name: UseDelegatedHelpdeskSecurity
Description: Enables the delegated security model in the helpdesk. If the value is set to “1” the delegated security model is enabled. If set to “0” the trusted subsystem security model is used.
Default value: 0

Registry key: HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[preferred domain name]
Value name: HelpdeskEnableChallengeQuestion
Description: Enables the helpdesk identity verification feature for challenge questions. This setting is enabled if the value is set to “1”.
Default value: 0