Reference Material | Specops uReset Scripted Install

To get started with Specops uReset, you will need to install the Gatekeeper component in your Active Directory. The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script-based installation procedure. This guide walks through that procedure.

Requirements

Your organization’s environment must meet the following requirements:

  • Gatekeeper server computer:
    • Joined to your Active Directory domain
    • .NET Framework 4.5.1 or later
  • Administrative privileges: To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
  • Account options: There are two options for the account the Gatekeeper Windows service will “run as”. Prepare to use one of the following:
    • Managed Service Account (recommended): Using a managed service account for the Specops uReset Gatekeeper requires no extra actions from you as the installation administrator. The script will create a managed service account in your Active Directory.
    • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Security groups: The installation script will create security groups used by Specops uReset. There is no action required by you.
    • uReset Gatekeepers: Service accounts that are members of this group will have permission to read user information, and create sub objects with enrollment information. The account running the Gatekeeper will be added to the Gatekeepers security group.
    • uReset Admins: Users that are members of this group will be portal administrators. The current user will be automatically added to this group. You can also add other users to this group.
    • uReset Helpdesk Users: Users that are members of this group will be able to access the Helpdesk area.

Create your customer account

To get started with Specops uReset, you will need a customer account. You can create your customer account at:

https://www.ureset.com/uReset.Web/Signup/Start

  1. Enter the following information:
    • Customer Name
    • Organization Email Domain Name
      Note: The domain name is the domain that corresponds to the email used by your organization.
    • Administrator Email
    • Password
      Note: Please remember this information. It will be required when installing the Gatekeeper.
  2. Click Sign up.

Download the Gatekeeper setup

On the Gatekeeper download page, download the zip file.

  1. Unblock the downloaded zip file. From Windows Explorer, right-click the file, select Properties, open the General tab, and click Unblock.
  2. Copy/extract the zip to the Gatekeeper computer’s C:\Temp\Gatekeeper folder, or another folder you select. The remaining tasks will be performed on the Gatekeeper computer.
  3. Expand the archive:
     Expand-Archive 'C:\temp\Specops uReset Gatekeeper Installation.zip' -DestinationPath C:\temp\uResetGatekeeper
  4. Create the Installation Packages directory:
     New-Item "$env:ProgramData\Specopssoft\uReset\Installation Packages" -type Directory -Force
  5. Copy files into place:
     Copy-Item "C:\temp\uResetGatekeeper\Configuration" -Destination "$env:ProgramData\Specopssoft\uReset\Installation Packages\Configuration\" -Recurse -Force
     Copy-Item "C:\temp\uResetGatekeeper\MSIs\*.msi" -Destination "$env:ProgramData\Specopssoft\uReset\Installation Packages\" -Force
  6. Install Admin tools:
     msiexec /I "$env:ProgramData\Specopssoft\uReset\Installation Packages\Specops.uReset.Gatekeeper.Admin-x64.msi" /quiet
  7. Allow execution:
     Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
  8. Import Gatekeeper.Command module:
     Import-Module uReset.Gatekeeper
  9. Register the Gatekeeper:
    • Managed Service Account:
       Register-uResetGatekeeper -Verbose -ManagedServiceAccount -ManagedServiceAccountName "uResetGk"

      The command will prompt for the Admin password you entered when creating the customer. Optionally, to restrict Gatekeeper permission to a specific organizational unit and its children in Active Directory, use the “-AdRoot” parameter. If “-AdRoot” is not provided, users from the entire Active Directory domain can use Specops uReset.

      Register-uResetGatekeeper -Verbose -ManagedServiceAccount -ManagedServiceAccountName "uResetGk" -AdRoot 'DC=test,DC=acme,DC=org'
    • Domain Account:
       Register-uResetGatekeeper -Verbose -DomainServiceAccount

      The command will prompt for the Admin password you entered when creating the customer, and then for the domain account credentials, so have both available when running the script. Alternatively, you can specify the domain user credentials as a parameter. In the example below, change DomainUserName to the actual user name and VerySecretPassword to the user’s password.

      $domainUserCredentials=New-Object System.Management.Automation.PSCredential -ArgumentList @('DomainUserName', (ConvertTo-SecureString -AsPlainText -Force 'VerySecretPassword'))
      
      Register-uResetGatekeeper -Verbose -DomainServiceAccount -DomainServiceAccountCredentials $domainUserCredentials
      

      Optionally, you can restrict Gatekeeper permission to a specific organizational unit and its children in Active Directory by using the “-AdRoot” parameter.

  10. Once the installation procedure is complete, start the Specops uReset Admin tool, and remotely connect to the Gatekeeper. The admin tool installation MSI is available in the downloaded zip file, under MSI\Specops.uReset.Gatekeeper.Admin-x64.msi.
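
The following script is an added example, not part of the Specops documentation or installer. It runs steps 1 to 9 for the domain account option using the paths and commands shown above, and adds three checks: the zip is unblocked with Unblock-File (no Explorer on Server Core), each MSI's Authenticode signature is verified before installation, and the service account credential is prompted for instead of being written into the script. That the MSIs are Authenticode-signed is an assumption; compare the printed signer with the publisher you expect.

```powershell
# Added example (not vendor code). Paths, module and cmdlet names are taken from the steps above.
$ErrorActionPreference = 'Stop'
$zip     = 'C:\temp\Specops uReset Gatekeeper Installation.zip'
$staging = 'C:\temp\uResetGatekeeper'
$pkgDir  = Join-Path $env:ProgramData 'Specopssoft\uReset\Installation Packages'

# Step 1 without Explorer: clear the Mark of the Web, then extract (step 3).
Unblock-File -Path $zip
Expand-Archive -Path $zip -DestinationPath $staging -Force

# Verify every MSI's Authenticode signature before anything is installed.
# Assumption: the vendor signs its MSIs. Review the signer printed for each file.
$msis = Get-ChildItem -Path (Join-Path $staging 'MSIs') -Filter '*.msi'
if (-not $msis) { throw "No MSI files found under $staging\MSIs" }
foreach ($msi in $msis) {
    $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $($msi.Name): $($sig.Status)"
    }
    '{0}: signed by {1}' -f $msi.Name, $sig.SignerCertificate.Subject
}

# Steps 4-5: stage the packages.
New-Item -Path $pkgDir -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $staging 'Configuration') `
          -Destination (Join-Path $pkgDir 'Configuration\') -Recurse -Force
Copy-Item -Path (Join-Path $staging 'MSIs\*.msi') -Destination $pkgDir -Force

# Step 6: msiexec returns immediately when called directly from PowerShell,
# so wait for it and check the exit code (0 = success, 3010 = reboot required).
$adminMsi = Join-Path $pkgDir 'Specops.uReset.Gatekeeper.Admin-x64.msi'
$proc = Start-Process -FilePath 'msiexec.exe' `
                      -ArgumentList "/i `"$adminMsi`" /quiet" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# Steps 7-9 (domain account option): prompt for the credential so the
# password never appears in the script file or the command history.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Import-Module uReset.Gatekeeper
$cred = Get-Credential -Message 'Domain account for the Gatekeeper service'
Register-uResetGatekeeper -Verbose -DomainServiceAccount -DomainServiceAccountCredentials $cred
```

For the managed service account option, replace the last two lines with the Register-uResetGatekeeper -ManagedServiceAccount command from step 9.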