Additional Administration

This page describes how to grant Dynamic Feedback UI access to read password policies, as well as how to configure the Client from the Administrative template.

Granting Dynamic Feedback UI access to read password policies

NOTE
The dynamic feedback UI requires Windows 10 or later, or Windows Server 2016

During a password change from Windows, the user is provided with live feedback about the password policy. The rules set in the policy are displayed on screen, with immediate feedback on which rules the user’s new password complies with, while they are typing it. To provide live feedback about password policy, the Rules UI resolves and reads the password affecting the user.

In order to do this, the Dynamic Feedback UI requires access the network with the computer’s credentials. The computers affected (e.g. through the built-in group “Domain Computers”) should be granted access to:

  • read Default Domain Policy (enabled by default)
  • When using Specops Password policy: to resolve a user’s SPP policy and read the policy. This is typically enabled by default.
  • When using fine-grained password policies (FGPP): to read on the user objects, and to read the FGPP container and the policies in it (CN=Password Settings Container, CN=System, DC=acme, DC=org)
  • When using FGPP: to read msDS-PSOApplied and msDS-ResultantPSO on user objects.

Configuring the Client from the Administrative template

The Client can be configured using the administrative template in the Group Policy Management Console.

  1. Open the GPMC and navigate to the GPO you want to edit.
  2. Right click on the GPO and select Edit…
  3. In the Group Policy Management Editor dialog box, expand Computer Configuration, Policies, Administrative Templates, and click Specops Specops Client.
  4. Select Specops Password Policy, and double-click the settings you want to configure.
  5. Make the desired changes, and click OK.

If you configure the settings, it is recommended to create a Central Store for Group Policy Administrative Templates and add the Specops Password Reset Administrative template.

Create a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops uReset Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store