You can use the Domain Administration tool to manage configurations that apply to your entire domain. Once you have modified the settings, your changes are automatically saved.
You can access the Domain Administration tool via the start menu.
In the bottom left of the Domain Administration tool, you can see information on the signed-in user. It will show the current user's name, as well as the role that user is running as (Domain Admin or Specops Password Policy Admin Group).
Roles and permissions
As Domain Admin you can perform all tasks in Specops Password Policy. The Specops Password Policy Admin Group permissions are restricted to the following:
- Enable/disable SPP in the domain
- Edit some of the Domain Settings:
- Configure SMTP and sending test emails for the SMTP configuration
- Configure custom user attributes
- Select another DC for User counting
- Enable/disable "Save password with reversible encryption"
- Manage Arbiters
- Download Express list
- Start Express scan
- Update language files
- Update the license (adding a license for the first time still requires Domain Admin)
- Get a limited view of the Sentinel status on the Password Policy Sentinel state tab (only if the Web API is enabled on a DC; getting the correct version status still requires Domain Admin)
NOTE
If customers give the Specops Password Policy Admin group or an end user access to a GPO, they will be able to edit/save existing password policies and send test emails from the policy.
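Because edit access to a GPO also grants the ability to change the password policy it carries, it is worth reviewing who holds that access. The following is an added example, not part of the Specops documentation or product: it uses the Windows GroupPolicy module (RSAT) on a domain-joined host, and the parameter names `$GpoNames` and `$ExpectedEditors` and their default values are assumptions to adjust for your domain.

```powershell
#Requires -Modules GroupPolicy
# Added example: report which trustees can edit each GPO, so unexpected
# delegations on GPOs that carry password policies can be reviewed.
param(
    # GPOs to audit, e.g. those listed on the Password policies tab.
    # Assumption: an empty list means "audit every GPO in the domain".
    [string[]]$GpoNames = @(),
    # Assumption: trustees expected to hold edit rights; left out of the report.
    [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
)

# Permission levels that allow changing a GPO. GpoCustom entries are included
# because a custom ACE may contain write access and needs manual review.
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$gpos = if ($GpoNames.Count -gt 0) {
    $GpoNames | ForEach-Object { Get-GPO -Name $_ }
} else {
    Get-GPO -All
}

$findings = foreach ($gpo in $gpos) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            "$($_.Permission)" -in $editRights -and
            $_.Trustee.Name -notin $ExpectedEditors
        } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                TrusteeType = $_.Trustee.SidType
                Permission  = $_.Permission
            }
        }
}

# Every row is a trustee outside the expected list that can modify the GPO.
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```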
NOTE
When creating the Specops Password Policy Admin, it can take up to 10 minutes for the Arbiter to register it.
Top menu [domain_name]
The top menu, indicated by your domain name, includes the following sections:
- Change domains: switch between available domains.
- Change domain controller: switch between available domain controllers.
- Disable and enable Specops Password Policy: Applied to your entire domain and determines whether the Sentinel processes incoming password changes.
- License: provides an overview of the current license.
- Import license file: allows you to import new licenses.
Password policies
You can use the Password policies tab to perform the following tasks:
- Create a new Password Policy, or associate an existing policy with a new GPO.
- View the list of all Group Policy Objects in your domain that contain password policy settings.
- Get an overview of the password policy rules associated with each GPO listed.
- Edit an existing policy.
- Remove a policy from a GPO.
Creating a new Password Policy
NOTE
You can create a new policy through the Domain Administration Tool, or through the Group Policy Management Editor (expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy, then click Create New Password Policy).
- Click Create New Password Policy
- Select an existing GPO by clicking its name in the Group Policy Object list, or click New Group Policy Object… to create a new GPO to link to this OU and policy. Note that when you create a new GPO, you will get the option to name it, as well as associate it with an existing Organizational Unit. By default the GPO will apply to all users in the group. You can also filter which users the GPO applies to by adding security groups.
- Click OK.
- Select a template from the list, or choose Custom if you want to create a policy from scratch, then click Next.
- Configure the policy, then click OK.
For more information on policy configuration, please refer to the Policy Settings section.
Editing an existing policy
NOTE
The Default Domain Policy cannot be edited and affects all users in the domain, unless they are affected by a fine-grained password policy.
NOTE
You can edit a policy through the Domain Administration Tool, or through the Group Policy Management Editor (expand User Configuration, Windows Settings node, and select Specops Password Policy, then click Create New Password Policy).
- Select the GPO whose policy you want to edit in the Password Policy column.
- Click Edit Policy
- Edit the policy, then click OK.
For more information on policy configuration, please refer to the Policy Settings section.
Removing a policy from a GPO
- Select the GPO whose policy you want to remove in the Password Policy column.
- Click Remove Policy.
- In the confirmation pop-up, click Yes. The policy will be removed from the list.
Domain Settings
You can use the Domain Settings menu to perform the following tasks:
Password Policy Sentinel state
You can use the Password Policy Sentinel state tab to verify that you have installed the Sentinel on all writable domain controllers. If you notice a domain controller is missing the Sentinel component, you can:
- Run the Setup Assistant again to install it, or
- Manually install the Sentinel Component on the affected domain controller
Checking the Sentinel status
Sentinel status can be checked in both the Setup Assistant and the Domain Administration Tool.
Checking the status in the Domain Administration Tool
- Click on Password Policy Sentinels.
- Click on the Domain Controller you want to check.
- In the table to the right, you can see two statuses: General status (whether the Sentinel is installed and up-to-date on this DC), and Service status (see status messages list below).
Checking the status in the Setup Assistant
- Click on Domain Controller Sentinel.
- Right-click on the Sentinel state column for the DC you want to check, and choose Show Details.
- The pop-up message shows two statuses: General status (whether the Sentinel is installed and up-to-date on this DC), and Service status (see status messages list below).
Sentinel status messages
- Unreachable
- Access Denied
- Unknown error
- Not installed
- Old version
- Newer version installed
- Reboot required
- OK
Sentinel status sorting
To make Sentinels that require your attention easier to identify in long lists of Domain Controllers, the table is displayed dynamically. Sentinels whose status is not OK will show up at the top of the table. The table sorts on Sentinel status first, then on name.
Enabling and disabling the Sentinel Web API
For information on how to enable or disable the Sentinel Web API, please refer to the Password Policy Sentinel page.
Password policy templates
You can use the Password policy templates node to create a new password policy template, or view an existing template with NIST, NCSC, Microsoft, and NSA recommendations. A password policy template will help keep your policy settings consistent throughout your domain.
Viewing existing templates
- Expand the Password policy template menu by clicking the plus icon.
- Select an existing template in the list to view its settings.
Creating a new Password Policy Template
- Click New Password Policy Template.
- In the Template name field, enter a name for the template.
- In the Description field, enter a description for the template.
- Specify the settings, and click Save.
Use an existing password policy template
- In the Group Policy Management Editor expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
- Click Create New Password Policy from Template. Select a Password Policy Template to use for the Group Policy.
- If the Microsoft or NSA templates are selected, you will be taken to the policy settings page for additional configuration options. If the NIST and NCSC templates are selected, you will be prompted to:
- Create a list of disallowed words.
- Download the password dictionary for the template. The dictionary is a combination of password lists designed for penetration tests.
- Set a maximum password age for users affected by the policy to proactively check against password dictionaries, and prevent the creation of vulnerable passwords. This is a Specops recommendation that can help you stay protected against the latest dictionary lists.
- If the NCSC template is selected, you will be prompted to set a minimum password length for users affected by the policy.
- You will be taken to the policy settings page for additional configuration options. Click OK when you are done.
Language files
You can use the Language files tab to update to new versions of language files. The files are only updated if, after an upgrade, new versions of the language files are available on the computer where the Domain Administration tool is installed.
Specops Password Auditor
You can use Specops Password Auditor to scan your Active Directory and detect security-related weaknesses, specifically related to password policies.
Click Start Specops Password Auditor to get started.
For more information about Specops Password Auditor, click here.
Breached Password Protection
Breached Password Protection Complete
With Specops Breached Password Protection Complete you can make sure that users cannot use passwords that are known to be compromised. In the Domain Administration Tool you can:
- Import API Key
- Test cloud connection
- Unregister
- Register a new Arbiter
Breached Password Protection Express
The Breached Password Express list is a large collection of compromised passwords that you can download in order to prevent users from using any passwords on the list. In the Domain Administration Tool you can:
- Download the latest version of the list