Administration

This guide is intended for administrators who are responsible for managing user accounts in their Microsoft Active Directory environment. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Policy.

Key Components

Specops Password Policy can be configured from any computer in the domain where the Specops Password Policy Administration Tools are installed. The administration tool can be used to configure different aspects of the product.

Domain Administration tool: The Domain Administration tool controls domain wide settings for Specops Password Policy.

Group Policy snap-in: Manages Specops Password Policy settings.

Domain Administration Tool

You can use the Domain Administration tool to manage configurations that apply to your entire domain. Once you have modified the settings, your changes are automatically saved.

You can access the Domain Administration tool via the start menu.

Current user information

In the bottom left of the Domain Administration tool, you can see information about the signed-in user: the user's name and the role the tool is running as (Domain Admin or Specops Password Policy Admin Group).

Roles and permissions

As Domain Admin you can perform all tasks in Specops Password Policy. The Specops Password Policy Admin Group permissions are restricted to the following:

  • Enable/disable SPP in the domain
  • Edit some of the Domain Settings:
    • Configure SMTP and sending test emails for the SMTP configuration
    • Configure custom user attributes
    • Select another DC for User counting
    • Enable/disable "Save password with reversible encryption"
  • Manage Arbiters
  • Download Express list
  • Start Express scan
  • Update language files
  • Update the license (First time add will still require Domain Admin)
  • Get a limited view of the Sentinel status on the Password Policy Sentinel state tab (only if the Web API is enabled on a DC; seeing the correct version status still requires Domain Admin)
NOTE
If the Specops Password Policy Admin group or an end user is given edit access to a GPO, they will be able to edit and save the existing password policy in it and send test emails from the policy.
NOTE
When creating the Specops Password Policy Admin, it can take up to 10 minutes for the Arbiter to register it.

Top menu [domain_name]

The top menu, indicated by your domain name, includes the following sections:

  • Change domains: switch between available domains.
  • Change domain controller: switch between available domain controllers.
  • Disable and enable Specops Password Policy: Applied to your entire domain and determines whether the Sentinel processes incoming password changes.
  • License: provides an overview of the current license.
  • Import license file: allows you to import new licenses.

Password policies

You can use the Password policies tab to perform the following tasks:

  • Create a new Password Policy, or associate an existing policy with a new GPO.
  • View the list of all Group Policy Objects in your domain that contain password policy settings.
  • Get an overview of the password policy rules associated with each GPO listed.
  • Edit an existing policy.
  • Remove a policy from a GPO.

Creating a new Password Policy

NOTE
You can create a new policy through the Domain Administration Tool, or through the Group Policy Management Editor (expand the User Configuration, Policies, Windows Settings node, select Specops Password Policy, then click Create New Password Policy).
  1. Click Create New Password Policy
  2. Select an existing GPO by clicking its name in the Group Policy Object list, or click New Group Policy Object… to create a new GPO and link it to an OU. When you create a new GPO, you can name it and associate it with an existing Organizational Unit. By default the GPO applies to all users in that OU; you can restrict which users it applies to by adding security groups (security filtering).
  3. Click OK.
  4. Select a template from the list, or choose Custom if you want to create a policy from scratch, then click Next.
  5. Configure the policy, then click OK.

For more information on policy configuration, please refer to the Policy Settings section.

Editing an existing policy

NOTE
The Default Domain Policy cannot be edited here. Its password settings apply to all users in the domain, unless a fine-grained password policy applies to them.
NOTE
You can edit a policy through the Domain Administration Tool, or through the Group Policy Management Editor (expand the User Configuration, Policies, Windows Settings node, select Specops Password Policy, then click Configure Password Policy).
  1. Select the GPO whose policy you want to edit in the Password Policy column.
  2. Click Edit Policy
  3. Edit the policy, then click OK.

For more information on policy configuration, please refer to the Policy Settings section.

Removing a policy from a GPO

  1. Select the GPO whose policy you want to remove in the Password Policy column.
  2. Click Remove Policy.
  3. In the confirmation pop-up, click Yes. The policy will be removed from the list.

Domain Settings

You can use the Domain Settings menu to perform the following tasks:

  • Save previous password with reversible encryption: Stores the user's previous password with reversible encryption in Active Directory.
    Reversible encryption is needed for the following settings, which compare the new password against the old one:
    • Disallow reusing part of the current password
    • Minimum number of changed characters
      NOTE
      If the checkbox is not checked, the previous password is stored as a one-way hash and cannot be recovered. Enable reversible encryption only if you use one of the two rules above: a reversibly encrypted password can be recovered by anyone with sufficient access to the directory, so it widens the impact of a directory compromise.
  • SMTP Settings: Here the global SMTP settings for all email notifications can be configured. The following settings need to be configured:
    NOTE
    It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.
    • The SMTP Server
    • Use TLS (if enabled, communication with the SMTP server is encrypted)
    • Port (port outgoing emails are to be sent through; default is port 25)
    • Authentication (sets the method for authenticating with the SMTP server: Anonymous Access, Basic Authentication, or Integrated Windows Authentication)
    • Default Sender Email Address
    • Default Sender Display Name
    • Admin Notification Email Address

    For more information on all notification settings, please refer to the Notifications page.

  • Custom user attributes
    If email addresses and mobile numbers are not stored in the standard mail and mobile attributes in Active Directory, specify the attributes to read them from here.
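Before enabling "Use TLS" in the SMTP settings above, it is worth confirming that the configured server actually offers STARTTLS on the configured port and presents a certificate that validates for the name you entered; otherwise notification emails (which contain user names and expiry information) either fail or are sent in cleartext. The following script is an added example and not part of the Specops documentation or product; it assumes that "Use TLS" means STARTTLS on the configured port (port 25 by default), and the server name and port are placeholders for your own values.

```powershell
# Added example, not part of the Specops documentation: check that the SMTP server
# configured in Domain Settings offers STARTTLS on the configured port, that its
# certificate validates for the server name, and which AUTH mechanisms it offers
# once the session is encrypted.
# Assumptions: "Use TLS" means STARTTLS on the configured port, and $SmtpServer /
# $Port are placeholders for your own SMTP settings.
param(
    [string]$SmtpServer = 'smtp.corp.example',   # assumption: your SMTP server
    [int]$Port = 25                              # assumption: the configured port
)

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # An SMTP reply spans several lines while the 4th character is '-' (e.g. "250-STARTTLS").
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Send-SmtpCommand([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command) {
    $Writer.Write("$Command`r`n")
    $Writer.Flush()
    return Read-SmtpReply $Reader
}

$tcp    = New-Object System.Net.Sockets.TcpClient($SmtpServer, $Port)
$stream = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)

Read-SmtpReply $reader | Out-Null                                   # 220 greeting
$caps = Send-SmtpCommand $writer $reader "EHLO $env:COMPUTERNAME"
if (-not ($caps -match '^250[- ]STARTTLS')) {
    $tcp.Close()
    throw "${SmtpServer}:$Port does not advertise STARTTLS; 'Use TLS' cannot be used on this port"
}
$reply = Send-SmtpCommand $writer $reader 'STARTTLS'
if ($reply[0] -notmatch '^220') { $tcp.Close(); throw "STARTTLS refused: $($reply -join ' ')" }

# Upgrade the same TCP connection to TLS. AuthenticateAsClient throws if the chain
# does not validate or the name does not match, which is exactly what you want to know.
$tls = New-Object System.Net.Security.SslStream($stream, $false)
$tls.AuthenticateAsClient($SmtpServer)
$tlsReader = New-Object System.IO.StreamReader($tls)
$tlsWriter = New-Object System.IO.StreamWriter($tls)

# Capabilities must be re-read after STARTTLS; AUTH is often only advertised here.
$tlsCaps = Send-SmtpCommand $tlsWriter $tlsReader "EHLO $env:COMPUTERNAME"
Send-SmtpCommand $tlsWriter $tlsReader 'QUIT' | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tcp.Close()

[pscustomobject]@{
    Server      = $SmtpServer
    Port        = $Port
    Protocol    = $tls.SslProtocol
    CertSubject = $cert.Subject
    CertIssuer  = $cert.Issuer
    CertExpires = $cert.NotAfter
    AuthOffered = (($tlsCaps | Where-Object { $_ -match '^250[- ]AUTH ' }) -replace '^250[- ]AUTH ', '') -join ' '
}
```

If the script throws at AuthenticateAsClient, the Sentinel's mail sending will fail the same way once "Use TLS" is on; fix the certificate (or the server name you entered) rather than turning TLS off. If AuthOffered is empty, Basic Authentication will not work on that server and you need Integrated Windows Authentication or Anonymous Access.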

Password Policy Sentinel state

You can use the Password Policy Sentinel state tab to verify that you have installed the Sentinel on all writable domain controllers. If you notice a domain controller is missing the Sentinel component, you can:

  • Run the Setup Assistant again to install it, or
  • Manually install the Sentinel Component on the affected domain controller

Checking the Sentinel status

Sentinel status can be checked both in the Setup Assistant, as well as in the Domain Administration Tool.

Checking the status in the Domain Administration Tool
  1. Click on Password Policy Sentinels.
  2. Click on the Domain Controller you want to check.
  3. In the table to the right, you can see two statuses: General status (whether the Sentinel is installed and up-to-date on this DC), and Service status (see status messages list below).
Checking the status in the Setup Assistant
  1. Click on Domain Controller Sentinel.
  2. Right-click on the Sentinel state column for the DC you want to check, and choose Show Details.
  3. The pop-up message shows two statuses: General status (whether the Sentinel is installed and up-to-date on this DC), and Service status (see status messages list below).
Sentinel status messages
  • Unreachable
  • Access Denied
  • Unknown error
  • Not installed
  • Old version
  • Newer version installed
  • Reboot required
  • OK
Sentinel status sorting

To make Sentinels that require your attention easier to spot in a long list of domain controllers, the table is sorted dynamically: Sentinels whose status is not OK are shown at the top. The table sorts on Sentinel status first, then on name.
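A writable domain controller without a working Sentinel accepts password changes without enforcing the policy, so it is worth having a check of Sentinel coverage that does not depend on the tool itself. The script below is an added example and not part of the Specops documentation or product: it enumerates the writable domain controllers, reads the LSA "Notification Packages" value on each (the Sentinel is loaded by LSASS as a password filter, which is also why a fresh install reports "Reboot required"), flags DCs with a pending reboot, and sorts the result the same way the tool does. The DLL name pattern in $FilterPattern is an assumption; compare it with the "Notification Packages" value on a DC that the Domain Administration tool reports as OK. This check does not detect an old version.

```powershell
# Added example, not part of the Specops documentation: independent check that every
# writable DC has the Sentinel password filter registered and no pending reboot.
# $FilterPattern is an assumption: check it against the "Notification Packages"
# value on a DC the Domain Administration tool reports as OK.
param([string]$FilterPattern = 'Specops*')   # assumption

Import-Module ActiveDirectory
$writableDcs = Get-ADDomainController -Filter 'IsReadOnly -eq $false' |
               Select-Object -ExpandProperty HostName

$remote = @(Invoke-Command -ComputerName $writableDcs -ErrorAction SilentlyContinue -ScriptBlock {
    $pattern  = $using:FilterPattern
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ listing the password filter DLLs LSASS loads at boot.
    $packages = @((Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages')
    # Two common "reboot pending" indicators: servicing stack flag and pending file renames.
    $cbs      = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $sm       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $rename   = $null -ne (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Packages      = $packages -join ','
        HasFilter     = [bool]($packages | Where-Object { $_ -like $pattern })
        RebootPending = $cbs -or $rename
    }
})

$report = foreach ($dc in $writableDcs) {
    $r = $remote | Where-Object { $_.PSComputerName -eq $dc } | Select-Object -First 1
    $status = if ($null -eq $r)          { 'Unreachable' }
              elseif (-not $r.HasFilter) { 'Not installed' }
              elseif ($r.RebootPending)  { 'Reboot required' }
              else                       { 'OK' }
    [pscustomobject]@{ DomainController = $dc; Status = $status; NotificationPackages = $r.Packages }
}

# Same ordering as the tool: anything that is not OK first, then by name.
$report | Sort-Object @{ Expression = { $_.Status -eq 'OK' } }, DomainController | Format-Table -AutoSize
```

Run it as a user with remote administration rights on the domain controllers. "Unreachable" here means WinRM could not reach the DC, which is the same condition the tool reports for a DC it cannot query.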

Enabling and disabling the Sentinel Web API

For information on how to to enable or disable the Sentinel Web API, please refer to the Password Policy Sentinel page.

Password policy templates

You can use the Password policy templates node to create a new password policy template, or view an existing template with NIST, NCSC, Microsoft, and NSA recommendations. A password policy template will help keep your policy settings consistent throughout your domain.

Viewing existing templates

  1. Expand the Password policy template menu by clicking the plus icon.
  2. Select an existing template in the list to view its settings.

Creating a new Password Policy Template

  1. Click New Password Policy Template.
  2. In the Template name field, enter a name for the template.
  3. In the Description field, enter a description for the template.
  4. Specify the settings, and click Save.

Use an existing password policy template

  1. In the Group Policy Management Editor expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
  2. Click Create New Password Policy from Template. Select a Password Policy Template to use for the Group Policy.
  3. If the Microsoft or NSA templates are selected, you will be taken to the policy settings page for additional configuration options. If the NIST, and NCSC templates are selected, you will be prompted to:
    1. Create a list of disallowed words.
    2. Download the password dictionary for the template. The dictionary is a combination of password lists designed for penetration tests.
    3. Set a maximum password age for users affected by the policy to proactively check against password dictionaries, and prevent the creation of vulnerable passwords. This is a Specops recommendation that can help you stay protected against the latest dictionary lists.
    4. If the NCSC template is selected, you will be prompted to set a minimum password length for users affected by the policy.
    5. You will be taken to the policy settings page for additional configuration options. Click OK when you are done.

Language files

You can use the Language files tab to update the language files to newer versions. An update is only offered when newer language files are available on the computer where the Domain Administration tool is installed, typically after an upgrade.

Specops Password Auditor

You can use Specops Password Auditor to scan your Active Directory and detect security related weaknesses, specifically related to password policies.

Click Start Specops Password Auditor to get started.

For more information about Specops Password Auditor, click here.

Breached Password Protection

Breached Password Protection Complete

With Specops Breached Password Protection Complete you can make sure that users cannot use passwords that are known to be compromised. In the Domain Administration Tool you can:

  • Import API Key
  • Test cloud connection
  • Unregister
  • Register a new Arbiter

Breached Password Protection Express

The Breached Password Express list is a large collection of compromised passwords that you can download in order to prevent users from using any passwords on the list. In the Domain Administration Tool you can:

  • Download the latest version of the list

Group Policy Snap-In

NOTE
You can also create and manage Specops Password Policy settings from the Password policies tab in the Domain Administration tool. See the Domain Administration Tool section for more information.

The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Policy settings in Group Policy Objects. The settings are stored as a part of the GPO. Managing Specops Password Policy settings in Group Policy allows you to control how and where the policies are applied.

Create a Specops Password Policy GPO

  1. In the GPMC, expand your domain node and locate the Group Policy Objects container.
  2. Right-click the Group Policy Objects container and select New.
  3. Enter a name for the Group Policy Object and click OK.

Applying policy settings

The password policy will apply to all user accounts in locations where your GPO is linked.

If more than one GPO is linked at the same level, the link order determines the order in which they are processed. If conflicting settings from multiple GPOs apply to a user, Group Policy resolves the conflict by precedence. GPOs are processed in the following order, and a later GPO overrides an earlier one, so the GPO linked closest to the user object in AD has the highest precedence:

  • Local Group Policy Objects
  • Site linked Group Policy Objects
  • Domain linked Group Policy Objects
  • OU linked Group Policy Objects

If the above order does not enable you to apply your preferred settings, you can use security filtering to control on a permission level which users and computers will be affected by the GPO. Security filtering allows you to apply different policy settings to objects located on the same level in Active Directory.
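The same preparation (create the GPO, link it, apply security filtering) can be scripted, which makes the resulting permissions easier to review than clicking through GPMC. The script below is an added example and not part of the Specops documentation or product. The GPO name, OU and group name are assumptions. It only prepares the GPO and its permissions; the Specops Password Policy settings themselves are then added with the Group Policy snap-in or the Domain Administration tool as described above.

```powershell
# Added example, not part of the Specops documentation: create the GPO that will carry
# a Specops Password Policy, link it to an OU, and restrict it to one security group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'SPP - Privileged Accounts'          # assumption
$TargetOu = 'OU=Admins,DC=corp,DC=example'       # assumption
$ApplyTo  = 'SPP-Privileged-Accounts'            # assumption: security group that gets this policy

# 1. Create the GPO (same as right-click > New under Group Policy Objects in GPMC).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Specops Password Policy for privileged accounts'
}

# 2. Link it to the OU with link order 1, i.e. highest precedence among GPOs linked there.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null
}

# 3. Security filtering. By default "Authenticated Users" has Read + Apply, so the
#    policy would hit every user in the OU. Remove that and grant Apply to the group.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $ApplyTo -TargetType Group -PermissionLevel GpoApply | Out-Null

#    Since MS16-072 (KB3163622) user policy is retrieved in the computer's security
#    context, so computers must keep Read on the GPO or it silently stops applying.
#    This is also the access the Dynamic Feedback UI needs in order to read the policy.
Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# 4. Show the resulting filtering so it can be reviewed before the policy is configured.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
```

The Domain Computers read entry is the step most often forgotten when Authenticated Users is removed from a GPO; without it the policy appears in the tool but never reaches the users.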

Configuring a password policy


This procedure describes the configuration of an entirely new password policy linked to a newly created GPO.

For creating a policy for an existing GPO, skip to step 7.

For editing existing policies, select the policy in the list, then click Edit, and skip to step 9.

  1. In the Domain Administration tool, under Password Policies, click Create new Password Policy.
  2. Choose an existing GPO from the list and click OK (skip to step 8), or click New Group Policy object....
  3. Give the new GPO a name.
  4. Select the OU from the list on the left if the policy should apply only to users in a particular OU.
  5. If the policy needs to apply only to users within the selected OU who are also members of a particular security group, click Add in the right column. Enter the name of the security group and click OK. Select the Security group.
  6. Click OK.
  7. The correct GPO is selected in the list. Click OK.
  8. Choose from the list of templates (or choose Custom to start with a blank policy), then click Next.
  9. In the Start section, configure the policy to use password rules, passphrases, or both.
  10. Configure the General Settings.
  11. Configure when passwords are set to expire and what notifications should be sent under Password Expiration.
  12. Configure what rules passwords should adhere to (length, required characters, dictionaries etc.) under Password Rules.
  13. Click OK.
NOTE
For a more detailed description of all the settings available for policies, please refer to the Policy Settings section below.

Policy Settings


You can create or edit password policies in two ways:

From the Domain Administration Tool

  1. Open the Domain Administration Tool
  2. In the left navigation, click Password policies
  3. Click Create new password policy, or select a GPO in the Password policy list, then click Edit Policy.

From the Group Policy Management Editor

  1. Access the Group Policy Management Editor for the GPO you want to associate a policy with
  2. Expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
  3. Click Configure Password Policy, or Create New Password Policy (if the GPO does not yet have a policy associated with it).

Start

You can configure a password policy to use classic password rules, passphrases, or both. A passphrase is a password based on a sentence or a series of words. By default the only requirement on a passphrase is that it is long (see Passphrase requirements below).

General Settings

Password history

NOTE
If you enable remembered passwords, a leaf object subordinate to the user object is created to store the password history. By default this leaf object is locked down.

  • Number of remembered passwords: Specify the number of passwords the system will remember. Users will be prevented from reusing the stored passwords.
  • Minimum password age (days): Specify the number of days that must elapse before the user is allowed to change their password.
  • Disallow incremental passwords: Prevent users from selecting new passwords that differ from the old password only in the last character.
  • Minimum number of changed characters: Specify the number of characters that must be changed in a password. Requires "Save previous password with reversible encryption" (Domain Settings).
  • Disallow reusing part of the current password: Specify the number of consecutive characters from the old password that are not allowed in the new password. Requires "Save previous password with reversible encryption" (Domain Settings).
    Note: After enabling this setting, you will need to reboot your PDC emulator DC for the setting to take effect.

Account lockout settings

  • Disable account lockout: Prevent accounts from being locked out of Active Directory. This setting is commonly used for Windows accounts running critical services. Accounts without lockout lose the protection it gives against online password guessing, so only apply it to accounts that are covered by strong password rules.

Password reset options

  • Ignore this policy on password reset: Ignore the policy settings when the password is being reset (as opposed to changed by the user).
    Note: Do not enable this setting if users can reset their passwords through a self-service solution such as Specops Password Reset, since it would let them bypass the policy.
  • Require user to change password on next logon: Require the user to change their password at the next logon after the password has been reset.
  • Unlock locked accounts automatically on reset: Automatically unlock user accounts when their passwords are reset.

Client message

These settings control the message shown to users when their new password fails the password rules:

  • Client message language: Specify the language localization to use in the message.
  • User feedback on failed attempt: Display the policy rules, the failed rules, or a custom message after a failed attempt.
  • Additional information to end users at password change: Specify any additional information you want to give end users when they change their passwords.

Password expiration

  • Maximum password age (days): Specify the time (in days) that can elapse before a password expires.
  • Length based password aging: Toggle length based password aging on or off. Length based password aging rewards users who choose longer passwords with a later password expiration. More information on this topic can be found on the Password Expiration page.
  • Number of expiration levels: Sets the number of expiration levels. More levels allow for finer differentiation and different expiration rewards.
  • Characters per level: The password length range covered by each expiration level.
  • Extra days per level: Extra days added beyond the default expiration for every level the user attains with their password length.
  • Disable expiration for the last level: Disables expiration for users whose password length reaches the highest level.

Password expiration notifications (see also: Notifications)

  • Notify at login (days before expiration): When this option is enabled, users are notified at Windows logon when their password is about to expire.
  • Send email notification (days before expiration): Specifies whether the user receives an email notification that their password is about to expire. Users receive an email once a day until they change their password. The number value determines how many days before expiration the emails start.
  • From email: Sender email address. Set in Domain Settings in the Domain Administration Tool.
  • From name: Email sender name.
  • To email: Recipient's email address. The %UserEmail% placeholder should be used.
  • CC: Optional CC email addresses, comma-separated.
  • Subject: Email subject line. Placeholders can be used.
  • Body: Email body text. Placeholders can be used.
NOTE
For more detailed information about how to manage password expiration settings, including length-based password aging, visit the Password Expiration page.

Password Rules

Password length requirements

  • Minimum password length: Specify the minimum number of characters in a password.
  • Maximum password length: Specify the maximum number of characters in a password.

Character group requirements

  • Number of required character groups: Specify the number of character groups (upper case, lower case, digits, special characters, and Unicode characters) that the password must contain characters from.
  • Required alpha characters: Specify the minimum number of alpha characters (A-Z) in a password.
  • Required upper case characters: Specify the minimum number of upper case alpha characters in a password.
  • Required lower case characters: Specify the minimum number of lower case alpha characters in a password.
  • Required non alpha characters: Specify the minimum number of non-alpha characters (digits, special characters, Unicode characters) in a password.
  • Required digits: Specify the minimum number of digits (0-9) in a password.
  • Required special characters: Specify the minimum number of special characters in a password.
  • Required Unicode characters: Specify the minimum number of Unicode characters that must be present in the password.
    Note: Enable this requirement only if users can enter Unicode characters directly from their keyboards.

Dictionaries

  • Use custom dictionaries: Add, configure, and remove your own password lists and password hash lists. The lists are checked at every password change in Active Directory, and a new password is rejected if it is found in a dictionary.
  • Use online dictionaries: Add, configure, and remove password lists and password hash lists published on the Specops website. Browse for a password list or password hash list to import. The lists are checked at every password change in Active Directory, and a new password is rejected if it is found in a dictionary.
  • Show failed dictionary word to user: When dictionaries are configured to use partial matching, this setting displays the part of the password that was found in a dictionary after a failed password change attempt.
NOTE
For more information about dictionaries, see Configure custom and online dictionaries.

Password content restrictions

nPassword content restrictions
Setting Description
Disallow username in password Prevent the use of the username in the password.
Disallow full username in password Prevent the use of full account name (first name, last name, display name) in the password.
Disallow part of username in password Prevent the use of parts (three or more consecutive characters) of the account name (first name, last name, display name) in the password.
Disallow digit as first character in a password Prevent the use of a digit as the first character in a password.
Disallow digit as last character in a password Prevent the use of a digit as the last character in a password.
Disallow consecutive identical characters Specify the number of identical consecutive characters that can be used in a password.

Regular expressions

  • Use regular expressions: Allow regular expression (regex) matching against the password, for requirements the fixed rules above cannot express.
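Several of the rules in the Password history and Password content restrictions tables above have semantics that are easy to misjudge (what counts as "incremental", how "part of the username" is matched, how many repeats "consecutive identical characters" actually allows), and the Regular expressions setting lets you add your own. The script below is an added example and not Specops code: it implements those rules as the descriptions above state them, plus a sample custom regular expression, so their behaviour can be tried against constructed input before a policy is deployed. The exact matching the Sentinel performs is not documented on this page; in particular the "changed characters" measure here (position-by-position comparison) is an assumption, and the regular expression is only an illustration.

```powershell
# Added example, not Specops code: reference implementations of rules from the tables
# above, written as the descriptions state them. Matching details are assumptions.

# Disallow incremental passwords: the new password differs from the old one only in its last character.
function Test-IncrementalPassword([string]$Old, [string]$New) {
    if ($Old.Length -lt 2 -or $Old.Length -ne $New.Length) { return $false }
    $oldStem = $Old.Substring(0, $Old.Length - 1)
    $newStem = $New.Substring(0, $New.Length - 1)
    return ($oldStem -ceq $newStem) -and ($Old[-1] -cne $New[-1])
}

# Disallow reusing part of the current password: reject when any run of $Run
# consecutive characters of the old password occurs in the new one (case-sensitive).
function Test-ReusesPartOfPassword([string]$Old, [string]$New, [int]$Run) {
    for ($i = 0; $i -le $Old.Length - $Run; $i++) {
        $fragment = $Old.Substring($i, $Run)
        if ($New.IndexOf($fragment, [StringComparison]::Ordinal) -ge 0) { return $true }
    }
    return $false
}

# Minimum number of changed characters (assumption: positions that differ plus any length difference).
function Get-ChangedCharacterCount([string]$Old, [string]$New) {
    $common  = [Math]::Min($Old.Length, $New.Length)
    $changed = [Math]::Abs($Old.Length - $New.Length)
    for ($i = 0; $i -lt $common; $i++) { if ($Old[$i] -cne $New[$i]) { $changed++ } }
    return $changed
}

# Disallow part of username in password: any $MinRun or more consecutive characters of
# the account name, first name, last name or display name, compared case-insensitively.
function Test-ContainsNamePart([string]$Password, [string[]]$Names, [int]$MinRun = 3) {
    foreach ($name in $Names) {
        if ([string]::IsNullOrEmpty($name) -or $name.Length -lt $MinRun) { continue }
        for ($i = 0; $i -le $name.Length - $MinRun; $i++) {
            $part = $name.Substring($i, $MinRun)
            if ($Password.IndexOf($part, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
        }
    }
    return $false
}

# Disallow consecutive identical characters: more than $MaxRepeat identical characters in a row.
# "(.)\1{N,}" matches a character followed by N copies of itself, i.e. N+1 in a row.
function Test-RepeatedCharacters([string]$Password, [int]$MaxRepeat) {
    return [regex]::IsMatch($Password, "(.)\1{$MaxRepeat,}")
}

# A custom regular expression (assumption, illustrating the setting): four or more
# words of at least two letters separated by single spaces.
$PassphrasePattern = '^(?:\p{L}{2,} ){3,}\p{L}{2,}$'
function Test-CustomExpression([string]$Password, [string]$Pattern = $PassphrasePattern) {
    return [regex]::IsMatch($Password, $Pattern)
}

# Constructed sample input.
$old = 'Winter2023'
$new = 'Winter2024'
[pscustomobject]@{
    Incremental       = Test-IncrementalPassword $old $new
    ReusesSixChars    = Test-ReusesPartOfPassword $old $new 6
    ChangedCharacters = Get-ChangedCharacterCount $old $new
    ContainsNamePart  = Test-ContainsNamePart 'xJohnson9!' @('jsmith', 'John', 'Smith', 'John Smith')
    TooManyRepeats    = Test-RepeatedCharacters 'Passsword1!' 2
    PassphraseMatches = Test-CustomExpression 'correct horse battery staple'
}
```

The sample shows why "Disallow incremental passwords" alone is weak: Winter2023 to Winter2024 is caught, but Winter2024! to Winter2025! is not (the last character is the same), which is what "Disallow reusing part of the current password" and "Minimum number of changed characters" are for.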

Entropy bar

The entropy bar is shown on the left side of the Password rules tab. It changes according to the settings input in this part of the tool. It is a graphical representation of the relative complexity of the policy in a mathematical sense. The height of the bar corresponds to the combinatorial complexity of the weakest possible password that the policy would accept.

This is not an absolute measure of the policy strength and should mostly be used to compare how different settings in the password rules affect the complexity.

Passphrase

Passphrase requirements

  • Minimum passphrase length: The minimum number of characters in the passphrase.
  • Require one or more lower case characters: One or more lower case characters in the passphrase.
  • Require one or more upper case characters: One or more upper case characters in the passphrase.
  • Require one or more digits: One or more digits in the passphrase.
  • Require one or more special characters: One or more special characters in the passphrase.
  • Passphrase message: A description of the policy that is displayed to end users when they change their password. The message should explain the requirements the passphrase must meet.

Custom requirements

  • Custom Regular Expressions: Create the regular expressions used to validate passphrases.
  • Sample passphrase: Type a sample passphrase to test against the regular expressions.

Breached Password Protection (add-on)

You can enable Breached Password Protection validation during a password reset, and/or password change.

For more information about the Breached Password Protection settings, click here.

Granting Dynamic Feedback UI access to read password policies


NOTE
The dynamic feedback UI requires Windows 10 or later, or Windows Server 2016

During a password change from Windows, the user is given live feedback about the password policy: the rules set in the policy are displayed on screen, and as the user types the new password each rule is marked as met or not met. To provide this feedback, the Rules UI resolves and reads the password policy that affects the user.

To do this, the Dynamic Feedback UI accesses the network with the computer's credentials. The affected computers (for example through the built-in group "Domain Computers") must therefore be granted:

  • read access to the Default Domain Policy (enabled by default)
  • when using Specops Password Policy: the right to resolve the user's SPP policy and read it (typically enabled by default)
  • when using fine-grained password policies (FGPP): read access to the user objects, and read access to the FGPP container and the policies in it (CN=Password Settings Container, CN=System, DC=acme, DC=org)
  • when using FGPP: read access to the msDS-PSOApplied and msDS-ResultantPSO attributes on user objects
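The FGPP-related entries above are the ones that most often need manual work, because the Password Settings Container is not readable by ordinary principals by default. The script below is an added example and not part of the Specops documentation or product: it checks whether the principal the computers run as holds the read rights listed above on the FGPP container and on the two attributes, and with -Fix grants them. Assumptions: the computers are members of "Domain Computers" (the default), the script is run with rights to read and modify these ACLs, and a right is only recognised when it is granted to that principal directly (access available through another group, such as Authenticated Users, shows as missing). Plain read on user objects and on the Default Domain Policy is not checked, since that is normally granted by default.

```powershell
# Added example, not part of the Specops documentation: check, and with -Fix grant, the
# read access the Dynamic Feedback UI needs for fine-grained password policies.
# Assumptions: computers act as "Domain Computers"; run with rights to modify these ACLs.
param(
    [string]$Principal = 'Domain Computers',   # assumption
    [switch]$Fix
)
Import-Module ActiveDirectory

$domainDn      = (Get-ADDomain).DistinguishedName
$pscDn         = "CN=Password Settings Container,CN=System,$domainDn"
$sid           = (Get-ADGroup -Identity $Principal).SID
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

# Attribute-level ACEs are keyed by the attribute's schemaIDGUID, so look it up.
function Get-AttributeGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}

# Is there an Allow ACE for $sid on $dn that covers $rights (for one attribute, or for all)?
function Test-Ace([string]$dn, [System.DirectoryServices.ActiveDirectoryRights]$rights, [guid]$objectType = [guid]::Empty) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
        if ($aceSid.Value -ne $sid.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $rights) -ne $rights) { continue }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $objectType) { return $true }
    }
    return $false
}

# Add an inheritable Allow ACE; $inheritedClass limits it to objects of that class (user).
function Grant-Ace([string]$dn, [System.DirectoryServices.ActiveDirectoryRights]$rights, [guid]$objectType, [guid]$inheritedClass) {
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, 'Allow', $objectType, 'All', $inheritedClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

$checks = @(
    @{ Name = 'Read FGPP container and PSOs';   Dn = $pscDn;    Rights = 'GenericRead';  Attr = [guid]::Empty;                       Inherit = [guid]::Empty }
    @{ Name = 'Read msDS-PSOApplied on users';  Dn = $domainDn; Rights = 'ReadProperty'; Attr = (Get-AttributeGuid 'msDS-PSOApplied');   Inherit = $userClassGuid }
    @{ Name = 'Read msDS-ResultantPSO on users'; Dn = $domainDn; Rights = 'ReadProperty'; Attr = (Get-AttributeGuid 'msDS-ResultantPSO'); Inherit = $userClassGuid }
)

foreach ($c in $checks) {
    $ok = Test-Ace -dn $c.Dn -rights $c.Rights -objectType $c.Attr
    if (-not $ok -and $Fix) {
        Grant-Ace -dn $c.Dn -rights $c.Rights -objectType $c.Attr -inheritedClass $c.Inherit
        $ok = Test-Ace -dn $c.Dn -rights $c.Rights -objectType $c.Attr
    }
    [pscustomobject]@{ Check = $c.Name; Principal = $Principal; Granted = $ok }
}
```

Run it without -Fix first and review the output; granting read on the Password Settings Container to all domain computers discloses the PSO settings (lockout thresholds, length requirements) to anyone who can run code on a domain-joined machine, which is the trade-off the live feedback requires.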

Configuring the Client from the Administrative template


The Client can be configured using the administrative template in the Group Policy Management Console.

  1. Open the GPMC and navigate to the GPO you want to edit.
  2. Right click on the GPO and select Edit…
  3. In the Group Policy Management Editor dialog box, expand Computer Configuration, Policies, Administrative Templates, and click Specops Authentication Client.
  4. Select Specops Password Policy, and double-click the settings you want to configure.
  5. Make the desired changes, and click OK.

Before configuring these settings, it is recommended to create a Central Store for Group Policy Administrative Templates and add the Specops Authentication Client administrative template to it, so that every administrator editing the GPO sees the same template version.

Create a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates lets you keep all template files in a single location in SYSVOL, from where they are presented to the Group Policy Management Editor on any computer in your domain. To create a Central Store, copy the Specops Authentication Client ADMX/ADML files from %windir%\PolicyDefinitions on a computer where the Client is installed.

The ADMX should be copied to:

\\[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

\\[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841
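The copy described above can be scripted so that it is repeatable after each Client upgrade and so that a missing ADML (which makes the editor refuse to load the template) is caught immediately. The script below is an added example and not part of the Specops documentation or product. The file name pattern in $Pattern is an assumption; use the names of the template files the Client actually installs. Run it on a computer where the Client is installed, as a user who may write to SYSVOL (by default Domain Admins).

```powershell
# Added example, not part of the Specops documentation: copy the client ADMX/ADML files
# into the Central Store and verify that each ADMX has its ADML.
param([string]$Pattern = 'Specops*')   # assumption: name pattern of the template files

Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$source = "$env:windir\PolicyDefinitions"

# The Central Store and its language folder are not created by the OS; create them once.
foreach ($dir in @($store, "$store\en-US")) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

$admxFiles = Get-ChildItem -Path $source -Filter "$Pattern.admx"
$admlFiles = Get-ChildItem -Path "$source\en-US" -Filter "$Pattern.adml"
if (-not $admxFiles) { throw "No $Pattern.admx found in $source; is the Client installed on this computer?" }

$admxFiles | Copy-Item -Destination $store -Force
$admlFiles | Copy-Item -Destination "$store\en-US" -Force

# An ADMX without a matching ADML for the editor's language makes the editor refuse
# to load the template, so verify the pair exists in the store after copying.
foreach ($admx in Get-ChildItem -Path $store -Filter "$Pattern.admx") {
    $adml = Join-Path "$store\en-US" ($admx.BaseName + '.adml')
    [pscustomobject]@{
        Template     = $admx.Name
        AdmlPresent  = Test-Path $adml
        StoreVersion = $admx.LastWriteTime
    }
}
```

Once the Central Store exists, the editor ignores the local %windir%\PolicyDefinitions entirely, so a template that is only present locally will disappear from the editor until it is copied to SYSVOL.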