Authentication Client - Specops Password Policy

NOTE
The Authentication Client requires installation/silent deployment. You can download the installation files here. No configuration or MSI parameters are required for roll-out.

Specops Authentication Client can be configured using the administrative template in the Group Policy Management Console.

Specops Authentication Client uses ADMX files to change the Windows Registry settings that control how the software interacts with the system software. ADMX templates are XML-based Windows Group Policy files that specify which registry keys are changed when a certain Group Policy setting is changed. ADML files are the localized XML files containing the text strings associated with the ADMX files.

ADMX templates can be used to change numerous registry keys, but this document focuses on two settings in particular connected to Specops Authentication Client: creating the Start menu shortcut; and showing/hiding the reset password link on the logon page.

Accessing the Specops ADMX templates

To access the ADMX templates associated with Specops Authentication Client:

  1. Open the Group Policy Management tool (GPMC).
  2. Right-click the Group Policy Object (GPO) you want to change, and select Edit.
  3. In the tree navigation, navigate to Computer Configuration > Policies > Administrative templates: Policy definitions (ADMX files) > Specops Authentication Client. There you will find all the ADMX templates associated with Specops Authentication Client.

Hiding the reset password link on the logon page

Start menu shortcut creation


Location: General Client settings > Create start menu shortcuts to enroll/change/reset

With Specops Authentication Client installed, when a user logs in to Windows, start menu shortcuts to enroll, reset and change password are created. These are convenience shortcuts for users to easily use Specops uReset or Specops Password Reset. This setting allows you to hide those shortcuts, in case these should not be shown. If those shortcuts have already been created on a computer, they will be removed at next logon if this setting has been set to disabled.

Enroll, reset and change password each have their own template file. The procedure below is the same for all three. The files are named as follows:

  • Create start menu shortcut to enroll
  • Create start menu shortcut to password reset
  • Create start menu shortcut to password change

  1. Open the file you want to change the behavior for (see the list of files above).
  2. Select the Disabled radio button.
  3. Click OK.
    NOTE
    To enable the setting again, you can set the radio button to either Not configured or Enabled.

Creating a Central Store for Group Policy Administrative Templates


The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops uReset Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841

For help in installing the product and the Client, please refer to the Installation section.

For downloads, please refer to the Downloads section.

Dynamic Feedback UI


NOTE
The dynamic feedback at password change is not supported if the Group Policy setting "Interactive Logon: Do not display last username" is set to Enabled.

Specops Authentication Client and Microsoft Entra SSPR


This section applies to organizations that use Specops Password Policy and hybrid Microsoft Entra ID, and that use Microsoft Entra SSPR for password resets.

When Microsoft Entra SSPR resets a user's password in hybrid Microsoft Entra ID, the Specops Password Policy Sentinel is invoked to evaluate the new password.

Microsoft Entra SSPR will be informed if Specops Password Policy rejects the new password. Note, however, that Microsoft Entra SSPR lacks knowledge about why the password reset was rejected. Consider implementing Specops uReset to get a better user experience.

If client computers are already configured using Intune or registry policy and use Microsoft Entra SSPR for the "Password Reset..." link, this configuration must be reverted.

To use Microsoft Entra SSPR to reset passwords from the "Password Reset..." link on the Windows logon screen, use the following configuration:

  • Deploy the Specops Authentication Client and the Specops CefSharp runtime MSIs.
  • Make sure the registry value "AllowPasswordReset" under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount" is disabled (non-existent or set to 0). This disables the built-in Microsoft Entra SSPR "Reset Password..." functionality.
  • Configure a Group Policy affecting the computer, with "Use Microsoft Entra SSPR for password resets" set to "Enabled" from the Specops Client ADMX.
  • Note that the feature "VPN-less password reset with cached credential update" only works with Specops uReset, not with Microsoft Entra SSPR.
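
The registry precondition in the list above can be audited on each client before the Group Policy is rolled out. The following PowerShell is an added example, not Specops or Microsoft code; the key path and value name come from this page, and the function name Test-EntraSsprLinkDisabled is hypothetical.

```powershell
# Added example: audits the "AllowPasswordReset" precondition described above.
# Key path and value name are taken from this page; the function name is hypothetical.
function Test-EntraSsprLinkDisabled {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount',
        [string]$ValueName = 'AllowPasswordReset'
    )

    # Default: key or value does not exist, which the page treats as disabled.
    $state = 'Missing'
    $data  = $null

    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $ValueName) {
            $data = $key.GetValue($ValueName)
            # Accept 0 whether it was written as a DWORD or as a string.
            $state = if ([string]$data -eq '0') { 'Zero' } else { 'Set' }
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        KeyPath   = $KeyPath
        ValueName = $ValueName
        Data      = $data
        State     = $state               # Missing | Zero | Set
        Compliant = ($state -ne 'Set')   # non-existent or 0 is compliant
    }
}

# Local check.
$result = Test-EntraSsprLinkDisabled
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning ("{0} = {1} on {2}: the built-in Microsoft Entra SSPR link is not disabled." -f `
        $result.ValueName, $result.Data, $result.Computer)
}

# Fleet check over PowerShell remoting (computer names below are constructed placeholders):
# Invoke-Command -ComputerName 'PC-EXAMPLE-01','PC-EXAMPLE-02' `
#     -ScriptBlock ${function:Test-EntraSsprLinkDisabled} |
#     Where-Object { -not $_.Compliant }
```

A machine reported with State "Set" still has the earlier Intune or registry configuration in place and needs it reverted as described above.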