Installation

This document will guide you through the process of installing Specops Password Policy.

Key Components

[Figure: Specops Password Policy flow]

Specops Password Policy consists of the following components and does not require any additional servers or resources in your environment.

Specops Password Policy Administration Tools: Used to configure the central aspects of the solution and enable the creation of Specops Password Policy Settings in Group Policy Objects.

Specops Password Policy Sentinel: The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

  • Sentinel Password Filter: The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.
  • Sentinel Service: The Sentinel Service is always installed as part of the Specops Sentinel, but effective only if the Breached Password Protection add-on is configured.

Specops Authentication Client (formerly known as the Specops Password Client or the uReset Client): Displays the password policy rules when a user fails to meet the policy criteria when changing their password. The Client also notifies users when their passwords are about to expire.

NOTE
The Specops Client is an optional component.

Specops Arbiter: The Specops Arbiter should only be installed if you are using the Specops Breached Password Protection add-on.

The Specops Arbiter acts as a gateway between the Sentinel Service and the Specops Breached Password Protection Cloud API, where the list of leaked passwords is found. The Specops Arbiter uses a customer-unique API key to communicate with the Breached Password Protection Cloud API.

Requirements


Component Requirement
Administration Tools
  • Windows 10 or later
  • .NET Framework 4.7.1 or later
  • Active Directory Users and Computers snap-in
  • Group Policy Management Console (GPMC)
  • (For managing Online Dictionaries only) Internet access to download.specopssoft.com. Note: proxy SSL interception is not supported.
  • Windows PowerShell 5.1
Specops Password Policy Sentinel
  • Windows Server 2012 R2 or later
  • .NET Framework 4.7.1 or later
  • Writable domain controller
Specops Authentication Client
  • Supported on Windows 10/11 x64
    NOTE
    When running on a server, Windows Server 2016 is required.
  • .NET Framework 4.7.1 SP1 or later
  • For password resets with uReset 8 and Specops Password Reset, the Specops Cefsharp runtime MSI should be installed.
Specops Arbiter
  • .NET 4.7.1
  • Windows Server 2012 R2 or later

Installing Specops Password Policy



During installation, Specops Password Policy will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Policy:

  • Administration Tools
  • Specops Arbiter
  • Sentinel
  • Client

  1. Download the Setup Assistant.
  2. Save and Run the Setup Assistant on your server.
    NOTE
    By default, the file is extracted to C:\temp\SpecopsPasswordPolicy_Setup_[VersionNumber]
  3. Double click SpecopsPasswordPolicy.Setup.exe to launch the Setup Assistant.
  4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and Accept the End User License Agreement.

Installing the Administration Tools

Installing the Administration Tools will install the Domain Administration tool and the GPMC snap-in, as well as the PowerShell module. You can use the Domain Administration tool to manage configurations that apply to your entire domain, including your license information, templates, and Password Policy Sentinel installations. You can use the GPMC snap-in to configure password policies in a Group Policy Object (GPO). The GPO can then be applied to your entire domain or a part of your domain.

The Administration Tools should be installed on the computer that you want to administer the product from.

NOTE
This machine requires Internet access to download the online dictionaries.

  1. In the main menu, select Administration tools.
    NOTE
    The installer will indicate whether installation prerequisites are met with a green checkmark in front of the prerequisites. If any display a red cross, please install or update that component in your system.
  2. If you want Specops Password Policy to register the Specops Active Directory Users and Computers (ADUC) Menu Extension, click Add menu ext.
    NOTE
    This will allow Specops to add the Specops Display Specifiers in the configuration partition of your Active Directory forest allowing you to administer the product directly from the right-click menu of Active Directory objects. In order to add the menu extension to Active Directory the user running the Setup Assistant must be an Enterprise Administrator.
  3. Click Install.
  4. In the Installation succeeded dialog box, click OK.

For information on how to set up policies, please refer to the Administration documentation.

Installing the Specops Arbiter

NOTE
The Specops Arbiter should only be installed if you are using the Specops Breached Password Protection add-on.

  1. In the main menu, select Specops Arbiter.
  2. Click Install.
  3. In the Installation succeeded dialog box, click OK.

Installing the Sentinel

The Sentinel is a password filter on the domain controllers that verifies whether the new password matches the Specops Password Policy settings assigned to the user. You should install the Sentinel on all writable domain controllers in your domain. All domain controllers should have the same version of the Sentinel.

  1. In the main menu, select Domain Controller Sentinel.
  2. To install the Sentinel on all writable domain controllers in your domain you can:
    Option
    Create a network share on the local computer and copy the sentinel msi-package to the new network share

    1. Click Create Share.
    2. Select a local path to create the share for, and click OK.
    3. Click Select share.
    4. Verify that the network path to the network share you created is correct, and click OK.
    Option
    Select an existing network share and manually copy the msi-package to the existing network share

    1. Click Select Share.
    2. Browse to the location of the msi-package, and click OK.
      NOTE
      The default installer extraction path is: C:\temp\SpecopsPassword_Setup_[VersionNumber]\
  3. Select the domain controllers you want to install the Sentinel on, and click Install.
    NOTE
    You must be able to reach the remote domain controllers over Remote Procedure Call (RPC).
  4. Verify that the Sentinel state for the selected domain controllers has changed to “Installed.”
    NOTE
    If the Sentinel state for the selected domain controllers has changed to “Installed,” but the icon next to the component hasn’t changed, you can continue to the next step.

Post-installation: You must reboot your domain controllers once you have installed the Sentinel.
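
Windows loads password filters from the LSA "Notification Packages" registry value, so the list registered on each writable domain controller can be audited for consistency once the reboot is done. The PowerShell below is an added example, not Specops code; it assumes the ActiveDirectory module and PowerShell remoting to the DCs, and ExampleFilter and the host names are constructed placeholders, not the Sentinel's real filter name.

```powershell
# Added example (not vendor code): compare LSA password-filter registration across DCs.
function Compare-NotificationPackage {
    param(
        [Parameter(Mandatory)][hashtable]$Inventory,   # DC name -> 'Notification Packages' entries
        [string[]]$ExpectedFilter = @()                # filter name(s) you expect; hypothetical here
    )
    # Union of every entry seen on any DC, used to spot DCs that differ from their peers.
    $all = $Inventory.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($dc in ($Inventory.Keys | Sort-Object)) {
        $have = @($Inventory[$dc])
        [pscustomobject]@{
            DomainController = $dc
            Packages         = $have -join ', '
            MissingVsPeers   = @($all | Where-Object { $_ -notin $have }) -join ', '
            MissingExpected  = @($ExpectedFilter | Where-Object { $_ -notin $have }) -join ', '
        }
    }
}

function Get-NotificationPackageInventory {
    # Live collection from writable DCs only, the ones the Sentinel must be installed on.
    $inventory = @{}
    Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $inventory[$_.HostName] = @(Invoke-Command -ComputerName $_.HostName -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
        })
    }
    $inventory
}

# Constructed sample inventory so the comparison can be tried offline.
$sample = @{
    'dc01.example.test' = @('rassfm', 'scecli', 'ExampleFilter')
    'dc02.example.test' = @('rassfm', 'scecli')   # differs from dc01
}
Compare-NotificationPackage -Inventory $sample -ExpectedFilter 'ExampleFilter' | Format-List

# Against a real domain (the filter name is a placeholder to fill in):
# Compare-NotificationPackage -Inventory (Get-NotificationPackageInventory) -ExpectedFilter '<filter name>'
```

An entry that appears on only one DC, or one you cannot attribute to an installed product, deserves investigation because password filters run inside LSASS and receive the new password in clear text.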

Installing the Client

Installing the Client will allow Specops to display the password policy rules when a user fails to meet the policy criteria when changing their password. The Client will also notify users when their passwords are about to expire.

Deploying the Client using GPSI

You can automatically configure an existing Group Policy Object with Software Installation settings to deploy the Client in your domain. Alternatively, you can use another deployment solution to install the Client on the computers in your organization by downloading the msi-files. See Deploy the Client using Specops Deploy / App or other deployment tools for more information.

  1. In the main menu, select Deploy Specops Password Client using GPSI.
  2. To select the Group Policy Object that will be used to deploy the Client, click Select GPO. You will be given the following options:
    Option
    Create New GPO

    1. Click Create New GPO.
    2. Enter a new Group Policy Object name.
    3. Select the location you want to link the Group Policy object to.
    4. Click OK.
    Option
    Select an existing GPO

    1. Select an existing GPO from the list.
    2. Select a link for the chosen GPO, and click OK.
  3. Click Download… to download the installation files for the Client.
    1. In the dialog box, click Download Files.
    2. When the dialog box is complete, click OK.
      NOTE
      The files are copied to: C:\temp\SpecopsPasswordPolicy_Setup[VersionNumber]\products\specopspasswordpolicy
  4. To install the Client on all computers in your organization you can:
    Option
    Create a network share on the local computer and copy the sentinel msi-package to the new network share

    1. Click Create Share.
    2. Select a local path to create the share for, and click OK.
    3. Click Select share.
    4. Verify that the network path to the network share you created is correct, and click OK.
    Option
    Select an existing network share and manually copy the msi-package to the existing network share

    1. Click Select Share.
    2. Browse to the location of the msi-package, and click OK.
      NOTE
      It is recommended that you use a Distributed File Share (DFS). If DFS is used with load balancing verify that the setup files are copied to all servers before proceeding.
  5. To create the packages for x86 and x64 deployments in the selected GPO, click Add Settings.
    NOTE
    The Client Side Extension MSI will be deployed through a computer software installation and may not take effect until the computers have been restarted.

Deploy the Client using Specops Deploy / App or other deployment tools

If you are not deploying using Group Policy Software Installation (GPSI), you can download the Client for alternative deployment methods, such as Specops Deploy.

  1. Download the Specops Client:
    https://download.specopssoft.com/Release/Client/Specops.Authentication.Client-x64.msi
    https://download.specopssoft.com/Release/Client/Specops.Authentication.Client-x86.msi
  2. Double-click the Specops.Authentication.Client-x64 or Specops.Authentication.Client-x86 Windows Installer Package to open the Client Setup Wizard.
    1. Click Next.
    2. Accept the terms in the License Agreement, and click Next.
    3. Select the destination folder where the files are to be stored, or accept the default location by clicking Next.
    4. Click Install.
    5. Click Finish.
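
Whether the Client MSI is deployed through GPSI from a network share or downloaded for another deployment tool, it ends up installed with system privileges on every targeted computer, so it is worth checking the package's signature and who can write to the folder it is served from. The PowerShell below is an added example, not Specops code; the share path, the publisher pattern and the allowed-writer list are assumptions to replace with your own values.

```powershell
# Added example (not vendor code): vet an installer and the folder it is deployed from.
function Test-InstallerPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubjectLike   # wildcard for the publisher you expect
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        # Valid chain AND the expected publisher; a valid signature from someone else is not enough.
        Trusted = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like $ExpectedSubjectLike)
    }
}

function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Account names as shown on an English-language system (assumption).
        [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    # Write-type rights only (Modify and FullControl contain these bits), plus GENERIC_ALL / GENERIC_WRITE.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask   = [int]$rights -bor 0x10000000 -bor 0x40000000
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -and
        $_.IdentityReference.Value -notin $AllowedWriters
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Placeholders: the share path and publisher pattern are assumptions, supply your own.
$share = '\\fileserver.example.test\SpecopsClient$'
$msi   = Join-Path $share 'Specops.Authentication.Client-x64.msi'
if (Test-Path $msi) {
    Test-InstallerPackage -Path $msi -ExpectedSubjectLike '*<expected publisher>*'
    Get-UnexpectedWriter -Path $share      # any row returned is a principal that can replace the MSI
}
```

Get-UnexpectedWriter inspects NTFS permissions only; the SMB share permissions on the file server need the same review.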

Post-Installation


Please complete the following tasks after you have installed Specops Password Policy:

  1. Reboot your domain controllers if you have not already done so.
  2. Open the Password Policy Domain Administration app (located in Start > Specops Software > Password Policy Domain Administration).
  3. Click Import license file....
  4. Browse to the location where your license file is stored, select the file and click Open.
  5. If you are using Specops Password Policy with the Breached Password Protection add-on, you will also need to register the Arbiter(s) from the Domain Administration tool:
    1. From the Domain Administration tool, select Breached Password Protection, and click Register new Arbiter.
    2. Select, or type the name of your Arbiter computer, and click OK. The Arbiter computer is now added to the table containing all Specops Password Arbiters.
      NOTE
      You can also search for your Arbiter computer by clicking the Advanced button and then Find now.
    3. Click the Import API key button and paste the API key you received from Specops in the text field that comes up. Click OK. A green checkmark should appear in the API key column in the table.
      NOTE
      Paste only the actual API key in the text field, excluding any comments that may be present.
    4. Click Test cloud connection to test the connection.
      NOTE
      You will receive an error prompting you to enter a valid license key once installation is complete.
  6. Verify that the appropriate Group Policy Objects are linked to the OUs containing the correct managed users.
  7. Configure your built-in domain password policy to the lowest settings you wish to use in your Specops Password Policies.
    NOTE
    This will allow the Client to display the Specops Password Policy rules when a user fails to meet the policy criteria when changing their password. If you do not configure your built-in domain password policy to the lowest setting, the built-in password policy rules will appear.