This document will guide you through the process of installing Specops Password Policy.

Key Components

Specops Password Policy flow

Specops Password Policy consists of the following components and does not require any additional servers or resources in your environment.

Specops Password Policy Administration Tools

Used to configure the central aspects of the solution and enable the creation of Specops Password Policy Settings in Group Policy Objects.

Specops Password Policy Sentinel

The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

  • Sentinel Password Filter: The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.
  • Sentinel Service: The Sentinel Service is always installed as part of the Specops Password Policy, but effective only if the Breached Password Protection add-on is configured.

For more information on the Sentinel, please refer to the Password Policy Sentinel page.

Specops Authentication Client

(formerly known as the Specops Password Client or the uReset Client) Displays the password policy rules when a user fails to meet the policy criteria when changing their password. The Client also notifies users when their passwords are about to expire.

The Specops Client is an optional component.

Specops Arbiter: The Specops Arbiter should only be installed if you are using the Specops Breached Password Protection add-on.

The Specops Arbiter acts as a gateway between the Sentinel Service and the Specops Breached Password Protection Cloud API, where the list of leaked passwords is found. The Specops Arbiter uses a customer unique API key to communicate with the Breached Password Protection Cloud API.


Component Requirement
Administration Tools
  • Windows 10/11 or Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
  • Active Directory and Users and Computers snap-in
  • Group Policy Management Console (GPMC)
  • Windows Powershell 5.1
Specops Password Policy Sentinel
  • Windows Server 2016/2019/2022 (core or desktop experience)
  • .Net Framework 4.7.2 or later
  • Writable domain controller
Specops Authentication Client
  • Windows 10 x64, Windows 11 x64 or Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
  • For password resets with uReset 8 and Specops Password Reset, the Specops Cefsharp runtime MSI should be installed.
Specops Arbiter
  • Windows Server 2016/2019/2022 (core or desktop experience)
  • .Net Framework 4.7.2 or later

Installing Specops Password Policy

Installing Specops Password Policy

During installation, Specops Password Policy will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Policy:

  • Administration Tools
  • Specops Arbiter
  • Sentinel
  • Client
  1. Download the Setup Assistant.
  2. Save and Run the Setup Assistant on your server.
    By default, the file is extracted to C:\temp\SpecopsPasswordPolicy_Setup_[VersionNumber]
  3. Double click SpecopsPasswordPolicy.Setup.exe to launch the Setup Assistant.
  4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and Accept the End User License Agreement.

Installing the Administration Tools

Installing the Administration Tools will install the Domain Administration tool and the GPMC snap-in, as well as the powershell module. You can use the Domain Administration tool to manage configurations that apply to your entire domain including your license information, templates, and Password Policy Sentinel installations. You can use the GPMC snap-in to configure password policies in a Group Policy Object (GPO). The GPO can then be applied to your entire domain or a part of your domain.

The Administration Tools should be installed on the computer that you want to administer the product from.

This machine requires Internet access to download the online dictionaries.
  1. In the main menu, select Administration tools.
    The installer will indicate whether installation prerequisites are met with a green checkmark in front of the prerequisites. If any display a red cross, please install or update that component in your system.
  2. If you want Specops Password Policy to register the Specops Active Directory Users and Computers (ADUC) Menu Extension, click Extend menu.
    This will allow Specops to add the Specops Display Specifiers in the configuration partition of your Active Directory forest allowing you to administer the product directly from the right-click menu of Active Directory objects. In order to add the menu extension to Active Directory the user running the Setup Assistant must be an Enterprise Administrator.
  3. Click Install.
  4. In the Installation succeeded dialog box, click OK.

For information on how to set up policies, please refer to the Adminsitration documentation

Installing the Specops Arbiter

The Specops Arbiter is installed for use with the Specops Breached Password Protection add-on, as well as to enable sending emails through the Arbiter.
  1. In the main menu, select Specops Arbiter.
  2. If any of the prerequisites are not met, please update or install the required elements.
  3. Click Install.
  4. In the Installation succeeded dialog box, click OK.

Installing the Sentinel

The Sentinel is a password filter at the domain controllers which verifies whether the new password matches the Specops Password Policy settings assigned to the user. You should install the Sentinel on all writable domain controllers in your domain. All Domain Controllers should have the same version of the Sentinel.

  1. In the main menu, select Domain Controller Sentinel.
  2. To install the Sentinel on all writable domain controllers in your domain you can:
    Create a network share on the local computer and copy the sentinel msi-package to the new network share

    1. Click Create Share.
    2. Select a local path to create the share for, and click OK.
    3. Click Select share.
    4. Verify that the network path to the network share you created is correct, and click OK.
    Select an existing network share and manually copy the msi-package to the existing network share

    1. Click Select Share.
    2. Browse to the location of the msi-package, and click OK.
      The default installer extraction path is: C:\temp\SpecopsPassword_Setup_[VersionNumber]\
  3. Select the domain controllers you want to install the Sentinel on, and click Install.
    You must reach the remote domain controllers through Remote Protocol Connection (RPC).
  4. Verify that the Sentinel state for the selected domain controllers has changed to “Installed.”
    If the Sentinel state for the selected domain controllers has changed to install, but the icon next to the component hasn’t changed, you can continue to the next step.

Post-installation: You must reboot your domain controllers once you have installed the Sentinel.

Installing the Client

The Specops Authentication Client is installed with an MSI-based installer. Note that upgrading the Specops Authentication Client will overwrite the installed Client.

If installed, the Specops Authentication Client can be found in “Add/Remove Programs” or “Programs and Features” from within the Windows Control Panel. Versions and releases may vary.

Older versions of the Specops Authentication Client can be identified as “Specops uReset Client” or “Specops Password Client.”

The Specops Authentication Client can be used across the following Specops Software products:

  • Specops Password Reset
  • Specops Password Policy
  • Specops uReset

Upgrading the Specops Authentication Client

Organizations using Specops Password Policy only, need to deploy the Specops Authentication Client MSI. The CefSharp Runtime MSI is not required for this scenario.

Organizations using Specops uReset or Specops Password Reset, need to deploy the CefSharp Runtime MSI in addition to the Specops Authentication Client MSI. The CefSharp Runtime MSI is required by the Secured Browser used for resetting passwords.

Since the Specops Authentication Client uses a specific version of the CefSharp Runtime MSI, it is important to deploy the latest CefSharp Runtime MSI at the same time or before deploying the Specops Authentication Client MSI.

While the Specops Authentication Client MSI only can be installed with exactly 1 version, multiple versions of the CefSharp Runtime MSI can be installed at the same time. The purpose with this is to simplify deployment in a larger organization.

The recommended flow for upgrading the Specops Authentication Client is:

  1. Deploy the latest CefSharp Runtime MSI, if it's not already deployed
  2. Deploy the latest Specops Authentication Client MSI
  3. Undeploy any previous versions of the CefSharp Runtime MSI, if necessary

When using Specops Authentication Client in conjunction with a password reset tool:

The latest CefSharp browser runtime version is required if Specops uReset/Specops Password Reset is used (Specops Password Policy only customers don't need the CefSharp browser runtime). It is recommended to deploy the CefSharp browser runtime before the Specops Authentication Client itself.

Installation/upgrade behavior for CefSharp browser runtime has been changed. Installing a newer CefSharp runtime will no longer replace the older installed runtime. Instead, multiple CefSharp browser versions can co-exist. The intention is to be able to do a rollout in an organization, where the new CefSharp browser first is deployed. Once deployed, the Specops Authentication Client can be upgraded. This will make it easier to make sure that the Specops Authentication Client works on all computers during an upgrade, regardless of whether the latest CefSharp browser runtime has been deployed yet or not.

The Specops Authentication Client needs to be installed on the organization’s client computers, either by installing manually or by deploying using a deployment tool.

Downloading the Specops Authentication Client

Download the MSI from the download page directly. Users installing Specops Password Policy can also access the download page via the Password Policy installer's Download Client Installation Files section.

Deploying the Specops Authentication Client

To deploy the Specops Authentication Client to all users, use GPSI, Specops Deploy/App, or any other deployment tool. Specops Authentication Client supports silent install when deploying using a deployment tool. The client MSI can be deployed silently using standard MSI switches (e.g. /qn). There are no Specops command line parameters for the MSI installation.

Manually Installing or upgrading the Specops Authentication Client

  1. Open the Specops Authentication Client Setup wizard you just downloaded (.msi file)
  2. In the wizard, click Next.
  3. Accept the License Agreement by checking the checkbox, and click Next.
  4. Select the location where the Client should be installed (default path is C:\Program Files\Specopssoft\Specops Authentication Client\), then click Next.
  5. Click Install.
  6. Once the installation has completed, click Finish.

Configuring the Specops Authentication Client

The Specops Authentication Client can be configured using the administrative template in the Group Policy Management Console. For more information on its configuration, please refer to the Specops Authentication Client page.


Please complete the following tasks after you have installed Specops Password Policy:

  1. Reboot your domain controllers if you have not already done so.
  2. Open the Password Policy Domain Administration app (located in Start > Specops Software > Password Policy Domain Administration)
  3. Click Import license file....
  4. Browse to the location where your license file is stored, select the file and click Open.
  5. If you are using Specops Password Policy with the Breached Password Protection add-on, you will also need to register the Arbiter(s) from the Domain Administration tool:
    1. From the Domain Administration tool, select Breached Password Protection, and click Register new Arbiter.
    2. Select, or type the name of your Arbiter computer, and click OK. The Arbiter computer is now added to the table containing all Specops Password Arbiters.
      You can also search for your Arbiter computer by clicking the Advanced button and then Find now.
    3. Click the Import API key button and paste the API key you received from Specops in the text field that comes up. Click OK. A green checkmark should appear in the API key column in the table.
      Paste only the actual API key in the text field, excluding any comments that may be present.
    4. Click Test cloud connection to test the connection.
    5. NOTE
      You will receive an error prompting you to enter a valid license key once installation is complete.
  6. Verify that the appropriate Group Policy Objects are linked to the OUs containing the correct managed users.
  7. Configure your built-in domain password policy to the lowest settings you wish to use in your Specops Password Policies.
    This will allow the Client to display the Specops Password Policy rules when a user fails to meet the policy criteria when changing their password. If you do not configure your built-in domain password policy to the lowest setting, the built-in password policy rules will appear.

Next, configure your password policies as described in the Administration section.