Installing Specops Password Policy
During installation, Specops Password Policy will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Policy:
- Administration Tools
- Specops Arbiter
- Download the Setup Assistant.
- Save and Run the Setup Assistant on your server.
By default, the file is extracted to C:\temp\SpecopsPasswordPolicy_Setup_[VersionNumber]
- Double click SpecopsPasswordPolicy.Setup.exe to launch the Setup Assistant.
- To begin, click Start Installation in the Specops Setup Assistant dialog box, and Accept the End User License Agreement.
Installing the Administration Tools
Installing the Administration Tools will install the Domain Administration tool and the GPMC snap-in, as well as the powershell module. You can use the Domain Administration tool to manage configurations that apply to your entire domain including your license information, templates, and Password Policy Sentinel installations. You can use the GPMC snap-in to configure password policies in a Group Policy Object (GPO). The GPO can then be applied to your entire domain or a part of your domain.
The Administration Tools should be installed on the computer that you want to administer the product from.
This machine requires Internet access to download the online dictionaries.
- In the main menu, select Administration tools.
The installer will indicate whether installation prerequisites are met with a green checkmark in front of the prerequisites. If any display a red cross, please install or update that component in your system.
- If you want Specops Password Policy to register the Specops Active Directory Users and Computers (ADUC) Menu Extension, click Extend menu.
This will allow Specops to add the Specops Display Specifiers in the configuration partition of your Active Directory forest allowing you to administer the product directly from the right-click menu of Active Directory objects. In order to add the menu extension to Active Directory the user running the Setup Assistant must be an Enterprise Administrator.
- Click Install.
- In the Installation succeeded dialog box, click OK.
For information on how to set up policies, please refer to the Adminsitration documentation
The Specops Arbiter is installed for use with the Specops Breached Password Protection add-on, as well as to enable sending emails through the Arbiter.
- In the main menu, select Specops Arbiter.
- If any of the prerequisites are not met, please update or install the required elements.
- Click Install.
- In the Installation succeeded dialog box, click OK.
Installing the Sentinel
The Sentinel is a password filter at the domain controllers which verifies whether the new password matches the Specops Password Policy settings assigned to the user. You should install the Sentinel on all writable domain controllers in your domain. All Domain Controllers should have the same version of the Sentinel.
- In the main menu, select Domain Controller Sentinel.
- To install the Sentinel on all writable domain controllers in your domain you can:
Create a network share on the local computer and copy the sentinel msi-package to the new network share
- Click Create Share.
- Select a local path to create the share for, and click OK.
- Click Select share.
- Verify that the network path to the network share you created is correct, and click OK.
Select an existing network share and manually copy the msi-package to the existing network share
- Click Select Share.
- Browse to the location of the msi-package, and click OK.
The default installer extraction path is: C:\temp\
- Select the domain controllers you want to install the Sentinel on, and click Install.
You must reach the remote domain controllers through Remote Protocol Connection (RPC).
- Verify that the Sentinel state for the selected domain controllers has changed to “Installed.”
If the Sentinel state for the selected domain controllers has changed to install, but the icon next to the component hasn’t changed, you can continue to the next step.
Post-installation: You must reboot your domain controllers once you have installed the Sentinel.
Installing the Client
The Specops Authentication Client is installed with an MSI-based installer. Note that upgrading the Specops Authentication Client will overwrite the installed Client.
If installed, the Specops Authentication Client can be found in “Add/Remove Programs” or “Programs and Features” from within the Windows Control Panel. Versions and releases may vary.
Older versions of the Specops Authentication Client can be identified as “Specops uReset Client” or “Specops Password Client.”
The Specops Authentication Client can be used across the following Specops Software products:
- Specops Password Reset
- Specops Password Policy
- Specops uReset
Upgrading the Specops Authentication Client
Organizations using Specops Password Policy only, need to deploy the Specops Authentication Client MSI. The CefSharp Runtime MSI is not required for this scenario.
Organizations using Specops uReset or Specops Password Reset, need to deploy the CefSharp Runtime MSI in addition to the Specops Authentication Client MSI. The CefSharp Runtime MSI is required by the Secured Browser used for resetting passwords.
Since the Specops Authentication Client uses a specific version of the CefSharp Runtime MSI, it is important to deploy the latest CefSharp Runtime MSI at the same time or before deploying the Specops Authentication Client MSI.
While the Specops Authentication Client MSI only can be installed with exactly 1 version, multiple versions of the CefSharp Runtime MSI can be installed at the same time. The purpose with this is to simplify deployment in a larger organization.
The recommended flow for upgrading the Specops Authentication Client is:
- Deploy the latest CefSharp Runtime MSI, if it's not already deployed
- Deploy the latest Specops Authentication Client MSI
- Undeploy any previous versions of the CefSharp Runtime MSI, if necessary
When using Specops Authentication Client in conjunction with a password reset tool:
The latest CefSharp browser runtime version is required if Specops uReset/Specops Password Reset is used (Specops Password Policy only customers don't need the CefSharp browser runtime). It is recommended to deploy the CefSharp browser runtime before the Specops Authentication Client itself.
Installation/upgrade behavior for CefSharp browser runtime has been changed. Installing a newer CefSharp runtime will no longer replace the older installed runtime. Instead, multiple CefSharp browser versions can co-exist. The intention is to be able to do a rollout in an organization, where the new CefSharp browser first is deployed. Once deployed, the Specops Authentication Client can be upgraded. This will make it easier to make sure that the Specops Authentication Client works on all computers during an upgrade, regardless of whether the latest CefSharp browser runtime has been deployed yet or not.
The Specops Authentication Client needs to be installed on the organization’s client computers, either by installing manually or by deploying using a deployment tool.
Downloading the Specops Authentication Client
Download the MSI from the download page directly. Users installing Specops Password Policy can also access the download page via the Password Policy installer's Download Client Installation Files section.
Deploying the Specops Authentication Client
To deploy the Specops Authentication Client to all users, use GPSI, Specops Deploy/App, or any other deployment tool. Specops Authentication Client supports silent install when deploying using a deployment tool. The client MSI can be deployed silently using standard MSI switches (e.g. /qn). There are no Specops command line parameters for the MSI installation.
Manually Installing or upgrading the Specops Authentication Client
- Open the Specops Authentication Client Setup wizard you just downloaded (.msi file)
- In the wizard, click Next.
- Accept the License Agreement by checking the checkbox, and click Next.
- Select the location where the Client should be installed (default path is C:\Program Files\Specopssoft\Specops Authentication Client\), then click Next.
- Click Install.
- Once the installation has completed, click Finish.
Configuring the Specops Authentication Client
The Specops Authentication Client can be configured using the administrative template in the Group Policy Management Console. For more information on its configuration, please refer to the Specops Authentication Client page.