Administrator configurations

Specops Password Reset can be configured from any computer in the domain where the Specops Password Reset Administration Tool are installed. The administration tools can be used to configure different aspects of the product.

Specops Password Reset Configuration Tool


The Specops Password Reset Configuration tool is used to control system wide settings for each Specops Password Reset Server.

Domains

Specops Password Reset Servers can only serve requests from domain which have been configured for use through the Specops Password Reset Configuration tool.

You can use the Domains tab to perform the following tasks:

  • Configure New Domain
  • Edit Selected Domain Configuration

Configure a new domain

This option allows you to enable a new domain. Using the system with multiple domains requires a bi-directional trust between the additional domains and the domain where the Specops Password Reset Server is located.

  1. From the Specops Password Reset Configuration tool, select Domains , and click Configure New Domain .
  2. From the list of available domains, select the domain you want to add.
  3. Click OK .

Edit domain configuration settings

  1. From the Specops Password Reset Configuration tool, select Domains , and click Edit Selected Domain Configuration .
  2. In the Domain Friendly Name field enter the name of the domain you want presented to users.
    NOTE
    • The name of the domain will be visible to the users during enrollment, password changes, and password reset operations.
    • If the value is left blank, the FQDN name of the domain will be shown to the user instead.
  3. Select the Scope of Management. The Scope of Management is the root in Active Directory where the Password Reset Service will be used.
  4. Select Enable Challenge Question in Helpdesk to allow helpdesk users to see the Secret Questions for enrolled users to verify the identity of a calling user. The default behavior is not enabled.
  5. Select Hide Users Mobile Number to hide the mobile number of users from all web pages.
    NOTE
    In some environments, depending on security standards, you may want to hide the mobile number from the users.
  6. Select Restrict access to caller’s domain to restrict access to user data in other domains for administrators using the helpdesk or reporting pages in Specops Password Reset Web.
  7. If you changed the scope of management to a higher level in your Active Directory hierarchy, click Delegate Security to assign the necessary permissions for your service account to the new Scope of Management. You can use the below table to verify whether the necessary permissions have been applied to the Specops Password Reset Server service:
    PermissionScope
    Create and DeleteclassStore objects beneath user objects
    Read userAccountControl attribute on user objects
    msDS-User-Account-Control-Computed attribute on user objects
    Change and Reset passwordUser objects
    Unlock accountUser objects
    Change password at next logonUser objects
    List child objectsUser objects
    Read and WriteMobile attribute on user objects

Email settings

You can change the server email settings using the Configuration tool. The email settings are used when the Specops Password Reset Server sends emails to users.

Edit email settings

  1. From the Specops Password Reset Configuration Tool, select Email Settings , and click Edit .
  2. Specify the FQDN or IP-address of your SMTP server in the SMTP Server Name text field.
  3. Specify a non-standard port to connect to the server in the SMTP Port Number
  4. Optionally, you can configure more advanced settings:
    • Enable TSL Security
    • Use Custom SMTP Credentials
    NOTE
    You can use custom credentials if you not want to use the service account of the Specops Password Reset server for sending email.
  5. Enter the email address that will be used to send email in the Email Sender Address
  6. Enter the sender display name in the Email Sender Display name field. This is the name that will appear in the email.
  7. Enter the email address that will be receive license expiration emails in the License reminder email address .
NOTE
License reminders are sent to administrators to report license compliance issues such as nearing or exceeding the allowed license count.

Helpdesk settings

To configure the settings for mobile verification messages, you must use a third-party SMS service provider. This will generate an SMS verification code that will be used to authenticate users who request password resets through the helpdesk.

Edit Mobile Verification Email Settings

  1. From the Specops Password Reset Configuration Tool, select Helpdesk Settings , and click Edit .
  2. In the From email text field, enter the email address that will be used to send the validation message.
  3. Configure the To email , Subject , and Body settings according to the specifications of your SMS provider.
  4. From the Insert placeholder code drop box you can select the information that will be different for each user.
  5. Click OK .

License

You can use the Specops Password Reset Configuration Tool to view license information and update your license key. You will be required to add more licenses if you have added additional users or if you have upgraded the product to a new major version in accordance with your Support and Maintenance agreement.

Specops Password Reset Web Customization Tool


The Specops Password Reset Web application contains a customization tool which gives you control over the Specops Password Reset end user interface. The customization tool can be used to customize the following:

  • Graphical appearance of the user interface by modifying the theme.
  • Text used in the product by editing the selected language.

Themes

The graphical elements on the Specops Password Reset web pages, such as images, colors, and fonts can be modified using the theme editor.

Set current theme

The Set Current Theme button will make the selected theme the active theme in the web application.

  1. From the Specops Password Reset Web Customization tool, select an available theme.
  2. Click Set Current Theme .

Add new theme

You can create new themes using the Add New Theme button.

  1. From the Specops Password Reset Web Customization tool, click Add New Theme.
  2. Select a theme template using the drop-box.
  3. Enter a theme name and click OK .

Edit theme

The Edit Theme button will launch the theme editor and allow you to modify an existing theme.

  1. From the Specops Password Reset Web Customization tool, click Edit Theme .
  2. To modify the text display elements, click the Theme Path The text display elements are contained in the cascading style sheets. You can edit the style sheets in any text editor.
  3. The theme folder contains the following style sheets:
    Style SheetWhere it is used
    Default.cssReset, Change, and Enrollment pages
    HelpDesk.cssHelpdesk pages
    MasterPage.cssMaster pages
    Reporting.cssReporting pages
    Wizard.css Wizard elements on the Reset, Change, and Enrollment pages.
  4. Import the following graphic elements:
    ElementSizeWhere it is used
    Wizard background800x600 pixels Background image on the Reset, Change, and Enrollment pages.
    Wizard top left logo128x109 pixels The logo image used on the Reset, Change, and Enrollment pages.
    Helpdesk top left logo128x109 pixels ID card logo seen on the main page of the Helpdesk tool.
    Helpdesk logo381x109 pixelsThe header image used in the Helpdesk tool.
    NOTE
    • Specops Password Reset uses the PNG and GIF format for product graphics.
    • All the graphics used in the theme can be found in the Images folder in each theme folder.
  5. Click OK .

Languages

You can use the Specops Password Reset Web Customization tool to manage the languages that the product is translated into.

Edit selected language

You can use the language editor to change any string used on the Specops Password Reset web pages. The strings are divided into tabs depending on where they are used in the system. The text fields support HTML, including HTML links for further customization.

  1. From the Specops Password Reset Web Customization tool, select an available language.
  2. Click Edit Selected Language .
  3. Select a string.
  4. Double-click the text you want to change.
    WARNING
    Some of the strings contain placeholders, such as {0}, to variables retrieved by the Specops Password Reset server, such as the mobile telephone number from the user object.
  5. Once you have made the necessary changes, click OK .
  6. Restart the web site application pool to apply the changes.
NOTE
This can be done through the IIS manager on the web server.

Add new language

You can add new languages to Specops Password Reset. All strings for the new language must be entered manually in the language editor.

  1. From the Specops Password Reset Web customization tool, click Add New Language .
  2. Select the language you want to add, and click OK .
  3. Use the language editor to add the text for the new language.

Group Policy snap-in


The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Reset settings in group policy objects. These settings are stored as a part of the GPO. Managing SPR settings in Group Policy allows you to control how and where the policies are applied.

Create a Specops Password Reset GPO

  1. In the GPMC, expand your domain node and locate the Group Policy Objects node.
  2. Right click on the GPO node, and select New .
  3. Enter a name for the Group Policy Object, and click OK .
  4. Expand User Configuration , Policies , Windows Settings , and select Specops Password Reset . Use the settings to manage password reset for users in your organization.

Applying policy settings

Specops Password Reset settings will apply to all user accounts in locations where your GPO is linked.

If more than one GPO is linked on the same level, the link order of the GPOs determine the order the GPOs will be processed.

If conflicting settings from multiple GPO’s apply to a user, Group Policy will resolve the conflict. Group Policy Objects are applied in the following order; the GPO closest to the user object in AD will have the highest precedence.

  • Local Group Policy Objects
    NOTE
    Specops Password Reset settings cannot be created on this level.
  • Site linked Group Policy Objects
  • Domain linked Group Policy Objects
  • OU linked Group Policy Objects

If the above order does not enable you to apply your preferred settings, you can use security filtering, to control on a permission level, which users and computers will be affected by the GPO. Security filtering allows you to apply different policy settings to objects located on the same level in Active Directory.

Policy settings

Group policy settings determine how the system should behave when accessed by a user. The Specops Password Reset Server queries Active Directory to determine which settings to use for each visiting user.

NOTE
Specops Password Reset creates a leaf object in Active Directory, under the user object, to store enrollment information. For more information, click here.

General

You can configure the following items from the General tab.

Enrollment options

These settings control the authentication method users affected by the policy should use:

  • Secret Questions
  • Mobile Verification Code
  • Both

You can also prompt the user for their current password before starting the enrollment wizard. Prompting the user for their current password is a good security practice.

Locked account options

You can use the locked account options to:

  • Allow locked user account to use the password reset service: If you enable this box alone, the user can reset their password and their account will be automatically unlocked.
  • Allow users to unlock their account without resetting their password: If you enable this box, the user can unlock their account and choose not to change their password.
Enrollment Enforcing

You can use the Enrollment Enforcing settings to control how you want your users to enroll. The Reminder Mode setting allows you to configure the type of reminders you want your users to receive.

  • Balloon tip : Reminder balloon tip that pops up from the taskbar tray. Clicking the reminder will take the user directly to the enrollment web page. This is the default setting in Specops Password Reset.
  • Start browser : This setting causes the reminder to open a browser window with the enrollment web page.
  • Start unclosable fullscreen browser : This setting causes the reminder to open a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.

You can configure the reminder to appear only user logon, or during user logon and at regular intervals during the day. You can manage the intervals using the Specops Password Reset Administrative Template. See Configure Specops Client from the Administrative Template for more information.

Secret Questions

The Secret Question tab allows you to edit the Secret Questions used in the GPO. You can configure the following items from the Secret Questions tab.

Secret Question Settings

The following settings control the requirements on how users are allowed to select and answer the questions in the GPO.

  • Number of questions : The number of questions users are required to answer when they authenticate using the Secret Questions mechanism. You must have more than the configured number of questions available in the policy in order for users to be able to meet this requirement.
  • Number of allowed custom questions : Controls the number of custom questions the user is allowed to user.
  • Custom question answer min length : If custom questions are allowed, this value controls the minimum length of the answers to the custom questions.
  • Lockout threshold : Number of failed password attempts allowed before locking the user out from Password Reset. When the user exceeds the configured number of attempts the system will invalidate the enrollment information, preventing the user from using the system until a new enrollment has been created.
  • Allow identical answers : Allows users to use the same answer to more than one question in the question series.
  • Case sensitive answers : Requires users to provide answers to questions using the same case as when they enrolled.
Edit Questions

Specops Password Reset contains a selection of questions and language translations that can be made available to users affected by the GPO. The questions can be imported using the Import Questions… button.

You can also manually create new questions using the Add new Question… button.

If you have manually created new questions, you will have to provide your own translations. If you want to provide translations for your questions you can add more language translations using the Edit Languages… button.

Mobile Verification Code

If “Use Mobile Verification code” is enabled, you can use the Mobile Verification code tab to configure how the system should connect to your SMS service provider.

Verification Code Message

The Specops Password Reset Server uses these settings to create an email message, which will be sent to the SMS provider, and converted to an SMS message which the user will receive. Most of these settings are controlled by the SMS service provider. The below placeholders are evaluated by the Specops Password Reset Server service.

  • %MobileNumber%: Contains the mobile number retrieved by Specops Password Reset from the user object of the target user in Active Directory.
  • %Code%: Contains the mobile verification code generated by the Specops Password Reset. The code is only valid for use from the same session against the web server that it was requested from.
  • %Email%: Contains the email address retrieved by Specops Password Reset from the user object of the target user in Active Directory.
Mobile Verification Settings

You can control how the mobile verification code is used by users affected by the GPO.

  • Bypass if mobile number missing : This option is only available if you Use Both mobile verification and Secret Questions is enabled. If this option is selected, mobile verification codes will only be used for those users that have a mobile number configured in Active Directory. For others, the step will be bypassed.
  • Allow users to enter mobile number when enrolling : This option is only available if Use Mobile Verification code is enabled. If this option is selected, users without a registered mobile number in Active Directory will be asked to enroll in the system by registering their mobile number.
  • Require verification of mobile phone number : This option is only available if allow users to enter mobile number when enrolling is enabled. If this option is selected, users will have to verify that they have enrolled with the correct mobile number by receiving and responding with a verification code during the enrollment process.

Email Notifications

When certain system events occur, such as a user enrolling with the system, Specops Password Reset has the ability to generate and send emails to end users to confirm that the operation was successful. Event notification settings can be managed using the Email Notifications tab in your Specops Password Reset user GPO in the GPMC. The text fields support HTML, including HTML links for further customization.

Email Server Settings

These settings can be used to override the server email configuration specified during the installation of the Specops Password Reset Server component. This is useful in scenarios where you want a specific part of the organization to use a specific SMTP server.

Events

Specops Password Reset can send email notification for the following events:

  • Password Reset by user : This event triggers every time a user resets their password through Specops Password Reset. By default, a confirmation email is sent to the user with details about the reset operation.
  • Password Reset from helpdesk : This event triggers when the Specops Password Reset Helpdesk tool is used to reset the password of a user. No emails are configured by default for this event.
  • User has enrolled : This event triggers when a user successfully completes the enrollment process in Specops Password Reset. By default, a confirmation email is sent to the user with details about the enrollment operation.
  • User account locked out from Specops Password Reset : This event triggers when a user has exceeded the allowed number of attempts to answer the Secret Questions correctly. No emails are configured by default for this event.
  • Account unlocked : This event triggers when a user unlocks their account through Specops Password Reset. No emails are configured by default for this event.
  • Enrollment reminder : This event triggers during the daily enrollment status check if the system discovers a user who has not yet enrolled. No emails are configured by default for this event, but it is strongly recommended to add a customized reminder email that will be sent to the user.

Custom Wizard Messages

The settings in the Custom Wizard Messages tab allows you to create your own custom message to be displayed to the end users when they have successfully completed an enrollment, password change/reset operation. The custom message you create can either be appended to the default message or used to replace the default message entirely.

Configuring the Client from the Administrative Template


Specops Authentication can be configured using the administrative template in the Group Policy Management Console.

Specops Client uses ADMX files to change the Windows Registry settings to alter the way the software interacts with the system software. ADMX templates are Windows Group Policy Settings XML-based files that specify which registry keys in the Windows Registry are changed when a certain Group Policy setting is changed (ADML files are the localized XML files containing the text strings associated with the ADMX files).

ADMX templates can be used to change numerous registry keys, but this document focuses on two settings in particular connected to Specops Client: creating the Start menu shortcut; and showing/hiding the reset password link on the logon page.

Accessing the Specops ADMX templates

To access the ADMX templates associated with Specops Authentication Client, open the Group Policy Management tool, right-click the Group Policy Object you want to change, and select Edit . In the tree navigation, navigate to Computer Configuration > Policies > Administrative templates: Policy definitions (ADMX files) > Specops Client . There you will find all the ADMX templates associated with Specops Client.

Hiding the reset password link on the logon page

Location: Enhance Windows logon and password change > Show the Password Reset Link

At Windows logon, under the username/password fields, a “Reset password…” link allows users in organizations running Specops uReset or Specops Password Reset to reset their passwords. This setting allows you to show or hide the reset password link shown on the Windows logon page.

  1. Open the Show the Password Reset Link file.
  2. Select the Disabled radio button.
  3. Click OK .
    NOTE
    to enable the setting again, you can set the radio button to either Not configured or Enabled.
Start menu shortcut creation

Location: General Client settings > Create start menu shortcuts to enroll/change/reset

With Specops Client installed, when a user logs in to Windows, start menu shortcuts to enroll, reset and change password are created. These are convenience shortcuts for users to easily use Specops uReset or Specops Password Reset. This setting allows you to hide those shortcuts, in case these should not be shown. If those shortcuts have already been created on a computer, they will be removed at next logon if this setting has been set to disabled.

  1. Open the Create start menu shortcuts to enroll/change/reset file.
  2. Select the Disabled radio button.
  3. Click OK .
NOTE
to enable the setting again, you can set the radio button to either Not configured or Enabled.
Create a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops Client ADMX/ADML files from %windir%PolicyDefinitions.

The ADMX should be copied to:

\<domainfqdn>sysvol<domainfqdn>PoliciesPolicyDefinitions

The ADML should be copied to:

\<domainfqdn>sysvol<domainfqdn>PoliciesPolicyDefinitionsen-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/92984

Specops Secured Browser (Cefsharp)


The Specops Secured Browser is used to reset passwords for a user from the Windows logon screen. It comes in two flavors, based on CefSharp and Internet Explorer browser engines, respectively. It is recommended to use the CefSharp-based Secured Browser for better security and user experience.

To use the CefSharp-based Secured Browser, the Specops Client CefSharp runtime must be deployed. The runtime has been tested by Specops to be compatible with the Secured Browser, and is a separate MSI from the Specops Client.

NOTE
If the CefSharp runtime isn't installed, an error message will be displayed if attempting to reset a password from the Windows logon screen by pressing the 'Reset Password...' link. It is possible to enforce using the Internet Explorer based browser, but strongly not recommended.

Usage

The CefSharp-based browser supports Specops uReset 8 and Specops Password Reset. Organizations that have not yet migrated to Specops uReset 8 must use the Internet Explorer-based Secured Browser, and should therefore not deploy the MSI for Specops the CefSharp runtime.

Organizations using Specops uReset 8 or Specops Password Reset

It is recommended to deploy the Specops Client CefSharp runtime on x64 Windows 10 or newer client computers.

Organizations using Specops Password Policy only

If no reset solution is used, there is no need deploy the Specops Client CefSharp runtime (not applicable).