The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Reset settings in Group Policy Objects. These settings are stored as part of the GPO. Managing SPR settings in Group Policy allows you to control how and where the policies are applied.
Create a Specops Password Reset GPO
- In the GPMC, expand your domain node and locate the Group Policy Objects node.
- Right-click the Group Policy Objects node, and select New.
- Enter a name for the Group Policy Object, and click OK.
- Expand User Configuration, Policies, Windows Settings, and select Specops Password Reset. Use the settings to manage password reset for users in your organization.
Applying policy settings
Specops Password Reset settings will apply to all user accounts in locations where your GPO is linked.
If more than one GPO is linked at the same level, the link order of the GPOs determines the order in which they are processed.
If conflicting settings from multiple GPOs apply to a user, Group Policy resolves the conflict. Group Policy Objects are applied in the following order; the GPO closest to the user object in AD has the highest precedence.
- Local Group Policy Objects
  NOTE: Specops Password Reset settings cannot be created at this level.
- Site-linked Group Policy Objects
- Domain-linked Group Policy Objects
- OU-linked Group Policy Objects
If the above order does not let you apply your preferred settings, you can use security filtering to control, at the permission level, which users and computers are affected by the GPO. Security filtering allows you to apply different policy settings to objects located at the same level in Active Directory.
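The precedence and security filtering rules described above can be checked from PowerShell before a new link goes live. This is an added example, not part of the Specops documentation; it assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined management host, and the account name is a placeholder.

```powershell
# Added example (not Specops product code): list the GPOs that apply to a
# user's container in Group Policy precedence order, and show the security
# filtering (Apply Group Policy trustees) on each of them.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-EffectiveUserGpoOrder {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName
    # Parent container of the user: strip the leading "CN=<name>," component.
    $container = $user.DistinguishedName -replace '^CN=[^,]+,', ''

    # Get-GPInheritance returns the links applied to an OU or the domain root,
    # including inherited ones. InheritedGpoLinks is ordered by precedence:
    # the first entry wins any conflicting setting.
    # Site-linked GPOs are not reported by this cmdlet; check them in the GPMC.
    $som = Get-GPInheritance -Target $container

    $rank = 0
    foreach ($link in $som.InheritedGpoLinks) {
        $rank++
        # Trustees that hold "Apply Group Policy" define the security filtering.
        $applyTo = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Precedence = $rank
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
            AppliesTo  = ($applyTo -join ', ')
        }
    }
}

# Placeholder account; replace with the user you want to inspect.
Get-EffectiveUserGpoOrder -SamAccountName 'jdoe' | Format-Table -AutoSize
```

A GPO whose AppliesTo column no longer lists Authenticated Users (or a group the user belongs to) is being filtered out, which is the usual reason a Specops setting "does not apply" even though the link order looks right.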
Policy settings
Group Policy settings determine how the system should behave when accessed by a user. The Specops Password Reset Server queries Active Directory to determine which settings to use for each visiting user.
NOTE
Specops Password Reset creates a leaf object in Active Directory, under the user object, to store enrollment information.
General
You can configure the following items from the General tab.
Enrollment options
These settings control the authentication method users affected by the policy should use:
- Secret Questions
- Mobile Verification Code
- Both
You can also prompt the user for their current password before starting the enrollment wizard. Prompting the user for their current password is a good security practice.
Locked account options
You can use the locked account options to:
- Allow locked user account to use the password reset service: If you enable this box alone, the user can reset their password and their account will be automatically unlocked.
- Allow users to unlock their account without resetting their password: If you enable this box, the user can unlock their account and choose not to change their password.
Enrollment Enforcing
You can use the Enrollment Enforcing settings to control how you want your users to enroll. The Reminder Mode setting allows you to configure the type of reminders you want your users to receive.
- Balloon tip: Reminder balloon tip that pops up from the taskbar tray. Clicking the reminder will take the user directly to the enrollment web page. This is the default setting in Specops Password Reset.
- Start browser: This setting causes the reminder to open a browser window with the enrollment web page.
- Start unclosable fullscreen browser: This setting causes the reminder to open a full-screen browser window with the enrollment web page, which cannot be closed until the enrollment has been completed.
You can configure the reminder to appear only at user logon, or at user logon and at regular intervals during the day. You can manage the intervals using the Specops Password Reset Administrative Template. See Configure Specops Client from the Administrative Template for more information.
Secret Questions
The Secret Questions tab allows you to edit the Secret Questions used in the GPO. You can configure the following items from the Secret Questions tab.
Secret Question Settings
The following settings control the requirements on how users are allowed to select and answer the questions in the GPO.
- Number of questions: The number of questions users are required to answer when they authenticate using the Secret Questions mechanism. You must have more than the configured number of questions available in the policy in order for users to be able to meet this requirement.
- Number of allowed custom questions: Controls the number of custom questions the user is allowed to use.
- Custom question answer min length: If custom questions are allowed, this value controls the minimum length of the answers to the custom questions.
- Lockout threshold: Number of failed password attempts allowed before locking the user out from Password Reset. When the user exceeds the configured number of attempts, the system invalidates the enrollment information, preventing the user from using the system until a new enrollment has been created.
- Allow identical answers: Allows users to use the same answer for more than one question in the question series.
- Case sensitive answers: Requires users to provide answers using the same case as when they enrolled.
Edit Questions
Specops Password Reset contains a selection of questions and language translations that can be made available to users affected by the GPO. The questions can be imported using the Import Questions… button.
You can also manually create new questions using the Add new Question… button.
If you have manually created new questions, you will have to provide your own translations. If you want to provide translations for your questions, you can add more language translations using the Edit Languages… button.
Mobile Verification Code
If “Use Mobile Verification code” is enabled, you can use the Mobile Verification code tab to configure how the system should connect to your SMS service provider.
Verification Code Message
The Specops Password Reset Server uses these settings to create an email message, which is sent to the SMS provider and converted to an SMS message that the user receives. Most of these settings are dictated by the SMS service provider. The placeholders below are evaluated by the Specops Password Reset Server service.
- %MobileNumber%: Contains the mobile number retrieved by Specops Password Reset from the user object of the target user in Active Directory.
- %Code%: Contains the mobile verification code generated by Specops Password Reset. The code is only valid for use from the same session against the web server from which it was requested.
- %Email%: Contains the email address retrieved by Specops Password Reset from the user object of the target user in Active Directory.
Mobile Verification Settings
You can control how the mobile verification code is used by users affected by the GPO.
- Bypass if mobile number missing: This option is only available if Use Both mobile verification and Secret Questions is enabled. If this option is selected, mobile verification codes are only used for users who have a mobile number configured in Active Directory. For other users, the step is bypassed.
- Allow users to enter mobile number when enrolling: This option is only available if Use Mobile Verification code is enabled. If this option is selected, users without a registered mobile number in Active Directory are asked to enroll in the system by registering their mobile number.
- Require verification of mobile phone number: This option is only available if Allow users to enter mobile number when enrolling is enabled. If this option is selected, users must verify that they have enrolled with the correct mobile number by receiving and responding with a verification code during the enrollment process.
Email Notifications
When certain system events occur, such as a user enrolling with the system, Specops Password Reset can generate and send emails to end users to confirm that the operation was successful. Event notification settings can be managed using the Email Notifications tab in your Specops Password Reset user GPO in the GPMC. The text fields support HTML, including HTML links, for further customization.
Email Server Settings
These settings can be used to override the server email configuration specified during the installation of the Specops Password Reset Server component. This is useful in scenarios where you want a specific part of the organization to use a specific SMTP server.
Events
Specops Password Reset can send email notification for the following events:
- Password Reset by user: This event triggers every time a user resets their password through Specops Password Reset. By default, a confirmation email is sent to the user with details about the reset operation.
- Password Reset from helpdesk: This event triggers when the Specops Password Reset Helpdesk tool is used to reset the password of a user. No emails are configured by default for this event.
- User has enrolled: This event triggers when a user successfully completes the enrollment process in Specops Password Reset. By default, a confirmation email is sent to the user with details about the enrollment operation.
- User account locked out from Specops Password Reset: This event triggers when a user has exceeded the allowed number of attempts to answer the Secret Questions correctly. No emails are configured by default for this event.
- Account unlocked: This event triggers when a user unlocks their account through Specops Password Reset. No emails are configured by default for this event.
- Enrollment reminder: This event triggers during the daily enrollment status check if the system discovers a user who has not yet enrolled. No emails are configured by default for this event, but it is strongly recommended to add a customized reminder email that will be sent to the user.
Custom Wizard Messages
The settings in the Custom Wizard Messages tab allow you to create your own custom message to be displayed to end users when they have successfully completed an enrollment or a password change/reset operation. The custom message you create can either be appended to the default message or replace the default message entirely.