The Specops uReset Administration Tool provides an overview of the installed components and can be used to manage the system wide configuration settings that were created during installation.
uReset Gatekeeper
The following can be configured from the uReset Gatekeeper tab on the uReset Administration Tool.
Update the web URLs
If you have changed the obfuscation of your Specops uReset page, you will be required to update your web URLs. For more information, see Use obfuscated URL.
Gatekeeper Remote Administration
You can configure Remote Access to the Specops uReset Gatekeeper from the Specops uReset Administration tool. The following security configurations must be completed in Active Directory:
- Mutual Kerberos authentication
- The service account for the Gatekeeper must have an SPN (servicePrincipalName) with service class HTTP registered for the Gatekeeper computer.
- The service account for the Gatekeeper must be trusted for delegation.
- The service account for the Gatekeeper should have a userPrincipalName.
- The user running the uReset Administration Tool should have a userPrincipalName.
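The following is an added example, not Specops code, that checks the four Active Directory prerequisites above with the ActiveDirectory PowerShell module. The Gatekeeper host name and service account name are placeholders; the Admin Tool user is taken from the current session.

```powershell
# Added example (not Specops code): verify the Gatekeeper remote-administration
# prerequisites. Replace the two placeholder values before running.
Import-Module ActiveDirectory

$GatekeeperHost = 'gk01.company.com'   # placeholder: FQDN of the Gatekeeper computer
$ServiceAccount = 'svc-ureset-gk'      # placeholder: sAMAccountName of the Gatekeeper service account
$AdminUser      = $env:USERNAME        # the user running the uReset Administration Tool

$props = 'servicePrincipalName', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'userPrincipalName'
$svc = Get-ADUser -Identity $ServiceAccount -Properties $props
$adm = Get-ADUser -Identity $AdminUser -Properties userPrincipalName

# The HTTP SPN may have been registered with the FQDN or the short host name.
$shortHost  = $GatekeeperHost.Split('.')[0]
$spns       = @($svc.servicePrincipalName)
$hasHttpSpn = ($spns -contains "HTTP/$GatekeeperHost") -or ($spns -contains "HTTP/$shortHost")

# "Trusted for delegation" shows either as the unconstrained userAccountControl flag
# or as a constrained-delegation target list in msDS-AllowedToDelegateTo.
$constrained = ($svc.'msDS-AllowedToDelegateTo' | Measure-Object).Count -gt 0
$delegation  = [bool]$svc.TrustedForDelegation -or $constrained

$checks = [ordered]@{
    'HTTP SPN registered for the Gatekeeper computer' = $hasHttpSpn
    'Service account trusted for delegation'          = $delegation
    'Service account has a userPrincipalName'         = -not [string]::IsNullOrEmpty($svc.userPrincipalName)
    'Admin Tool user has a userPrincipalName'         = -not [string]::IsNullOrEmpty($adm.userPrincipalName)
}

$allOk = $true
foreach ($c in $checks.GetEnumerator()) {
    if (-not $c.Value) { $allOk = $false }
    $label = if ($c.Value) { 'OK' } else { 'MISSING' }
    Write-Output ("[{0}] {1}" -f $label, $c.Key)
}
if (-not $allOk) { Write-Warning 'Complete the MISSING items before enabling Gatekeeper Remote Administration.' }
```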
Active Directory ‘mobile’ Attribute Override
By default, the “Mobile” attribute on the user object is used to store a mobile number. The attribute is used when sending text messages to a user. If a custom mobile attribute is used on the user object, this setting must be configured to the same value.
- On the uReset Administration Tool, click uReset Gatekeeper.
- Click Edit next to Active Directory ‘mobile’ attribute override.
- Enter the attribute LDAP name where the organization stores phone numbers on the user object.
- Click OK.
If a custom attribute is used, you will need to manually grant the “uReset Gatekeepers” group read permission on the attribute. Write access is only required if users are allowed to manually set a mobile number from the uReset web.
For each Active Directory scope where Specops uReset is active, you will need to grant access to the uReset Gatekeepers group using dsacls from a command prompt. You can see the selected scopes from the Policies and Groups tab on the uReset Administration Tool.
For example, if your organization stores mobile numbers in the comment attribute, you will need to run the following commands. These must be run in a command prompt (not a PowerShell prompt).
Read-only access:
dsacls OU=Users,DC=company,DC=com /I:S /G company\uResetGatekeepers:RP;comment;user
Read-write access:
dsacls OU=Users,DC=company,DC=com /I:S /G company\uResetGatekeepers:RPWP;comment;user
Replace the values with the distinguished name for the selected AD scope, and the sAMAccountName of the Gatekeepers group.
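The following is an added example, not Specops code, that reads the scope's DACL back after running dsacls and reports whether the Gatekeepers group holds the RP (read) and WP (write) rights on the custom attribute for user objects. The scope DN, group name and attribute name are the same placeholders as in the commands above; replace them with your own values.

```powershell
# Added example (not Specops code): confirm the attribute-specific rights granted with dsacls.
# Only attribute-specific ACEs are examined; a broader grant such as GenericAll is not reported.
Import-Module ActiveDirectory

$ScopeDN   = 'OU=Users,DC=company,DC=com'   # placeholder: distinguished name of the selected AD scope
$Group     = 'company\uResetGatekeepers'    # placeholder: DOMAIN\sAMAccountName of the Gatekeepers group
$Attribute = 'comment'                      # placeholder: LDAP name of the custom mobile attribute

# An attribute-specific ACE stores the attribute's schemaIDGUID as ObjectType, and the
# ";user" part of the dsacls command becomes InheritedObjectType = the user class GUID.
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID
if (-not $attr) { throw "Attribute '$Attribute' was not found in the schema" }
$attrGuid = [guid][byte[]]$attr.schemaIDGUID

# The AD: drive exposes the scope's DACL as ActiveDirectoryAccessRule objects.
$aces = (Get-Acl -Path "AD:\$ScopeDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Group -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $UserClassGuid
}

$readRight  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$writeRight = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$canRead  = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($readRight) })
$canWrite = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($writeRight) })

# read=True is required; write=True should only appear if users may set their own mobile number.
Write-Output ("{0} on '{1}' under {2}: read={3} write={4}" -f $Group, $Attribute, $ScopeDN, $canRead, $canWrite)
```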
Helpdesk Search
You can now specify the AD attribute to search from the helpdesk. If the field is not set, the default will be ambiguous name resolution (aNR), a consolidation of some common attributes on the user object. For more details about aNR, click here.
To use aNR together with a custom attribute, include aNR in a comma separated list of attributes to search.
Change Proxy Settings
If your organization is using a forward proxy server to route internet traffic externally, you will need to configure the proxy server to allow the Gatekeeper to reach the internet. Enable Use a proxy server and specify the address as a complete URL, including the protocol and any custom port.
Initiate User Count
You can refresh the enrollment statistics found in the reporting page on the uReset web by clicking Initiate User Count. If the Client is installed, users without valid enrollment will receive a balloon tip enrollment reminder.
Policies and Groups
The following can be configured from the Policies and Groups tab on the uReset Administration Tool.
Edit the scope of management
The Active Directory scope determines which users can use the Specops uReset Service.
- On the uReset Administration tool, click Policies and Groups.
- Find the row where the current Active Directory scopes are displayed and click Edit.
- Select the desired Active Directory Scope, and click Add. Multiple locations can be selected if you want multiple scopes of management.
- If you don’t want uReset administrators, helpdesk users, and managers to be within the uReset scope of management but want them to still manage the system or authenticate users, click Allow admins, helpdesk users, and managers to be outside of the selected scope.
NOTE
The number of users that can use the service will be limited by your license.
- Click OK.
Add/remove members to security groups
You can add additional members to the Gatekeepers, Administrators, and Helpdesk groups. Users that are members of the Gatekeepers group will have permission to read user information and reset the password for users in the selected scope. Users that are members of the Administrators group will be portal administrators. Users that are members of the Helpdesk group will have access to the Helpdesk settings in the Specops uReset web application and will be able to reset passwords on behalf of a user, view user information, and view reports.
- On the uReset Administration tool, click Policies and Groups.
- Find the security group you want to edit, and click Edit members.
- To add a member, click Add member, and enter the name of the user or group you want to add.
- To remove a member, select a member from the Group Members list, and click Remove selected member.
- Click OK.
Create an authentication policy for Administrators
You can enable multifactor authentication for users that are part of the Administrators group, to verify their identity when accessing the Administrator pages on the uReset web. By default, the user will only authenticate with their Windows Identity, which will be automatic if integrated security is configured. Adding more requirements to the policy may require enrollment with additional identity services.
If a user is a member of multiple roles, for example a helpdesk user who is also a normal user who can reset their own password, they will need to fulfill the policies for all the roles. If the authentication policies contain the same identity service, enrolling with it for one policy will also count towards the other policy.
If an authentication policy is created, but the administrators group is outside the uReset Active Directory scope, the uReset Gatekeepers group must be granted permission to read/write relevant information on the user objects. For more information, click here.
Create an authentication policy for Helpdesk Users
You can enable multifactor authentication for users that are part of the Helpdesk group, to verify their identity when accessing the Helpdesk pages on the uReset web. By default, the user will only authenticate with their Windows Identity, which will be automatic if integrated security is configured. Adding more requirements to the policy may require enrollment with additional identity services.
If a user is a member of multiple roles, for example a helpdesk user who is also a normal user who can reset their own password, they will need to fulfill the policies for all the roles. If the authentication policies contain the same identity service, enrolling with it for one policy will also count towards the other policy.
If an authentication policy is created, but the helpdesk group is outside the uReset Active Directory scope, the uReset Gatekeepers group must be granted permission to read/write relevant information on the user objects. For more information, click here.
Use delegated security
Using the delegated security model will grant granular control over the ability to reset passwords. If delegated security is not enabled, all members of the Helpdesk group are granted permission to read information/reset passwords for all users that reside in the scope of management. If delegated security is enabled, members of the Helpdesk group will also need explicit permission in Active Directory to perform a password reset.
NOTE
The reset permission in Active Directory will be required for all helpdesk activity, including viewing information.
You need to meet the following prerequisites to enable delegated security:
Gatekeeper
- Running on Windows Server 2012 or later
- The user running the Gatekeeper must have permissions to add new members to the Access Control Assistance Operators group. When delegated security is enabled from the uReset Administration Tool, the Gatekeeper is automatically added to the Access Control Assistance Operators group.
- The user running the Gatekeeper must have permissions to update the Specops uReset settings in Active Directory located in: CN=Settings,CN=uReset,CN=Specops,CN=System,DC=domain,DC=company,DC=com
Active Directory
- The Domain Controller that is communicating with the Gatekeeper must be running Windows Server 2012 or later. Preferably all Domain Controllers run Server 2012 or later; otherwise, the Gatekeeper must be configured to explicitly communicate with the appropriate Domain Controller.
To enable delegated security:
- On the uReset Administration tool, click Policies and Groups.
- On the Use delegated security row, click Change.
- Select the Enable delegated security checkbox, and click OK.
The group uReset Gatekeepers will be added to the Access Control Assistance Operators group.
For more information, see Delegated Helpdesk Security.
Edit an existing policy
- On the uReset Administration tool, click Policies and Groups.
- Find the Policies row and select the policy you want to modify. Click Edit.
- Configure the following settings:
  - Number of stars required for enrollment
  - Number of stars required for authentication
  Note:
  - The number of stars required for authentication should be equal to, or less than, the number of stars required for enrollment.
  - The stars represent the weight assigned to each identity service and can be configured to attain the desired security. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Select an identity service from the list of available identity services. You will need to assign a star value for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator 2 stars would be equivalent to two identity services worth 1 star each. If the identity service does not contain any additional policy settings, it will be added to the policy. If the identity service contains additional policy settings that require configuration, see Policy settings for more information. For more information on Duo Security policy settings, click here.
- To require the user to use a specific identity service, expand Show Advanced in the bottom left corner, and select the Allow required checkbox. The Required button will appear next to each identity service.
- Click OK when you have completed the configuration.
Notification Mode
The settings below affect the Specops Client, an optional component installed on workstations, which can notify users if they are required to enroll in the system. The type of reminders you want your users to receive, and how often they should receive them, can be configured as well.
- User status check interval:
  - How often the Specops Client checks the user’s enrollment status. A user that has not enrolled will receive a reminder.
  - How often the user’s password is checked for expiration (only if Specops Password Policy is also used).
- You can configure the reminder to appear during user logon and at regular intervals during the day, or only during user logon, or only during a periodic interval. Alternatively, you can turn off the reminders.
NOTE
When to show enrollment reminder does not affect the password expiration reminder.
- In the enrollment reminder mode settings, select one of the following options:
  - Balloon tip in the notification area: Clicking the reminder will take the user directly to the enrollment web page.
  - Start browser: The reminder opens a browser window with the enrollment web page.
  - Start unclosable fullscreen browser: The reminder opens a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.
Deploy Client
The Specops Client presents a link to the Specops uReset Web application on the Windows logon screen, and presents end user notifications about enrollment requirements. The Client also creates menu shortcuts to the enrollment and password reset pages. The Client is not required, but highly recommended for all domain joined client machines. The Client can be configured using the administrative template in the Group Policy Management Console.
Deploy with Group Policy Software Installation
You can automatically configure an existing Group Policy Object with Software Installation settings to deploy the Client in your domain.
- On the uReset Administration Tool, click Deploy Client.
- Click Deploy with Group Policy.
- If you have already downloaded the Client installation files, select Use existing installation files and select the folder where the files are saved. Otherwise, select Download the installation files and select the folder where you want to save the files.
- Select the Group Policy Object that will be used to deploy the Client, and click Next.
- Select the share from which the installation files should be accessed when computers install the Client.
NOTE
It is recommended that you use a Distributed File Share (DFS). If DFS is used with load balancing, verify that the setup files are copied to all servers before proceeding.
- Click Finish. The installation package will be added to the selected Group Policy. Client computers affected by the policy will install the package after the next restart.
Deploy the Client using Specops Deploy/App or other deployment tools
If you are not deploying using Group Policy Software Installation (GPSI), you can download the Client for alternative deployment methods, such as Specops Deploy.
- On the uReset Administration Tool, click Deploy uReset Client.
- Click Download Setup Files.
- Select a folder where Client installers will be downloaded.
- Browse to the selected folder when the download is complete.
- Double click the uReset.Authentication-x64 or Specops.Authentication.Client-x86 Windows Installer Package.
- Accept the terms in the License Agreement, and click Install.
- Click Finish.
License and Identity Services
From the License and Identity Services tab, you can view/update your license information, and view a list of available identity services or newly added identity services that will be available following an upgrade. Identity services that require configuration, such as Duo Security, can also be accessed from this page.
Logging
Gatekeeper Log Settings
You can enable and edit log settings for the Gatekeeper.
- Open the Specops uReset Administration tool.
- Browse to Gatekeeper Log Settings, and click Edit.
- In the Edit log settings dialog box, you can configure the following settings:
  - Enable operational logging for the Gatekeeper.
  - Clear the log file when the service is started.
  - Specify a log level.
  - Set the file path where the debug file for the Gatekeeper should be stored.
  - Set the maximum size in Megabytes of a log file before a new log file is created. Note that only the two latest log files will be kept.
- Click OK.
- When you are done, click Collect Log Files.
Admin Tools Log Settings
You can enable and edit log settings for the Admin Tools.
- Open the Specops uReset Administration Tool.
- Browse to Admin Tools Log Settings, and click Edit.
- In the Edit log settings dialog box, you can configure the following settings:
  - Enable operational logging for the Admin Tools.
  - Clear the log file when the service is started.
  - Specify a log level.
  - Set the file path where the debug file for the Admin Tools should be stored.
  - Set the maximum size in Megabytes of a log file before a new log file is created. Note that only the two latest log files will be kept.
- Click OK.
- When you are done, click Collect Log Files.