Administrator Configurations

Specops uReset can be configured from any computer in the domain where the Specops uReset Administration Tools are installed. The administration tools can be used to configure different aspects of the product.

Group Policy Snap-In: Manages Specops uReset settings including how users are allowed to use the system.

uReset Administration Tool: The Specops uReset Server Administration Tools contain the installation information for all of the Specops uReset components and can be used to manage system-wide configuration settings.

Specops uReset Web: Displays the end user interface of the product. Can be used by portal administrators to view system information and manage various aspects of the product including the customer settings, licensing, customizations, notifications, and reporting.

Group Policy Snap-In


Create a Specops uReset GPO

Specops uReset settings will apply to all user accounts in locations where your GPO is linked, and override the default policy in the cloud.

Note: For more information about policy precedence, see GPO Processing.

  1. In the GPMC, expand your domain node.
  2. Right-click your domain and click Create a GPO in this domain, and Link it here.
  3. Enter a name for the Group Policy Object, and click OK.

Edit policy settings

  1. In the GPMC, right-click on your newly created GPO, and select Edit.
  2. Expand User Configuration, Policies, Windows Settings, and select the Specops uReset snap-in.
  3. Click Edit.
Configure Identity Services
  1. Configure the following settings:
    • Number of stars required for enrollment
    • Number of stars required for authentication
    NOTE
    • The number of stars required for authentication should be equal to, or less than the number of stars required for enrollment.
    • The stars represent the weight assigned to each identity service and can be configured to attain the desired security. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  2. Select an identity service from the list of available identity services. You will need to assign a star value for each selected identity service. This allows you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning 2 stars to the Specops Authenticator makes it equivalent to two identity services worth 1 star each. If the identity service does not contain any additional policy settings, it will be added to the policy. If the identity service contains additional policy settings that require configuration, see Policy settings for more information. For more information on Duo Security policy settings, click here.
  3. To require the user to use a specific identity service, expand Show Advanced in the bottom left corner, and select the Allow required checkbox. The Required button will appear next to each identity service.
Notification Mode

The settings below affect the Specops Client, an optional component installed on workstations, which can notify users if they are required to enroll in the system. You can also configure the type of reminders your users receive and how often they receive them.

  1. User status check interval:
    • How often the Specops Client checks the user’s enrollment status. A user that has not enrolled will receive a reminder.
    • How often the user’s password is checked for expiration (only if Specops Password Policy is also used).
  2. You can configure the reminder to appear during user logon and at regular intervals during the day, or only during user logon, or only during a periodic interval. Alternatively, you can turn off the reminders.
    NOTE
    When to show enrollment reminder does not affect the password expiration reminder.
  3. In the enrollment reminder mode settings, select one of the following options:
    • Balloon tip in the notification area: Clicking the reminder will take the user directly to the enrollment web page.
    • Start browser: The reminder opens a browser window with the enrollment web page.
    • Start unclosable fullscreen browser: The reminder opens a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.

Policy settings

  • Mobile: You can configure the following settings:
    • Allow national numbers without country prefix for text messages.
    • Hide part of the mobile number on the login page.
    • If/when the user is allowed to enter their mobile phone number during enrollment.
    • Note: The mobile code is valid for 5 minutes.
  • Questions: You can configure the following settings to control how users are required to use security questions:
    • Import Questions
    • Add Custom Question
    • Edit Selected Question
    • Remove Selected Questions
    • Add Language
    • Number of questions to answer
    • Number of failed attempts before being locked out: You can configure the number of wrong answers a user can enter during security question authentication before being locked out of the Security Questions identity service. The lockout is temporary, and its length is configured with the lockout duration slider.
    • Lockout duration: You can configure how long a user is locked out of the Security Questions identity service after reaching the configured number of failed attempts (10 in the example below). The lockout duration is a sliding window. Assume the number of failed attempts is set to 10 and the lockout duration to 8 hours. If a user enters one wrong answer and returns six hours later to provide nine more wrong answers, the user has made 10 failed attempts within a seven hour timespan and is locked out. One hour later, however, the number of failed attempts drops to 9, because the initial failed attempt is now more than 8 hours old and falls outside the sliding window, so the user is allowed one more attempt. Once all the failed attempts fall outside the sliding window, the user again has 10 attempts.
  • Manager Identification: You will need to select how the manager’s name should be displayed on the login page.
    • Note: A Manager Identification request is valid for 60 minutes.
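The sliding window behind the Lockout duration setting, worked through as an added Python example (this is illustrative code, not Specops' implementation): each user's failed-attempt timestamps are kept, failures older than the lockout duration drop out one by one, and the 10-attempt, 8-hour scenario from the text is replayed. The user name and timestamps are constructed.

```python
from collections import deque
from datetime import datetime, timedelta


class SlidingWindowLockout:
    """Sliding-window lockout for the Security Questions identity service.

    A user is locked out while at least max_failed_attempts failures fall
    inside the last lockout_duration. Failures age out individually, so the
    user regains one attempt each time an old failure leaves the window.
    """

    def __init__(self, max_failed_attempts=10, lockout_duration=timedelta(hours=8)):
        self.max_failed_attempts = max_failed_attempts
        self.lockout_duration = lockout_duration
        self._failures = {}  # user name -> deque of failure timestamps, oldest first

    def _window(self, user, now):
        """Return the user's failures still inside the window, pruning expired ones."""
        failures = self._failures.setdefault(user, deque())
        # A failure that is lockout_duration old (or older) no longer counts.
        while failures and now - failures[0] >= self.lockout_duration:
            failures.popleft()
        return failures

    def failed_attempts(self, user, now):
        return len(self._window(user, now))

    def is_locked_out(self, user, now):
        return self.failed_attempts(user, now) >= self.max_failed_attempts

    def remaining_attempts(self, user, now):
        return self.max_failed_attempts - self.failed_attempts(user, now)

    def record_failure(self, user, now):
        """Record a wrong answer. Returns False if the attempt was refused (user locked out)."""
        if self.is_locked_out(user, now):
            return False
        self._failures[user].append(now)
        return True


def run_documented_scenario():
    """Replay the example from the Lockout duration setting (10 attempts, 8 hours).

    Constructed timeline: one wrong answer at t0, nine more between t0+6h and
    t0+7h, then checks at t0+7h, t0+8h and t0+15h.
    """
    policy = SlidingWindowLockout(max_failed_attempts=10, lockout_duration=timedelta(hours=8))
    user = "sample.user"               # constructed sample user
    t0 = datetime(2024, 1, 1, 9, 0)    # constructed start time
    policy.record_failure(user, t0)
    for i in range(9):                 # nine failures 7.5 minutes apart, the last at t0+7h
        policy.record_failure(user, t0 + timedelta(hours=6, minutes=7.5 * i))
    return {
        # 10 failures within seven hours: locked out, a further attempt is refused
        "locked_at_7h": policy.is_locked_out(user, t0 + timedelta(hours=7)),
        "refused_at_7h": not policy.record_failure(user, t0 + timedelta(hours=7, minutes=1)),
        # one hour later the first failure is 8 hours old and leaves the window
        "remaining_at_8h": policy.remaining_attempts(user, t0 + timedelta(hours=8)),
        # once every failure has aged out the user has all 10 attempts again
        "remaining_at_15h": policy.remaining_attempts(user, t0 + timedelta(hours=15)),
    }


if __name__ == "__main__":
    print(run_documented_scenario())
```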

Specops uReset Administration Tool


The Specops uReset Administration Tool provides an overview of the installed components and can be used to manage the system wide configuration settings that were created during installation.

uReset Gatekeeper

The following can be configured from the uReset Gatekeeper tab on the uReset Administration Tool.

Update the web URLs

If you have changed the obfuscation of your Specops uReset page, you will be required to update your web URLs. For more information, see Use obfuscated URL.

Gatekeeper Remote Administration

You can configure Remote Access to the Specops uReset Gatekeeper from the Specops uReset Administration Tool. The following security configurations must be completed in Active Directory:

  • Mutual Kerberos authentication
  • The service account for the Gatekeeper must have an SPN (servicePrincipalName) with service class HTTP registered for the Gatekeeper computer.
  • The service account for the Gatekeeper must be trusted for delegation.
  • The service account for the Gatekeeper should have a userPrincipalName.
  • The user running the uReset Administration Tool should have a userPrincipalName.
Active Directory ‘mobile’ Attribute Override

By default, the “Mobile” attribute on the user object is used to store a mobile number. The attribute is used when sending text messages to a user. If a custom mobile attribute is used on the user object, this setting must be configured to the same value.

  1. On the uReset Administration Tool, click uReset Gatekeeper.
  2. Click Edit next to Active Directory ‘mobile’ attribute override.
  3. Enter the attribute LDAP name where the organization stores phone numbers on the user object.
  4. Click OK.

If a custom attribute is used, you will need to manually grant the “uReset Gatekeepers” group read permission on the attribute. Write access is only required if users are allowed to manually set a mobile number from the uReset web.

For each Active Directory scope where Specops uReset is active, you will need to grant access to the uReset Gatekeepers group using dsacls from a command prompt. You can see the selected scopes from the Policies and Groups tab on the uReset Administration Tool.

For example, if your organization stores mobile numbers in the comment attribute, you will need to run the following commands. These must be run in a command prompt (not a PowerShell prompt).

Read-only access:

dsacls OU=Users,DC=company,DC=com /I:S /G company\uResetGatekeepers:RP;comment;user

Read-write access:

dsacls OU=Users,DC=company,DC=com /I:S /G company\uResetGatekeepers:RPWP;comment;user

Replace the values with the distinguished name for the selected AD scope, and the sAMAccountName of the Gatekeepers group.

Helpdesk Search

You can now specify the AD attribute to search from the helpdesk. If the field is not set, the default will be ambiguous name resolution (aNR), a consolidation of some common attributes on the user object. For more details about aNR, click here.

To search both aNR and a custom attribute, include aNR in a comma separated list of the attributes to search.

Change Proxy Settings

If your organization is using a forward proxy server to route internet traffic externally, you will need to configure the proxy server to allow the Gatekeeper to reach the internet. Enable Use a proxy server and specify the address as a complete URL, including the protocol and any custom port.

Initiate User Count

You can refresh the enrollment statistics found in the reporting page on the uReset web by clicking Initiate User Count. If the Client is installed, users without valid enrollment will receive a balloon tip enrollment reminder.

Policies and Groups

The following can be configured from the Policies and Groups tab on the uReset Administration Tool.

Edit the scope of management

The Active Directory scope determines which users can use the Specops uReset Service.

  1. On the uReset Administration tool, click Policies and Groups.
  2. Find the row where the current Active Directory scopes are displayed and click Edit.
  3. Select the desired Active Directory Scope, and click Add. Multiple locations can be selected if you want multiple scopes of management.
  4. If you don’t want uReset administrators, helpdesk users, and managers to be within the uReset scope of management but want them to still manage the system or authenticate users, click Allow admins, helpdesk users, and managers to be outside of the selected scope.
    NOTE
    The number of users that can use the service will be limited by your license.
  5. Click OK.
Add/remove members to security groups

You can add additional members to the Gatekeepers, Administrators, and Helpdesk groups. Users that are members of the Gatekeepers group will have permission to read user information and reset the password for users in the selected scope. Users that are members of the Administrators group will be portal administrators. Users that are members of the Helpdesk group will have access to the Helpdesk settings in the Specops uReset web application and will be able to reset passwords on behalf of a user, view user information, and view reports.

  1. On the uReset Administration tool, click Policies and Groups.
  2. Find the security group you want to edit, and click Edit members.
  3. To add a member, click Add member, and enter the name of the user or group you want to add.
  4. To remove a member, select a member from the Group Members list, and click Remove selected member.
  5. Click OK.
Create an authentication policy for Administrators

You can enable multifactor authentication for users that are part of the Administrators group, to verify their identity when accessing the Administrator pages on the uReset web. By default, the user will only authenticate with their Windows Identity, which will be automatic if integrated security is configured. Adding more requirements to the policy may require enrollment with additional identity services. If a user is a member of multiple roles (for example a helpdesk user who is also a normal user who can reset their own password), they will need to fulfill the policies for all the roles. If the authentication policies contain the same identity service, enrolling with it for one policy will also count towards the other policy.

If an authentication policy is created, but the administrators group is outside the uReset Active Directory scope, the uReset Gatekeeper’s group must be granted permission to read/write relevant information on the user objects. For more information, click here.

Create an authentication policy for Helpdesk Users

You can enable multifactor authentication for users that are part of the Helpdesk group, to verify their identity when accessing the Helpdesk pages on the uReset web. By default, the user will only authenticate with their Windows Identity, which will be automatic if integrated security is configured. Adding more requirements to the policy may require enrollment with additional identity services. If a user is a member of multiple roles (for example a helpdesk user who is also a normal user who can reset their own password), they will need to fulfill the policies for all the roles. If the authentication policies contain the same identity service, enrolling with it for one policy will also count towards the other policy.

If an authentication policy is created, but the helpdesk group is outside the uReset Active Directory scope, the uReset Gatekeeper’s group must be granted permission to read/write relevant information on the user objects. For more information, click here.

Use delegated security

Using the delegated security model will grant granular control over the ability to reset passwords. If delegated security is not enabled, all members of the Helpdesk group are granted permission to read information/reset passwords for all users that reside in the scope of management. If delegated security is enabled, members of the Helpdesk group will also need explicit permission in Active Directory to perform a password reset.

NOTE
The reset permission in Active Directory will be required for all helpdesk activity, including viewing information.

You need to meet the following prerequisites to enable delegated security:

Gatekeeper

  • Running on Windows Server 2012 or later
  • The user running the Gatekeeper must have permissions to add new members to Access Control Assistance Operators group. When delegated security is enabled from the uReset Administration Tool, the Gatekeeper is automatically added to the Access Control Assistance Operators group.
  • The user running the Gatekeeper must have permissions to update the Specops uReset settings in Active Directory located in: CN=Settings,CN=uReset,CN=Specops,CN=System,DC=domain,DC=company,DC=com

Active Directory

  • The Domain Controller that communicates with the Gatekeeper must be running Windows Server 2012 or later. Preferably all Domain Controllers run Windows Server 2012 or later; otherwise, the Gatekeeper must be configured to communicate explicitly with an appropriate Domain Controller.

  1. On the uReset Administration tool, click Policies and Groups.
  2. On the Use delegated security row, click Change.
  3. Select the Enable delegated security checkbox, and click OK.

The group uReset Gatekeepers will be added to the Access Control Assistance Operators group.

For more information, see Delegated Helpdesk Security.

Edit an existing policy
  1. On the uReset Administration tool, click Policies and Groups.
  2. Find the Policies row and select the policy you want to modify. Click Edit.
  3. Configure the following settings:
    • Number of stars required for enrollment
    • Number of stars required for authentication

    Note:

    • The number of stars required for authentication should be equal to, or less than the number of stars required for enrollment.
    • The stars represent the weight assigned to each identity service and can be configured to attain the desired security. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  4. Select an identity service from the list of available identity services. You will need to assign a star value for each selected identity service. This allows you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning 2 stars to the Specops Authenticator makes it equivalent to two identity services worth 1 star each. If the identity service does not contain any additional policy settings, it will be added to the policy. If the identity service contains additional policy settings that require configuration, see Policy settings for more information. For more information on Duo Security policy settings, click here.
  5. To require the user to use a specific identity service, expand Show Advanced in the bottom left corner, and select the Allow required checkbox. The Required button will appear next to each identity service.
  6. Click OK when you have completed the configuration.
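The star-weighting rules described in the policy steps above (and in the Group Policy snap-in section earlier), worked through as an added Python example; this is illustrative code, not Specops' implementation. It checks the "authentication stars must not exceed enrollment stars" rule, sums the weights of the services a user has enrolled with or verified at login, and treats a service marked Required as mandatory for both enrollment and authentication (an assumption). The example policy's thresholds (3 stars to enroll, 2 to authenticate) are constructed; the 2-star Authenticator versus two 1-star services comparison is the one from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityService:
    name: str
    stars: int              # weight the policy assigns to this service
    required: bool = False  # marked Required under Show Advanced > Allow required


class StarPolicy:
    """Evaluates the star thresholds the way the policy dialog describes them."""

    def __init__(self, services, enrollment_stars, authentication_stars):
        # The dialog's own rule: authentication stars must be equal to or less than enrollment stars.
        if authentication_stars > enrollment_stars:
            raise ValueError("authentication stars must be equal to or less than enrollment stars")
        self.services = {s.name: s for s in services}
        self.enrollment_stars = enrollment_stars
        self.authentication_stars = authentication_stars

    def stars_for(self, names):
        """Sum the star weights of the named services (a name outside the policy is an error)."""
        unknown = set(names) - set(self.services)
        if unknown:
            raise ValueError(f"not in policy: {sorted(unknown)}")
        return sum(self.services[n].stars for n in set(names))

    def missing_required(self, names):
        """Required services not among the given ones (assumed to apply to enrollment and authentication)."""
        return sorted(s.name for s in self.services.values() if s.required and s.name not in names)

    def can_enroll(self, enrolled):
        """True when the enrolled services fill the enrollment star bar and include every required service."""
        return self.stars_for(enrolled) >= self.enrollment_stars and not self.missing_required(enrolled)

    def can_authenticate(self, enrolled, verified):
        """True when the services verified at login fill the authentication star bar."""
        verified = set(verified)
        if not verified <= set(enrolled):
            return False  # a user can only authenticate with services they have enrolled with
        return self.stars_for(verified) >= self.authentication_stars and not self.missing_required(verified)


def example_policy(require_authenticator=False):
    """Constructed policy: Specops Authenticator worth 2 stars, Mobile and Questions 1 star each."""
    return StarPolicy(
        services=[
            IdentityService("Specops Authenticator", 2, required=require_authenticator),
            IdentityService("Mobile", 1),
            IdentityService("Questions", 1),
        ],
        enrollment_stars=3,
        authentication_stars=2,
    )


def walk_through():
    """Worked results for the example policy; each key names the case it checks."""
    p = example_policy()
    all_three = {"Specops Authenticator", "Mobile", "Questions"}
    two_services = {"Specops Authenticator", "Mobile"}
    return {
        "enroll_authenticator_plus_mobile": p.can_enroll(two_services),            # 2 + 1 = 3 stars
        "enroll_mobile_plus_questions": p.can_enroll({"Mobile", "Questions"}),      # only 2 stars
        "auth_with_authenticator": p.can_authenticate(all_three, {"Specops Authenticator"}),     # 2 stars
        "auth_with_two_one_star_services": p.can_authenticate(all_three, {"Mobile", "Questions"}),  # 1 + 1
        "auth_with_mobile_only": p.can_authenticate(all_three, {"Mobile"}),        # 1 star
        "auth_with_unenrolled_service": p.can_authenticate(two_services, {"Questions"}),
        # with the Authenticator marked Required, two 1-star services are no longer enough
        "auth_without_required_service": example_policy(require_authenticator=True)
        .can_authenticate(all_three, {"Mobile", "Questions"}),
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case}: {result}")
```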
Notification Mode

The settings below affect the Specops Client, an optional component installed on workstations, which can notify users if they are required to enroll in the system. You can also configure the type of reminders your users receive and how often they receive them.

  1. User status check interval:
    • How often the Specops Client checks the user’s enrollment status. A user that has not enrolled will receive a reminder.
    • How often the user’s password is checked for expiration (only if Specops Password Policy is also used).
  2. You can configure the reminder to appear during user logon and at regular intervals during the day, or only during user logon, or only during a periodic interval. Alternatively, you can turn off the reminders.
    NOTE
    When to show enrollment reminder does not affect the password expiration reminder.
  3. In the enrollment reminder mode settings, select one of the following options:
    • Balloon tip in the notification area: Clicking the reminder will take the user directly to the enrollment web page.
    • Start browser: The reminder opens a browser window with the enrollment web page.
    • Start unclosable fullscreen browser: The reminder opens a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.

Deploy Client

The Specops Client presents a link to the Specops uReset Web application on the Windows logon screen, and presents end user notifications about enrollment requirements. The Client also creates menu shortcuts to the enrollment and password reset pages. The Client is not required, but highly recommended for all domain joined client machines. The Client can be configured using the administrative template in the Group Policy Management Console.

Deploy with Group Policy Software Installation

You can automatically configure an existing Group Policy Object with Software Installation settings to deploy the Client in your domain.

  1. On the uReset Administration Tool, click Deploy Client.
  2. Click Deploy with Group Policy.
  3. If you have already downloaded the Client installation files, select Use existing installation files and select the folder where the files are saved. Otherwise, select Download the installation files and select the folder where you want to save the files.
  4. Select the Group Policy Object that will be used to deploy the Client, and click Next.
  5. Select the share from which the installation files should be accessed when computers install the Client.
    NOTE
    It is recommended that you use a Distributed File Share (DFS). If DFS is used with load balancing, verify that the setup files are copied to all servers before proceeding.
  6. Click Finish. The installation package will be added to the selected Group Policy. Client computers affected by the policy will install the package after the next restart.
Deploy the Client using Specops Deploy/App or other deployment tools

If you are not deploying using Group Policy Software Installation (GPSI), you can download the Client for alternative deployment methods, such as Specops Deploy.

  1. On the uReset Administration Tool, click Deploy uReset Client.
  2. Click Download Setup Files.
  3. Select a folder where Client installers will be downloaded.
  4. Browse to the selected folder when the download is complete.
  5. Double click the uReset.Authentication-x64 or Specops.Authentication.Client-x86 Windows Installer Package.
  6. Accept the terms in the License Agreement, and click Install.
  7. Click Finish.

License and Identity Services

From the License and Identity Services tab, you can view/update your license information, and view a list of available identity services or newly added identity services that will be available following an upgrade. Identity services that require configuration, such as Duo Security, can also be accessed from this page.

Logging

Gatekeeper Log Settings

You can enable and edit log settings for the Gatekeeper.

  1. Open the Specops uReset Administration tool.
  2. Browse to Gatekeeper Log Settings, and click Edit.
  3. In the Edit log settings dialog box, you can configure the following settings:
    • Enable operational logging for the Gatekeeper.
    • Clear the log file when the service is started.
    • Specify a log level.
    • Set the file path where the debug file for the Gatekeeper should be stored.
    • Set the maximum size in megabytes of a log file before a new log file is created. Note that only the two latest log files will be kept.
  4. Click OK.
  5. When you are done, click Collect Log Files.
Admin Tools Log Settings

You can enable and edit log settings for the Admin Tools.

  1. Open the Specops uReset Administration Tool.
  2. Browse to Admin Tools Log Settings, and click Edit.
  3. In the Edit log settings dialog box, you can configure the following settings:
    • Enable operational logging for the Admin Tools.
    • Clear the log file when the service is started.
    • Specify a log level.
    • Set the file path where the debug file for the Admin Tools should be stored.
    • Set the maximum size in megabytes of a log file before a new log file is created. Note that only the two latest log files will be kept.
  4. Click OK.
  5. When you are done, click Collect Log Files.

Specops uReset Web


Once you have installed and configured the various components, you can sign in to the Specops uReset web application. Users that are members of the uReset Admins group in Active Directory can perform administrative tasks on the web application.

  1. Open https://www.ureset.com/ureset.web/<domain.com>/home.
  2. Enter your email address, and click Continue.
  3. Enter your Active Directory credentials to login.

Manage customer settings

From the settings menu, you can view and manage system wide configuration settings.

Use obfuscated URL

Changing the Specops uReset web application URL to an obfuscated URL hides the “company domain name” part of the URL and replaces it with the customer ID.

  1. From the uReset web application, select Settings, and click General.
  2. Click Enable.
  3. Click Save.
  4. Open the Specops uReset Administration Tool.
  5. From the left menu pane, click uReset Gatekeeper.
  6. Click Update next to Web Urls.
Captcha Settings

Configure the captcha settings to dynamically display a captcha to prevent user name harvesting.

You can display a captcha when a user first provides their username.

  1. From the uReset web application, select Settings, and click General.
  2. Under Captcha Settings, click Enable.
Find password reset page by e-mail address

You can allow users to find your organization’s password reset page from the Specops uReset start page by entering their e-mail address. This eliminates the need of a deep link URL. If ‘Use obfuscated URL’ is enabled, it is recommended to disable this setting.

  1. From the uReset web application, select Settings, and click General.
  2. Under Find reset page by e-mail address, click Enable.
Add additional domain names

You can associate different email domains to the same customer from the uReset web application.

  1. From the uReset web application, select Settings, and click Domain Names.
  2. Click Add and enter the additional domain names in the text box.
  3. Click Save.
Import license key

From the Specops uReset web application, you can view your license information and update your license key. You will be required to add more licenses if you have added additional users.

  1. From the Specops uReset web application, select Settings, and click License Information.
  2. Click Browse… and locate the TXT file.
  3. Click Open.
  4. Click Upload License.

Customize the Specops uReset web application

The Specops uReset web application contains several customization features which give you control over the Specops uReset end user interface. You can customize the graphical elements of the Specops uReset web application including main header text, main logo, favicon, and main style, allowing you to set your own styles by using a custom bootstrap CSS. You can also customize the text displayed to the end user, for all supported languages.

To get started, click Customization from the Settings tab.

Customize the graphical elements

Main Header text:

  1. Click Main header text in the component column.
  2. Click Customize.
  3. In the text field, enter the text that you want to appear next to the logo on the navigation menu bar, and click Save.

Main Logo:

  1. Click Main logo in the component column.
  2. Click Customize.
  3. Click Browse to upload the icon you want displayed in the title bar, and click Save.

Favicon:

  1. Click Favicon in the component column.
  2. Click Customize.
  3. Click Browse to upload the icon you want displayed on the top left of the browser window, and click Save.

Login logo:

  1. Click Login logo in the component column.
  2. Click Customize.
  3. Click Browse to upload the icon you want displayed to users when they login to the self-service password reset system, and click Save.

Main style:

Additional customizations, such as custom color themes, fonts, and graphics, can be achieved by uploading a custom bootstrap CSS. Alternatively, you can activate an existing stylesheet.

  1. Click Main style in the component column.
  2. Click Customize.
  3. Select or upload the stylesheet you want to use.
  4. Click Save.
Create your own bootstrap CSS

You can use a bootstrap style generator to create your own stylesheet. We recommend using the following free tool:

NOTE
Specops Software cannot take responsibility for pages maintained by external providers.

Simply create your CSS by editing the variables. The edits will be displayed live on the page. The tool will generate the bootstrap.css file which you can import as the main style on the uReset web.

NOTE
After uploading your custom CSS, you may need to do a hard refresh to update the theme in your browser’s cache in order to see the changes; in most browsers on Windows this can be done using CTRL+F5. Alternatively, open uReset in a private/incognito browser window to test how the new theme will work in a clean browser session.
Customize the text

You can customize the text displayed to the end user from the uReset web pages. This can be done for all languages available in the product (English, French, German, Swedish). The custom text field supports HTML, including HTML links, which can be useful if you are providing password reset related information on your company website.

  1. Select the language of the text you want to edit.
  2. Select the text you want to modify from the Text element column.
  3. Click Customize.
  4. In the Custom text field, enter the new text that should replace the original text.
    NOTE
    It is important to read the information which describes where the change will take place.
  5. Click Save.

Configure notifications

Notifications can be used to send messages to end users, administrators or other external systems. Notifications are based on system events in Specops uReset.

  1. From the Settings tab, click Notifications.
  2. Click New.
  3. Select an event from the Event menu. The following events are currently available:
    • Password Reset by User: This event triggers every time a user resets their password through Specops uReset.
    • Account unlocked: This event triggers when a user unlocks their account with Specops uReset.
    • Account unlocked and Password Reset: This event triggers when a user unlocks their account and resets their password.
    • Enrollment reminder: This event triggers during the daily enrollment status check if the system discovers a user who has not yet enrolled.
    • User logged in: This event triggers every time a user logs in to the Specops uReset application.
    • User received a Manager Identification request: This event triggers when a user requires authentication when logging in.
    • Helpdesk reset password: This event triggers when the Specops uReset helpdesk tool is used to reset the password of a user.
    • Helpdesk unlocked account: This event triggers when the Specops uReset helpdesk tool is used to unlock the account of a user.
    • Helpdesk unlocked account and reset password: This event triggers when the Specops uReset helpdesk tool is used to unlock and reset the password of a user.
  4. Select an action from the Action menu. The action you select controls the type of message and the recipient of the message.
  5. Click Next.
  6. Configure the required settings. Use the Placeholders by clicking them to select the information that will be different for each user. For more information about configuring the settings for a notification, see Configuring Notification Settings.
  7. Click Save.

View policies

From the Policies tab you can view a list of your policies, including the default policy, as well as enrollment / reset requirements, and a list of the identity services (including assigned star value) configured for each policy.

You can manage the Specops uReset default policy and your GPO’s locally using the Group Policy snap-in, or the uReset Administration Tool. The Specops uReset Server queries Active Directory to determine which settings to use for each visiting user.

Reporting

The Reporting tab allows you to track your enrollment process, event activity (password resets, accounts unlocked, and text messages), and identity services used during login.

Enrollment

Enrollment reports show an overview of the enrollment status for the configured GPOs in your environment. This page can be used to determine whether a specific policy is being adopted, or whether it is causing users to be locked out of the system.

Events

Events reports show an overview of the system usage such as:

  • User resets: The number of times a password was reset by a user using Specops uReset.
  • Account unlocked: The number of times a user remembers their password and is able to unlock their account with Specops uReset.
  • Account unlocked and password reset: The user does not remember their password, and uses Specops uReset to unlock their account, and reset their password.
  • Text message sent: The number of mobile verification codes sent using Specops uReset.
Identity Service

Identity Service reports show the number of times, and the percentage of an identity service being used to log in to the system.

Reporting – All users

The all users report shows various user related information including Policy Name, Enrollment status, Enrollment Time, and whether the user is locked out of their account. You can filter the report, or export the report data to a CSV format for further processing. The Export to CSV button will export enrollment information for all users.

Configuring Specops Authentication Client from the Administrative Template


The Client can be configured using the administrative template in the Group Policy Management Console.

  1. Open the GPMC and navigate to the GPO you want to edit.
  2. Right click on the GPO and select Edit…
  3. In the Group Policy Management Editor dialog box, expand Computer Configuration, Policies, Administrative Templates, and click Specops uReset Client.
  4. Double-click the settings you want to configure.
    NOTE
    If you are an existing Specops Password Reset customer and testing Specops uReset, Prefer SPR over uReset must be enabled in the General uReset client settings.
  5. Make the desired changes, and click OK.

If you configure the settings, it is recommended to create a Central Store for Group Policy Administrative Templates and add the Specops Password Reset Administrative template.

Create a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops uReset Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions

The ADML should be copied to:

\\<domainfqdn>\sysvol\<domainfqdn>\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841