Create a Specops uReset GPO
Specops uReset settings will apply to all user accounts in locations where your GPO is linked, and override the default policy in the cloud.
Note: For more information about policy precedence, see GPO Processing.
- In the GPMC, expand your domain node.
- Right-click your domain and click Create a GPO in this domain, and Link it here.
- Enter a name for the Group Policy Object, and click OK.
Edit policy settings
- In the GPMC, right-click on your newly created GPO, and select Edit.
- Expand User Configuration, Policies, Windows Settings, and select the Specops uReset snap-in.
- Click Edit.
Configure Identity Services
Configure the following settings:
- Number of stars required for enrollment
- Number of stars required for authentication
- The number of stars required for authentication should be equal to or less than the number of stars required for enrollment.
- The stars represent the weight assigned to each identity service and can be configured to attain the desired security. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Select an identity service from the list of available identity services. You will need to assign a star value for each selected identity service. This allows you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator 2 stars would be equivalent to two identity services worth 1 star each. If the identity service does not contain any additional policy settings, it will be added to the policy. If the identity service contains additional policy settings that require configuration, see Policy settings for more information. For more information on Duo Security policy settings, click here.
- To require the user to use a specific identity service, expand Show Advanced in the bottom left corner, and select the Allow required checkbox. The Required button will appear next to each identity service.
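The star bar and the enrollment/authentication thresholds, modelled as an added example (not Specops code). It assumes a required identity service must be used in both phases, and shows why the manual insists that the authentication threshold must not exceed the enrollment threshold: a user who barely filled the bar at enrollment could otherwise never authenticate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdentityService:
    name: str
    stars: int             # weight assigned to the service in the GPO
    required: bool = False # "Required" button, shown after enabling Allow required

@dataclass(frozen=True)
class StarPolicy:
    enrollment_stars: int      # Number of stars required for enrollment
    authentication_stars: int  # Number of stars required for authentication
    services: tuple            # selected IdentityService entries

    def __post_init__(self) -> None:
        # Manual's rule: authentication stars <= enrollment stars. If it were
        # violated, an enrolled user might hold too few stars to ever log in.
        if self.authentication_stars > self.enrollment_stars:
            raise ValueError("authentication stars must not exceed enrollment stars")

def bar_filled(policy: StarPolicy, used: set, needed: int) -> bool:
    """True when the services in `used` fill the star bar to `needed` stars
    and every required service is among them (assumption: required applies
    to enrollment and authentication alike)."""
    by_name = {s.name: s for s in policy.services}
    if not used <= set(by_name):          # unknown service name
        return False
    if any(s.required and s.name not in used for s in policy.services):
        return False
    return sum(by_name[n].stars for n in used) >= needed

def can_enroll(policy: StarPolicy, used: set) -> bool:
    return bar_filled(policy, used, policy.enrollment_stars)

def can_authenticate(policy: StarPolicy, used: set) -> bool:
    return bar_filled(policy, used, policy.authentication_stars)

# Constructed policy: Authenticator weighs 2 stars, the two others 1 star each.
POLICY = StarPolicy(
    enrollment_stars=2,
    authentication_stars=2,
    services=(
        IdentityService("Specops Authenticator", 2),
        IdentityService("Mobile", 1),
        IdentityService("Questions", 1),
    ),
)
```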
The settings below affect the Specops Client, an optional component installed on workstations, which can notify users if they are required to enroll in the system. The type of reminders you want your users to receive, and how often they should receive them, can be configured as well.
User status check interval:
- How often the Specops Client checks the user’s enrollment status. A user that has not enrolled will receive a reminder.
- How often the user’s password is checked for expiration (only if Specops Password Policy is also used).
- You can configure the reminder to appear during user logon and at regular intervals during the day, or only during user logon, or only during a periodic interval. Alternatively, you can turn off the reminders.
In the enrollment reminder mode settings, select one of the following options:
- Balloon tip in the notification area: Clicking the reminder will take the user directly to the enrollment web page.
- Start browser: The reminder opens a browser window with the enrollment web page.
- Start unclosable fullscreen browser: The reminder opens a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.
Mobile: You can configure the following settings:
- Allow national numbers without country prefix for text messages.
- Hide part of the mobile number on the login page.
- If/when the user is allowed to enter their mobile phone number during enrollment.
- Note: The mobile code is valid for 5 minutes.
Questions: You can configure the following settings to control how users are required to use security questions:
- Import Questions
- Add Custom Question
- Edit Selected Question
- Remove Selected Questions
- Add Language
- Number of questions to answer
- Number of failed attempts before being locked out: You can configure the number of wrong answers a user can enter during the security question authentication before being locked out of the Security Questions identity service. The lockout is temporary, and its length is configured with the lockout duration slider.
- Lockout duration: You can configure the duration a user is locked out of the security questions identity service after 10 failed attempts. The lockout duration is a sliding window. Let’s assume that the number of failed attempts is set to 10 and the lockout duration to 8 hours. This means that if a user enters one wrong answer and returns six hours later to provide nine more wrong answers, the user will have had 10 failed attempts in a seven-hour timespan. The user will be locked out. However, after the initial hour the number of failed attempts will drop to 9, since the initial failed attempt occurred more than 8 hours ago and falls outside of the sliding window. The user will then be allowed to make one more attempt. Once all the failed attempts fall outside the sliding window, the user will have 10 new attempts.
- Manager Identification: You will need to select how the manager’s name should be displayed on the login page.
- Note: A Manager Identification request is valid for 60 minutes.
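The sliding-window lockout described under "Lockout duration" above, as an added example that is not Specops code. `walkthrough()` replays the manual's scenario (one wrong answer, nine more six hours later, a 10-attempt threshold and an 8-hour window); attempts made while locked out are refused and are assumed not to extend the window.

```python
from dataclasses import dataclass, field

HOUR = 3600  # seconds

@dataclass
class QuestionLockout:
    """Sliding-window lockout for the security questions identity service."""
    max_failures: int = 10            # Number of failed attempts before lockout
    duration: int = 8 * HOUR          # Lockout duration (window length) in seconds
    failures: list = field(default_factory=list)  # timestamps of wrong answers

    def _prune(self, now: float) -> None:
        # A failure that occurred more than `duration` ago leaves the window.
        self.failures = [t for t in self.failures if now - t <= self.duration]

    def failed_attempts(self, now: float) -> int:
        self._prune(now)
        return len(self.failures)

    def is_locked_out(self, now: float) -> bool:
        return self.failed_attempts(now) >= self.max_failures

    def record_wrong_answer(self, now: float) -> bool:
        """Register a wrong answer at `now`; returns True if the user is locked out.
        While locked out the answer is refused and not counted (assumption)."""
        if self.is_locked_out(now):
            return True
        self.failures.append(now)
        return self.is_locked_out(now)

def walkthrough() -> tuple:
    """Replay the manual's scenario; returns the observations at each step."""
    lock = QuestionLockout(max_failures=10, duration=8 * HOUR)
    lock.record_wrong_answer(0)                  # one wrong answer at t = 0
    for _ in range(9):
        lock.record_wrong_answer(6 * HOUR)       # nine more, six hours later
    locked_at_6h = lock.is_locked_out(6 * HOUR)  # 10 failures in window: locked
    count_after_8h = lock.failed_attempts(8 * HOUR + 1)   # first failure aged out
    locked_after_8h = lock.is_locked_out(8 * HOUR + 1)    # one attempt allowed again
    count_after_14h = lock.failed_attempts(14 * HOUR + 1) # all failures aged out
    return locked_at_6h, count_after_8h, locked_after_8h, count_after_14h
```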