POC Preparation

To prepare for your Specops Password Policy (and Breached Password Protection add-on) proof-of-concept, we recommend the following preparations in advance:

  1. A Domain Admin level account to perform the installation and to create/link GPOs.
    NOTE
    • If ADUC integration is required, you will need an Enterprise Admin level account. This (optional) feature adds entries to the Configuration container in AD.
    • This is not a schema change. Schema admin permissions are not required.
  2. Two test OUs: One for Test Machines and one for Test Users.
  3. Two test groups: for filtering the GPOs if required.
  4. Specops Arbiter server: Installation should be performed on a Windows Server 2016 machine (VM or Physical – 2xCPU, 4GB RAM, 60GB Disk).
    • This machine should have the Group Policy Management and AD management tools installed, be fully patched, and have internet access to download the software and connect to Specops Breached Password Protection in the cloud. .NET 4.7.2 should also be installed on this machine.
    • This server should be joined to the domain and be able to connect to the internet. Bypassing any proxy is preferable, but proxy support is available via registry edits.
    • The admin tools will also be installed on to this machine. It is advised that the admin tools eventually be installed onto all machines that are used to edit group policy.
      NOTE
      Multiple arbiters can be installed for resilience if required.
  5. During the installation process, we will push the Specops Sentinel (password filter) to all writable DCs in the domain. Full RPC port access is required from the Arbiter server to the DCs.
    • This process will NOT reboot the DCs, but they will need to be rebooted before the software becomes active.
    • The DCs should all have two or more CPUs/cores.
    • If the Breached Password Protection Express feature is to be used, make sure that you have 10GB of spare disk space on the SYSVOL volume of each DC.
      NOTE
      The Sentinels can be installed manually if the push method is not possible.
  6. A test workstation (preferably a VM so that the logon screen can be seen remotely) running your current build, joined to the domain and in your Test Machines OU. On this machine we will deploy the Specops Authentication Client.
  7. A test user configured as a real user with a valid email address and mobile number in the Test Users OU with a known password.
  8. A Group policy linked to the Test Users OU where we will configure the new password policy.
  9. A Group policy linked to the Test Machines OU where we will configure a policy to manage the Client settings.
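The following pre-flight script is an added example, not Specops' own tooling, that checks the measurable prerequisites from the list above (.NET 4.7.2 and sizing on the Arbiter, the two test OUs, and RPC reachability, CPU count and SYSVOL free space on every writable DC). It assumes it is run elevated on the intended Arbiter server with the RSAT AD tools installed, and the OU distinguished names are placeholders to adjust.

```powershell
# Added example (not Specops' own code): pre-flight checks for the POC prerequisites.
# Run elevated on the intended Arbiter server with the RSAT AD tools installed.
param(
    [string]$TestUsersOU    = 'OU=Test Users,DC=example,DC=com',    # assumed placeholder
    [string]$TestMachinesOU = 'OU=Test Machines,DC=example,DC=com', # assumed placeholder
    [int]$MinSysvolFreeGB   = 10   # item 5: only needed for Breached Password Protection Express
)
Import-Module ActiveDirectory

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $tag, $Name, $Detail)
}

# Item 4: .NET 4.7.2 or later on the Arbiter (registry Release value 461808 = 4.7.2).
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Write-Check '.NET 4.7.2+ on Arbiter' ($release -ge 461808) "Release=$release"

# Item 4: Arbiter sizing (2 CPU, 4 GB RAM); disk size is left for a manual check.
$cs    = Get-CimInstance Win32_ComputerSystem
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
Write-Check 'Arbiter >= 2 CPU and >= 4 GB RAM' ($cs.NumberOfLogicalProcessors -ge 2 -and $ramGB -ge 4) "CPU=$($cs.NumberOfLogicalProcessors) RAM=${ramGB}GB"

# Item 2: both test OUs exist (Get-ADOrganizationalUnit throws when the DN is not found).
foreach ($ou in @($TestUsersOU, $TestMachinesOU)) {
    $exists = $false
    try { $null = Get-ADOrganizationalUnit -Identity $ou; $exists = $true } catch { }
    Write-Check 'Test OU exists' $exists $ou
}

# Item 5: every writable DC reachable over RPC, with 2+ cores and enough free space on
# the SYSVOL volume. TCP 135 is only the endpoint mapper; the dynamic RPC port range
# must also be open from the Arbiter to the DCs for the Sentinel push to work.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
foreach ($dc in $dcs) {
    $h   = $dc.HostName
    $rpc = (Test-NetConnection -ComputerName $h -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Check "RPC endpoint mapper reachable on $h" $rpc 'TCP 135'
    try {
        $cores = (Get-CimInstance Win32_ComputerSystem -ComputerName $h).NumberOfLogicalProcessors
        Write-Check "2+ CPUs on $h" ($cores -ge 2) "CPU=$cores"
        $share  = Get-CimInstance Win32_Share -ComputerName $h -Filter "Name='SYSVOL'"
        $drive  = $share.Path.Substring(0, 2)          # e.g. "C:" from C:\Windows\SYSVOL\sysvol
        $disk   = Get-CimInstance Win32_LogicalDisk -ComputerName $h -Filter "DeviceID='$drive'"
        $freeGB = [math]::Round($disk.FreeSpace / 1GB)
        Write-Check "SYSVOL volume free space on $h" ($freeGB -ge $MinSysvolFreeGB) "$drive ${freeGB}GB free"
    } catch {
        Write-Check "Remote CIM query to $h" $false $_.Exception.Message
    }
}
```

A FAIL on the RPC or CIM lines usually points at a firewall between the Arbiter and the DC; a PASS on TCP 135 alone does not prove the dynamic RPC range is open.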