Administration

This guide is intended for administrators who are responsible for managing user accounts in their Microsoft Active Directory environment. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Sync.

Key components


Specops Password Sync Administration Tool: Configures system settings such as Sync Scopes, Sync Servers, and Sync Points.

Group Policy snap-in: Manages Specops Password Sync settings.

Specops Password Sync Administration Tool


The Specops Password Sync Administration Tool can be used to create and configure:

  • Sync Scopes
  • Sync Servers
  • Sync Points
  • Policies
  • Settings

Sync Scopes

Sync Scopes are used to create a basic administration unit for password synchronization. The scope is tied to a level in your Active Directory structure and enables the use of Specops Password Sync on the user objects beneath the selected level.

Sync Scopes can also be used to control administrative access in the product. By assigning specific security groups as “Delegated Security Groups” for the Scope, it is possible to restrict which users are able to edit the settings in the Sync Scope. Built-in security groups such as “Domain Administrators” automatically have permission to edit all Sync Scopes.

Create a Sync Scope

In large environments, where user administration takes place in more than one location, you should create several sync scopes.

  1. From the Specops Password Sync Administration Tool, select Sync Scopes, and click Add New.
  2. Enter a name for the Sync Scope.
  3. Click Add… to select the User Scope of Management.
  4. Select the User Scope of Management, and click OK.
  5. To control administrative access in the product, click Add… next to Delegated Security Groups to grant security groups permission to configure sync points within the scope.
    • Enter the name of the security group.
    • Click OK.
      NOTE
      • Built-in security groups such as “Domain Administrators” automatically have permission to edit all Sync Scopes.
      • When using the security delegation option on the Sync Scope, the permissions on the Sync Scope container in Active Directory are updated at the path “CN=<SPS Scope Name>,CN=SyncScopes,CN=Password Sync,CN=Specops,CN=System” under the domain root. Anyone granted write access to that container can change which Sync Points and Sync Servers the scope uses, so review its ACL as you would any other delegation in the directory.
  6. If you want to use custom SMTP settings for the Sync Scope, enable Override Global Email Settings.
    NOTE
    If this box is left unchecked, the global SMTP configuration from the Settings page will be used for this scope.
  7. In the SMTP Server Name field, enter the SMTP Server Name.
  8. In the Port Number field, enter or browse to the port on the SMTP server.
    NOTE
    If this field is left blank, the standard SMTP Port will be used.
  9. Optionally, you can configure more advanced settings:
    • Enable Transport Layer Security (TLS)
    • Use custom SMTP credentials
      NOTE
      If you are using custom SMTP credentials you will need to enter the SMTP Username and SMTP Password. Enable TLS in that case; without it, the credentials are sent to the SMTP server in clear text.
  10. In the Email address to send from field, enter the email address from which the system should send emails.
  11. Click OK.
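To see what the delegation in step 5 actually wrote to the directory, the following PowerShell function reads the DACL of the Sync Scope container at the path given in the note above and lists the explicit Allow entries. This is an added example, not part of the Specops documentation or product. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the container, and that a scope named 'Stockholm Users' exists (a constructed name; scope names containing commas would need DN escaping, which this example does not handle).

```powershell
# Added example, not Specops product code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-SyncScopeDelegation {
    <#
      Lists the Allow entries on a Sync Scope container. Delegation adds explicit
      (non-inherited) entries here; any identity you did not delegate deserves a look.
    #>
    param(
        [Parameter(Mandatory)] [string] $ScopeName,
        [switch] $IncludeInherited
    )

    $domainDn = (Get-ADRootDSE).defaultNamingContext
    # Container path from the documentation note, rooted at the domain naming context
    $scopeDn = "CN=$ScopeName,CN=SyncScopes,CN=Password Sync,CN=Specops,CN=System,$domainDn"

    # The AD: drive exposes the object's security descriptor to Get-Acl
    $acl = Get-Acl -Path "AD:\$scopeDn"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($IncludeInherited -or -not $_.IsInherited)
        } |
        Select-Object @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } } |
        Sort-Object Identity
}

# Usage: 'Stockholm Users' is a constructed scope name; replace it with one of your scopes
Get-SyncScopeDelegation -ScopeName 'Stockholm Users' | Format-Table -AutoSize
```

Run it without -IncludeInherited first: the entries you expect are the delegated security groups you added, plus whatever the product grants to administrators. Add -IncludeInherited to see rights that flow down from CN=System and the domain root, which is where built-in administrative groups get their access.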

Editing Sync Scopes

  1. From the Specops Password Sync Administration Tool, select Sync Scopes, and select the Sync Scope you want to edit.
  2. Click Edit.
  3. Make the necessary changes, and click OK.

Deleting Sync Scopes

  1. From the Specops Password Sync Administration Tool, select Sync Scopes, and select the Sync Scope you want to delete.
  2. Click Delete.
  3. In the Delete Sync Scope dialog box, click OK.

Set Current Sync Scope

The Administration Tool works with the Current Sync Scope.

  1. From the Specops Password Sync Administration Tool, select Sync Scope.
  2. Select the Sync Scope you want to configure as the Current Sync Scope, and click Set Current.

Sync Servers

The Sync Server synchronizes new passwords to connected systems. Depending on the number of users in your environment, and the frequency with which they change their passwords, you may require more than one Sync Server. In the event that the primary Sync Server cannot be reached, the secondary server will be used.

If a Sync Server is permanently taken out of service, it should be removed from the Sync Points and Sync Scopes.

Add Sync Server

  1. From the Specops Password Sync Administration Tool, select Sync Servers, and click Add Sync Server.
  2. You will be presented with a list of currently available Sync Servers in your Active Directory. Select the Sync Server you want to add.
  3. Click OK.

Remove Sync Server

  1. From the Specops Password Sync Administration Tool, select the Sync Server you want to remove.
  2. Click Remove.
  3. In the Remove Sync Servers dialog box, click Yes.

Sync Points

The Sync Points control the settings that are used when a password is synchronized with another system.

You will require one Sync Point for each system you want to synchronize with. You can configure several Sync Points to synchronize with the same external system if your organization requires different synchronization settings for different types of users.

The Sync Point also specifies which Sync Server(s) to use for synchronization, allowing you to create separate Sync Points with different server settings for different parts of your organization.

Add Sync Points

  1. From the Specops Password Sync Administration tool, select Sync Points, and click Add New.
  2. In the Sync Point Name field, enter the name of the Sync point.
  3. You will need to select and configure a Primary Sync Server. Select the browse button next to Primary Sync Server, and select a Sync Server from the list of available Sync Servers.
    • Select a Sync Server.
    • Click OK.
  4. You will have the option to select and configure a Secondary Sync Server. Select the browse button next to Secondary Sync Server to select a Sync Server from the list of available Sync Servers.
    • Select a Sync Server.
    • Click OK.
  5. In the Maximum number of retries field, specify the number of times the password change should be attempted.
    NOTE
    When the Sync Server receives a new job, it will attempt to contact the remote system according to the settings in the sync provider. If this is unsuccessful, the server moves the job to a retry queue from which the job will be attempted at a later point.
  6. In the Seconds between retries field, enter the time to wait between retries if the communication with the external system fails.
  7. If the username in the external system is not identical with the Windows account name, you will need to use name mapping to translate the account name from your Active Directory to the username format in the remote system. Click the button next to Name mapping settings. For more information about using the Name Mapping attributes, see Name Mapping.
  8. Click Select and Configure Provider to select a provider for the Sync Point. The provider is the component that will be used when communicating with the external system when changing a user’s password. You will need to configure your selected provider with the necessary settings to connect to the remote system and synchronize passwords. The configurable settings will vary between each Sync provider. For more information about the configurable settings, see Sync Provider Configuration Reference.
    • From the Provider drop-down list, select a provider for the sync point.
    • Configure the required settings, and click OK.
  9. Email templates can be configured to send emails to users on certain system events. From the Event drop-down list, select an event you want to configure an email template for. For more information, see Available Events.
    • Click Add New.
    • In the Body text field, customize the information that will be sent to the user. You can use the available placeholders to insert information from the system in the email. The available placeholders are:

    Placeholder              Description
    %providerName%           The name of the provider used by the Sync Point.
    %providerConfiguration%  A list of all the configuration properties for the provider.
    %syncPointName%          The name of the Sync Point.
    %userName%               The Windows user account name of the user whose password is being changed.
    %userEmail%              The email address of the user whose password is being changed. This is loaded from the user account in Active Directory.
    %externalUserName%       If name mapping is used, this contains the translated user name that is used in the external system. If no name mapping is in place, this will be the same as the %userName% placeholder.
    %errorMessage%           Information about the error that occurred.
    %errorType%              The type of error that occurred.
      NOTE
      %providerConfiguration% and %errorMessage% can expose connection details for the external system. Use them only in templates whose recipients should see that information, and enable TLS for the SMTP connection so the message is not readable in transit.
  10. If you have configured all necessary settings, click OK.

Edit Sync Points

  1. From the Specops Password Sync Administration tool, select Sync Points, and select the Sync Point you want to edit.
  2. Click Edit.
  3. Make the necessary changes, and click OK.

Delete Sync Points

  1. From the Specops Password Sync Administration tool, select Sync Points, and select the Sync point you want to delete.
  2. Click Delete.
  3. In the Delete Sync Points dialog box, click Yes.

Policies

From the Policies section you can view and edit Group Policy Objects with Specops Password Sync Settings in your domain. More information about editing the policy can be found in the Group Policy snap-in section of this documentation.

Edit Group Policy Object

  1. From the Specops Password Sync Administration tool, select Policies, and select the GPO you want to Edit.
  2. Click Edit.
    NOTE
    You can only edit policies that have Specops Password Sync enabled.
  3. Make the necessary changes, and close the Group Policy Editor.

Settings

The settings tab displays system wide configuration settings used by Specops Password Sync.

Edit email settings

You can configure default email settings used by the system to send email. You can override the system wide settings in each sync scope.

  1. From the Specops Password Sync Administration tool, select Settings, and click Edit Settings.
  2. In the SMTP Server Name field, enter the SMTP Server Name.
  3. In the Port Number field, enter or browse to the port on the SMTP server.
  4. Optionally, you can configure more advanced settings.
    • Enable Transport Layer Security (TLS)
    • Use custom SMTP credentials
      NOTE
      If you are using custom SMTP credentials you will need to enter the SMTP Username and SMTP Password. Enable TLS in that case; without it, the credentials are sent to the SMTP server in clear text.
  5. In the Email address to send from field, enter the email address from which the system should send emails.
  6. In the Display name of sender field, enter the display name for the sender.
  7. In the Administrative email recipient field, enter the administrative email that will receive emails from the system.
  8. Click OK.
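Before enabling Transport Layer Security (TLS) for the server entered in steps 2 and 3, it is worth confirming that the server actually offers STARTTLS on that port and presents a certificate that validates for its name; otherwise notification mail will fail at send time rather than at configuration time. The following PowerShell check is an added example, not part of the Specops documentation or product. It speaks plain SMTP (banner, EHLO, STARTTLS) and then performs the TLS handshake with .NET's default certificate validation. The server name 'smtp.example.internal' and the port are assumptions.

```powershell
# Added example, not Specops product code. Checks that an SMTP server offers STARTTLS
# and that a TLS handshake with default certificate validation succeeds.
function Read-SmtpReply {
    param([System.IO.StreamReader] $Reader)
    # SMTP multi-line replies use "250-" on continuation lines and "250 " on the last one
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by the SMTP server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 25,
        [string] $ClientName = $env:COMPUTERNAME
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner[0] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' ')" }

        $writer.WriteLine("EHLO $ClientName")
        $ehlo = Read-SmtpReply $reader
        $offersStartTls = [bool]($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS' })

        $result = [ordered]@{
            Server = $Server; Port = $Port; StartTls = $offersStartTls
            TlsProtocol = $null; CertificateSubject = $null; Error = $null
        }

        if ($offersStartTls) {
            $writer.WriteLine('STARTTLS')
            $ready = Read-SmtpReply $reader
            if ($ready[0] -match '^220') {
                # Default SslStream validation rejects untrusted chains and name mismatches,
                # which is exactly what should surface here rather than at send time
                $tls = [System.Net.Security.SslStream]::new($stream, $false)
                try {
                    $tls.AuthenticateAsClient($Server)
                    $result.TlsProtocol        = $tls.SslProtocol.ToString()
                    $result.CertificateSubject = $tls.RemoteCertificate.Subject
                } catch {
                    $result.Error = $_.Exception.Message
                } finally {
                    $tls.Dispose()
                }
            }
        }
        [pscustomobject]$result
    }
    finally {
        $client.Dispose()
    }
}

# Usage: server name and port are assumptions; use the values from the Settings page
Test-SmtpStartTls -Server 'smtp.example.internal' -Port 25
```

A result with StartTls false means the TLS option cannot work on that port; a non-empty Error means the server's certificate chain or name does not validate on the machine running the check, which is what the Sync Server will also see. The check sends EHLO in clear text first, so it does not apply to ports that expect TLS from the first byte (implicit TLS).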

Import License

The License information tab displays license data including a timestamp from the daily license count. To import a new license key:

  1. From the Specops Password Sync Administration tool, select Settings, and click Import License.
  2. Browse to the location of the TXT file, and click Open.

Group Policy Snap-In


The Group Policy snap-in, installed with the Administration Tools, allows you to create and manage Specops Password Sync settings in group policy objects. These settings are stored as a part of the GPO. Managing Specops Password Sync settings in Group Policy allows you to control how and where the policies are applied.

Creating a Specops Password Sync GPO

  1. In the GPMC, expand your domain node and locate the Group Policy Objects node.
  2. Right-click on the Group Policy Objects node, and select New.
  3. Enter a name for the Group Policy Object, and click OK.
  4. Right-click on the new GPO node, and select Edit.
  5. In the Group Policy Management Editor, expand User Configuration, Policies, Windows Settings, and select Specops Password Sync.
  6. Edit the policy and link it to the OU that contains the users.
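Steps 1 to 4 and the link in step 6 can also be done from PowerShell with the GroupPolicy module; the Specops Password Sync settings themselves (step 5) are still set in the Group Policy snap-in. The following function is an added example, not part of the Specops documentation or product. It assumes the GroupPolicy module (RSAT) is installed and uses a constructed GPO name and OU distinguished name.

```powershell
# Added example, not Specops product code. Creates the GPO that will carry the Specops
# Password Sync settings and links it to the OU containing the users. Requires the
# GroupPolicy module (RSAT); the Specops settings are then edited in the snap-in.
Import-Module GroupPolicy

function New-PasswordSyncGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $TargetOu,   # distinguished name of the OU
        [string] $Comment = 'Specops Password Sync settings (User Configuration)'
    )
    # Idempotent: reuse an existing GPO of the same name rather than creating a duplicate
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment $Comment
    }

    # Specops settings live under User Configuration; disabling the computer half
    # keeps the policy small and makes its intent obvious in GPMC
    $gpo.GpoStatus = 'ComputerSettingsDisabled'

    # Link only if this GPO is not already linked to the target OU
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $linked) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Usage: name and OU are constructed values for this example
New-PasswordSyncGpo -Name 'Specops Password Sync - Stockholm' `
                    -TargetOu 'OU=Stockholm Users,DC=corp,DC=example,DC=com'
```

After the function returns, open the GPO in GPMC (right-click, Edit) and select the Sync Points under User Configuration, Policies, Windows Settings, Specops Password Sync. Link the GPO only to OUs inside the Sync Scope the chosen Sync Points belong to; as the note under Policy settings explains, users outside that scope will not be synchronized.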

Policy settings

The GPO settings allow you to enable or disable which Sync Points the users affected by the GPO should use. Sync points are enabled by selecting them from the list of available Sync Points.

NOTE
The GPO editor lists all Sync Points configured for the domain regardless of which Sync Scope they were created in. If your organization uses more than one Sync Scope, you should implement a naming convention for Sync Points to ensure that the correct Sync Points are used in the GPOs. Specops Password Sync will not synchronize passwords for users outside of the Sync Scope the Sync Point is created in.