The Specops Password Sync Administration Tool can be used to create and configure:
- Sync Scopes
- Sync Servers
- Sync Points
- Policies
- Settings
Sync Scopes
Sync Scopes are used to create a basic administration unit for password synchronization. The scope is tied to a level in your Active Directory structure and enables the use of Specops Password Sync on the user objects beneath the selected level.
Sync Scopes can also be used to control administrative access in the product. By assigning specific security groups as “Delegated Security Groups” for the Scope, it is possible to restrict which users are able to edit the settings in the Sync Scope. Built-in security groups such as “Domain Administrators” automatically have permission to edit all Sync Scopes.
Create a Sync Scope
In large environments, where user administration takes place in more than one location, you should create several sync scopes.
- From the Specops Password Sync Administration Tool, select Sync Scopes, and click Add New.
- Enter a name for the Sync Scope.
- Click Add… to select the User Scope of Management.
- Select the User Scope of Management, and click OK.
- To control administrative access in the product, click Add… next to Delegated Security Groups to grant security groups permission to configure sync points within the scope.
- Enter the name of the security group.
- Click OK.
  NOTE
  - Built-in security groups such as “Domain Administrators” automatically have permission to edit all Sync Scopes.
  - When using the security delegation option on the Sync Scope, the permissions on the Sync Scope container in Active Directory are updated at the path “CN=<SPS Scope Name>,CN=SyncScopes,CN=Password Sync,CN=Specops,CN=System” under the domain root.
- If you want to use custom SMTP settings for the Sync Scope, enable Override Global Email Settings.
  NOTE
  If this box is left unchecked, the global SMTP configuration from the Settings page will be used for this scope.
- In the SMTP Server Name field, enter the SMTP Server Name.
- In the Port Number field, enter or browse to the port on the SMTP server.
  NOTE
  If this field is left blank, the standard SMTP Port will be used.
- Optionally, you can configure more advanced settings:
  - Enable Transport Layer Security (TLS)
  - Use custom SMTP credentials
  NOTE
  If you are using custom SMTP credentials you will need to enter the SMTP Username and SMTP Password.
- In the Email address to send from field, enter the email address from which the system should send emails.
- Click OK.
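
The delegation note in the procedure above gives the Active Directory path of each Sync Scope container. The following PowerShell is an added example, not part of the Specops documentation or tooling: it lists the explicit allow entries with write-type rights on every Sync Scope container so delegated access can be reviewed. It assumes the ActiveDirectory (RSAT) module is installed and that delegated groups appear as explicit ACEs on the container; the set of rights it filters on is also an assumption.

```powershell
# Added example: review who can modify each Sync Scope container.
# Assumes the ActiveDirectory module (RSAT) and read access to CN=System.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
# Parent of the per-scope containers, taken from the path in the note above.
$scopesRoot = "CN=SyncScopes,CN=Password Sync,CN=Specops,CN=System,$domainDn"

# Rights that allow changing a scope, its children or its ACL (assumed set).
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

$report = foreach ($scope in Get-ADObject -SearchBase $scopesRoot -SearchScope OneLevel -Filter *) {
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$($scope.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Skip inherited and deny entries; per-scope delegation is expected
        # to show up as explicit allow entries (assumption).
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        # Skip entries that grant none of the write-type rights.
        if (([int]$ace.ActiveDirectoryRights -band [int]$writeRights) -eq 0) { continue }
        [pscustomobject]@{
            SyncScope = $scope.Name
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
        }
    }
}

# One row per scope and trustee; compare against the intended delegation.
$report | Sort-Object SyncScope, Identity | Format-Table -AutoSize
```

Identities in the output that are neither a built-in administrative group nor an intended Delegated Security Group are the entries to follow up on.
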
Editing Sync Scopes
- From the Specops Password Sync Administration Tool, select Sync Scopes, and select the Sync Scope you want to edit.
- Click Edit.
- Make the necessary changes, and click OK.
Deleting Sync Scopes
- From the Specops Password Sync Administration Tool, select Sync Scopes, and select the Sync Scope you want to delete.
- Click Delete.
- In the Delete Sync Scope dialog box, click OK.
Set Current Sync Scope
The Administration Tool works with the Current Sync Scope.
- From the Specops Password Sync Administration Tool, select Sync Scope.
- Select the Sync Scope you want to configure as the Current Sync Scope, and click Set Current.
Sync Servers
The Sync Server synchronizes new passwords to connected systems. Depending on the number of users in your environment, and the frequency with which they change their passwords, you may require more than one Sync Server. In the event that the primary Sync Server cannot be reached, the secondary server will be used.
If a Sync Server is permanently taken out of service, it should be removed from the Sync Points and Sync Scopes.
Add Sync Server
- From the Specops Password Sync Administration Tool, select Sync Servers, and click Add Sync Server.
- You will be presented with a list of currently available Sync Servers in your Active Directory. Select the Sync Server you want to add.
- Click OK.
Remove Sync Server
- From the Specops Password Sync Administration Tool, select the Sync Server you want to remove.
- Click Remove.
- In the Remove Sync Servers dialog box, click Yes.
Sync Points
The Sync Points control the settings that are used when a password is synchronized with another system.
You will require one Sync Point for each system you want to synchronize with. You can configure several Sync Points to synchronize with the same external system if your organization requires different synchronization settings for different types of users.
The Sync Point also specifies which Sync Server(s) to use for synchronization, allowing you to create separate Sync Points with different server settings for different parts of your organization.
Add Sync Points
- From the Specops Password Sync Administration tool, select Sync Points, and click Add New.
- In the Sync Point Name field, enter the name of the Sync Point.
- You will need to select and configure a Primary Sync Server. Select the browse button next to Primary Sync Server, and select a Sync Server from a list of available Sync Servers.
- Select a Sync Server.
- Click OK.
- You will have the option to select and configure a Secondary Sync Server. Select the browse button next to Secondary Sync Server to select a Sync Server from a list of available Sync Servers.
- Select a Sync Server.
- Click OK.
- In the Maximum number of retries field, specify the number of times the password change should be attempted.
  NOTE
  When the Sync Server receives a new job, it will attempt to contact the remote system according to the settings in the sync provider. If this is unsuccessful, the server moves the job to a retry queue from which the job will be attempted at a later point.
- In the Seconds between retries field, enter the time to wait between retries if the communication with the external system fails.
- If the username in the external system is not identical to the Windows account name, you will need to use name mapping to translate the account name from your Active Directory to the username format in the remote system. Click the button next to Name mapping settings. For more information about using the Name Mapping attributes, see Name Mapping.
- Click Select and Configure Provider to select a provider for the Sync Point. The provider is the component that will be used when communicating with the external system when changing a user’s password. You will need to configure your selected provider with the necessary settings to connect to the remote system and synchronize passwords. The configurable settings will vary between each Sync provider. For more information about the configurable settings, see Sync Provider Configuration Reference.
- From the Provider drop-box, select a provider for the Sync Point.
- Configure the required settings, and click OK.
- Email templates can be configured to send emails to users on certain system events. From the Event drop-box, select an event you want to configure an email template for. For more information, see Available Events.
- Click Add New.
- In the Body text field, customize the information that will be sent to the user. You can use the available placeholders to insert information from the system in the email. The available placeholders are:

Placeholder | Description |
---|---|
%providerName% | The name of the provider used by the Sync Point. |
%providerConfiguration% | A list with all the configuration properties for the provider. |
%syncPointName% | The name of the Sync Point. |
%userName% | The Windows user account name of the user whose password is being changed. |
%userEmail% | The email address of the user whose password is being changed. This is loaded from the user account in Active Directory. |
%externalUserName% | If name mapping is used this contains the translated user name that is used in the external system. If no name mapping is in place this will be the same as the %userName% placeholder. |
%errorMessage% | Information about the error that occurred. |
%errorType% | The type of error that occurred. |

- If you have configured all necessary settings, click OK.
Edit Sync Points
- From the Specops Password Sync Administration tool, select Sync Points, and select the Sync Point you want to edit.
- Click Edit.
- Make the necessary changes, and click OK.
Delete Sync Points
- From the Specops Password Sync Administration tool, select Sync Points, and select the Sync Point you want to delete.
- Click Delete.
- In the Delete Sync Points dialog box, click Yes.
Policies
From the Policies section you can view and edit Group Policy Objects with Specops Password Sync Settings in your domain. More information about editing the policy can be found in the Group Policy snap-in section of this documentation.
Edit Group Policy Object
- From the Specops Password Sync Administration tool, select Policies, and select the GPO you want to edit.
- Click Edit.
  Note: You can only edit policies that have Specops Password Sync enabled.
- Make the necessary changes, and close the Group Policy Editor.
Settings
The Settings tab displays system-wide configuration settings used by Specops Password Sync.
Edit email settings
You can configure default email settings used by the system to send email. You can override the system-wide settings in each Sync Scope.
- From the Specops Password Sync Administration tool, select Settings, and click Edit Settings.
- In the SMTP Server Name field, enter the SMTP Server Name.
- In the Port Number field, enter or browse to the port on the SMTP server.
- Optionally, you can configure more advanced settings:
  - Enable Transport Layer Security (TLS)
  - Use custom SMTP credentials
  NOTE
  If you are using custom SMTP credentials you will need to enter the SMTP Username and SMTP Password.
- In the Email address to send from field, enter the email address from which the system should send emails.
- In the Display name of sender field, enter the display name for the sender.
- In the Administrative email recipient field, enter the administrative email that will receive emails from the system.
- Click OK.
Import License
The License information tab displays license data including a timestamp from the daily license count. To import a new license key:
- From the Specops Password Sync Administration tool, select Settings, and click Import License.
- Browse to the location of the TXT file, and click Open.