Technical documentation: SPECOPS PASSWORD POLICY

Transcription

1 Technical documentation: SPECOPS PASSWORD POLICY By Johan Eklund, Product Manager, April 2011

2 Table of Contents 1 Overview Group Based Policy Extended password requirements Components Getting Started System Requirements Installation Install using the Setup Assistant Install/Update the License Install Administration Tools Install Domain Controller Sentinel Specops Password Client Deploy Specops Password Client using GPSI Getting Started Setup Administrators Guide Best Practices Windows Settings Managing Password Policies Password Policy Settings Logging Sentinel Client PowerShell cmdlets Frequently Asked Questions Support and Troubleshooting... 28

3 1 Overview Specops Password Policy (for short SPP) is a password policy product built on the Group Policy engine in Active Directory. SPP works in conjunction with the existing password policy feature found in Active Directory. This page contains a brief overview of SPP and its different modules. 1.1 Group Based Policy SPP is a truly Group Policy based product, which means that it can be configured in any number of group policies in Active Directory. This has several advantages: There can be more than one password policy in Active Directory affecting different users. For example a strong password policy for administrators and a more forgiving for normal users. The password policy configuration can be delegated. In a large Active Directory environment administrators on different levels can configure the password policy without needing domain level permissions. The Group Policy targeting mechanisms such as security group filtering, enforcing and blocking which should be familiar to Active Directory administrators will affect the password polices. Configuring the password policies mimics the configuration of other security settings since most security settings are group policy based as well. Note! In the end only one password policy will apply to a specific user. Password policies are not merged Specops Software Inc. 1

4 1.2 Extended password requirements SPP adds many additional password requirements and features not found in the built-in password policy feature. Some of the additional requirements include: Disallowing words from a specified dictionary Disallowing incremental passwords, for example changing from password1 to password2 would be prohibited notification when the password is about to expire. This is an important feature for users who do not normally log in interactively. For example via Outlook Web Access. From such applications the password cannot be changed The notification can be used to inform the users ahead of time that they need to change the password Maximum length requirement on passwords. This feature is useful for environments where the same password is used to access for example main frame systems where the maximum length may be limited These are just a few of the features in SPP. There are more than 20 different settings to choose from when configuring a password policy. Here is a complete list of the password rules that can be configured in a password policy. 1.3 Components SPP consists of a few different components. Below is a brief description of the different parts Specops Software Inc. 2

5 Sentinel The Sentinel is the server part which must be installed on all domain controllers. The Sentinel is the component that validates new passwords against affecting password policy rules during password changes. GPMC Snap-in The GPMC (Group Policy Management Console) snap-in is added to the Group Policy Object Editor. This is where the password policy for a certain Group Policy is configured. This snap-in will appear in any Group Policy you open. Note that the snapin is in the user part of the Group Policy, the password policies are configured for the users affected by the Group Policy, not the computers. Domain Administration From the Domain Administration console domain wide settings are made. This is a windows application that can be started from the Start menu after the installation. Before using SPP a license must be added from the Domain Administration console. Some additional features of this console are, enabling/disabling SPP in the whole domain, managing password policy templates, and an overview of all configured password policies. Active Directory Users and Computers extension SPP adds an extension to the ADUC console. If you right-click a user object a new menu item called Specops Password Policy will appear. Clicking this item will display a window with information about which, if any, password policy affects the user. Client The client is a small program that will display a message to the end users when the try to change passwords and fail. It informs them about what password policy requirements they are affected by and what requirements their attempted password meets and does not meet. Scripting support SPP is fully scriptable. All administrative tasks can be done through the user interface or through.net programming or PowerShell scripting. SPP includes a custom PowerShell cmdlet Specops Software Inc. 3

6 2 Getting Started 2.1 System Requirements The following prerequisites need to be met to successfully install all Specops Password Policy components. Administrative tools Windows XP or higher Microsoft Management Console 3.0 Microsoft.NET Framework 2.0 Active Directory Users and Computers MMC Snap-in Sentinel Windows 2000 Server Service Pack 4 or higher Writable domain controllers (not RODC) Client Windows 2000 Service Pack 4 or higher Domain member Supported languages are: o Danish o German o Spanish o Dutch o Hungarian o Swedish o English o Italian o Turkish o Finnish o Norwegian o French o Portuguese If other languages are needed, please contact your reseller Specops Software Inc. 4

7 3 Installation Specops Password Policy can be installed in two different ways: using the Setup Assistant manually (installing MSI packages) 3.1 Install using the Setup Assistant The easiest way to install Specops Password Policy in the domain is to use the Setup Assistant. Execute SpecopsPasswordSetup.exe to start the Setup Assistant. The Setup Assistant automatically detects if the 32-bit or 64-bit setup package should be used during installation. Follow the instructions of the Setup Assistant and complete the steps below. 3.2 Install/Update the License On the Welcome page, in the Specops Password Policy panel, install/update the license by pressing the Update License link. Press the Start Installation link. Read through the Software License Agreement and press Accept to continue the installation. 3.3 Install Administration Tools The Administration tools installs the: Specops Password Policy Group Policy Object Editor (GPOE) snap-in Used to configure password policy settings in Group Policy Objects Domain Administration Allow you to manage configurations that apply to you entire domain such as license information, Sentinel installations, language files and policy templates Prerequisites The following prerequisites must be met: MMC 3.0 must be installed on the local computer Group Policy Management Console (GPMC) must be installed on the local computer Install ADUC Menu Extension Press the Add menu ext. button to install the ADUC Menu Extension. The ADUC Menu extension extends the menu displayed when right-clicking a user in the Active Directory Users and Computers MMC snap-in. Install Press the Install button and wait for the installation to finish Specops Software Inc. 5

8 3.4 Install Domain Controller Sentinel The Sentinel is responsible for enforcing the password policies you have created, when passwords are set or changed in the domain. The Sentinel should be installed on all domain controllers where password changes might happen. Prerequisites The following prerequisites must be met: Installing Sentinel requires Domain Admin permissions Configuration When installing Sentinel on domain controllers, the MSI packages will be accessed from a network share. Select one of the two methods. Create network share Press the Create share button to create a new network share to copy the MSI packages to Select Network share Press the Select share button to select an existing network share to copy the MSI packages to Install Select the domain controllers you wish to install the Sentinel on and then click the Install button. Wait for the installation to finish on selected domain controllers. Restart the selected domain controllers. 3.5 Specops Password Client Click the Install button to install the client locally. 3.6 Deploy Specops Password Client using GPSI Deploy the client to all computers that will be affected by password policies. To deploy the Specops Password client using GPSI (Group Policy Software Installation) follow the steps below. Prerequisites To deploy the application a Group Policy Object (GPO) must be used. This means that the user who is trying to deploy the application must have permissions to edit a GPO or create a new GPO. To create GPOs you must be a member of the Domain Admins security group or the Group Policy Creator Owners group. If there already exists a GPO that you have permission to update you can go ahead and use this, if you need to create a new GPO make sure you have the described permissions Specops Software Inc. 6

9 Configuration When installing Sentinel on domain controllers, the MSI packages will be accessed from a network share. Select one of the two methods. Select Group Policy Object Select the Group Policy Object that will be used to deploy the Specops Password Client to the client computers Create network share Press the Create share button to create a new network share to copy the MSI packages to Select Network share Press the Select share button to select an existing network share to copy the MSI packages to Deployment Click the Add Settings to deploy the Specops Password client using the selected Group Policy Object. All setups are available in 32 bit and 64 bit versions. The MSI files end in -x86 or -x64, select the ones matching your systems. Register Active Directory Users and Computers extension The Active Directory Users and Computers extension can be used to determine which password policy that affects a given user. To be able to use the Active Directory Users and Computers extension the Specops Active Directory Users and Computers menu extension must be registered once within the domain Specops Software Inc. 7

10 4 Getting Started This section will walk through what s needed to get started with Specops Password Policy (SPP). If this is the first time you are using SPP it is recommended to complete all the steps below to gain a general understanding about how the system works. 4.1 Setup The first thing to do is to install the product. Your first password policy When all the setup steps described above are completed, it s time to create your first password policy. To configure a password policy, start GPMC and edit the Group Policy object where you wish configure it. Note! The password policy will affect all users that the selected GPO applies to. The standard rules for GPO application apply. These are the exact steps to configure the password policy: Start the Group Policy Management Console from Administrative Tools on the start menu. Locate the Group Policy Object that you would like to configure the password policy in. Right-click the Group Policy Object and click Edit. From within the Group Policy Object Editor open User Configuration/Windows Settings/Specops Password Policy. Click the Create New Password Policy or Create New Password Policy from Template button. Configure some password policy settings in the window that opens and click OK to save it. Click here to get detailed information about all settings that can be configured within a password making sure the Group Policy Object is linked For a GPO to actually affect any users or computers, it must be linked somewhere in the Active Directory. If the GPO is not linked already, find the appropriate location in Active Directory to link the Group Policy to. This can be on the domain level or on an organizational unit (OU). You can also apply security filters to a GPO. For detailed information about how to use GPOs read this document from Microsoft. Verifying that the policy is applied Now, let s verify that the password policy is applied correctly. Start the Active Directory Users and Computers console and browse to a user that should be affected by the GPO you just edited, right-click the user and select Specops Password Policy. This will display a window with summary information about the password policy that affects the user Specops Software Inc. 8

11 Changing the password Now the first password policy has been created, let s see it in action. Logon to a computer where the Specops Password Policy client has been installed and the computer restarted. Logon as a user that is affected by the GPO you selected. Try to change the password and verify that the requirements you selected are enforced, and that you get a correct message Specops Software Inc. 9

12 5 Administrators Guide 5.1 Best Practices Group Policy Objects Disable unused parts of a Group Policy object Under User Configuration or Computer Configuration in the console tree of the Group Policy snap-in, if a Group Policy object contains only settings that are set to Not Configured; you can avoid processing these settings by disabling User Configuration or Computer Configuration. This expedites the startup and logon processes for those users and computers that are subject to the Group Policy object. Use the Block Policy inheritance and No Override features sparingly Routine use of these features makes it difficult to troubleshoot policy. Use common-sense naming conventions It is not advisable, for example, to use the same name for two different Group Policy objects. Using the same name for two different Group Policy objects does not cause Group Policy to function incorrectly, but it might be confusing. Filter policy based on security group membership Users who do not have an access control entry (ACE) directing that a particular Group Policy object be applied to them can avoid the associated logon delay, because the Group Policy object is not processed for those users. Avoid cross-domain Group Policy object assignments The processing of Group Policy objects slows the startup and logon processes if Group Policy is obtained from another domain. Group Policy Diagnostic Best Practice Analyzer (GPDBPA) The Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) for Windows XP and Windows Server 2003 is designed to help you identify Group Policy configuration errors or other dependency failures that may prevent settings or features from functioning as expected. GPDBPA can be downloaded from Windows Settings To get Specops Password Policy to function properly in a domain, some built-in password related settings in the domain must be configured as described below. Default Domain Password Policy The built-in password policy for an Active Directory domain is configured through group policy objects linked to the root of the 2011 Specops Software Inc. 10

13 domain. When a new Active Directory domain is setup the Default Domain Policy GPO contains the default settings for the built-in password policy. The following settings can be configured by the built-in password policy: Every password change request is always validated by the built-in password policy. If a password complies with all requirements the password is considered as valid, otherwise the password change is rejected. When Specops Password Policy is installed in a Windows 2000/2003 domain every password change must also be accepted by Specops Password Policy. Therefore a password change is not considered as valid before the password has been accepted by both the Windows Password Policy and the Specops Password Policy. Important! To get Specops Password Policy to function properly, the built-in password policy must be configured with the least restrictive requirements. When editing the settings in the built-in password policy, you must take into consideration the time required to replicate the new settings to all other domain controllers (the replication latency). Important! Remember that the settings configured using the Default Domain Password Policy will also become the default password policy for all local user accounts on any server and workstation in the domain. To secure local accounts on servers and workstations in the domain, you can define a separate Windows Password Policy for organizational units containing servers and workstations. Password expiration warning Users that logs on to Windows 2000 /XP will be prompted to change their password 14 days before expiration. The number of days before users get prompted can be configured using a Group Policy Object. The setting used is Interactive logon: Prompt user to change password before expiration and can be found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\. To avoid getting duplicate password expiration messages on the clients the following must be taken in consideration when configuring the above setting in conjunction with the maximum password age configured in the Windows Password Policy: ( [Default Domain Password Policy: Maximum password age] - [Interactive logon: Prompt user to change password before expiration] ) > [Specops Password Policy: Highest configured Maximum password age] 5.3 Managing Password Policies Specops Password Policy is built on the Group Policy infrastructure which means that Group Policy Management Console (GPMC) is the primary tool used to create, configure and assign password policies within Specops Password Policy. Password policies can be created and configured through any Group Policy Object (GPO) in the domain Specops Software Inc. 11

14 Create a new password policy Note! To complete the following procedures, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group. To create a new password policy, you must first create a new GPO that will contain the password policy settings. The recommendation is to create new dedicated GPOs (instead of using existing GPOs) with describable names, to make it easier to locate GPOs containing password policies. To create a new GPO: In the GPMC console tree, browse to the Group Policy Objects node in the forest and domain in which you want to create a new password policy Right-click the Group Policy Objects node and select New In the New GPO dialog box, specify a name for the new password policy, and then click OK Right-click the newly created GPO and select Edit Browse to User Configuration\Windows Settings\Specops Password Policy or to User Configuration\Policies\Windows Settings\Specops Password Policy if using RSAT Click the Create New Password Policy or the Create New Password Policy From Template button Create a password policy A password policy can be created from a template that contains predefined settings. The settings are copied from the template to the new password policy. Note! When you create a GPO containing a password policy, it will not have an effect until it is linked to a domain or organizational unit (OU). Edit an existing password policy Note! To complete the following procedures, you must have edit permissions for the GPO that you want to edit. In the GPMC console tree, browse to the Group Policy Objects node in the forest and domain in which you want to edit an existing password policy Right-click an existing GPO and select Edit Browse to User Configuration\Windows Settings\Specops Password Policy or to User Configuration\Policies\Windows Settings\Specops Password Policy if using RSAT Click the Configure Password Policy button 2011 Specops Software Inc. 12

15 Assign a password policy Note! To link an existing GPO to a domain or organization unit, you must have Link GPOs permission on that domain or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege. For a GPO containing a password policy to actually affect any users, it must be linked to the domain or to an organizational unit somewhere in the Active Directory. To assign a password policy to the domain or an organizational unit To assign a GPO containing password policy settings to an organizational unit: In the GPMC console tree (the right pane), expand Domains Right-click the domain or the organizational unit that you want to assign a password policy to Click Link an Existing GPO In the Select GPO dialog, select the GPO containing password policy settings that you want to assign To assign a password policy to a group or user GPO security filtering is a way of refining which users and computers will receive and apply the settings in a GPO. Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. In order for the GPO to apply to a given user, that user must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly, or effectively though group membership. By default, all GPOs have Read and AGP both Allowed for the Authenticated Users group. To assign a GPO containing password policy settings to a group: First assign the GPO to an organizational unit In the GPMC console tree (the right pane), expand Group Policy Objects Select the GPO you wish to assign In the results pane, select the Scope tab Click Add in the Security Filtering part In the Enter the object name to select box, type the name of the group or user that you want to add to assign the password policy Remove Authenticated Users from the Security filtering list Managing inheritance of Group Policy You can add one or more GPO links to each domain and organizational unit in Group Policy Management Console. The password policy settings deployed by GPOs linked to higher containers (parent container) in Active 2011 Specops Software Inc. 13

16 Directory are inherited by default to child containers. GPO processing is based on a last writer wins model, and GPOs that are processed later have precedence over GPOs that are processed sooner. Group Policy objects containing password policies are processed according to the following order: GPOs linked to the domain GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units. You can further control precedence and how GPO links are applied by doing the following: Changing the link order within a domain or organizational unit. The link with the higher order (with 1 being the highest order) has the higher precedence Blocking Group Policy inheritance. Using block inheritance prevents GPOs linked to higher containers from being automatically inherited by child-level containers Enforcing a GPO link. An enforced GPO link takes precedence over the settings of any child object Disabling a GPO link. A disabled GPO link is not processed at all Disabling user settings. If user settings are disabled for a GPO, the password policy settings configured within the GPO is not processed Delete a password policy There are several ways to remove a password policy. Some of the methods are described below. Delete the GPO link Note! To remove a link, you must have Link GPOs permission on that domain or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege. To delete the GPO link: In the GPMC console tree (the right pane), expand Domains Browse to the domain or organizational unit where the GPO is linked Right-click the GPO and click Delete The GPO link is deleted, which means that the GPO doesn t affect any users. But the password policy settings within the GPO still exist. Remove password policy settings from a GPO Note! This remove the password policy from a GPO, you must have Edit Settings permissions for the GPO. To remove password policy settings from a GPO: In the GPMC console tree (the right pane), expand Group Policy Objects 2011 Specops Software Inc. 14

17 Select the GPO you wish to remove password policy settings from Browse to User Configuration\Windows Settings\Specops Password Policy Click the Remove Password Policy Configuration button This method doesn t delete the GPO itself, it just remove the password policy configuration from the GPO. Delete the GPO Note! To delete a GPO, you must have Edit Settings, Delete, Modify Security permissions for the GPO. To delete a GPO: In the GPMC console tree (the right pane), expand Group Policy Objects Select the GPO you wish to delete Right-click and select Delete This method deletes the GPO itself. 5.4 Password Policy Settings This is a list of all the settings that can be configured within a password policy. Password Length Requirements Rule Description Minimum This rule determines the minimum length required for the password. password length If this rule is disabled the number of required characters from the selected character groups will determine the minimum length. If neither this rule nor any character group requirements are configured blank passwords will be allowed. Maximum The maximum length allowed for the password. The maximum password length must be larger password length than or equal to the minimum password length. Maximum password length can be useful when the same password is used for other systems such as older main frames where the password length may be limited Specops Software Inc. 15

18 Character Group Requirements Rule Description Required alpha characters The minimum number of alpha characters (A-Z, a-z etc) that are required in the password. This rule overrides the settings for upper or lower case character requirements. This rule can disable to specify requirements for upper or lower case characters independently. Required upper The minimum number of upper case characters (A-Z etc) that are required in the password. This case characters rule is overridden by the Number of required alpha characters rule. Required lower The minimum number of lower case characters (a-z etc) that are required in the password. case characters This rule is overridden by the Number of required alpha characters rule. Disabling this rule means that there are no requirements for lower case characters. Required non alpha characters The minimum number of non-alpha characters (digits, special or Unicode) that are required in the password. This rule can be used instead of the more specific rules for digit, special and Unicode character requirements. Required digits The minimum number of digits (0 9) that are required in the password. This rule is overridden by the Number of required non alpha characters rule. If this rule is not enabling there are no requirements for digits. Required special characters Required Unicode characters The minimum number of special characters (for example!? _ #) that is required in the password. The minimum number of unicode characters that are required in the password. Unicode characters are those characters that do not fit into the ASCII table. For example symbols from the Hebrew alphabet. Before enabling this rule makes sure the users that are affected by the policy has the ability to enter unicode characters from their keyboard at logon Specops Software Inc. 16

19 Regular Expression Rule Use Regular Expression Description Enables the use of regular expression when validating passwords. Press the Edit button to configure the regular expression settings. Regular Expression Settings: Rule Regular expression Client message Description The regular expression to be used when validating passwords. Make sure that you don t create a regular expression that conflicts with other rules used in this policy. The message that will be included in the password policy message displayed to end users when they change passwords. Make sure that the message explains what is required for the password to be validated by the regular expression. Password Content Restrictions Rule Description Disallow full user Prohibits the use of the user s account names in the password. Only names that are longer than name in password two characters will be checked. The following Active Directory account properties are checked: - Account name (samaccountname) - First name (givenname) - Last name (sn) - Display name (displayname) Disallow part of user name in password Disallow digit as first character in password Prohibits the use of any 3 character part of the user s account names in the password. The following Active Directory account properties are checked: - Account name (samaccountname) - First name (givenname) - Last name (sn) - Display name (displayname) Prevent the users from having a digit as the first character in the password. This rule slightly increases the complexity of the password and thus the time it takes for a brute force attack can break the password Specops Software Inc. 17

20 Disallow digit as last character in password Disallow consecutive identical characters Prevent the users from having a digit as the last character in the password. This rule slightly increases the complexity of the password and thus the time it takes for a brute force attack can break the password. Disallow that the same character is repeated in a password. The specified number determines the maximum number of identical characters that are allowed after each other. For example, the value 3 would disallow the password abbba. Dictionary Rule Disallow words from dictionary Description Disallows words from the dictionary configured within this policy. Note that when using dictionaries no word from the list may be PART of the password. It is strongly recommended to not put words shorter than 3 or for characters in the dictionary as this will limit the passwords very much if the dictionary is large. Disallow reversed Enabling this rule will check for the existence of reversed dictionary words in the password. dictionary words Password History Rule Number of remembered passwords Minimum password age (days) Disallow incremental passwords Description Enforce password history. Password history means that the user may not reuse recent passwords. The specified number determines how many passwords that are remembered. For example setting the value to 4 means that the users may not reuse any of the last 4 passwords. Limit how often a user can change the password. This rule is recommended to use in combination with the password history feature, to prevent users from circumventing the password history by quickly changing the password several times to clear the history. The number determines how many days must pass between password changes. Prevent users from using incremental passwords. An incremental password is defined as changing only the last digit of the password. For example: If the old password was password1 it cannot be changed to password2, neither password7 etc Specops Software Inc. 18

21 Password Expiration Rule Maximum password age (days) Warning, at logon, before expiration (days) Send warning (days) Description The user will be forced to change the password regularly. The number determines how many days old a password can be before it expires and the user is prompted to change it. Display a warning to the users at logon when the password is about to expire. The specified number determines how many days before the password expiration the user will be warned. From this time the warning will be displayed at every logon until the password is changed. A warning message will be sent by to users when their passwords are about to expire. The subject field of the contains information about how many days that are left before the password expires. The normal expiration warning can only be displayed when users logon interactively, I.E. via CTRL-ALT-DEL. For users that logon through VPN or for example Outlook Web Access this rule helps inform them that the password is about to expire. The specified number determines how many days in advance the message should be sent. Expiration Warning Settings: Rule SMTP Server name From Description The name of the SMTP server that should be used when sending the password expiration warning s. Use this field to specify a custom sender for the . This is the address that will be used for the From field of the . If the field is left blank the default sender Specops Password Policy will be used. User name The user name that will be used when logging on to the SMTP server for sending password expiration warning s. Specifying a user name for the sender is optional. The will be sent by the domaincontroller acting as PDC Emulator in the domain. If that server is allowed to send s through the specified SMTP server without authentication this value can be left blank. If you specify an account, use a specific account for this purpose with low privileges Specops Software Inc. 19

22 Password The password that will be used when logging on to the SMTP server for sending password expiration warning s. It is recommended to use a specific account for this purpose, with low privileges. Language file The client language file that will be used when construction the password expiration warning . Exclude rules information Additional information By default the password rules specified in the policy will be included in the body of the . Check this option to NOT include information about the password rules in the . Additional information that will be included in the body of the password expiration warning . Account Lockout Settings Rule Disable account lockout Description Disable the account lockout process. Disabling account lockout means that accounts affected by this policy will be unlocked soon after they become locked for example because of too many failed login attempts. Only accounts that get locked out after the policy has been enabled will get unlocked, already locked out accounts will remain locked Specops Software Inc. 20

23 Password Reset Options Rule Ignore this policy on password reset Require user to change password on next logon Unlock locked accounts automatically on reset Description Ignore this password policy when the password is reset by an administrator. If this rule is enabled it is strongly recommended that the option Require user to change password at next logon also is enabled or else passwords neglecting this whole policy may exist. Automatically require the user to change the password at next logon when it has been reset by an administrator. This rule overrides the built-in setting for this when the password is reset. It is strongly recommended to use this rule. Automatically unlock a locked account when it is reset by an administrator. Client Message Rule Additional information to end users at password change Description Additional message that will be shown for users if their password change attempt fails. 5.5 Logging Sentinel Event Log Sentinel writes entries to the Application log on domain controllers. Specops Password Policy Sentinel is used as source for all type of events. Information events Entries containing information have event IDs in the range 100 to Specops Software Inc. 21

24 Below are some of the more important information events: Event Id Description 100 Initializing 101 Successfully initialized version x.x.x.x. 102 Contains information about a successful password change. 103 Contains information about a successful password reset. 104 Verbose logging enabled. 105 Verbose logging disabled. 106 Start processing users affected by maximum password age policies. 107 Contains information about the above processing result. 108 A user account was automatically unlocked by a given policy. 109 Various types of information events. Warning Events Entries containing warnings have event IDs in the range 200 to 210. Below are some of the more important warning events: Event Id Description 202 Contains information about a failed password change. 203 Contains information about a failed password reset. 209 Various types of warning events Specops Software Inc. 22

25 Error events Entries containing errors have event IDs in the range 300 to 310. Below are some of the more important error events: Event Id Description 300 Initialization failed. 301 An error occurred during the password change/reset. 309 Various types of error events. Verbose Logging Verbose logging can be configured through the registry on each domain controller. To enable verbose logging, use Registry Editor to modify the following registry entry: Key: HKLM\SOFTWARE\SpecopsSoft\Specops Password Policy\Filter Value: Debug Type: DWORD Data: 1 (Decimal) The name of active the log file is SPP3FLT [LSASS].log and it s created in the <WINDIR>\Debug folder. The maximum size of the log file is 10MB, when the file exceeds 10MB it s saved as SPP3FLT [LSASS].<timestamp>.LOG. Note! No restart is required to enable or disable verbose logging Client Event Log The client writes entries to the Application and Specops Password Client is used as source for all type of events. Verbose Logging Verbose logging can be configured through the registry on the machine where verbose logging should be enabled. To enable verbose logging, use Registry Editor to modify the following registry entry: Key: HKLM\SOFTWARE\SpecopsSoft\Specops Password Policy\Client Value: Debug Type: DWORD Data: 1 (Decimal) 2011 Specops Software Inc. 23

26 On a XP client the following log files are created: 1. <TEMP>\SppClient [SppClient].log. <TEMP> refers to the logged on users TEMP directory, normally found in the user s profile. 2. <WINDIR>\Debug\SPP3CLT [WINLOGON].log. On a Vista client the following log files are created: 1. <TEMP>\SppClient [SppClient].log. <TEMP> refers to the logged on users TEMP directory, normally found in the user s profile. 2. <WINDIR>\Debug\SppCredentialProvider [LOGONUI].log. Note! No restart is required to enable or disable verbose logging. 5.6 PowerShell cmdlets SPP includes several Windows PowerShell cmdlets. For more information about PowerShell, visit the Microsoft website. Setting it up To start using the cmdlets, perform the following steps: Install the SPP Administrative tools package Start PowerShell and add the password policy cmdlets by running the following command from PowerShell: Add-PSSnapin Specopssoft.SpecopsPasswordPolicy Download the cmdlets help file and copy it to the the directory where you installed the SPP Administrative tools. E.G. %ProgramFiles%\Specopssoft\Specops Password Policy\Administrative Tools 2011 Specops Software Inc. 24

27 The cmdlets After adding the cmdlets with the command above, he following cmdlets are made available: New-PasswordPolicy Get-PasswordPolicyLanguageFile New-PasswordPolicyTemplate Get-PasswordPolicySentinel Get-PasswordPolicy Remove-PasswordPolicy Get-PasswordPolicyTemplate Remove-PasswordPolicyTemplate To get a list of all the password policy cmdlets from within PowerShell, use the following command: Get-Command -Noun PasswordPolicy* This will produce a list, similar to that above. Examples Let s get started with using the cmdlets. Note! One important thing to note is that the cmdlets, or the SPP SDK will not create the Group Policy Objects for you. The GPOs to be used must exist and can be created and linked from the Group Policy Management Console (GPMC). You can also use freeware cmdlets from SDM Software to create and link Group Policy Objects ( The following command will create a new password policy in the Group Policy called My GPO. $policy = (New-PasswordPolicy -GpoName My GPO ) Then we can set a value for one of the rules, and saving the policy. $policy.minimumlength = 6 $policy.save() Note that the changes to the password policy are not carried through until the Save command is called. Permitted that the GPO is linked, the new settings in the password policy will be in affect as soon as the Save method is called. To get a list of all configured password polices in the domain, try the following command. Get-PasswordPolicy This will produce a list with all the polices and their properties. To get a better overview of the policies try this version of the command, where the Format-Table (ft) cmdlet is used to improve the format of the output. Get-PasswordPolicy ft -Property Name, DomainName, PolicyStrength 2011 Specops Software Inc. 25

28 The Get-PasswordPolicy cmdlet works similar to the New-PasswordPolicy, use the name of the GPO as a parameter to get a reference to a specific password policy: $policy = (Get-PasswordPolicy -GpoName My GPO ) To completely remove a password policy (from a GPO), use the following command: Remove-PasswordPolicy -GpoName My GPO Here are some more things to try out. The following commands will attempt to set properties to the password polices that would make it invalid. Max length cannot be shorter than min length. Try saving the policy and watch the result. $policy.minimumlength = 6; $policy.maximumlength = 5; $policy.save(); Try exploring the properties and methods of the PasswordPolicy class and the other classes available by calling the cmdlets. Refer to the SDK documentation for detialed information about the underlying objects, their properties and methods. SDK Make sure to read the section about the SDK for information about the available classes and methods. 5.7 Frequently Asked Questions The customized client message is not shown when a password change fails Verify that the Specops Password Client is installed on the computer and that the computer has been restarted. If the client has been successfully loaded, there should be an event in the Application log with source Specops Password Client and id 101. Ensure that the settings in the proposed SPP password policy are more restrictive than the settings in the Default Domain Policy. Configuring a setting in the built-in password policy to Not defined does not remove the setting from the domain; instead the setting will be set to the last configured value. If the new password does not meet the requirements specified in the Default Domain Policy, the Windows error message will be shown instead of the message provided by Specops Password Client The Specops Password Policy Sentinel must be installed on all writable domain controllers. The Specops Password Policy menu item does not show up when right-clicking a user in Active Directory Users and Computers 2011 Specops Software Inc. 26

29 Verify that the Specops Password Policy Administrative Tools is installed on the computer. The Specops Active Directory Users and Computers menu extensions must be installed in order to show the menu extension in Active Directory Users and Computers. Is it necessary to install Sentinel on a read-only domain controller (RODC) No. There is no need for installing Sentinel on a RODC, because no password changes can occur on a RODC. If I have a user that s affected by a password policy with a maximum password age configured, but the user is never forced to change the password. Why? A Specops Password Policy will not expire a user s password if any of the following options are set on the user object: User must change password at next logon User cannot change password Password never expires Smart card is required for interactive logon Cannot set the Administrator password while demoting a domain controller If Specops Password Policy Sentinel is installed on the domain controller then you must first uninstall Specops Password Policy Sentinel, before starting the demote process Specops Software Inc. 27

30 7 Support and Troubleshooting Please visit the Specops Forum for support and help with troubleshooting at: For support and help with troubleshooting go to: Urgent requests for support may be submitted to: Feedback on documentation can be sent to: 2011 Specops Software Inc. 28