How To Reset A Password Reset On A Cell Phone On A Pc Or Ipad (For A Cell) On A Microsoft Macbook Or Ipa (For An Ipa) On An Iphone Or Ipam (For Pc) On


Specops Password Reset 6.1 Product Documentation. All rights reserved.

Specops Software

Specops Software is an international software company offering IT management solutions based on the idea of improving and extending the functionality of Microsoft Active Directory and Group Policy to perform complex management tasks. Our Windows-integrated approach to IT management adds significant value to the business of thousands of customers all over the world by helping them achieve an extraordinarily high degree of efficiency in their IT environments. The award-winning Specops product line is consistently recognized as some of the most essential third-party add-ons to Microsoft environments.

Contact information

Please contact us at one of our offices if you have any questions:

International HQ: Specops Software, Torsgatan, Stockholm, Sweden. Support: Phone: Fax:

North America: Specops Software Inc., 532 Front Street West, Toronto, Ontario, ON M5V 1B8, Canada. Support: SPECOPS ( ) Phone: SPECOPS ( ) Fax:

United Kingdom: Specops Software Ltd., 4 Orchard Way, Stoke Gabriel, Totnes, Devon TQ9 6PZ, United Kingdom. Phone:

United States: Specops Software USA Inc., 600 Chestnut St., Suite 772, Philadelphia PA, United States. Support: SPECOPS ( ) Phone: SPECOPS ( ) Fax:

Copyright and Trademarks

Specops Password Reset is a trademark owned by Specops Software. All other trademarks used and mentioned in this document belong to their respective owners.

Disclaimer

The content of this document is provided as is. While Specops Software makes every effort to ensure the reliability and accuracy of our documentation there is no guarantee that the information in this document is applicable in all customer environments.

Contents

Overview
Usage scenarios
Implementation Planning
System requirements
Language localizations
Licensing options
Architectural overview
Authentication methods
Installation
The Setup Assistant
Post installation configuration
Configuration and Operation
The Specops Password Reset Configuration tool
Specops Password Reset ADUC extension
Configuring your environment for use with the Mobile Access web service
Mobile Device Applications
Specops Password Reset Web Customization tool
Specops Password Reset and Group Policy
Creating and editing Specops Password Reset Policies
Specops Password Reset GPO Settings
Specops Password Reset Reporting
Specops Password Reset Helpdesk
The Specops Password Client
System Security
Delegated Helpdesk Security Configuration
Specops Password Reset Server Call Throttling
Other Specops Password Reset Server registry settings
Troubleshooting
Event logging
Debug logging
Support

Overview

Specops Password Reset (SPR) is a self-service solution which allows end users to securely manage their own password problems such as forgotten passwords, locked accounts or even normal password changes. The fully customizable user interface quickly builds trust between the users and the system, which ensures a high adoption rate. When users can fix their own problems they also show less resistance to choosing more complex passwords. The system is designed with security in focus and is fully integrated with Windows and Active Directory.

Specops Password Reset allows users to easily handle their own password related problems.

Usage scenarios

These are some of the most common scenarios where Specops Password Reset delivers value to current business problems.

Reduced support workload

Gartner Group and other business research institutes estimate that as much as 30% of all calls to the helpdesk are related to password issues. If the loss of productivity is included in the cost calculation, the cost of each such call could run as high as $70. By allowing the end users to securely manage these problems themselves the helpdesk personnel can spend more time on developing the IT infrastructure rather than just solving problems with it.

Increased availability

Specops Password Reset is available to the end users 24 hours per day and can be accessed from anywhere where there is an internet connection. Users are able to manage their password problems at any time, reducing the loss of productivity when a password problem is encountered.

Problem reduction

The graphical user interface in Specops Password Reset helps remove the confusion around password complexity rules by displaying the exact rules which apply to each user. The same interface is available for normal password changes, making Specops Password Reset the preferred way of changing your password.

Implementation planning

Implementing Specops Password Reset is very easy and straightforward. Before proceeding with the actual installation it is beneficial to spend a few moments considering the implications of how you wish to use the product in your environment.

System requirements

In order to use Specops Password Reset your organization must meet the following system requirements, listed per Password Reset component with its supported OS configurations:

Specops Password Reset Server
- Windows Server 2003 SP2 or Windows Server 2003 R2
- All editions of Windows Server 2008 / Server 2008 R2
- All editions of Windows Server 2012
- Windows Identity Foundation installed.

Specops Password Reset Web
- Windows Server 2003 SP2 or Windows Server 2003 R2
- All editions of Windows Server 2008 / Server 2008 R2
- All editions of Windows Server 2012
- IIS installed
- Trusted SSL certificate for all names the web application will be presented as.

Administrative Tools
- Any server OS supported by the Specops Password Reset Server component.
- Windows XP, Windows Vista, Windows 7 or Windows 8 client OS.
- OS must be a domain member.
- MMC 3.0 installed.
- .NET Framework 3.5 installed (applies to Windows Server 2008 R2, Windows 7 or older operating systems)
- .NET Framework 4.0 installed (applies to Windows Server 2012, Windows 8 or newer operating systems)
- Active Directory Users and Computers MMC snap-in installed.

Password Client
- Any server OS supported by the Specops Password Reset Server component.
- Any client OS supported by the Specops Password Reset Administrative Tools component.
- OS must be a domain member.

Specops Software always recommends running our software on the latest version of Windows.

Hardware requirements

There are no specific hardware requirements for Specops Password Reset. If your hardware is capable of running the supported operating systems, it is also capable of running Specops Password Reset.

Language localizations

Specops Password Reset is localized in the following languages:

Password Reset Component: Specops Password Reset Sentinel, Specops Password Reset Admin Tools, Specops Password Reset Web, Specops Password Client

Available localizations: English (en-us), English (en-us), English (en-us), Chinese (Traditional) (zh-hant), Czech (cs-cz), Danish (da-dk), Dutch (nl-nl), Finnish (fi-fi), French (fr-fr), German (de-de), Hungarian (hu-hu), Italian (it-it), Japanese (ja-jp), Norwegian (nb-no), Polish (pl-pl), Portuguese (pt-pt), Russian (ru-ru), Spanish (es-es), Swedish (sv-se), Turkish (tr-tr), Welsh (cy-gb)

It is also possible to add your own language localizations for the Specops Password Reset Web and Client components as needed by your organization.

Licensing options

There are four different licensing options for Specops Password Reset:

- Trial: Unrestricted license usable for an unlimited amount of users until a fixed expiration date. The license is only valid for trial purposes.
- Affected: The affected license has no expiration date but is limited to the number of user licenses that have been purchased. When the number of used licenses is counted the system counts the actual number of non-disabled user objects that are affected by GPOs containing Specops Password Reset settings.
- All: The all license has no expiration date but is limited to the number of licenses that have been purchased. When the number of used licenses is counted the system counts the total number of non-disabled user objects in the entire domain.
- Subscription: The license has no expiration date and no limit on the number of users the product can be used with. At the end of each month the system reports the number of used licenses and the customer is invoiced a subscription fee for that many users. The counting mechanism is the same as used in the Affected licensing mode.

Architectural overview

Specops Password Reset consists of these basic components:

- Specops Password Reset Server: Performs operations against Active Directory and responds to requests from the Specops Password Web.
- Specops Password Reset Web: Presents the end user interface of the product and communicates with the Specops Password Reset server in order to verify user input.
- Specops Password Client: Adds a link to the Specops Password Reset Web on the Windows logon screen and handles end user notifications about enrollment requirements. Also resets cached user credentials if a password is reset without domain connectivity.
- Specops Password Reset Mobile Applications: Applications for Windows Phone, Android and iPhone which allow users to reset their Active Directory passwords directly from these devices.

Depending on the requirements of your organization there are a few architectural issues to consider before installing the product in your environment.

Availability and the number of necessary servers

In a minimal installation it is possible to install both server components on the same machine. The machine does not need to be dedicated to Specops Password Reset, but the Web application needs to be able to use SSL in IIS. In High Availability environments it is possible to cluster both the web application and Server components.

The typical Specops Password Reset installation consists of one internal server running both the Server and Web components and one external server with the Web component for access over the internet.

This architectural overview of the functional components shows the communication between the components in a typical installation. Note that the Password Reset Server and Password Reset Web components are typically installed on the same server in the inside network.

Specops Password Client

The Password Client is necessary in order for your users to see the Reset Password link on their Windows logon screen. It also handles end user notifications and has the ability to reset cached user credentials if passwords are reset without domain connectivity. The Specops Password Client should be installed on all domain joined client machines, and may be installed on any servers where access to the system is desired.

External access requirements

A common design decision is whether the solution needs to be accessible over the internet. One of the main benefits of Specops Password Reset is to provide employees or other contacts with user accounts in your Active Directory with the ability to reset their passwords over the internet. This is especially beneficial if your organization has many users who work from home or while travelling. To support these users it is possible to either publish the internal web server through the firewall of your organization, or to set up a separate web server which is accessible from the internet. This scenario allows you to install the Specops Password Reset Web application on a server which does not have to be a member of your internal domain. Communication with a Specops Password Reset service can still take place through the firewall in order to manage the password operations.

Mobile Access web service

The handy mobile applications for Windows Phone, Android and iPhone enable your users to reset their Active Directory passwords directly from their mobile devices. If you wish to provide this service to your users you need to install the Specops Password Reset Web Service on a web server which is accessible from the internet.

Active Directory storage

Specops Password Reset uses the Active Directory to store the user data needed by the system. For example, if the system is configured to use the secret question authentication mechanism the users will be required to select and answer a number of questions which need to be stored somewhere. In a default installation this data is stored in classstore objects called specops-spp-pwdreset which are placed beneath the user object the data belongs to in Active Directory. ClassStore objects are part of the standard Active Directory schema, and will require a few bytes of extra storage per enrolled user. The required additional storage is roughly equal to the number of bytes required to store the question texts and hashes of the user answers to the questions. The storage requirements are typically not an issue unless the environment contains many tens of thousands of users.

Schema extension option

If minimizing the additional storage requirement in Active Directory is important in your organization, Specops also offers a schema extension which removes the unnecessary bloat of the mandatory classstore attributes. The schema extension is easily applied to the Active Directory and once installed the system will start using it immediately without any further configuration requirements. Contact Specops Product Services for guidance on how to apply the schema extension.

Authentication methods

The whole idea behind a password problem self-service tool is to allow the users to handle such problems by themselves. This poses an obvious security dilemma: How does an automated system know that a user claiming to be Bob really is Bob when Bob has apparently forgotten his normal means of authentication, his password? The answer, of course, is to implement some sort of other authentication mechanism besides the password to let Bob prove his identity. Specops Password Reset currently offers two such authentication mechanisms, and one of the most important decisions during implementation planning is to select which mechanisms suit the goals of your organization best.

Secret questions authentication

One of mankind's oldest ways of identification is to use some sort of secret shared between involved parties to prove their identity to one another. Passwords are certainly the most common example of this method, which in simplified terms is known as a "something you know" authentication factor. Passwords, however, are quite easy to forget once they reach a certain complexity level, when they have to be changed frequently or when they are rarely used. Implementing a second password for use when users have forgotten their first one is therefore unlikely to be successful. Instead, the idea behind the Secret Questions authentication mechanism is to make the secret personal to the user, which makes it a lot easier to remember even if you don't use it very often.

When a user has been configured to use the Secret Questions authentication with Specops Password Reset they will be required to enroll with the system by selecting and answering one or more questions from a pool of available questions configured for them in Group Policy. This process is usually very fast and allows for a quick implementation of the system.

The drawback of the Secret Questions mechanism is that it is susceptible to social engineering attacks. If Alice knows that Bob has selected to answer the "Where did you attend high school" question she might be able to trick Bob into giving up that information during a casual conversation. In order to strengthen the security of the questions mechanism you should make sure that your users have to answer several questions before they are authenticated. It also makes sense to ensure that the available questions to choose from are not of a nature which makes it easy to guess or figure out the answer.

Mobile verification code authentication

When Secret Questions are not secure or convenient enough for your organization it is a good idea to start looking at the second authentication mechanism in Specops Password Reset. The Mobile Verification Code is a one-time code sent by SMS text message to the mobile phone of the users when they are asked to authenticate in the system.

Since the code can only be retrieved on a device that the users typically carry on their persons the Mobile Verification Code mechanism can be described as a "something you have" authentication factor.

Before you can start using the Mobile Verification Code mechanism your organization must meet a couple of requirements:

- Targeted users must have mobile phones: This is an obvious requirement which is easy to meet for most organizations. If some of your users have mobile phones while others do not, it is quite easy to configure the system to allow these users to use the more secure authentication mechanism.
- Mobile phone numbers must be stored in Active Directory: Specops Password Reset fetches the mobile phone number of the user from their user object in Active Directory. If this information is not currently populated it is possible to let the users register their mobile numbers by enrolling with the system. User privacy concerns might be a factor in some organizations, for instance if the users only have private mobile phones and they don't want their private phone number to be visible to other employees. In this scenario it is possible to configure Specops Password Reset to use a different user attribute than the mobile phone number to hold the data.
- Your organization needs an SMS provider: Specops Password Reset does not come with an internal SMS gateway, as that would increase the complexity and cost of the system. Instead, the Specops Password Reset Server component sends e-mail to an external SMS provider of your choice, which can then convert the content to an SMS containing the one-time verification code. There is a multitude of online SMS providers all over the globe if your organization does not already have an SMS gateway functionality in place.

If your organization meets the requirements it is recommended to use the Mobile Verification Code for as many users as possible as this increases the security level of the system.

Two-factor authentication

While the security of either the Secret Questions mechanism or the Mobile Verification Mechanism might be good enough to provide a secure authentication of your users, Specops Password Reset also offers the ability to use both methods in combination, to provide a two-factor authentication mechanism. By combining both a "something you know" and a "something you have" authentication factor you can reach very high levels of security in the system. Specops Software recommends using two-factor authentication wherever possible.

Installation

The Installation document area takes the reader through the process of installing the product.

The Setup Assistant

The Specops Setup Assistant (SA) is designed as a step by step installation guide to help you install the various product components. The SA also contains automation logic to verify that all prerequisite components have been installed and that the account running the SA has the appropriate permissions to complete the installation. Every section of the SA is divided in individual steps which should be completed during the installation.

The Setup Assistant for Specops Password Reset also contains the other products in the Specops Password family: Specops Password Policy and Specops Password Sync. If you only intend to install Specops Password Reset the installation steps of the other two products can be safely ignored.

Specops Password Reset installation

The Setup Assistant contains installations for all the Specops Password products. The installation procedure for Specops Password Reset consists of three simple steps.

Section 1: Server installation

The Specops Password Reset Server component manages all operations against Active Directory in the solution, such as changing or resetting passwords or registering user enrollments.

Windows Identity Foundation

Windows Identity Foundation is required on the computer where the Server component is installed. Clicking the install button will install this feature if it is not already present.

Select service account

All operations performed by the Specops Password Reset Server component will be performed in the context of the service account selected here. During the installation the Setup Assistant will also grant the selected service account the appropriate AD permission necessary to reset passwords and manage user enrollments.

Management level

When selecting the Management Level you decide from which level in the Active Directory hierarchy you want to use Specops Password Reset. The selected level will be where the Active Directory permissions are created for the service account and it is also used to calculate the total number of users affected by the product.

Note: The Management Level can be changed by running the Setup Assistant again, but it might be necessary to remove previously created permissions manually.

If you want to be able to use the product in your entire domain you must select the domain root as the management level, otherwise it is recommended to select an OU as high up in the hierarchy as necessary to reach all the desired user accounts.

Select certificate

All communication between the Specops Password Reset Web application and the Specops Password Reset Server service is encrypted using the certificate selected in this step. If your server already has a certificate generated by your certificate infrastructure it is recommended to use the existing certificate. In all other scenarios it is sufficient to use a self-signed certificate created by the Setup Assistant.

Administrator notification settings

The notification settings are the default settings used by the Specops Password Reset Server to send e-mail. Administrator notifications are used to send e-mail to the administrator with notifications regarding the Specops Password Reset License. It is also possible to override the server settings in each GPO.

Besides entering a server name (or IP address) it is possible to enable TLS and to specify which credentials the Specops Password Reset Server will use when authenticating to the SMTP server. If no credentials are specified the server will authenticate as the service account it is running as. The settings are used when the Specops Password Reset server sends e-mail. The configured settings can be easily modified at any time after the installation through the Specops Password Reset Configuration tool.

Mobile phone/e-mail validation message

In order to be able to send SMS from the helpdesk tool these settings should be configured according to the specifications of your SMS provider. Specops Password Reset will send an e-mail with your configured settings to the SMS provider, for conversion to an SMS text message. Use the placeholders at the bottom to represent the information that will be different for each user, such as the user address, mobile phone number and the verification code that the user will need to authenticate. The configured helpdesk validation settings can be easily modified at any time after the installation through the Specops Password Reset Configuration tool.

The settings for the Helpdesk validation message are used to generate the SMS verification code which is used to manually authenticate users who request password resets through the helpdesk.

Install the server

When all of the above sections have been completed it is time to install the Specops Password Reset Server component. The installation process will also create the local security groups described in the table below.

- Specops Password Configuration Admins: Members of this group are allowed to run the Specops Password Configuration tool.
- Specops Password Helpdesk Admins: Members of this group are allowed to administrate password resets through the Specops Password Reset Helpdesk tool.
- Specops Password Enrollment Agents: Members of this group are allowed to automatically create enrollments for users through the enrollment PowerShell cmdlets.
- Specops Password Reporting Admins: Members of this group are allowed to administrate the Specops Password Reporting tool.
- Specops Password Reporting Readers: Members of this group are allowed to read information from the Specops Password Reporting tool.

When you click the Install button the Setup Assistant will determine if your system should use the 32-bit or the 64-bit version of the Server component and install it.

Section 2: Administration tools installation

The Administration tools installation will install the Specops Password Reset Configuration tool and the GPMC snap-in needed to configure Specops Password Reset Policies. The tools should be installed on any computer where you wish to administrate the product. For instance, it is necessary to have the admin tools installed in order to see the Specops Password Reset group policy settings.

ADUC menu extensions

Almost all of the Specops products integrate with the Active Directory Users and Computers snap-in to make it possible to perform additional commands directly from the right-click menu of an Active Directory object. In order for this integration to work Specops needs to register our Display Specifiers in the configuration partition of your Active Directory forest. Since this action is forest wide you only have to perform it once in each forest, but it also means that you must be an enterprise administrator or a domain administrator in the forest root domain when this action is performed.

Note: Adding the Specops Display Specifiers to your environment is a fully reversible operation. Display Specifiers are stored in the Configuration partition of the forest and do not modify the Active Directory schema. More information about Display Specifiers can be found on msdn:

Specops Password Reset Administration Tools installation

Clicking the Install button in this step will install the administration tools.

Section 3: Specops Password Reset Web installation

The Specops Password Reset Web component is the web application which presents the end user interface to the users when they need to use the system. The web application continuously communicates with the Specops Password Reset Server component to determine which pages it is allowed to show and which operations have been performed on the server side.

Prerequisite: Internet Information Server (IIS)

The Specops Password Reset Web component is designed to run on Microsoft IIS. If this role has not been configured on your server you can click the Install button to install and configure it automatically with the components needed by Specops Password Reset.

Specops Password Reset Server

The first step of the installation procedure is to select which Specops Password Reset Server service you want the web component to connect to. Use the Select... button to browse for a Specops Password Reset Server to connect to. Select or enter the name of the server you wish to connect to. Once the connection has been verified you may proceed to the next step.

Select web site

If there is more than one web site running on your IIS you may select which one you wish to use for the Specops Password Reset Web component. The installation procedure will create a virtual directory for Specops Password Reset in the selected web site. Most installations use the preconfigured Default Web Site.

If the Specops Password Reset Web component is installed on a server in the internal network the "Update the Service Connection Point information during installation" checkbox should remain checked. This will make sure that the Service Connection Point beneath the computer object of the Specops Password Reset Server is updated with the appropriate URLs to the pages on the new Specops Password Reset Web server. Do not update the Service Connection Point unless you want to direct your internal password clients to use the web server you are installing.

This server already has an SSL enabled web site. Selecting http will enable SSL on the web site with the certificate you choose in the next configuration step.

Note: More than one Specops Password Reset Web component can use the same Specops Password Reset Server component, for instance in a DMZ installation providing access to external users. In this scenario it is important that the Service Connection Point is NOT updated as this would direct internal clients to use the external service.

Select certificate

All communication with the Specops Password Reset Web is encrypted with SSL encryption. When you have selected a web site to run the component on, you may also select which certificate you wish to use for the SSL encryption. This option is not available if your selected web site is already configured to use SSL. If you wish to change an existing certificate you need to use the Internet Information Services Manager.

The host name specified in the SSL certificate must match the host name requested by the clients when they try to reach the web site in order to avoid certificate warnings in the client browser.

For internal servers using a certificate generated by your own CA this is typically not a problem as the clients already trust that certificate. If you do not have an internal certificate infrastructure it is possible to generate a self-signed certificate for your web site using the Setup Assistant. However, this certificate will not be trusted by your clients unless you add it to them, for instance through Group Policy.

Note: Web sites accessible from the internet should always use certificates provided by a trusted certificate authority. In scenarios where you want to publish a single internal web server to your external users you may have to purchase a certificate containing more than one host name, making it possible for both internal and external requesters to trust the identity provided by the web server.

Installation

Once all the previous steps have been completed you can click the Install button to install the Specops Password Reset Web component on the local server. During the installation you will be given the option to include the Specops Password Reset Web Service (Mobile Access). The Mobile Access component is used to enable the Specops Password Reset mobile device applications to connect to the Specops Password Reset server. If you plan to allow your users to reset their passwords from their smartphones you should select to install this component on a web server accessible from the internet. The Mobile Access component can also be installed separately at a later time.

The Password Reset Web Service should be installed on web servers accessible from the internet.

The Specops Password Web installation also installs the Specops Password Reset Web Customization tool, which is used to manage the language translations and graphical branding of the web site.
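The host-name requirement described under Select certificate can be checked before users see browser warnings. The following is an added example, not part of the Specops documentation: it tests whether a certificate's DNS names cover every name the web site is reached by, including the case of one server published under an internal and an external name. All host names and certificate names in it are constructed placeholders.

```powershell
# Added example. Host names and certificate names below are constructed placeholders.

function Test-CertificateCoversName {
    # True when one certificate DNS name matches the host name a client requests.
    param(
        [Parameter(Mandatory)][string[]]$CertificateNames,
        [Parameter(Mandatory)][string]$HostName
    )
    $requested = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($entry in $CertificateNames) {
        $pattern = $entry.Trim().TrimEnd('.').ToLowerInvariant()
        if ($pattern -ceq $requested) { return $true }
        if ($pattern.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label:
            # *.example.com covers reset.example.com but not a.b.example.com.
            $suffix = $pattern.Substring(1)
            if ($requested.EndsWith($suffix, [System.StringComparison]::Ordinal)) {
                $label = $requested.Substring(0, $requested.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateNameCoverage {
    # One row per name the web application is presented as.
    param(
        [Parameter(Mandatory)][string[]]$CertificateNames,
        [Parameter(Mandatory)][string[]]$RequiredNames
    )
    foreach ($name in $RequiredNames) {
        [pscustomobject]@{
            HostName = $name
            Covered  = Test-CertificateCoversName -CertificateNames $CertificateNames -HostName $name
        }
    }
}

function Get-WebCertificateSummary {
    # Properties of an installed certificate that decide whether a browser
    # accepts it without a warning.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        DnsNames      = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
        DaysRemaining = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
        # False when the chain does not end in a root this machine trusts,
        # for example a self-signed certificate that was never distributed.
        ChainTrusted  = $Certificate.Verify()
    }
}

# Constructed sample: a certificate issued for the internal name plus a wildcard,
# checked against the internal and external names of the Password Reset Web site.
$sampleNames   = 'spr.corp.example', '*.example.com'
$requiredNames = 'spr.corp.example', 'reset.example.com', 'reset.emea.example.com'
Get-CertificateNameCoverage -CertificateNames $sampleNames -RequiredNames $requiredNames

# On the web server, summarize the installed certificates the same way and
# compare the one bound to the site in IIS:
# Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Get-WebCertificateSummary -Certificate $_ }
```

A name reported as not covered is one for which clients will see a certificate warning; `ChainTrusted` is evaluated on the machine running the script, so run it on a representative client to see what the clients will decide.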

19 Section 4 Specops Password Client installation This installation step allows you to install the Specops Password client on the local computer. It is not necessary to proceed with this step on a server computer in order to complete the Specops Password Reset installation. The Specops Password Client should only be installed on computers where you want the end user to get the Reset Password link added to the Windows logon screen. Section 5- Deploy Specops Password Client using GPSI The final step in the Setup Assistant allows you to deploy the Specops Password Client to your client computers through the Group Policy Software Installation (GPSI) feature built into Windows. Select Group Policy Object The selected Group Policy Object will be used when the settings for the Specops Password Client installation are created. Select a Group Policy Object linked to a location where all your intended target client machines are affected by it. Note It is not necessary to perform this step in order to complete the installation of Specops Password Reset. Specops Software recommends using your normal enterprise deployment tool, such as Specops Deploy, when deploying the Specops Password Client in your organization. Share selection The Setup Assistant can create a new share on the local computer and specify it as the source for the Password Client installation. This is only recommended in test environments when you quickly want to get the client deployed with a minimum of configuration. The other option is to manually copy the installation msi-packages from the Setup Assistant extraction path to an existing share used for software installations. This method is recommended in production environments where you wish to have full control over your software installations. Note The default installer extraction path is C:\temp\SpecopsPassword_Setup_[VersionNumber]\. The Specops Password Policy installation packages are located in the \Products\SpecopsPasswordReset\ folder. 
Configure deployment

Clicking the Add Settings button will add the deployment settings for the Specops Password Client to your selected Group Policy Object using the share settings specified in the Setup Assistant. The affected client computers will perform the actual installation when they are restarted.

Post installation configuration

When all the components have been installed and started it is time to start looking at the basic configuration of the system. A good place to start is the Specops Password Reset Configuration tool, where you can enter your license key to enable the product. There are also a few changes that have to be made in Windows and Active Directory in order to get things running smoothly.

Configuration task list

The following steps must be completed before the system is fully ready for use in your organization:

- Add your license key in the Specops Password Reset Configuration tool.
- Verify that your domain is configured for use with Specops Password Reset in the Configuration tool.
- Add the Specops Password Reset Web server to the Local Intranet Zone in the Internet Explorer site-to-zone assignment list.
- Create and link a Group Policy Object with your desired Specops Password Reset settings in your Active Directory.
- Make the appropriate accounts members of the Specops Password Reset local security groups.
- If you intend to use the Secret Question authentication method you must also make sure that the users enroll in the system.
- Install any additional web servers you might want to use for external access.
- Verify that the Specops Password Client is installed on your clients.
- Provide read access for the SPR service account on the Password Settings Container in your domain if you are using Fine-Grained Password Policies.

Adding the Password Reset Web server to the Local Intranet Zone

A common issue in most environments is that users trying to access the Specops Password Reset Web application in order to enroll are asked to enter their logon credentials even though the enrollment page is configured to use integrated Windows authentication. This happens because Internet Explorer defaults to interpreting any FQDN address as belonging to the Internet security zone, where integrated Windows authentication is not allowed.
In order to get around this problem you must configure Internet Explorer to assign the web server to the Local Intranet zone instead. The easiest way to control this setting is through Group Policy. Follow the procedure below to complete the configuration:

1. Start GPMC
2. Select an appropriate GPO that affects all computers that will be used with Specops Password Reset
3. Right-click the GPO and select Edit

4. Browse to Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page.
5. Select properties for the Site to Zone Assignment List setting and enable it.
6. Press Show
7. Add an entry to the URL of your web server (e.g The value of the entry should be 1, which corresponds to the Intranet zone.
9. Save the settings and close the GPO. The configured settings will be applied to the affected computers during their next Group Policy refresh.

Site to zone assignment list policy

Note: Controlling the site to zone assignment centrally through Group Policy prevents your users from assigning these settings themselves. You should ensure that your configured settings include all required site to zone assignments in your organization. More information about how Internet Explorer handles zone assignments can be found in this Microsoft Knowledgebase article:

Configuring access to Active Directory Fine-Grained Password Policies

If Specops Password Reset is installed in a domain where fine-grained password policies are used, the Specops Password Reset Service Account must be granted permissions to read the configured password policies. Log on to a domain controller with an account that has Domain Admin permissions in the domain and run the following command from a command prompt. The distinguished name contains spaces, so it is enclosed in quotes:

dsacls "CN=Password Settings Container,CN=System,[domain_DN]" /I:S /G [service_account_name]:gr;;

Example:

dsacls "CN=Password Settings Container,CN=System,DC=example,DC=com" /I:S /G example\sprsvc:gr;;
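To verify the Site to Zone Assignment List policy from steps 1 to 9 above on a client, the following added example (not part of the Specops documentation) reads the policy's registry values and compares them with the assignments you require, and it lists every other Intranet-zone entry for review, since sites in that zone are allowed integrated Windows authentication. The function names, the sample URLs and the required-sites table are hypothetical; the registry path is where Windows stores this computer policy.

```powershell
# Added example, not Specops code. Function names and sample data are hypothetical.
$ZoneMapKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$ZoneName   = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

function Get-ZoneMapFromRegistry {
    # Returns site -> zone number as applied by the Site to Zone Assignment List policy.
    param([string]$Path = $ZoneMapKey)
    $map = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            $map[$name] = [string]$key.GetValue($name)
        }
    }
    $map
}

function Test-SiteToZoneList {
    param(
        # Sites that must be present, with the zone number each one needs.
        [Parameter(Mandatory)][hashtable]$Required,
        # Applied assignments; defaults to what the policy wrote on this computer.
        [hashtable]$ZoneMap = (Get-ZoneMapFromRegistry)
    )
    $rows = @()
    foreach ($site in $Required.Keys) {
        $want = [string]$Required[$site]
        if (-not $ZoneMap.ContainsKey($site)) {
            $status = 'Missing'; $have = $null
        } else {
            $have = [string]$ZoneMap[$site]
            $status = if ($have -eq $want) { 'OK' } else { 'WrongZone' }
        }
        $rows += [pscustomobject]@{
            Site = $site; Status = $status
            Applied = $ZoneName[$have]; Required = $ZoneName[$want]
        }
    }
    # Entries nobody listed as required but which sit in the Intranet zone:
    # these hosts are allowed integrated Windows authentication, so review them.
    foreach ($site in $ZoneMap.Keys) {
        if (-not $Required.ContainsKey($site) -and [string]$ZoneMap[$site] -eq '1') {
            $rows += [pscustomobject]@{
                Site = $site; Status = 'Review'
                Applied = $ZoneName['1']; Required = $null
            }
        }
    }
    $rows | Sort-Object Status, Site
}

# Constructed sample data so the check runs without touching the registry.
$sampleMap = @{
    'https://spr.example.com'      = '1'
    'https://intranet.example.com' = '1'
    'https://portal.example.com'   = '2'
}
$required = @{
    'https://spr.example.com' = '1'   # the Specops Password Reset web server
    'https://hr.example.com'  = '1'   # an assignment the central list forgot
}
Test-SiteToZoneList -Required $required -ZoneMap $sampleMap | Format-Table -AutoSize
```

Omit -ZoneMap on a domain-joined client to check what the GPO actually applied after the next Group Policy refresh.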

Adding members to the Specops Password Reset local security groups

Access to the various administrative components in Specops Password Reset is controlled through local security groups on the Specops Password Reset server. Members of the local Administrators group are always allowed to access the administration tools and do not have to be added to the security groups separately. As the Specops Password Reset server has to be installed on a domain member server this includes the Domain Admins domain security group.

Administrative security is handled through the following groups:

Local Security Group | Description
Specops Password Configuration Admins | Members of this group are allowed to run the Specops Password Configuration tool.
Specops Password Helpdesk Admins | Members of this group are allowed to administrate password resets through the Specops Password Reset Helpdesk tool.
Specops Password Enrollment Agents | Members of this group are allowed to automatically create enrollments for users through the enrollment PowerShell cmdlets.
Specops Password Reporting Admins | Members of this group are allowed to administrate the Specops Password Reporting tool.
Specops Password Reporting Readers | Members of this group are allowed to read information from the Specops Password Reporting tool.

You should make sure that the appropriate accounts and groups are members of the local security groups.

Configuration and operation

Specops Password Reset is easily configured from any computer in the domain where the Specops Password Reset administration tools are installed. There are a few different administration tools used to configure different aspects of the product. The Specops Password Reset Configuration tool handles the general system configuration such as which domains should be using the system. The branding and text customization of the Specops Password Reset Web can be performed on the web servers through the Specops Password Reset Web Customization tool. Group Policy settings to control how the users are allowed to use the system are handled directly when editing each GPO through the Group Policy Management Console.

The Specops Password Reset Configuration tool

The Configuration tool is used to control the system wide configuration settings for each Specops Password Reset Server. When the tool is started for the first time in a new environment you will be asked to import your Specops Password Reset license. After completing this step, you will be able to proceed to configure the various settings controlled through the tool.

The Specops Password Reset Configuration tool is used to control system wide settings.

Domains

Specops Password Reset servers are only able to serve requests from domains which have been configured for use through the Configuration tool. Besides enabling domains to be used with the system you can also edit the configuration settings for the enabled domains.

Configuring a new domain

Select the Configure New Domain option to enable a new domain. Using the system with multiple domains requires a bi-directional trust between the additional domains and the domain where the Specops Password Reset Server is located. When you click the Configure New Domain task you are presented with a list of available domains. Select the domain you wish to add, and proceed to configure your desired settings.

Editing domain configuration settings

The settings for any enabled domain can be easily edited through the configuration tool.

Domain friendly name

If you wish to present your domain name to your users with a friendly name rather than the FQDN you may enter that name here. The name of the domain will be visible to the users during enrollment, password changes and password reset operations.

Scope of management

The Scope of Management in the domain can be conveniently changed through this setting. If you wish to change your scope of management to a higher level in your Active Directory hierarchy than it was previously configured at you should remember to also use the Delegate Security button to automatically assign the necessary permissions for your service account to the new Scope of Management.

Service account permissions

The following Active Directory permissions are required in order for the Specops Password Reset Server service to work properly:

Permission | Scope
Create and Delete | classstore objects beneath user objects
Read | useraccountcontrol attribute on user objects
Change and Reset password | User objects
Unlock account | User objects
Change password at next logon | User objects
List child objects | User objects
Read and Write | Mobile attribute on user objects

Note: The service account must also be given permissions to read the Group Policy Objects where you create Specops Password Reset settings. This is a common mistake when security filtering is used on the GPO to control which users should be affected.

Server settings

The domain configuration page also allows you to change three domain wide server settings.

Setting | Explanation
Enable Challenge Question in Helpdesk | Enables the help desk tool to use the last secret question each user has answered as a manual authentication option if a user calls in. When this setting is disabled the help desk tool will only use mobile verification codes for manual authentication.
Hide Users Mobile Number | Hides the mobile number of users from all web pages. This setting can be used to ensure that the mobile phone number of your users is never shown and thus stays private. Note that hiding the mobile number also hides the number from the users themselves, making it impossible for them to verify that the system is using the correct number.
Restrict access to callers domain | This setting is used to restrict access to user data in other domains for administrators using the help desk or reporting pages in Specops Password Reset. When this setting is enabled these administrators will only be able to see data from their own domain. When the setting is disabled, data from all configured domains will be available.

E-mail settings

The e-mail server settings can be changed at any time through the Configuration tool. Selecting the Edit task brings up the configuration dialog where you can change which SMTP server to use and configure more advanced settings like setting custom authentication credentials or enabling TLS security. Custom credentials are useful in situations where you do not want to use the service account of the Specops Password Reset server for sending e-mail. The license reminder e-mail address can also be configured on this page. License reminders are sent to an administrator to report license compliance issues such as nearing or exceeding the allowed license count.

The settings are used when the Specops Password Reset Server sends

Helpdesk settings

The settings used when sending mobile verification codes from the helpdesk tool can also be changed at any time. Clicking the Edit task in the Configuration tool will open up the same dialog used in the Setup Assistant where you can also configure advanced settings like the authentication credentials and security protocols used in the communication with the SMTP server.

License

The license key used by the system can be updated at any time. This is typically required when you have added more user licenses or if you have upgraded the product to a new major version in accordance with your Support & Maintenance agreement. Updated license keys can be requested from Specops Software at any time. The license information displayed in the Specops Password Reset Configuration tool also shows the current license count.

Total user count

This value shows the total number of non-disabled users found beneath the configured scopes of management for all your enabled domains.

Affected User Count

This value shows the total number of non-disabled users that are affected by Group Policy Objects with Specops Password Reset settings.

Updating the license count

The license count is performed every time the Specops Password Reset Server starts and once every 24 hours while the service is running. If you have concerns about the numbers you should verify that your GPOs and Scope of Management settings are configured correctly.

Exceeding the number of licensed users

If the license count determines that your organization is using more licenses than it has purchased the Specops Password Reset Server will send a notification to the configured notification address. The server will also send warning e-mails prior to exceeding the number of allowed licenses when it determines that your organization is getting close to using all of its purchased licenses. In a situation when the license count is exceeded the Specops Password Reset Configuration tool will display a warning to notify the administrator that more licenses are required. The administrator will also be notified by e-mail on a daily basis as long as the problem persists.

Warning! As long as the number of licensed users is exceeded it will not be possible for new users to enroll in the system. These users will be presented with an error message and asked to contact their administrator.

Specops Password Reset ADUC extension

The ADUC menu extension allows you to see the current Specops Password Reset configuration for a user by right-clicking the user object in Active Directory Users and Computers. This functionality requires the Specops Display Specifiers to be added to the configuration partition of the forest, which is easily performed through the Setup Assistant. Once installed, right-clicking a user object in Active Directory on a computer where the Specops Password Reset Administration Tools are installed will open up the user view of that specific user in the Specops Password Reset Helpdesk tool.

Configuring your environment for use with the Mobile Access web service

The Mobile Access Web Service component handles the communication with devices using the mobile applications for Android, iPhone and Windows Phone. The Mobile Access web service is an optional component which can be installed as part of the Specops Password Reset Web installation. Once you have installed the Mobile Access service there are a few more steps which must be completed before the service is ready for use within your organization.

Internet accessibility

The Mobile Access service needs to be reachable from the internet. The mobile devices will connect to the service through HTTPS, which means you need to ensure that your firewall allows communication on TCP port 443.

Service discovery

In order for the mobile devices to find your Mobile Access service the applications will ask the user to enter their e-mail address. The domain part of the e-mail address (everything right of the @ character) is then used to make a DNS query to find a service record for the Mobile Access service in the zone. This requires each DNS zone your organization owns which handles e-mail for your users to be updated with a new service record pointing to the Specops Password Reset Mobile Access Service.

Creating the Specops Password SRV record

The service record should be created in your mail enabled external DNS zones either by you or your ISP depending on who manages the zone data. The following settings should be used:

DNS record part | Value | Explanation
_service | _specopspassword | The name of the service.
_protocol | _tcp | The _specopspassword service is accessed over tcp.
Zone Name | [zone] | This part is the name of your internet zone. The full name of the service record for the example.com domain would be: _specopspassword._tcp.example.com.
TTL | [TTL] | The time (in seconds) the record may be cached before it is considered obsolete. Every zone has a default TTL value, but it is also possible to create separate TTLs for each record.
Class | IN | The standard DNS class field. This is always IN.
Priority | 0 | If more than one target host exists for the service record the priority determines the preference between targets. Lower values mean higher preference.
Weight | 0 | The relative weight for records with the same priority.
Port | 443 | The _specopspassword service is accessed over SSL on port tcp/443. If this configuration is changed on the web server the port data in the SRV record needs to reflect this as well.
Target | [target FQDN] | The target is the FQDN of the host running the Specops Password Reset Web Service. For a host called spr in the example.com domain the target would be: spr.example.com.

The complete record to connect clients to the host spr.example.com might look like this:

_specopspassword._tcp.example.com IN spr.example.com
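The record in the table above decides which host the mobile applications send password reset traffic to, so it is worth checking after every zone change that the answer still carries the documented port and points only at hosts you operate. The following is an added example, not part of the Specops documentation: the function names, parameters and sample records are hypothetical, and the lookup name is built from the domain part of a user's address as described under Service discovery.

```powershell
# Added example, not Specops code. Function names and sample data are hypothetical.

function Get-SprSrvName {
    # Build _specopspassword._tcp.<zone> from the part of the address right of '@'.
    param([Parameter(Mandatory)][string]$Address)
    $parts = $Address.Trim().Split('@')
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Expected user@domain, got '$Address'"
    }
    '_specopspassword._tcp.{0}' -f $parts[1].TrimEnd('.').ToLowerInvariant()
}

function Test-SprSrvRecord {
    param(
        [Parameter(Mandatory)][string]$Address,
        # FQDNs of the hosts you actually run the Mobile Access service on.
        [Parameter(Mandatory)][string[]]$AllowedTarget,
        [int]$ExpectedPort = 443,
        # Optional resolver to ask, for example the public resolver the apps use.
        [string]$Server,
        # Pre-fetched answers for offline checks. Objects need the property names
        # Resolve-DnsName returns for SRV data: Name, Priority, Weight, Port, NameTarget.
        [object[]]$Record
    )
    $name = Get-SprSrvName -Address $Address
    if (-not $PSBoundParameters.ContainsKey('Record')) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            $Record = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        } catch {
            $Record = @()   # NXDOMAIN or resolver failure: reported below
        }
    }
    if (-not $Record -or $Record.Count -eq 0) {
        return [pscustomobject]@{
            Name = $name; Target = $null; Port = $null; Ok = $false
            Findings = @('no SRV record returned')
        }
    }
    $allowed = @($AllowedTarget | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })
    foreach ($r in $Record) {
        $findings = @()
        $owner  = ([string]$r.Name).TrimEnd('.').ToLowerInvariant()
        $target = ([string]$r.NameTarget).TrimEnd('.').ToLowerInvariant()
        if ($owner -ne $name) {
            $findings += "owner name '$owner' does not match '$name'"
        }
        if ($r.Port -ne $ExpectedPort) {
            $findings += "port $($r.Port) differs from expected $ExpectedPort"
        }
        if ($allowed -notcontains $target) {
            $findings += "target '$target' is not one of your Mobile Access hosts"
        }
        [pscustomobject]@{
            Name = $name; Target = $target; Port = $r.Port
            Priority = $r.Priority; Weight = $r.Weight
            Ok = ($findings.Count -eq 0); Findings = $findings
        }
    }
}

# Constructed sample answers: the first matches the table, the second deviates.
$sample = @(
    [pscustomobject]@{ Name = '_specopspassword._tcp.example.com'; Priority = 0
                       Weight = 0; Port = 443; NameTarget = 'spr.example.com' }
    [pscustomobject]@{ Name = '_specopspassword._tcp.example.com'; Priority = 0
                       Weight = 0; Port = 8443; NameTarget = 'spr.example.net' }
)
Test-SprSrvRecord -Address 'alice@example.com' -AllowedTarget 'spr.example.com' -Record $sample |
    Format-List Name, Target, Port, Ok, Findings
```

Leave out -Record to query DNS live, and pass -Server to ask a specific public resolver instead of the internal one.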

Testing the service record

The service record can be tested by running the following command from a command prompt:

nslookup -type=srv _specopspassword._tcp.[your_domain_name]

Expected response:

nslookup -type=srv _specopspassword._tcp.example.com
Server: google-public-dns-a.google.com
Address:

Non-authoritative answer:
_specopspassword._tcp.example.com SRV service location:
    priority = 0
    weight = 0
    port = 443
    svr hostname = spr.example.com

The mobile device applications also use the Google DNS at IP-address when querying for the service record, making this the best source for DNS verification. You may have to wait until this DNS has been updated before the new record is accessible to the internet.

Mobile device applications

Specops Password Reset can be accessed over mobile device applications for iPhone, Android and Windows Phone. The applications are free of charge and can easily be found in the application store used by the respective device.

Mobile Device Type | Supported OS versions | How to find the app
Android phones, Android tablets | Android 2.2 and higher | Open Google Play and search for Specops Password Reset. The application should be listed in the search results.
iPhone, iPad | iOS 6.0 | Open the App Store and search for Specops Software. The application should be listed in the search results.
Windows Phone | Windows Phone 7.x and higher | Open the Windows Phone Marketplace and search for Specops Software. The application should be listed in the search results.

Once installed the mobile application is ready for use.

Specops Password Reset Web Customization tool

The Specops Password Reset Web application comes with a customization tool which gives you full control over the end user interface in Specops Password Reset. The customization tool can be used both to control the graphical appearance of the user interface by changing the theme used on the web server and the texts used in the product by modifying the language translations. When opening the tool you are presented with an overview showing the currently available languages on the left hand side, and the currently available themes on the right hand side.

The main page of the Web Customization tool.

Themes

The graphical elements in Specops Password Reset, such as the background picture and logos used on the web pages, are controlled through the theme editor. Select an available theme in the theme list and click the Edit Theme button to start the editor. New themes can be created by clicking the Add New Theme button. The Set Current Theme button makes the selected theme the active theme in the web application. The graphics are changed by browsing to the new file you wish to use in your theme. The text display elements are contained in the cascading style sheets that are applied to the product. These are found by clicking the Theme Path link at the top of the theme editor.

The theme editor is used to select new images for the theme.

The table below specifies the recommended size of the graphic elements used in the themes.

Element | Size | Where is it used?
Wizard Background | 800x600 pixels | Background image on the Reset, Change and Enrollment pages.
Wizard top left logo | 128x109 pixels | The logo image used on the Reset, Change and Enrollment pages.
Helpdesk top left logo | 128x109 pixels | ID card logo seen on the main page of the Helpdesk tool.
Helpdesk logo | 381x54 pixels | The header image used in the Helpdesk tool.

Specops Password Reset uses the PNG and GIF formats for the graphics shipped with the product. All the graphics used in the theme can be found in the Images folder in each theme folder. These images can also be replaced, but this is not possible through the Theme editor.

Cascading Style Sheets

The appearance of the text displayed on the pages is controlled through the cascading style sheets found in the theme folder. Clicking the theme path link at the top of the theme editor opens this folder. Modifying the style sheets can be done in any text editor.

Style Sheet | Where is it used?
Default.css | Reset, Change and Enrollment pages.
HelpDesk.css | Helpdesk pages.
MasterPage.css | Master pages.
Reporting.css | Reporting pages.
Wizard.css | Wizard elements on the Reset, Change and Enrollment pages.

Languages

The languages used in Specops Password Reset can be modified by using the language editor, which can be opened by selecting a language and clicking the Edit Selected Language button. The _Default language is the English translation shipped with the product. New languages can be added to the system by using the Add New Language button. All strings for the new language must be entered manually in the language editor.

Using the language editor

The language editor is very easy to use and allows free text editing for all the strings used on the web pages. The strings are divided in tabs depending on where they are used in the system. Simply select a string, double-click the text and change it.

The language editor can be used to change any string used on the Specops Password Reset web pages.

Placeholders

Some of the strings contain placeholders for variables retrieved by the Specops Password Reset server. For instance, the mobile telephone number from the user object might be passed to a string which has to display the mobile number. The placeholders represent the position in an array of values retrieved by the server. {0}, which might represent the mobile number in one string, could thus represent something completely different in another string. The surrounding text can usually be used to identify the type of value the placeholder will have. If more than one placeholder is used in the same string they will use the format {0}, {1} etc.

Restarting the web site application pool to apply changes

The Specops Password Reset Web application pool may have to be restarted to apply changes to the language translations. This can be done through the IIS manager on the web server.

Specops Password Reset and Group Policy

Specops Password Reset extends the functionality of Group Policy to make it possible to assign Specops Password Reset configuration settings to your users through any Group Policy Object. Assigning these settings through Group Policy makes it extremely simple to control which users should be affected and also makes it possible to use different settings for different groups of users.

What user accounts will be affected?

All user accounts that are located in locations where your GPO is linked will be affected by the settings. If more than one GPO with Specops Password Reset settings is affecting the user account the normal GPO processing order will apply.

GPO processing order

In order to determine which settings are applied to a user or computer all Group Policy Objects that apply to the object are processed in a pre-determined sequence. If settings from different policies are in conflict, the GPO that was processed last will overwrite the previous settings. Group Policies are processed in the following order:

1. Local Group Policy objects. Specops Password Reset settings cannot be created on this level.
2. Site linked Group Policy Objects. These are domain GPOs that are linked on the site level. Specops Password Reset settings can be created on this level.
3. Domain linked Group Policy Objects. These are domain GPOs that are linked on the domain level. Specops Password Reset settings can be created on this level.
4. OU linked Group Policy Objects. This is the most common way to link GPOs in the domain.

If more than one GPO is linked on the same level the link order of the GPOs determines in which order the GPOs will be processed. The link order can be controlled from the Group Policy Management Console.

Security filtering

Security filtering allows an administrator to control on a permission level which users and computers are allowed to read the contents of the GPO. If an object cannot read the GPO, it will not be able to process it, and thus it will not be affected by the GPO. By controlling access this way it is easy to apply different policy settings to objects located on the same level in Active Directory. Specops recommends using security filtering when the standard GPO processing order is not sufficient to apply the settings you prefer.

Note: Do not forget to give the service account permissions to read the Group Policy Objects where you create Specops Password Reset settings. This is a common mistake when security filtering is used on the GPO to control which users should be affected.

WMI filtering

WMI filtering can also be used to determine if a GPO should be processed or not when Group Policy settings are applied. However, since the Specops Password Reset settings are interpreted by the Specops Password Reset Server rather than the client computers it is NOT possible to use WMI filtering to control which users should receive which settings.

Creating and editing Specops Password Reset policies

Specops Password Reset settings are managed through the GPMC snap-in installed with the Specops Password Reset Administration Tools. Since Specops Password Reset is completely integrated with the Windows Group Policy functionality every aspect of administrating these settings works the same way as when working with other Group Policy settings. This means that the standard Group Policy Management Console (GPMC) is the main way of creating Specops Password Reset settings. The following steps take you through the process of creating a new GPO and adding some Specops Password Reset settings:

1. Open the Group Policy Management Console (GPMC)
2. Expand your domain node and locate the Group Policy Objects node beneath it.
3. Right-click the Group Policy Objects node and select New.
4. Select an appropriate name for your Group Policy Object and click OK. The new GPO will now be created.
5. Locate the new GPO beneath the Group Policy Objects node. Right-click it, and select Edit.
6. The Group Policy Management Editor will now start and load the settings from your GPO. Expand the User Configuration -> Policies -> Windows Settings node.
7. Locate the Specops Password Reset node and click it to display the settings overview page.
8. Click the Enable Password Reset button in order to open the policy settings and start configuring the policy.

Specops Password Reset settings are created and managed by editing standard Group Policy Objects.

Specops Password Reset GPO settings

The Group Policy settings determine how the system should behave when a user tries to access it. The Specops Password Reset Server queries the Active Directory to find out which settings to use for each visiting user.

General settings

Enrollment Options

These settings control if the users affected by the policy should use Secret Questions, the Mobile Verification code or a combination of both as their authentication method. Prompting the user for their current password is strongly recommended for security purposes.

The General Settings tab in a Specops Password Reset GPO.

Enrollment Enforcing

The Reminder Mode setting controls how you wish to encourage your users to enroll in the system if they are affected by the GPO.

Reminder Mode | Explanation
Balloon tip | This setting causes a reminder balloon tip to pop up from the taskbar tray. Clicking the reminder will take the user directly to the enrollment web page. This is the default setting in Specops Password Reset.
Start browser | This setting causes the reminder to open a browser window with the enrollment web page.
Start unclosable fullscreen browser | This setting causes the reminder to open a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.

Reminder interval

The reminder can be configured to trigger only during user logon, or during logon and at regular intervals during the day. The default setting is to trigger enrollment reminders at regular intervals.

Reset Options

This option allows you to let the users unlock their user accounts when resetting their passwords.

Secret Questions

While the Secret Questions mechanism is enabled as an authentication method on the General tab you are able to configure how you wish to use them on this tab. The first step is to ensure that the questions you wish to use are present in the GPO.

The Secret Questions tab allows you to edit the secret questions used in the GPO.

Secret Question Settings

The settings surrounding the secret questions control the requirements on how users are allowed to select and answer the questions in the GPO.

Setting | Explanation
Number of questions | This is the number of questions the users are required to answer when they authenticate using the secret questions mechanism. The default value is 3 questions, but this can be increased in order to improve security. Note that you must have more than the configured number of questions available in the policy in order for users to be able to meet this requirement.
Number of allowed custom questions | It is possible to allow the users to enter both the question text and the answer to their own question when they register. This setting controls how many such Custom questions the user is allowed to use. The default value is 0 questions, in order to prevent users from creating bad questions which they cannot remember when they need to use the system.
Custom question answer min length | If custom questions are allowed, this value controls the minimum length of the answers to the custom questions. The default value is 3 characters.

Setting | Explanation
Lockout threshold | In order to prevent attacks on the system each user is given a specified number of attempts to answer the series of questions correctly. When the user exceeds the configured number of attempts the system will invalidate the enrollment information, preventing the user from using the system until a new enrollment has been created. Getting locked out from Specops Password Reset does not lock the user's Active Directory account. The default value is 10 attempts.
Allow identical answers | Selecting this option allows the users to use the same answer to more than one question in the question series. By default, this setting is not enabled in order to prevent users from cheating in their enrollment by entering the same answer to all questions regardless of the question text.
Case sensitive answers | Selecting this option requires the users to provide answers to their questions using the exact same case as when they enrolled. By default, this setting is not enabled in order to prevent user confusion around the answers.

Importing questions

The easiest way to add the questions that will be available to the users affected by the GPO is to import them from the selection of questions that are shipped with the product. These questions are also available in all the language translations shipped with the product. The question import can be started by clicking the Import Questions button. The English translation of the available questions will be listed on the left side, where you can choose which questions you wish to include. The convenient Select all button selects all questions. After selecting the questions you can also choose to add any translations to other languages than English that you want to use with this GPO.

It is easy to pick questions and translations in the Import Questions screen.

The ability to choose different questions and translations in different GPOs makes it very easy to adapt the settings in Specops Password Reset to the needs of the different parts of your organization. When you have selected all the questions and translations you wish to import, you can click the Ok button to save your selection in the GPO.

Creating new questions

It is not necessary to use the Import Questions functionality in order to populate your GPO with questions for use with Specops Password Reset. By using the Add new question button you can manually create new questions as needed.

Editing existing questions

Questions already present in the GPO can be freely edited by double-clicking the field you wish to change.

Minimum question length

The default minimum answer length on all questions that are shipped with the product is two characters. This value can be changed to better match the expected minimum length of a proper answer to the question.

Required questions

The users are forced to include all questions marked as Required in their series of questions and answers. Marking a question as required is a good way to ensure that all users answer at least one specific, secure question decided by the organization. By manually creating at least one question with organization-specific scope, such as asking for an employee ID or other information only known by each employee, and marking these questions as required, it is possible to improve the level of security in Secret Questions based authentication compared to allowing the users themselves to select all the questions.

Deleting questions

Unwanted questions can easily be deleted by selecting them and using the Delete Selected Question button.

Adding new languages

The Edit languages button allows you to add more language translation columns so you can provide translations for your questions in languages other than English. If you wish to add the translations which are shipped with the system, you should use the Import Questions functionality instead.

Mobile Verification Code

While the Mobile Verification Code mechanism is enabled as an authentication method on the General tab, you are able to configure how the system should connect to your SMS provider on this page.

The Mobile Verification Code tab controls the settings for the SMS provider.

Mobile Verification Settings

There are three settings controlling how the mobile verification code is used by users affected by the GPO you are editing.

Setting: Bypass if mobile number missing
Explanation: This setting enables using the Both authentication requirement in organizations where some, but not all, users have their mobile numbers registered in Active Directory. If the setting is enabled and the system detects that a mobile number is missing on the user, it will simply bypass the verification code requirement and jump straight to the secret questions.

Setting: Allow users to enter mobile number when enrolling
Explanation: By enabling this setting, users without a registered mobile number in Active Directory will also be asked to enroll in the system by registering their mobile number. The information is stored in the mobile attribute on the user object or the custom mobile attribute for Specops Password Reset if it has been configured for the system.

Setting: Require verification of mobile phone number
Explanation: Enabling this setting requires the users to verify that they have enrolled with the correct mobile number by receiving and responding with a verification code during the enrollment process.

Verification Code Message

When the system needs to send an SMS message, the Specops Password Reset Server will use these settings to create an email message with the SMS contents. The message is then sent to the SMS provider, which converts the email and sends the SMS to the end user.

Note: Consult your SMS provider documentation when creating the Mobile Verification Code message settings.

Most of these settings are controlled by the SMS provider, but the important variables, such as which mobile number the SMS should be sent to, are handled through placeholders.

Placeholder: %MobileNumber%
Explanation: This placeholder contains the mobile number retrieved by Specops Password Reset from the user object of the target user in Active Directory.

Placeholder: %Code%
Explanation: This placeholder contains the mobile verification code generated by Specops Password Reset. The code is only valid for use from the same session against the web server that it was requested from.

Placeholder: % %
Explanation: This placeholder contains the email address retrieved by Specops Password Reset from the user object of the target user in Active Directory.

Notifications

When certain system events occur, such as a user enrolling with the system, Specops Password Reset has the ability to generate emails which are sent to the end users to confirm that the operation was successful. These event triggers can also be used to send additional email elsewhere, containing data about the operation. The notification settings are controlled through the Notifications tab.

The Notifications tab

Server Settings

These settings can be used to override the server configuration specified during the installation of the Specops Password Reset Server component. This is useful in scenarios where you want a specific part of the organization to use a specific SMTP server.

Events

Specops Password Reset is able to send email on the following events:

Event: Password Reset by user
Description: This event triggers every time a user resets their password through Specops Password Reset. By default, a confirmation is sent to the user with details about the reset operation.

Event: Password Reset from helpdesk
Description: This event triggers when the Specops Password Reset Helpdesk tool is used to reset the password of a user. No emails are configured by default for this event.

Event: User has enrolled
Description: This event triggers when a user successfully completes the enrollment process in Specops Password Reset. By default, a confirmation is sent to the user with details about the enrollment operation.

Event: User account locked out from Specops Password Reset
Description: This event triggers when a user has exceeded the allowed number of attempts to answer the secret questions correctly. No emails are configured by default for this event.

Event: Account unlocked
Description: This event triggers when a user unlocks their account through Specops Password Reset. No emails are configured by default for this event.

Event: Enrollment reminder
Description: This event triggers during the daily enrollment status check if the system discovers that a user who is required to enroll has not yet enrolled with the system. No emails are configured by default for this event, but it is strongly recommended to add your own customized reminder to be sent to the user reminding them that they should enroll.

Managing emails

Select an event in the Event list to see which emails are configured to be sent when that event triggers. New emails can be added or edited by using the Add and Edit buttons respectively. When creating or editing your email you have access to certain placeholders containing information sent from the event triggering the email. The placeholders can be used in any of the fields to fill the email with useful information. Email templates can be enabled and disabled by using the Enable this Template checkbox at the top of the screen.

Custom Wizard Messages

The last tab in the GPO configuration is the Custom Wizard Messages tab. These settings allow you to create your own custom message to be displayed to the end users when they have successfully completed an enrollment, password change or password reset operation. The custom message you create can either be appended to the default message or used to replace the default message entirely.

Specops Password Reset Reporting

In order to track the system utilization, Specops Password Reset comes with a comprehensive reporting facility which allows you to track the activity of your users down to the individual user level. The reporting page is only accessible to members of the Specops Password Reporting Admins and Specops Password Reporting Readers local security groups on the Specops Password Reset Server.

Database file

All the reporting statistics gathered by Specops Password Reset are stored in an SQL Server Compact database. The content of the database is processed when accessing the reporting page in Specops Password Reset, which may require some time in larger environments.

Accessing the database file from other systems

It is quite easy to access the database file by connecting to it using the Microsoft SQL Server Compact 4.0 (.NET Framework Data Provider for Microsoft SQL Server Compact 4.0) provider. The database file can be found at the following location on the Specops Password Reset Server:

%ProgramData%\Specopssoft\Specops Password Reset\SPRReporting.sdf

Enrollment Statistics

The Enrollment Statistics overview shows enrollment status for the currently configured Group Policy Objects in your environment. The statistics are broken down both per policy and as a summary of all GPOs. The page is very useful when determining if there is a specific policy causing problems with end user adaption or users getting locked out of the system.

The Enrollment Statistics overview shows enrollments from all GPOs.

Reset Statistics

The Reset Statistics overview shows the system usage during the last year. The top of the overview shows the number of events logged by the system, allowing you to track the actual activity in the system. These figures can be very useful if your organization is interested in calculating the return on investment of implementing Specops Password Reset. The two diagrams show the events during the last week and each calendar month, allowing you to pinpoint which periods are the most sensitive to your organization.

The Reset Statistics overview page shows the system usage.

The ability to track the number of SMS text messages sent from the system is also useful to ensure that you don't run out of SMS credits with your SMS provider.

All users

The All users overview displays the enrollment information for each individual user. By filtering the report based on the GPO the users are affected by, or on whether they are enrolled or not, it is easy to get a quick overview of whether any action is necessary to encourage the users to enroll. The resulting report can be exported to a comma separated file (csv) which can then be opened in your spreadsheet program for further analysis.

The All Users overview shows the enrollment data of each user.

Note: The usage statistics for each user are found in the Specops Password Reset Helpdesk tool.

License Statistics

The license statistics overview shows you the same overview of your current license information that you can find in the Specops Password Reset Configuration tool. All the Specops Password Reset Reporting pages also have the ability to initiate a new user count by using the link at the bottom left corner. This action refreshes the statistics on the reporting page.

Note: If your organization desires to track the changes in the number of help desk calls after the implementation of Specops Password Reset, and you already have a help desk system which contains the normal call statistics, you can configure Specops Password Reset to send emails to your existing help desk system to keep tracking the usage statistics there. This configuration is performed in the GPOs controlling the settings for the end users.

Specops Password Reset Helpdesk

While implementing Specops Password Reset certainly reduces the number of phone calls to your helpdesk, there will always be situations when people do call in with password related problems. A common security issue in many helpdesks today is the problem of authenticating the callers before proceeding with the reset operation. In some cases there simply isn't any process for this, and the helpdesk staff has to trust that the person who calls really is the person they claim to be. In other cases the organization has some sort of authentication process, but it requires several complicated steps of verification and results in a long, unproductive waiting period for the end user.

The search view lists accounts matching the search string.

Specops Password Reset comes with a helpdesk tool that aims to solve these issues. The helpdesk tool is available to users who are members of the Specops Password Helpdesk Admins local security group. Once the page is opened, the helpdesk person can search for the user account of a user who calls in. Clicking the account brings up the user information page, where the helpdesk can perform various actions on the user.

Verify User

If a mobile phone number is configured on your user, the helpdesk can send a one-time verification code to the mobile phone for authentication purposes. The user can then repeat the code they received and the helpdesk person can verify that the code matches what was sent. If the Enable challenge question in helpdesk setting has been configured for the domain, the helpdesk person can also see the last secret question the user enrolled with. By repeating the question to the user and asking them for the answer to it, the helpdesk can authenticate the user.

Active Directory and enrollment information

The user information page also shows general information from Active Directory about the user, the current password policies that apply to the user and the enrollment status. The Force Reenrollment button can be used to invalidate an existing enrollment, forcing the user to reenroll with the system. This option is only available when the user has a valid enrollment.

Password Reset

Once the user has been authenticated, the helpdesk person can switch to the Password Reset tab where they can set a new password for the user. The convenient Generate Password button automatically creates a complex password which matches the password policy of the user, but it is also possible to enter the new password directly in the New Password field. Clicking the Reset Password button when the new password has been entered performs the actual password reset operation in Active Directory. When the operation has completed, the Send Password button can be used to send the new password in an SMS text message to the user.

The Reset Password page shows the current password policy for the user.

User Statistics

Individual statistics for each user are available under the User Statistics tab. The helpdesk can use this page to see the full history of system usage for each user, which can be very useful to discover if there are particular users who tend to use the system more than others. In case of suspected system abuse, it is also possible to use this information for logging purposes.

The Specops Password Client

The Password Client handles the integration between Specops Password Reset and the Windows client computers. When the password client has been installed, it will add a Reset password link to the logon screen in Windows when it detects that it can connect to the Specops Password Reset web application. Clicking the link will start a locked down client which takes the user directly to the reset page of the Specops Password Reset web application. It is not possible to access the local computer through the locked down client.

The Reset password... link is available directly on the Windows logon screen.

The Specops Password Client also adds shortcuts on the start menu in Windows. Through these shortcuts the user is able to access the Enrollment, Reset Password and Change Password pages.

User authentication

When the user arrives at the reset page they are asked to provide their user name. The Specops Password Reset server will then determine if there are any Specops Password Reset Group Policy settings that apply to the provided user name, and proceed to authenticate the user according to these settings. If the mobile verification mechanism is used, it will be presented before the secret questions mechanism. Failing to provide a correct answer to a question will cause an error message to be displayed, explaining the problem to the user. The GPO settings for the secret questions mechanism include a restriction on the number of attempts a user has to answer the series of questions correctly. If the number of allowed attempts is exceeded, the user will not be allowed to use the system until they have completed a new successful enrollment.

The Secret Questions authentication method requires the user to answer questions that they have previously answered to enroll in the system.

Resetting a password

Once the user is successfully authenticated they are able to select a new password. If the user account was detected to be locked out of Active Directory, the user is given the option to either simply unlock the account, or to proceed with a full password reset operation. The intuitive interface on the password reset screen makes it easy for the user to select a new password which matches the current password rules. Each rule criterion is presented to the user and dynamically checked for compliance as the user types in the desired password. When all rules are met, the user can proceed to attempt the password reset. Some rule criteria, such as compliance with the password dictionary, are marked with a yellow symbol. This symbol indicates that the criterion cannot be dynamically checked on the client and has to be verified on the domain controller where the actual password reset operation takes place.

The intuitive interface makes selecting a new password easy and understandable.

If the new password is accepted on the domain controller, the user will be informed that the operation completed successfully. An email will also be generated and sent to the user with information that their password was reset through the system. This way the users can quickly detect if someone else has reset their password and alert an administrator to the problem.

Changing the password

Specops Password Reset can also be used when your users want to change their passwords through the start menu shortcut added by the password client. To verify their identity, the user will have to provide their current password before they can access the Change Password page. The main advantage of using the Change Password page instead of the normal ctrl+alt+delete functionality in Windows is that the user can see the current password rules while they are selecting a new password.

Enrollment process

If the Secret Questions authentication mechanism is used, or if the Mobile Verification Code mechanism requires users to register their mobile numbers with the system, the password client will notify the users that they need to enroll with the system. The notification method is controlled through the GPO settings, with the default setting being a tray bar notification balloon tip.

Clicking the balloon tip takes the user directly to the enrollment page where the process can be started.

Language selection

The first step in the process is to select the language to use for the enrollment. Only the languages configured for the user through the GPO settings will be available to choose from. The language choice is important because the selected language will override any language selection made when the user wants to reset their password. If the GPO settings require the user to enter their current password during the enrollment process, they also need to complete this step before they can move on to the actual enrollment steps.

The language selection at the start of the process is important.

Selecting questions

The user will start by answering all the required questions configured in the GPO. The system verifies that the provided answer complies with the minimum length setting and that the identical answer setting is not violated. When the required questions have been answered, the user is allowed to choose between the remaining questions from a dropdown list with the questions available in the GPO. When the required number of questions has been answered, the user is able to review the provided answers before completing the enrollment. When the enrollment is completed, the system will generate an email and send it to the user. This mechanism also alerts the user if someone tries to change their enrollment information without their knowledge.

The user can review the provided answers before completing the enrollment.

Cached credential reset capability

Specops Password Reset 6.1 has the capability to reset the locally cached credentials of the users when they reset their passwords from the Reset Password link found on the logon screen. This means that users who are accessing the Specops Password Reset web application from a location where their computer is not in contact with its domain are still able to log in to Windows with their newly reset passwords. The secret behind this process is the secured browser executable which is used to handle password resets from the logon screen. When the secured browser receives confirmation that the password in the domain has been reset, it will match the user name against the locally stored credentials and replace them as necessary.

Requirements

In order for the cached credentials reset functionality to work, the following conditions must apply:

1. The Specops Password Client 6.1 must be installed on the local machine.
2. An internet connection must be available to connect to the Specops Password Reset web application.
3. The Offline Password Reset web page URL setting must be configured for the Specops Password Client in order to allow it to find an external web server to connect to when the computer is not in contact with its domain. This setting is easily configured through the Group Policy Administrative Template for Specops Password Reset.
4. The host name specified in the Offline URL setting must be part of the Trusted Sites zone in Internet Explorer. This setting should be configured by using the site-to-zone mapping Group Policy setting for the computer.
5. The user must have a previous successful logon which would have stored credentials locally.

Note: When a user changes their password from within Windows, the cached credential will not be changed. Remind your users to always log out and back in again after they change their password in order to make sure that their credentials are stored properly. This is also a general best practice recommended by Microsoft for many other reasons.

Disabling the cached credential reset functionality

The cached credential reset functionality can be disabled through the Specops Password Reset administrative template by enabling the Disable credential cache update after password reset setting.

Specops Password Reset logon tile

With the introduction of Windows Vista, Microsoft changed the way the Windows logon screen works. The new architecture makes it easier to modify the behavior of the logon screen by enabling third parties to develop their own credential providers and present them to the user. Specops has discovered that not all third party developers comply with the Microsoft design specifications for credential providers, resulting in an incompatibility between these products and Specops Password Reset. In order to work around these issues, Specops has included the ability to present the Reset password link to the end users as a Windows logon tile rather than as a link text. The Logon Tile is primarily intended for use in environments where the conflicting poorly designed products are installed. Enabling this functionality is controlled through the Specops Password Reset ADMX-template.

Specops Password Reset administrative template

The Specops Password Client is configurable through an administrative template where you can easily control the settings for the client behavior. The template is installed together with the Administration Tools and is visible whenever you edit a GPO from a machine where the administration tools are installed.

The client behaviour is easily controlled through the ADMX template settings.

Perhaps the most important setting is the Offline Password Reset web page URL, which must be configured in environments where you want to be able to use the Cached credentials reset capability. Other common settings are to let the client display a tip to the user if they try to log on to a locked out account or if they keep entering the wrong password. Specops recommends setting up a Central Store for Group Policy administrative templates.

Note: You should add the Specops Password Reset Administrative template to the central store if you have configured one. The template file can be found at the following location on computers where the administration tools are installed:

%windir%\policydefinitions\sprclientadministrativetemplate.admx

Central Store for Group Policy administrative templates

In order to reduce the replication traffic between domain controllers, Microsoft changed where the administrative templates are stored when Windows Vista and Windows Server 2008 were introduced. With previous versions of Windows the adm-templates were stored together with the GPO itself, essentially creating a new copy of the template files for each GPO. With the introduction of the Central Store for administrative templates, all template files can be stored in a single location on SYSVOL where they can be accessed and presented in a localized format when editing any GPO.

Creating the central store

It is very easy to create and start using a Central Store for Group Policy administrative templates. Simply copy the %windir%\policydefinitions folder from a Windows machine of the latest generation of Windows you use to the Policies folder on the SYSVOL share in your domain. Once the Central Store has been created, it is important that all Group Policy editing takes place from machines with your latest Windows version. When new Windows versions are added to your environment you'll also want to keep the Central Store updated with policy definitions from the new Windows version. If you are implementing the Central Store in an existing environment where your GPOs already have local copies of the old adm-templates, you should also spend some time going through these policies and removing the adm-files in order to gain the full benefit of the reduced SYSVOL size the Central Store brings to your Active Directory. This Microsoft KB article explains the process in further detail:

System Security

Specops Password Reset contains a number of security features which can be configured to adapt the system to the security requirements of your organization. There are also a number of registry settings that can be used to control the behavior of the system components.

Delegated Helpdesk security configuration

The Helpdesk tool uses the trusted subsystem security model by default, but it can also be configured to apply a delegated security model. The differences between the two models are described below. You should configure Specops Password Reset to use the model which best matches the security needs of your organization.

Trusted subsystem model

When accessing the Helpdesk, all operations are performed in the context of the configured Specops Password Reset service account. Access to the Helpdesk is controlled through the membership of the local security group Specops Password Helpdesk Admins on the Specops Password Reset server. Users allowed to access the Helpdesk can reset the password of any user within the configured scope of management in the configured domains.

Delegated security model

When the Helpdesk is configured to use the delegated security model, all server operations are performed in the security context of the user accessing the web page. This is particularly useful in environments where the ability to reset passwords has already been delegated to the Helpdesk personnel. The delegated security model also allows more detailed logging and tracking of user activities in the system, and can be used to provide granular control over who is allowed to reset which password.

Configuring the Helpdesk tool to use the delegated security model

If you wish to use the trusted subsystem model you don't need to take any action at all. In order to use the delegated security model you need to complete the configuration steps below.

Configure the SPR server computer account to be trusted for delegation.

1. Find the computer account in Active Directory Users and Computers.
2. In the account properties, select the Delegation tab.
3. Select the Trust this computer for delegation to any service (Kerberos only) option and save the changes.

Configure the SPR service user account to be trusted for delegation.

1. Find the service account in Active Directory Users and Computers.
2. In the account properties, select the Delegation tab.
3. Select the Trust this user for delegation to any service (Kerberos only) option and save the changes.

Note: Verify that the account option Account is sensitive and cannot be delegated is not checked for the SPR service account.

Grant the Act as part of the operating system privilege to the SPR service account

In order for the SPR service to be able to impersonate the Helpdesk user, the Act as part of the operating system privilege must be assigned to the SPR service account on the SPR server. The privilege can be assigned either using a Domain Group Policy Object (GPO) or by using the Local Security Policy tool. If you are using a GPO to assign the privilege, the setting can be found in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

If using the Local Security Policy tool:

1. Start Local Security Policy from Administrative Tools on the SPR server.
2. Open the Security Settings\Local Policies\User Rights Assignment node.
3. Double-click the Act as part of the operating system policy.
4. Add the SPR service account to the policy.

Enable the delegated security model in the Helpdesk tool

The delegated security model is enabled by modifying a registry entry for the Specops Password Reset Server.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\UseDelegatedHelpdeskSecurity
Explanation: Enables the delegated security model in the helpdesk. If the value is set to 1 the delegated security model will be enabled. If set to 0 the trusted subsystem security model will be used. Default value =

Allow users to write events to the Application log on the SPR Server

Because the SPR Server service writes entries to the Application log when impersonating the user, the local Users group must be granted write permissions to the Application event log. This is configured by creating a new registry entry on the Specops Password Reset server:

Registry key: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\CustomSD (REG_SZ)
Value: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S )(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;BU)

Grant Helpdesk personnel read permissions to fine-grained password policies

If fine-grained password policies (FGPP) are used in the domain, you will need to grant Helpdesk personnel read permission to these in order to see the correct password rules in the helpdesk tool. Log on to a domain controller with an account that has Domain Admin permissions in the domain and run the following command from a command prompt:

dsacls "CN=Password Settings Container,CN=System,[domain_DN]" /I:S /G [group_name]:rp;;msds-passwordsettings

Example:

dsacls "CN=Password Settings Container,CN=System,DC=example,DC=com" /I:S /G "example\helpdesk Staff":RP;;msDS-PasswordSettings

Granting read access to the fine-grained password policies is not required if such policies are not in use.

Modifying which user attributes are used by the system

The Specops Password Reset Server uses data from the user objects in Active Directory to read and write information used in the system. It is possible to control which attributes are used by the system by modifying the registry on the Specops Password Reset Server.

Session data and mobile verification code attributes

During the password reset process the session data for the session, such as the session ID and the mobile verification code, is stored in the specops-spp-pwdreset sub object beneath the user object in Active Directory. If your organization is only using the mobile verification code mechanism, the creation of the sub object can be prevented by configuring the Specops Password Reset Server to use custom user attributes instead of the sub object when storing the session data.

These settings are controlled in the registry on the Specops Password Reset server:

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Domains\[domain_name] UseCustomAttributesForVerificationCode
Explanation: Enables the use of custom attributes for session data. If the value is set to 1 the custom attribute settings will be enabled. If set to 0 the sub object will be used to hold session data. Default value = 0

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Domains\[domain_name] CustomAttributeSessionId
Explanation: LDAP display name for the arbitrary user string attribute you wish to hold the session ID. Default value =

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Domains\[domain_name] CustomAttributeVerificationCode
Explanation: LDAP display name for the arbitrary user string attribute you wish to hold the mobile verification code. Default value =

The SPR service account must be granted permissions to read and write the attributes chosen above. This can be done by executing the following commands:

dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:rpwp;[your_selected_sessionid_attribute];user
dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:rpwp;[your_selected_verification_code_attribute];user

Example:

dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;carLicense;user
dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;assistant;user

The Specops Password Reset Server service should be restarted after this configuration has been applied.

E-mail address and mobile phone attributes

By default the Specops Password Reset Server retrieves the e-mail address of the user from the mail attribute. The mobile phone number of the user is retrieved from the mobile attribute. These settings can be changed to other attributes on the user object:

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Domains\[domain_name] CustomAttribut
Explanation: Enables the use of a custom attribute for e-mail address data if configured with a value. The specified value should match an attribute on the user object. Default value =

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Domains\[domain_name] CustomAttributeMobile
Explanation: Enables the use of a custom attribute for mobile phone number data if configured with a value. The specified value should match an attribute on the user object. Default value =

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Domains\[domain_name] CustomAttributeVerificationCode
Explanation: LDAP display name for the arbitrary user string attribute you wish to hold the mobile verification code. Default value =

The SPR service account must be granted permissions to read and write the attributes chosen above. This can be done by executing the following commands:

dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:rpwp;[your_selected_ _attribute];user
dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:rpwp;[your_selected_mobile_phone_attribute];user

Example:

dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;carLicense;user
dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;assistant;user

The Specops Password Reset Server service should be restarted after this configuration has been applied.

Configuring the password client to use the custom mobile attribute

If the mobile attribute has been changed, the password client should be configured to use the custom attribute as well. This is controlled through the Specops Password Reset ADMX template and the User object custom mobile attribute setting.

Specops Password Reset Server call throttling

In order to prevent attackers from systematically probing the system for user names, the Specops Password Reset Server service automatically restricts the number of attempts a client may make to use the service within a specified sliding time window. The sliding window starts counting as soon as the first invalid request is detected and adds up new requests every time a new invalid attempt is detected. When the sliding time window for a request has elapsed, the request will once again be available for use with the service. If you wish to tweak these settings, the following changes should be made to the registry:

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\CallThrottlingMaxCalls
Explanation: Specifies the maximum number of calls permitted from a single client during the specified sliding time window. When the number is exceeded the server will deny the request and generate an error message. Default value = 200

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\CallThrottlingTimeWindowSeconds
Explanation: Specifies the size of the sliding window measured in seconds. Default value = 300 (5 minutes)

Other Specops Password Reset Server registry settings

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Databasefilepath
Explanation: Changes the location of the Specops Password Reset Reporting database. Default value = blank.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\HelpdeskMaximumNumberOfUsersDisplayed
Explanation: Controls the maximum number of user records to display in the Helpdesk tool. This setting is useful in large environments. Default value = 500.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\IgnoreParenthesisContentInPhoneNumbers
Explanation: This setting forces the Specops Password Reset server to ignore any digits entered between parenthesis characters in the mobile number. Default value = 0.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\LogFilePath
Explanation: Changes the location of the Specops Password Reset Server debug log file. Default value = C:\PasswordResetServer.log

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\PollingTime
Explanation: Controls at which time of day the daily user count and enrollment reminder process should start. Default value = 00:00

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\SearchPageSize
Explanation: Controls the page size of searches for users in the Helpdesk tool. Default value =

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\SendVerificationCode Using7bitencoding
Explanation: Specifies that 7-bit encoding should be used in the e-mails sent to the SMS provider. Useful when a provider does not support more modern encoding formats. Default value = 0

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\UseComplexMobileVerificationCode
Explanation: Specifies that the mobile verification code should be generated in a complex format. This setting can be disabled by changing the value to 0. Turning off the complexity causes a four-digit PIN code to be used as the mobile verification code. Default value = 1

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\DefaultLanguage
Explanation: Changes the default language of the server. This value can be used to avoid using English as the default language. Note that changing this setting also overrides any user language preference. The value should match the name of the language file on the web server, for instance sv for the Swedish translation. Default value = blank.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\UseOnlyDefaultLanguage
Explanation: Makes the configured default language the only language used in Specops Password Reset. Enabling this setting removes the language selection dropdown list from the Specops Password Reset web pages. You must configure a default language for this setting to work. Default value = 0

The server registry key also stores the configuration settings available through the Specops Password Reset Configuration tool.
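To see what the call throttling settings described above mean in practice when tuning them, the following added example (not code from Specops or from the original documentation) models a per-client sliding window over invalid requests. The class and function names are hypothetical, and two behaviours are assumptions: a blocked client has every request denied, and denied requests are not added to the window.

```python
from collections import defaultdict, deque

# Defaults taken from the registry table above.
CALL_THROTTLING_MAX_CALLS = 200
CALL_THROTTLING_TIME_WINDOW_SECONDS = 300


class SlidingWindowThrottle:
    """Illustrative model of a per-client sliding window over invalid requests."""

    def __init__(self, max_calls=CALL_THROTTLING_MAX_CALLS,
                 window_seconds=CALL_THROTTLING_TIME_WINDOW_SECONDS):
        self.max_calls = max_calls
        self.window = window_seconds
        # client id -> timestamps (seconds) of invalid requests still in the window
        self._invalid = defaultdict(deque)

    def _expire(self, client, now):
        """Drop invalid requests whose window has elapsed; return the live queue."""
        queue = self._invalid[client]
        while queue and now - queue[0] >= self.window:
            queue.popleft()
        return queue

    def is_blocked(self, client, now):
        """True when the client has used up its budget of invalid requests."""
        return len(self._expire(client, now)) >= self.max_calls

    def record(self, client, now, valid):
        """Process one request; return True if served, False if throttled."""
        if self.is_blocked(client, now):
            # Assumption: a denied call is not itself added to the window.
            return False
        if not valid:
            self._invalid[client].append(now)
        return True


def served_invalid_requests(max_calls, window_seconds, duration_seconds,
                            interval_seconds=1):
    """Count the invalid requests that are served when one client sends an
    invalid request every interval_seconds for duration_seconds."""
    throttle = SlidingWindowThrottle(max_calls, window_seconds)
    served = 0
    now = 0
    while now < duration_seconds:
        if throttle.record("client-a", now, valid=False):
            served += 1
        now += interval_seconds
    return served


if __name__ == "__main__":
    for max_calls in (CALL_THROTTLING_MAX_CALLS, 10):
        count = served_invalid_requests(
            max_calls, CALL_THROTTLING_TIME_WINDOW_SECONDS, 3600)
        print(f"MaxCalls={max_calls}: {count} invalid requests served per hour")
```

In this model the default values serve 2400 invalid requests per client per hour, and lowering CallThrottlingMaxCalls to 10 reduces that to 120; each denial corresponds to warning event 202 described in the Troubleshooting section.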

Troubleshooting

It is very uncommon for things to go wrong with Specops Password Policy, but all Specops products come equipped with some convenient troubleshooting features. This section explains the best procedure to troubleshoot the product.

Event logging

The Specops Password Reset Server component logs many of its operations to the application event log. This can be used to monitor the service for problems or for gathering information about the system usage.

Specops Password Reset Server events

Information events

ID   Error Level   Explanation
100  Information   Service Starting.
101  Information   Service Started.
103  Information   Service Stopped.
104  Information   License Verification entry. Contains the license count information which is collected nightly.
105  Information   Reporting database migration started. Only logged if the service discovers an existing database stored in the old xml-format.
106  Information   Reporting database migration completed successfully. Only logged if the service discovers an existing database stored in the old xml-format.
110  Information   Enrollment successful. Logged every time a user enrolls.
111  Information   Reset successful. Logged every time a user has successfully reset their password.
112  Information   Unlock successful. Logged every time a user has successfully unlocked their user account.
113  Information   Change successful. Logged every time a user has successfully changed their password.
114  Information   Change failed. Logged every time a user has tried to change their password, but failed because of the password policy rules.

Warning events

ID   Error Level   Explanation
202  Warning       Too many failed user names. Logged when the call throttling feature has blocked a client request.
203  Warning       Too many verification code requests.
205  Warning       Ignore password rules on reset found in policy. Logged when Specops Password Reset discovers a user with a Specops Password Policy configured to be ignored on password reset operations. This setting should not be enabled in environments where Specops Password Reset is used because it allows users to bypass their password policy.
206  Warning       Password reset detected from user with the password not required flag set.
207  Warning       Password not required flag discovered on an enrolled user.
208  Warning       Failed to impersonate user.
210  Warning       Enrollment failed.
212  Warning       Unlock failed.
214  Warning       Wrong answer submitted during user authentication.
215  Warning       Wrong verification code submitted during user authentication.
216  Warning       User was locked out from Specops Password Reset.
220  Warning       License warning. Logged when the license is close to being exceeded.
221  Warning       User failed to reset their password.
222  Warning       User failed to change their password.
241  Warning       Failed to parse polling time from registry.
245  Warning       Failed to contact domain.
277  Warning       Failed to send enrollment reminder.

Error events

ID   Error Level   Explanation
300  Error         Service failed to start. Logged if the server component fails to start.
301  Error         Service failed to stop.
305  Error         No SPR Policy found.
306  Error         Wrong number of questions.
310  Error         Reporting database migration failed. Logged if the service fails to migrate an existing database stored in the old xml-format.
320  Error         License Error detected.
332  Error         Failed to get password reset package.
334  Error         Failed to send mobile verification code.
335  Error         Failed to get next secret question.
336  Error         Failed to get password policy for user.
337  Error         Server failed to unlock user account.
338  Error         Server failed to reset user password.
346  Error         Failed to send
     Error         Failed to send mobile verification code from helpdesk tool.
349  Error         Failed to send new user password from helpdesk tool.
385  Error         Failed to add data to the reporting database.
386  Error         Failed to clear user data from the reporting database.
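The event IDs listed above can drive simple monitoring of the reset service. The following is an added example, not part of the Specops documentation: it triages exported events by the IDs from the tables above. The tuple layout (timestamp, event ID, user), the 10-minute window, the threshold of 3 and the rule names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and meanings copied from the event tables above.
RESET_OK = 111
THROTTLE = {202: "too many failed user names",
            203: "too many verification code requests"}
POLICY_RISK = {205: "ignore password rules on reset found in policy",
               206: "password reset by user with password not required flag",
               207: "password not required flag on an enrolled user"}
FAILED_AUTH = {214: "wrong answer", 215: "wrong verification code"}
LOCKOUT = 216

# Assumed tuning values for this example, not product settings.
WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 3


def triage(events):
    """Return findings as (timestamp, rule, user, detail) tuples in time order.

    events: iterable of (iso_timestamp, event_id, user); user may be None.
    Timestamps must share one ISO 8601 format so that they sort correctly.
    """
    findings = []
    failures = defaultdict(list)  # user -> times of recent 214/215 events
    for ts_text, event_id, user in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts_text)
        # Keep only this user's failures that are still inside the window.
        failures[user] = [t for t in failures[user] if now - t <= WINDOW]
        recent = failures[user]

        if event_id in FAILED_AUTH:
            recent.append(now)
            # Report once, at the moment the threshold is reached.
            if len(recent) == FAILURE_THRESHOLD:
                findings.append((ts_text, "repeated-failures", user,
                                 f"{len(recent)} wrong answers or codes in window"))
        elif event_id == RESET_OK and len(recent) >= FAILURE_THRESHOLD:
            # A successful reset right after a run of failures deserves review.
            findings.append((ts_text, "reset-after-failures", user,
                             f"reset followed {len(recent)} recent failures"))
            recent.clear()
        elif event_id == LOCKOUT:
            findings.append((ts_text, "lockout", user,
                             "user was locked out from Specops Password Reset"))
        elif event_id in THROTTLE:
            findings.append((ts_text, "throttle", user, THROTTLE[event_id]))
        elif event_id in POLICY_RISK:
            findings.append((ts_text, "policy-risk", user, POLICY_RISK[event_id]))
    return findings


# Constructed sample events (not taken from a real log).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", 214, "alice"),
    ("2024-05-01T09:00:40", 214, "alice"),
    ("2024-05-01T09:01:10", 215, "alice"),
    ("2024-05-01T09:02:00", 111, "alice"),
    ("2024-05-01T09:05:00", 202, None),
    ("2024-05-01T10:00:00", 214, "bob"),
    ("2024-05-01T10:30:00", 111, "bob"),
    ("2024-05-01T11:00:00", 205, "carol"),
    ("2024-05-01T11:15:00", 216, "dave"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

A single wrong answer followed much later by a successful reset (user bob in the sample) produces no finding; only failures inside the window count.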

Debug logging

All components in a Specops product can be configured to log their internal activity to a verbose debug log. Since the debug logs allow you to follow exactly what the component is doing when an error occurs, it is usually a very good first step to enable debug logging and reproduce the error when you need to analyze a problem. Debug logging is enabled by changing the relevant registry key from 0 to 1 for the affected component.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\Debug
Explanation: Enables and disables debug logging for the Specops Password Reset Server.

Registry key: HKLM\Specopssoft\Specops Password Reset\Server\LogFilePath
Explanation: Specifies the log file path for the Specops Password Reset Server log. Default value = C:\SpecopspasswordResetServer.log

Registry key: HKLM\Specopssoft\Specops Password Reset\Web\Debug
Explanation: Enables and disables debug logging for the Specops Password Reset Web.

Registry key: HKLM\Specopssoft\Specops Password Reset\Web\LogFilePath
Explanation: Specifies the log file path for the Specops Password Reset Server log. Default value = C:\Temp\SpecopspasswordResetWeb.log

Note: Debug logs are easy to follow, but look even better if you use the Specops Log Viewer to read them. The Log Viewer is a free component that is delivered as part of the Specops Deploy setup package. Visit for more information.

Warning! Do not leave the debug logging turned on unless you need it. Verbose logging over an extended amount of time can create large log files which have the potential of filling your system disk partition.

Support

If you are unable to resolve a product related issue by yourself you are always welcome to contact Specops Support for further assistance.

Online support channel

The best way to access our support services is to submit your case directly on our website at: This ensures a quick response from our support team and enables you to get your case submitted directly into our support system.

Telephone support channel

If you have experienced a critical issue with the product you should contact Specops Support in your region directly through one of our support phone numbers:

International Support (located in Stockholm, Sweden) Open from 09:00 to 17:00 CET
North American Support (located in Toronto, Canada and Philadelphia, USA) Open from 09:00 to 17:00 EST SPECOPS ( )

Customer satisfaction

Happy customers are very important to us at Specops. If you would like to share your feelings about our products or service with us, please don't hesitate to contact us. Call your sales representative, talk to our support staff or if all else fails, send to [email protected]. We wish you a pleasant experience using Specops Password Reset.


More information

2X SecureRemoteDesktop. Version 1.1

2X SecureRemoteDesktop. Version 1.1 2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: [email protected] Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious

More information

ManageEngine ADSelfService Plus. Evaluator s Guide

ManageEngine ADSelfService Plus. Evaluator s Guide ManageEngine ADSelfService Plus Evaluator s Guide Table of Contents Document Summary:...3 ADSelfService Plus Overview:...3 Core Features & Benefits:...4 ADSelfService Plus Architecture:...5 Admin Portal:...

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

Check Point FDE integration with Digipass Key devices

Check Point FDE integration with Digipass Key devices INTEGRATION GUIDE Check Point FDE integration with Digipass Key devices 1 VASCO Data Security Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

PUBLIC Password Manager for SAP Single Sign-On Implementation Guide

PUBLIC Password Manager for SAP Single Sign-On Implementation Guide SAP Single Sign-On 2.0 SP1 Document Version: 1.0 2015-10-02 PUBLIC Password Manager for SAP Single Sign-On Implementation Guide Content 1 Password Manager....4 2 Password Manager Installation Guide....5

More information

NETWRIX FILE SERVER CHANGE REPORTER

NETWRIX FILE SERVER CHANGE REPORTER NETWRIX FILE SERVER CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 3.3 April/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Remote Filtering Software

Remote Filtering Software Remote Filtering Software Websense Web Security Solutions v7.7-7.8 1996 2013, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published 2013 The products and/or

More information

HOTPin Integration Guide: DirectAccess

HOTPin Integration Guide: DirectAccess 1 HOTPin Integration Guide: DirectAccess Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; Celestix assumes no responsibility

More information

safend a w a v e s y s t e m s c o m p a n y

safend a w a v e s y s t e m s c o m p a n y safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:

More information

Installation and Configuration Guide

Installation and Configuration Guide Entrust Managed Services PKI Auto-enrollment Server 7.0 Installation and Configuration Guide Document issue: 1.0 Date of Issue: July 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark

More information

Sophos Mobile Control Startup guide. Product version: 3.5

Sophos Mobile Control Startup guide. Product version: 3.5 Sophos Mobile Control Startup guide Product version: 3.5 Document date: July 2013 Contents 1 About this guide...3 2 What are the key steps?...5 3 Log in as a super administrator...6 4 Activate Sophos Mobile

More information

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

More information

NETWRIX USER ACTIVITY VIDEO REPORTER

NETWRIX USER ACTIVITY VIDEO REPORTER NETWRIX USER ACTIVITY VIDEO REPORTER ADMINISTRATOR S GUIDE Product Version: 1.0 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Live Maps. for System Center Operations Manager 2007 R2 v6.2.1. Installation Guide

Live Maps. for System Center Operations Manager 2007 R2 v6.2.1. Installation Guide Live Maps for System Center Operations Manager 2007 R2 v6.2.1 Installation Guide CONTENTS Contents... 2 Introduction... 4 About This Guide... 4 Supported Products... 4 Understanding Live Maps... 4 Live

More information

Password Policy Enforcer

Password Policy Enforcer Password Policy Enforcer Evaluator s Guide V7.6 Copyright 1998-2013 ANIXIS. All rights reserved. ANIXIS, ANIXIS Password Reset, Password Policy Enforcer, PPE/Web, Password Policy Client, Password Policy

More information

Sophos Mobile Control Installation guide. Product version: 3.6

Sophos Mobile Control Installation guide. Product version: 3.6 Sophos Mobile Control Installation guide Product version: 3.6 Document date: November 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...5 3 Set up Sophos Mobile Control...11 4 External

More information

NetIQ Advanced Authentication Framework - Administrative Tools. Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Administrative Tools. Installation Guide. Version 5.1.0 NetIQ Advanced Authentication Framework - Administrative Tools Installation Guide Version 5.1.0 Table of Contents 1 Table of Contents 2 Introduction 3 About This Document 3 NetIQ Advanced Authentication

More information

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE MICROSOFT ACTIVE DIRECTORY INTEGRATION Agostinho Tavares Version 1.0 Published 06/05/2015 This document describes how Inuvika OVD 1.0 can be integrated with Microsoft

More information

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012 SafeGuard Enterprise Web Helpdesk Product version: 6 Document date: February 2012 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Helpdesk

More information

v.2.5 2015 Devolutions inc.

v.2.5 2015 Devolutions inc. v.2.5 Contents 3 Table of Contents Part I Getting Started 6... 6 1 What is Devolutions Server?... 7 2 Features... 7 3 System Requirements Part II Management 10... 10 1 Devolutions Server Console... 11

More information

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3 Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

Jetico Central Manager. Administrator Guide

Jetico Central Manager. Administrator Guide Jetico Central Manager Administrator Guide Introduction Deployment, updating and control of client software can be a time consuming and expensive task for companies and organizations because of the number

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

MicrosoftDynam ics GP 2015. TenantServices Installation and Adm inistration Guide

MicrosoftDynam ics GP 2015. TenantServices Installation and Adm inistration Guide MicrosoftDynam ics GP 2015 TenantServices Installation and Adm inistration Guide Copyright Copyright 2014 Microsoft Corporation. All rights reserved. Limitation of liability This document is provided as-is.

More information

Migrating Exchange Server to Office 365

Migrating Exchange Server to Office 365 Migrating Exchange Server to Office 365 By: Brien M. Posey CONTENTS Domain Verification... 3 IMAP Migration... 4 Cut Over and Staged Migration Prep Work... 5 Cut Over Migrations... 6 Staged Migration...

More information

SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR DOCUMENTUM @ EROOM

SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR DOCUMENTUM @ EROOM SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR DOCUMENTUM @ EROOM Abstract This paper explains how to setup Active directory service on windows server 2008.This guide also explains about how to install

More information

Desktop Surveillance Help

Desktop Surveillance Help Desktop Surveillance Help Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating from Desktop Surveillance 2.6 to Desktop Surveillance 3.2... 13 Program Structure... 14 Getting

More information

Sophos Mobile Control Startup guide. Product version: 3

Sophos Mobile Control Startup guide. Product version: 3 Sophos Mobile Control Startup guide Product version: 3 Document date: January 2013 Contents 1 About this guide...3 2 What are the key steps?...5 3 Log in as a super administrator...6 4 Activate Sophos

More information

Administrators Help Manual

Administrators Help Manual Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service

More information

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication Certificate Based 2010 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 31 Disclaimer Disclaimer of

More information

Table of Contents WELCOME TO ADAUDIT PLUS... 3. Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

Table of Contents WELCOME TO ADAUDIT PLUS... 3. Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED... Table of Contents WELCOME TO ADAUDIT PLUS... 3 Release Notes... 4 Contact ZOHO Corp.... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED... 8 System Requirements... 9 Installing ADAudit Plus... 10 Working

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Cloud Extender Installation Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software described

More information

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft

More information

SAP Cloud Identity Service Document Version: 1.0 2014-09-01. SAP Cloud Identity Service

SAP Cloud Identity Service Document Version: 1.0 2014-09-01. SAP Cloud Identity Service Document Version: 1.0 2014-09-01 Content 1....4 1.1 Release s....4 1.2 Product Overview....8 Product Details.... 9 Supported Browser Versions....10 Supported Languages....12 1.3 Getting Started....13 1.4

More information

UP L18 Enhanced MDM and Updated Email Protection Hands-On Lab

UP L18 Enhanced MDM and Updated Email Protection Hands-On Lab UP L18 Enhanced MDM and Updated Email Protection Hands-On Lab Description The Symantec App Center platform continues to expand it s offering with new enhanced support for native agent based device management

More information

Installation & Configuration Guide

Installation & Configuration Guide Installation & Configuration Guide Bluebeam Studio Enterprise ( Software ) 2014 Bluebeam Software, Inc. All Rights Reserved. Patents Pending in the U.S. and/or other countries. Bluebeam and Revu are trademarks

More information

MaaS360 On-Premises Cloud Extender

MaaS360 On-Premises Cloud Extender MaaS360 On-Premises Cloud Extender Installation Guide Copyright 2014 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software

More information

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

More information

IBackup Drive User Guide

IBackup Drive User Guide IBackup Drive User Guide TABLE OF CONTENTS Introduction... 3 Features... 4 Install IBackup Drive... 5 Login to IBackup Drive... 5 About Main Screen... 7 Settings... 8 Toolbar Options... 11 IBackup Drive

More information

Apache Server Implementation Guide

Apache Server Implementation Guide Apache Server Implementation Guide 340 March Road Suite 600 Kanata, Ontario, Canada K2K 2E4 Tel: +1-613-599-2441 Fax: +1-613-599-2442 International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042

More information

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.

More information

Setting Up SSL on IIS6 for MEGA Advisor

Setting Up SSL on IIS6 for MEGA Advisor Setting Up SSL on IIS6 for MEGA Advisor Revised: July 5, 2012 Created: February 1, 2008 Author: Melinda BODROGI CONTENTS Contents... 2 Principle... 3 Requirements... 4 Install the certification authority

More information