Installing the Domain Controller Sentinel

Specops Password Policy™
Installation Guide
© Specops Software. All rights reserved.
For more information about Specops Password Policy and other Specops products, visit
www.specopssoft.com
Copyright and Trademarks
Specops Password Policy™ is a trademark owned by Specops Software. All other trademarks
used in this document belong to their respective owners.
Contents
About Specops Password Policy
Key components
Requirements
Installing Specops Password Policy
Installing the Administration Tools
Installing the Sentinel
Installing the Client
Post-installation
Support
About Specops Password Policy
Specops Password Policy helps you increase password security in your Microsoft Active
Directory environment. You can use Specops Password Policy to enforce password rules and
help users select stronger passwords. Specops Password Policy extends the functionality of
Group Policy and can be configured in any number of group policies within Active Directory.
Specops Password Policy is customizable. Users with access to sensitive information can be
assigned policies that enforce password complexity while users with little or no access to
sensitive information can be assigned a less restrictive password policy. This allows your
organization to meet password-related regulatory requirements in a quick and cost effective
manner.
Specops Password Policy is a component of the Specops Password Management suite.
Specops Password Management takes a holistic approach to password management that
increases security, cuts costs, and extends the reach of password-based security. You can
learn more about the Specops Password Management solution and other Specops Password
related products at www.specopssoft.com.
Key components
[Figure: Key components flowchart. End user: initiates a password change in Windows and provides a new password; if the password does not meet the policy criteria, the Specops Password Client displays the password policy criteria. Domain Controller: the DC receives the password change request, the Local Security Authority receives the password change request, and the request passes through the Specops Password Policy Sentinel; if the password meets the policy criteria, the password change request is submitted to the DC. Administrator: opens GPMC, modifies an existing GPO or creates a new GPO, and edits password policy settings with the Specops Password Policy Administration Tools; AD and Sysvol are updated and configuration is complete.]
Specops Password Policy consists of the following components and does not require any
additional servers or resources in your environment.
Specops Password Policy Administration Tools: Used to configure the central aspects of
the solution and enable the creation of Specops Password Policy Settings in Group Policy
Objects.
Specops Password Policy Sentinel: Ensures that password change requests comply with the
Specops Password Policy assigned to the user object through Group Policy.
Specops Password Client: Displays the password policy rules when a user fails to meet the
policy criteria when changing their password. The Client also notifies users when their
passwords are about to expire.
Note: The Specops Password Client is an optional component.
Requirements
Your organization’s environment must meet the following system requirements:
Item: Administration Tools
Requirement:
- Windows Vista or later
- .NET Framework 4.5 or later
- Active Directory Users and Computers snap-in
- Group Policy Management Console (GPMC)

Item: Sentinel
Requirement:
- Domain Controller 2003 SP2 or later
- Writable domain controller

Item: Password Client
Requirement:
- Windows Vista or later
- .NET Framework 3.5 SP1 or later
Installing Specops Password Policy
During installation, Specops Password Policy will launch the Setup Assistant. The Setup
Assistant will help you install the following components for Specops Password Policy:
- Administration Tools
- Sentinel
- Password Client
1. Download the Setup Assistant.
2. Save and Run the Setup Assistant on your server.
Note: By default, the file is extracted to
C:\temp\SpecopsPasswordPolicy_Setup_[VersionNumber]
3. Double-click SpecopsPasswordPolicy.Setup.exe to launch the Setup Assistant.
4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and
Accept the End User License Agreement.
Installing the Administration Tools
Installing the Administration Tools will install the Domain Administration tool and the GPMC
snap-in. You can use the Domain Administration tool to manage configurations that apply to
your entire domain including your license information, templates, and Password Policy Sentinel
installations. You can use the GPMC snap-in to configure password policies in a Group Policy
Object (GPO). The GPO can then be applied to your entire domain or a part of your domain.
The Administration Tools should be installed on the computer that you want to administer the
product from.
Install the Administration Tools
1. In the main menu, select Administration tools.
2. If you want Specops Password Policy to register the Specops Active Directory Users
and Computers (ADUC) Menu Extension, click Add menu ext.
Note: This will allow Specops to add the Specops Display Specifiers in the configuration partition
of your Active Directory forest allowing you to administer the product directly from the right-click
menu of Active Directory objects. In order to add the menu extension to Active Directory the user
running the Setup Assistant must be an Enterprise Administrator.
3. Click Install.
4. In the Installation succeeded dialog box, click OK.
Installing the Domain Controller Sentinel
The Sentinel is a password filter that runs on the domain controllers and verifies whether the
new password matches the Specops Password Policy settings assigned to the user. You should
install the Sentinel on all writable domain controllers in your domain.
Install the Sentinel
1. In the main menu, select Domain Controller Sentinel.
2. To install the Sentinel on all writable domain controllers in your domain you can:
Option: Create a network share on the local computer and copy the sentinel msi-package to
the new network share
Step:
   1. Click Create Share.
   2. Select a local path to create the share for, and click OK.
   3. Click Select share.
   4. Verify that the network path to the network share you created is correct,
   and click OK.

Option: Select an existing network share and manually copy the msi-package to the existing
network share
Step:
   1. Click Select Share.
   2. Browse to the location of the msi-package, and click OK.
   Note: The default installer extraction path is:
   C:\temp\SpecopsPasswordPolicy_Setup_[VersionNumber]\product\SpecopsPaswordPolicy
3. Select the domain controllers you want to install the Sentinel on, and click Install.
Note: The remote domain controllers must be reachable over Remote Procedure Call (RPC).
4. Verify that the Sentinel state for the selected domain controllers has changed to
“Installed.”
Note: If the Sentinel state for the selected domain controllers has changed to “Installed,” but the
icon next to the component hasn’t changed, you can continue to the next step.
Post-installation: You must reboot your domain controllers once you have installed the Sentinel.
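An added example, not part of the Specops guide or tooling: a PowerShell audit that checks each writable domain controller for a registered password filter and for a reboot since installation, the two conditions the steps above require. It assumes the Sentinel registers as a standard LSA password filter under the Notification Packages registry value; the package name and installation time are placeholders to replace.

```powershell
# Added example (not vendor code): audit Sentinel coverage on writable DCs.
# Requires the ActiveDirectory module (RSAT) and PowerShell remoting to each DC.
Import-Module ActiveDirectory

# ASSUMPTIONS: both values are placeholders. Use the filter package name the
# Sentinel actually registers in your environment and your real install time.
$SentinelPackage = '<SENTINEL_FILTER_PACKAGE_NAME>'
$InstalledAt     = Get-Date '2024-01-01T00:00:00'   # constructed sample value

# Only writable DCs process password changes, so read-only DCs are skipped.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$report = foreach ($dc in $dcs) {
    try {
        $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            # LSA reads its list of password filters from this value at boot.
            $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $os  = Get-CimInstance -ClassName Win32_OperatingSystem
            [pscustomobject]@{
                Filters  = @($lsa.'Notification Packages')
                LastBoot = $os.LastBootUpTime
            }
        }
        [pscustomobject]@{
            DC         = $dc.HostName
            Registered = $remote.Filters -contains $SentinelPackage
            Rebooted   = $remote.LastBoot -gt $InstalledAt
            LastBoot   = $remote.LastBoot
            Filters    = $remote.Filters -join ', '
        }
    } catch {
        # An unreachable DC is reported as unverified, never as compliant.
        [pscustomobject]@{
            DC         = $dc.HostName
            Registered = $false
            Rebooted   = $false
            LastBoot   = $null
            Filters    = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object DC | Format-Table -AutoSize

# Any DC that is not registered and rebooted is a gap in policy enforcement.
$gaps = @($report | Where-Object { -not ($_.Registered -and $_.Rebooted) })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) writable DC(s) are not confirmed as enforcing the policy."
}
```

A password change handled by a writable domain controller that is missing the filter, or that has not rebooted since installation, is not checked against the Specops policy, so every row should show both Registered and Rebooted as True.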
Installing the Client
Installing the Client will allow Specops to display the password policy rules when a user fails to
meet the policy criteria when changing their password. The client will also notify users when
their passwords are about to expire.
Deploy the Client using GPSI
You can automatically configure an existing Group Policy Object with Software Installation
settings to deploy the Client in your domain. Alternatively, you can use another deployment
solution to install the client on the computers in your organization by downloading the msi-files.
1. In the main menu, select Deploy Specops Password Client using GPSI.
2. To select the Group Policy Object that will be used to deploy the client, click Select
GPO. You will be given the following options:
Option: Create New GPO
Step:
   1. Click Create New GPO.
   2. Enter a new Group Policy Object name.
   3. Select the location you want to link the Group Policy object.
   4. Click OK.

Option: Select an existing GPO
Step:
   1. Select an existing GPO from the list.
   2. Select a link for the chosen GPO, and click OK.
3. Click Download… to download the installation files for the Client.
a. In the dialog box, click Download Files.
b. When the dialog box is complete, click OK.
Note: The files are copied to:
C:\temp\SpecopsPasswordPolicy_Setup[VersionNumber]\products\specopspasswordpolicy
4. To install the Client on all computers in your organization you can:
Option: Create a network share on the local computer and copy the sentinel msi-package to
the new network share
Step:
   1. Click Create Share.
   2. Select a local path to create the share for, and click OK.
   3. Click Select share.
   4. Verify that the network path to the network share you created is correct, and click OK.

Option: Select an existing network share and manually copy the msi-package to the existing
network share
Step:
   1. Click Select Share.
   2. Browse to the location of the msi-package, and click OK.
   Note: It is recommended that you use a Distributed File Share (DFS). If DFS is used with
   load balancing, verify that the setup files are copied to all servers before proceeding.
5. To create the packages for x86 and x64 deployments in the selected GPO, click Add
Settings.
Note: The Client Side Extension MSI will be deployed through a computer software installation
and may not take effect until the computers have been restarted.
Deploy the Client using Specops Deploy / App or other deployment tools
If you are not deploying using Group Policy Software Installation (GPSI), you can download the
Client for alternative deployment methods, such as Specops Deploy.
1. Download the Specops Client:
https://download.specopssoft.com/Release/Client/Specops.uReset.Client-x64.msi
https://download.specopssoft.com/Release/Client/Specops.uReset.Client-x86.msi
2. Double-click the Specops.uReset.Client-x64 or Specops.uReset.Client-x86 Windows
Installer Package.
3. Accept the terms in the License Agreement, and click Install.
4. Click Finish.
Post-installation
Please complete the following tasks after you have installed Specops Password Policy:
1. Reboot your domain controllers if you have not already done so.
2. Enter your license key in the Domain Administration tool and enable the policy.
Note: You will receive an error prompting you to enter a valid license key once installation is
complete.
3. Verify that the appropriate Group Policy Objects are linked to the OUs containing the
correct managed users.
4. Configure your built-in domain password policy to the lowest settings you wish to use in
your Specops Password Policies.
Note: This will allow the client to display the Specops Password Policy rules when a user fails to
meet the policy criteria when changing their password. If you do not configure your built-in
domain password policy to the lowest setting, the built-in password policy rules will appear.
Support
For helpful tips and solutions for troubleshooting the product, download the Specops Password
Policy Troubleshooting Guide from http://www.specopssoft.com/support-docs/specopspassword-policy/troubleshooting/.
If you are unable to resolve a product related issue, contact Specops Support for assistance.
Online
We recommend submitting your case directly on our website at:
http://www.specopssoft.com/support-contact/
Telephone
International
+46 8 465 012 50
Monday - Friday: 09:00 - 17:00 CET
North America
+1-877-SPECOPS (773-2677)
Monday - Friday: 09:00 - 17:00 EST