In an effort to relieve the Help Desk of one of the more consistent calls they receive, "I forgot my password", I have recently helped set up Specops Password Reset. Specops Password Reset lets end users reset their own Active Directory passwords through a secure self-service process. Administrators control the various Specops settings, and push out local workstation installs, through Group Policy. Optionally, administrators may forgo installing the software on client computers and just use the web links to service users.
The basic steps to set up Specops Password Reset, and then use it, are as follows:
1) Set up a management server that will host Specops.
The server, 2008 R2 in this case, requires IIS because users will reach it through a web page link. Deploy the server and install the IIS role.
2) Install the GPMC and Active Directory Users and Computers tools on the management server.
These are RSAT features rather than server roles; you need them so you can work with the Specops GPO on the management server. The installation adds a Group Policy extension that lets you configure the software and the user settings, such as challenge questions.
3) Create a service account in AD.
Specops runs as a service on the management server under this account, and the account needs delegated rights on user objects in AD, such as the Reset Password right, so that Specops can reset a user's password. Delegate only the rights it needs on the user OUs it services; the account does not need to be a Domain Admin.
4) Install the Specops Password Reset server software.
Start the installer. The installer will verify that the prerequisites are met. Move through the five steps and the installation is complete.
5) Install the Group Policy extensions on the Specops server so you can manage the various Specops settings.
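The server preparation and service-account steps above, as an added PowerShell example for a 2008 R2 management server. This is not code from the original post or from Specops; the server name, OU paths, account name and domain are assumptions, and the feature names should be checked against Get-WindowsFeature on your build. The account is granted only the Reset Password extended right plus write access to pwdLastSet and lockoutTime on user objects, which is the usual minimum for a self-service reset tool, instead of broad group membership.

```powershell
# Added example, not from the original post or from Specops.
# Assumptions: domain CORP / DC=corp,DC=example, user OU "OU=Users",
# service account OU "OU=Service Accounts", account name svc-specops.
Import-Module ServerManager
Import-Module ActiveDirectory

# Step 1 and 2: IIS for the reset pages (with Windows Authentication for SSO),
# plus GPMC and the AD DS administration tools (RSAT features, not roles).
# Feature names assumed for 2008 R2; confirm with: Get-WindowsFeature | ? Name -like 'RSAT-ADDS*'
Add-WindowsFeature Web-Server, Web-Windows-Auth, GPMC, RSAT-ADDS-Tools, RSAT-AD-PowerShell

# Step 3: create the service account with a non-expiring password that only
# an admin can change; the password is read interactively so it is not in the script.
$domainNetbios = 'CORP'
$svcName       = 'svc-specops'
$svcOu         = 'OU=Service Accounts,DC=corp,DC=example'
$userOu        = 'OU=Users,DC=corp,DC=example'

$svcPassword = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
    -AccountPassword $svcPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Specops Password Reset service account (delegated rights only)'

# Delegate the minimum on user objects below the user OU, inherited to sub-objects only (/I:S):
#   CA;Reset Password   - the "Reset Password" extended right (control access)
#   RPWP;pwdLastSet     - read/write so "must change at next logon" can be set or cleared
#   RPWP;lockoutTime    - read/write so a locked-out account can be unlocked
$trustee = "$domainNetbios\$svcName"
dsacls $userOu /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $userOu /I:S /G "${trustee}:RPWP;pwdLastSet;user"
dsacls $userOu /I:S /G "${trustee}:RPWP;lockoutTime;user"

# Check: list the ACEs that now mention the service account on the user OU.
# Anything beyond the three entries above (or a group membership in
# Domain Admins / Account Operators) is more than Specops needs.
dsacls $userOu | Select-String $svcName
Get-ADPrincipalGroupMembership $svcName | Select-Object -ExpandProperty Name
```

Run this as a domain administrator on the management server; the dsacls lines can also be run from a domain controller. Scope the delegation to the OUs that hold ordinary users, not the whole domain, so the service account cannot reset passwords for administrative accounts kept in a separate OU.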
After these steps Specops is basically up. From here on you, the administrator, will be configuring what the end user sees. You can customize the email messages that go out to the user after they perform various password-related activities (reset, change, enroll), apply your own branding, configure lockouts within the Specops software, and configure the challenge questions that are available to users. Depending on the level of security your environment requires, you may want to lower the number of failed attempts users are allowed when answering challenge questions. Depending on the type of entity you operate under, not all of the prepackaged challenge questions may be appropriate, and allowing users to craft their own questions may not be either.
In the next Specops post I will cover:
1) Linking the GPO to users.
2) Creating a GPO that provides pass-through/SSO for Firefox users. Both Chrome and IE pass the logged-on session's Kerberos credentials through to the browser and the enrollment page; Firefox needs its own configuration.
3) Creating the GPO with the MSI installer to deploy to computers, and the "wait for network" GPO setting (XP and Windows 7).
4) Using the Reporting and Helpdesk tool.