Managing Policies

Specops Password Notification is built on the Group Policy infrastructure, which means that the Group Policy Management Console (GPMC) is the primary tool used to create, configure and assign policies within Specops Password Notification. Password notification policies can be created and configured through any Group Policy Object (GPO) in the domain.

Create a new password notification policy
 

Note! To complete the following procedures, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

To create a new password notification policy, you must create a new GPO or edit an existing GPO for a domain or organizational unit. The recommendation is to create dedicated GPOs with descriptive names, to make it easier to locate GPOs containing password notification settings.

To create a new GPO:

  1. In the GPMC console tree, browse to the “Group Policy Objects” node in the forest and domain in which you want to create a new password policy
  2. Right-click the “Group Policy Objects” node and select “New”
  3. In the “New GPO” dialog box, specify a name for the new password notification policy, and then click OK.
  4. Right-click the newly created GPO and select “Edit…”
  5. Browse to “User Configuration\Windows Settings\Specops Password Notification” or to “User Configuration\Policies\Windows Settings\Specops Password Notification” if using RSAT
  6. Click the “Add Configuration” button
  7. Proceed with the “Configure a password notification policy” section.

Note! When you create a GPO containing a password notification policy, it will not have an effect until it is linked to a domain or organizational unit (OU).

Important!
The service account configured for Specops Password Notification must have Read permissions on all Group Policy Objects that contain Specops Password Notification settings.

When a GPO is created, the Authenticated Users group gets Read permissions by default. But if the Authenticated Users group is removed from Security Filtering, the SPR service account must be given Read permission to the GPO.

Edit an existing password notification policy
 

Note! To complete the following procedures, you must have edit permissions for the GPO that you want to edit.

To edit an existing password notification policy:

  1. In the GPMC console tree, click the “Group Policy Objects” node in the forest and domain in which you want to configure an existing password notification policy
  2. Right-click an existing GPO and select “Edit…”
  3. Browse to “User Configuration\Windows Settings\Specops Password Notification” or to “User Configuration\Policies\Windows Settings\Specops Password Notification” if using RSAT
  4. Click the “Edit Configuration” button
  5. Proceed with the “Configure a password notification policy” section.

Configure a password notification policy

A password notification policy contains all the settings needed to send password expiration notification emails to users.

Email notification templates

Email notification templates are used to configure when password expiration notification emails are sent to users and what the content of the emails looks like.

The following buttons are used to manage email notification templates within a GPO:

  • New
    Create a new email notification template with default settings.
  • New Copy
    Create a new email notification template with same values as the selected template.
  • Delete
    Delete the selected email notification template.

Click here to get detailed information about all email notification templates settings that can be configured within a password notification policy.

Note! If email notification templates within a GPO overlap each other regarding configured days, only one email will be sent to end-users.

SMTP Configuration

The SMTP Configuration contains settings that are used by the Server component when sending password notification emails.

Click here to get detailed information about all SMTP settings that can be configured within a password notification policy.

Assign a password notification policy
 

Note! To link an existing GPO to a domain or organizational unit, you must have Link GPOs permission on that domain or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege.

For a GPO containing a password notification policy to actually affect any users, it must be linked to the domain or to an organizational unit somewhere in the Active Directory.

To assign a password notification policy to the domain or an organizational unit

To assign a GPO containing password notification settings to an organizational unit:

  1. In the GPMC console tree (the right pane), expand “Domains”
  2. Right-click the domain or the organizational unit that you want to assign a password reset policy to
  3. Click “Link an Existing GPO…”
  4. In the “Select GPO” dialog, select the GPO containing password notification settings that you want to assign

To assign a password notification policy to a group or user

GPO security filtering is a way of refining which users and computers will receive and apply the settings in a GPO. Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO.

In order for the GPO to apply to a given user, that user must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly or effectively through group membership. By default, all GPOs have both Read and AGP allowed for the Authenticated Users group.

To assign a GPO containing password notification settings to a group:

  1. First assign the GPO to an organizational unit
  2. In the GPMC console tree (the right pane), expand “Group Policy Objects”
  3. Select the GPO you wish to assign
  4. In the results pane, select the “Scope” tab
  5. Click “Add…” in the “Security Filtering” part
  6. In the “Enter the object name to select” box, type the name of the group or user that you want to assign the password reset policy to
  7. Remove “Authenticated Users” from the “Security filtering” list
Note! If Security Filtering is applied on a Specops Password Notification GPO, then the service account must be granted read permissions on the GPO (not Apply permissions).
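
The security filtering steps above, combined with the service account Read requirement, as an added PowerShell example (not part of the original page and not Specops' own tooling). It uses the Set-GPPermission and Get-GPPermission cmdlets from the GroupPolicy module; the function names and all GPO, group and account names are assumptions, the service account is assumed to be a user account, and the check looks only at explicit entries, not at access gained through group membership.

```powershell
#Requires -Modules GroupPolicy
# Added example, not vendor code. All names passed in are placeholders.

function Set-NotificationGpoFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $FilterGroup,     # group that should receive the policy
        [Parameter(Mandatory)] [string] $ServiceAccount   # sAMAccountName, assumed to be a user account
    )
    if (-not $PSCmdlet.ShouldProcess($GpoName, 'Restrict security filtering')) { return }

    # Steps 5-6: the target group gets Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $FilterGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Grant the service account Read (not Apply) before the default entry is removed.
    Set-GPPermission -Name $GpoName -TargetName $ServiceAccount -TargetType User `
        -PermissionLevel GpoRead | Out-Null
    # Step 7: remove Authenticated Users from the GPO.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
}

function Test-NotificationGpoReadable {
    param(
        [Parameter(Mandatory)] [string[]] $GpoName,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    foreach ($name in $GpoName) {
        $entries = @(Get-GPPermission -Name $name -All)
        $auth = $entries | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' } |
            Select-Object -First 1
        $svc = $entries | Where-Object { $_.Trustee.Name -eq $ServiceAccount } |
            Select-Object -First 1
        [pscustomobject]@{
            Gpo                = $name
            AuthenticatedUsers = if ($auth) { "$($auth.Permission)" } else { 'removed' }
            ServiceAccount     = if ($svc) { "$($svc.Permission)" } else { 'none' }
            # Explicit entries only: either the default group or the account itself.
            Readable           = [bool]($auth -or $svc)
            # The note above asks for Read, not Apply, on the service account.
            OverPrivileged     = [bool]($svc -and "$($svc.Permission)" -ne 'GpoRead')
        }
    }
}
```

Run Set-NotificationGpoFilter with -WhatIf first, then pass the names of the GPOs that hold notification settings to Test-NotificationGpoReadable and review any row where Readable is False or OverPrivileged is True.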

Managing inheritance of Group Policy

You can add one or more GPO links to each domain and organizational unit in Group Policy Management Console. The password reset settings deployed by GPOs linked to higher containers (parent containers) in Active Directory are inherited by child containers by default. GPO processing is based on a last-writer-wins model, and GPOs that are processed later have precedence over GPOs that are processed sooner. Group Policy objects containing password reset policies are processed according to the following order:

  1. GPOs linked to the domain
  2. GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.

You can further control precedence and how GPO links are applied by doing the following:

  • Changing the link order within a domain or organizational unit
    The link with the higher order (with 1 being the highest order) has the higher precedence.
  • Blocking Group Policy inheritance
    Using block inheritance prevents GPOs linked to higher containers from being automatically inherited by child-level containers.
  • Enforcing a GPO link 
    An enforced GPO link takes precedence over the settings of any child object.
  • Disabling a GPO link
    A disabled GPO link is not processed at all.
  • Disabling user settings 
    If user settings are disabled for a GPO, the password reset settings configured within the GPO are not processed.
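
The processing rules above as an added PowerShell model (not from the original page or the vendor); it runs without Active Directory and goes slightly beyond the list by applying two general Group Policy behaviours: enforced links are not removed by block inheritance, and an enforced link on a parent wins over one on a child. The function names, container names and GPO names are constructed.

```powershell
# Added example: models GPO processing order; it does not query Active Directory.
function Get-GpoProcessingOrder {
    param(
        # Containers ordered from the domain down to the user's OU (parent first).
        [Parameter(Mandatory)] [object[]] $Containers
    )
    $normal = @()
    $enforced = @()
    foreach ($c in $Containers) {
        # Block inheritance drops the non-enforced links inherited from parents.
        if ($c.BlockInheritance) { $normal = @() }
        # Disabled links are skipped; link order 1 is processed last in its container.
        $links = @($c.Links | Where-Object { $_.Enabled } |
            Sort-Object -Property Order -Descending)
        $normal += @($links | Where-Object { -not $_.Enforced })
        # Enforced links are processed after all others, with parent links last.
        $enforced = @($links | Where-Object { $_.Enforced }) + $enforced
    }
    # First element is processed first; the last element wins.
    @($normal + $enforced) | ForEach-Object { $_.Gpo }
}

function New-Link($Gpo, $Order, [switch] $Enforced, [switch] $Disabled) {
    [pscustomobject]@{
        Gpo = $Gpo; Order = $Order
        Enforced = [bool]$Enforced; Enabled = -not $Disabled
    }
}

# Constructed sample: a domain with two links and a child OU that blocks inheritance.
$chain = @(
    [pscustomobject]@{ Name = 'example.test'; BlockInheritance = $false; Links = @(
        (New-Link 'Notify-Default' 2), (New-Link 'Notify-Mandatory' 1 -Enforced)) },
    [pscustomobject]@{ Name = 'OU=Staff'; BlockInheritance = $true; Links = @(
        (New-Link 'Notify-Staff' 1), (New-Link 'Notify-Old' 2 -Disabled)) }
)

$order = @(Get-GpoProcessingOrder -Containers $chain)
"Processing order: $($order -join ' -> ')"
"Winning GPO:      $($order[-1])"
```

On a live domain, Get-GPInheritance -Target with the OU's distinguished name reports the resolved links in its InheritedGpoLinks property.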

Delete a password notification policy

There are several ways to remove a password reset policy. Some of the methods are described below.

Delete the GPO link
 

Note! To remove a link, you must have Link GPOs permission on that domain or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this privilege.

To delete the GPO link:

  1. In the GPMC console tree (the right pane), expand “Domains”
  2. Browse to the domain or organizational unit where the GPO is linked
  3. Right-click the GPO and click “Delete”

The GPO link is deleted, which means that the GPO doesn’t affect any users. But the password notification settings within the GPO still exist.

Remove password notification settings from a GPO
 

Note! To remove the password notification policy from a GPO, you must have Edit Settings permissions for the GPO.

To remove password notification settings from a GPO:

  1. In the GPMC console tree (the right pane), expand “Group Policy Objects”
  2. Select the GPO you wish to remove password reset settings from
  3. Browse to “User Configuration\Windows Settings\Specops Password Notification” or to “User Configuration\Policies\Windows Settings\Specops Password Notification” if using RSAT
  4. Click the “Remove Configuration” button

This method doesn’t delete the GPO itself; it just removes the password notification settings from the GPO.

Delete the GPO
 

Note! To delete a GPO, you must have Edit Settings, Delete, Modify Security permissions for the GPO.

To delete a GPO:

  1. In the GPMC console tree (the right pane), expand “Group Policy Objects”
  2. Select the GPO you wish to delete
  3. Right-click and select “Delete”

Page last modified on April 28, 2009, at 02:09 PM