Managing Password Reset Policies
Specops Password Reset is built on the Group Policy infrastructure, which means that the Group Policy Management Console (GPMC) is the primary tool used to create, configure and assign password reset policies. Policies can be created and configured in any Group Policy Object (GPO) in the domain.
Important!
The Specops Password Reset (SPR) service account must have Read permission on every Group Policy Object that contains Specops Password Reset settings.
When a GPO is created, the Authenticated Users group is granted Read permission by default. If the Authenticated Users group is removed from Security Filtering, the SPR service account must be granted Read permission on the GPO explicitly, or through a group it is a member of.
Create a new password reset policy
Note! To complete the following procedures, you must log on as a member of the Domain Admins security group, the Enterprise Admins security group, or the Group Policy Creator Owners security group.
To create a new password reset policy, you must create a new GPO or edit an existing GPO for a domain or organizational unit. The recommendation is to create dedicated GPOs with descriptive names, to make it easier to locate the GPOs that contain password reset settings.
To create a new GPO:
- In the GPMC console tree, browse to the “Group Policy Objects” node in the forest and domain in which you want to create the new password reset policy
- Right-click the “Group Policy Objects” node and select “New”
- In the “New GPO” dialog box, specify a name for the new password reset policy, and then click OK.
- Right-click the newly created GPO and select “Edit…”
- Browse to “User Configuration\Windows Settings\Specops Password Reset” or to “User Configuration\Policies\Windows Settings\Specops Password Reset” if using RSAT
- Click the “Enable Password Reset” button
- Proceed with the configure a password reset policy section.
Note! When you create a GPO containing a password reset policy, it will not have an effect until it is linked to a domain or organizational unit (OU).
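The same create-and-link procedure can be scripted with the GroupPolicy PowerShell module that ships with GPMC/RSAT. The following is an added example, not code from the Specops documentation or product; the GPO name, domain and OU path are assumptions. The “Enable Password Reset” step itself has no cmdlet here and is still done in the GPMC editor.

```powershell
# Added example, not part of the Specops documentation: create a dedicated GPO for
# password reset settings and link it to an OU with the GroupPolicy module that
# ships with GPMC/RSAT. GPO name, domain and OU path are assumptions; change them.
# The "Enable Password Reset" step itself is still done in the GPMC editor.
Import-Module GroupPolicy

$GpoName = 'SPR - Password Reset - Standard Users'          # descriptive name, easy to locate
$Domain  = 'corp.example.com'                               # assumed domain
$Target  = 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com'     # assumed OU to receive the policy

# Create the GPO only if it does not exist yet, so the script can be re-run safely
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Specops Password Reset policy'
}

# A password reset policy lives entirely under User Configuration. Disabling the
# computer half makes processing faster and prevents unrelated computer settings
# from being added to this GPO by accident.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Link the GPO to the OU, but keep the link disabled until the Specops settings have
# been configured and reviewed in GPMC. An unlinked (or disabled) GPO has no effect.
$existingLink = (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
                Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $Target -Domain $Domain -LinkEnabled No | Out-Null
}

# Show the link as GPMC would: order, enabled and enforced state
(Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Order, Enabled, Enforced -AutoSize

# After the settings are in place and verified, turn the link on:
# Set-GPLink -Name $GpoName -Target $Target -Domain $Domain -LinkEnabled Yes
```

Creating the link disabled gives you a review step between “GPO exists” and “GPO affects users”, which the GUI procedure above does not have when you link an already-configured GPO.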
Edit an existing password reset policy
Note! To complete the following procedures, you must have edit permissions for the GPO that you want to edit.
To edit an existing password reset policy:
- In the GPMC console tree, click the “Group Policy Objects” node in the forest and domain in which you want to configure an existing password reset policy
- Right-click an existing GPO and select “Edit…”
- Browse to “User Configuration\Windows Settings\Specops Password Reset” or to “User Configuration\Policies\Windows Settings\Specops Password Reset” if using RSAT
- Click the “Configure settings” button
- Proceed with the configure a password reset policy section.
Configure a password reset policy
See the settings reference for detailed information about all settings that can be configured within a password reset policy.
Assign a password reset policy
Note! To link an existing GPO to a domain or organizational unit, you must have Link GPOs permission on that domain or organizational unit. By default, only Domain Admins and Enterprise Admins have this privilege.
For a GPO containing a password reset policy to actually affect any users, it must be linked to the domain or to an organizational unit in Active Directory.
To assign a password reset policy to the domain or an organizational unit
To assign a GPO containing password reset settings to the domain or an organizational unit:
- In the GPMC console tree (the left pane), expand “Domains”
- Right-click the domain or the organizational unit that you want to assign a password reset policy to
- Click “Link an Existing GPO…”
- In the “Select GPO” dialog, select the GPO containing the password reset settings that you want to assign, and click OK
To assign a password reset policy to a group or user
GPO security filtering is a way of refining which users and computers will receive and apply the settings in a GPO. Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO.
In order for the GPO to apply to a given user, that user must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly or effectively through group membership. By default, all GPOs have both Read and AGP allowed for the Authenticated Users group.
To assign a GPO containing password reset settings to a group:
- First link the GPO to the domain or an organizational unit, as described above
- In the GPMC console tree (the left pane), expand “Group Policy Objects”
- Select the GPO you wish to assign
- In the results pane, select the “Scope” tab
- Click “Add…” in the “Security Filtering” section
- In the “Enter the object name to select” box, type the name of the group or user that you want to assign the password reset policy to, and click OK
- Remove “Authenticated Users” from the “Security Filtering” list
Note! Removing Authenticated Users also removes the default Read permission that the SPR service account relied on. Grant the service account Read on the GPO explicitly (see the Important note above), or the service cannot read the policy. In addition, since Windows security update MS16-072 (June 2016) user Group Policy is retrieved in the computer’s security context, so the Domain Computers group also needs Read (but not Apply Group Policy) on the GPO; otherwise the policy silently stops applying to users.
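The security filtering change above, together with a check of the “Important!” requirement that the SPR service account can read every GPO with password reset settings, as an added PowerShell example (not Specops code). The GPO name, the target group and the service account name are assumptions.

```powershell
# Added example, not part of the Specops documentation: scope a password reset GPO
# to a single group with security filtering, without breaking the Read access the
# SPR service account (and, on patched domains, computers) need. GPO, group and
# service account names are assumptions; change them.
Import-Module GroupPolicy

$GpoName        = 'SPR - Password Reset - Standard Users'
$TargetGroup    = 'SPR-PasswordReset-Users'   # assumed group that should receive the policy
$ServiceAccount = 'svc-spr'                   # assumed SPR service account (sAMAccountName)

# 1. Read + Apply Group Policy for the group that should receive the policy
Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 2. The SPR service account must be able to read the settings but should never
#    apply them. Grant Read explicitly, because step 4 removes the default Read it
#    had through Authenticated Users.
Set-GPPermission -Name $GpoName -TargetName $ServiceAccount -TargetType User `
                 -PermissionLevel GpoRead | Out-Null

# 3. Since MS16-072 (June 2016) user policy is fetched in the computer's security
#    context, so computers need Read (not Apply) once Authenticated Users is gone.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# 4. Remove Authenticated Users so only the group from step 1 applies the GPO
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None | Out-Null

# 5. Verify the resulting ACL: who reads, who applies, anything denied
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
    Format-Table -AutoSize

# 6. Audit every GPO in the domain for the "Important!" requirement: flag GPOs where
#    neither Authenticated Users nor the service account has an explicit, non-denied
#    Read-or-better entry. Group membership is not resolved here, so a flagged GPO
#    is a candidate to check in GPMC, not confirmed breakage.
function Find-GposUnreadableByServiceAccount {
    param([string]$Account)
    $readOrBetter = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($g in Get-GPO -All) {
        $ok = Get-GPPermission -Name $g.DisplayName -All | Where-Object {
            -not $_.Denied -and
            $_.Permission -in $readOrBetter -and
            $_.Trustee.Name -in @('Authenticated Users', $Account)
        }
        if (-not $ok) { $g.DisplayName }
    }
}
Find-GposUnreadableByServiceAccount -Account $ServiceAccount
```

The order of the steps matters: grant the new Read entries first, remove Authenticated Users last, so there is no window in which the service account cannot read the policy. The audit in step 6 is deliberately conservative and lists GPOs that may still be readable through group membership; it cannot tell which GPOs actually contain Specops settings, so review the flagged ones in GPMC.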
Managing inheritance of Group Policy
You can add one or more GPO links to each domain and organizational unit in the Group Policy Management Console. The password reset settings deployed by GPOs linked to higher (parent) containers in Active Directory are inherited by child containers by default. GPO processing is based on a last-writer-wins model: GPOs that are processed later take precedence over GPOs that are processed earlier. Group Policy Objects containing password reset policies are processed in the following order:
- GPOs linked to the domain
- GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.
You can further control precedence and how GPO links are applied by doing the following:
- Changing the link order within a domain or organizational unit.
Links on a container are processed in reverse link order, so the link with the lowest link order number (1 being the highest order) is processed last and has the highest precedence.
- Blocking Group Policy inheritance.
Using block inheritance prevents GPOs linked to higher containers from being automatically inherited by child-level containers.
- Enforcing a GPO link.
An enforced GPO link cannot be blocked by child containers, and its settings take precedence over conflicting settings in GPOs linked to child containers.
- Disabling a GPO link.
A disabled GPO link is not processed at all.
- Disabling user settings.
If user settings are disabled for a GPO, the password reset settings configured within the GPO are not processed, since they are part of User Configuration.
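The precedence controls listed above (link order, enforcement, block inheritance, disabled links and disabled user settings) can be inspected and changed from PowerShell as well. The following is an added example, not Specops code; OU paths and the GPO name are assumptions.

```powershell
# Added example, not part of the Specops documentation: inspect the effective GPO
# precedence on an OU and use link order, enforcement and block inheritance to
# control which password reset policy wins. OU paths and GPO name are assumptions.
Import-Module GroupPolicy

$Target  = 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com'
$ChildOu = "OU=Contractors,$Target"
$GpoName = 'SPR - Password Reset - Standard Users'

function Show-GpoPrecedence {
    # Prints, for one container, whether inheritance is blocked and the GPOs it
    # receives. Get-GPInheritance reports inherited links in order of precedence
    # (Order 1 = highest = processed last, so it wins on conflicting settings).
    param([string]$Container)
    $inh = Get-GPInheritance -Target $Container
    "{0}  (block inheritance: {1})" -f $inh.Path, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Enabled, Target |
        Format-Table -AutoSize
}

Show-GpoPrecedence -Container $Target

# Changing link order: 1 is the highest precedence among the links on this container
Set-GPLink -Name $GpoName -Target $Target -Order 1 | Out-Null

# Enforcing the link: a child OU that blocks inheritance still receives it, and
# conflicting settings in GPOs linked below it cannot override it
Set-GPLink -Name $GpoName -Target $Target -Enforced Yes | Out-Null

# Blocking inheritance on the child OU: every non-enforced parent link disappears
# from its list; the enforced password reset GPO stays
Set-GPInheritance -Target $ChildOu -IsBlocked Yes | Out-Null
Show-GpoPrecedence -Container $ChildOu

# A disabled link is not processed at all; disabling user settings on the GPO
# switches off the password reset settings everywhere the GPO is linked.
# Both are shown for reference only and are not executed here:
# Set-GPLink -Name $GpoName -Target $Target -LinkEnabled No
# (Get-GPO -Name $GpoName).GpoStatus = 'UserSettingsDisabled'
```

Run Show-GpoPrecedence against the OU where a user complains that the password reset policy does not apply: a block on the OU, a higher-precedence GPO with different Specops settings, or a disabled link shows up directly in that table.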
Delete a password reset policy
There are several ways to remove a password reset policy. Some of the methods are described below.
Delete the GPO link
Note! To remove a link, you must have Link GPOs permission on that domain or organizational unit. By default, only Domain Admins and Enterprise Admins have this privilege.
To delete the GPO link:
- In the GPMC console tree (the left pane), expand “Domains”
- Browse to the domain or organizational unit where the GPO is linked
- Right-click the GPO and click “Delete”
The GPO link is deleted, which means that the GPO no longer affects any users in that container (or anywhere, if this was its only link). The password reset settings within the GPO still exist, and any other link to the GPO keeps applying them.
Remove password reset settings from a GPO
Note! To remove the password reset policy from a GPO, you must have Edit Settings permission for the GPO.
To remove password reset settings from a GPO:
- In the GPMC console tree (the left pane), expand “Group Policy Objects”
- Select the GPO you wish to remove password reset settings from
- Browse to “User Configuration\Windows Settings\Specops Password Reset” or to “User Configuration\Policies\Windows Settings\Specops Password Reset” if using RSAT
- Click the “Remove Password Reset Settings” button
This method doesn’t delete the GPO itself; it only removes the password reset settings from the GPO.
Delete the GPO
Note! To delete a GPO, you must have Edit Settings, Delete, Modify Security permissions for the GPO.
To delete a GPO:
- In the GPMC console tree (the left pane), expand “Group Policy Objects”
- Select the GPO you wish to delete
- Right-click and select “Delete”
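Deleting a link or a GPO without first knowing where else the GPO is linked is how a password reset policy keeps applying (or disappears) unexpectedly. The following added example (not Specops code) lists every container a GPO is linked to, removes one link, and deletes the GPO only when nothing links to it anymore, taking a backup first. The GPO name, OU path and backup folder are assumptions. Removing the Specops settings from a GPO while keeping the GPO is a GPMC-only operation and is not covered here.

```powershell
# Added example, not part of the Specops documentation: find every container a GPO
# is linked to before removing a link or the GPO, and back the GPO up first. The GPO
# name, OU path and backup folder are assumptions.
Import-Module GroupPolicy

$GpoName   = 'SPR - Password Reset - Standard Users'
$Ou        = 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com'
$BackupDir = 'C:\GPO-Backups'

function Get-GpoLinkLocations {
    # Returns the containers a GPO is linked to. There is no cmdlet for this, but
    # the XML report lists every link under <LinksTo>.
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        [pscustomobject]@{
            Container = $link.SOMPath      # e.g. corp.example.com/Corp/Users
            Enabled   = $link.Enabled
            Enforced  = $link.NoOverride
        }
    }
}

"Before:"; Get-GpoLinkLocations -Name $GpoName | Format-Table -AutoSize

# Remove one link. The settings stay in the GPO and any other link keeps applying them.
Remove-GPLink -Name $GpoName -Target $Ou | Out-Null

"After removing the link on ${Ou}:"; Get-GpoLinkLocations -Name $GpoName | Format-Table -AutoSize

# Delete the GPO itself only when it is linked nowhere, and keep a restorable backup.
if (-not (Get-GpoLinkLocations -Name $GpoName)) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Backup-GPO -Name $GpoName -Path $BackupDir -Comment 'Before deleting password reset policy' | Out-Null
    Remove-GPO -Name $GpoName
    "Deleted '$GpoName' (backup in $BackupDir)"
} else {
    "'$GpoName' is still linked elsewhere; not deleting."
}
```

Note that Remove-GPO, like the GPMC “Delete” on a GPO, also removes the GPO’s links in the domain, which is why the script checks for remaining links first; a backup made with Backup-GPO can be restored with Restore-GPO if the deletion turns out to be a mistake.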
Page last modified on November 20, 2008, at 10:55 PM