Post Configuration
Helpdesk Administrators
To grant users access to the Helpdesk Web page, they must be added to the “Specops Password Helpdesk Admins” local group on the server where the Specops Password Reset Service is installed. It is recommended that you use global groups to allow access to the Helpdesk Web page, instead of adding individual users to the local group.
Membership in the “Specops Password Helpdesk Admins” group gives users access to:
- view detailed information about a user account
- view password policy information for a user account
- view current password reset enrollment status
- reset the password for a user, including generating a new password and sending the password to the end user's mobile phone
Users who do not have the appropriate permissions to access the Helpdesk Web page will receive the following error message:
Request for principal permission failed.
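The recommendation above (grant access through a global group, not individual users) can be checked and applied with the following PowerShell script. It is an added example, not Specops' own code; it runs on the Specops Password Reset server, uses the WinNT ADSI provider so it needs no extra modules, and assumes a domain global group named "ACME\SPR-Helpdesk" (a placeholder; use your own group).

```powershell
# Added example (not Specops' own code): audit the local
# "Specops Password Helpdesk Admins" group on the Specops Password Reset server.
# Direct user members are reported, because access is supposed to be granted
# through a global group; the assumed global group is then added if missing.
# "ACME\SPR-Helpdesk" is a placeholder global group name; change it to yours.

$localGroupName = "Specops Password Helpdesk Admins"
$domainGroup    = "ACME\SPR-Helpdesk"   # assumed global group (DOMAIN\Name)

# Bind to the local group through the WinNT provider
$group = [ADSI]("WinNT://./" + $localGroupName + ",group")

# Enumerate the current direct members and read Name, Class and ADsPath
$members = @($group.psbase.Invoke("Members"))
$report = foreach ($m in $members) {
    New-Object PSObject -Property @{
        Name  = $m.GetType().InvokeMember("Name",    'GetProperty', $null, $m, $null)
        Class = $m.GetType().InvokeMember("Class",   'GetProperty', $null, $m, $null)
        Path  = $m.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $m, $null)
    }
}

# Flag individual user accounts; they should be nested through a global group instead
$directUsers = $report | Where-Object { $_.Class -eq "User" }
if ($directUsers) {
    Write-Warning "Individual user accounts are direct members of '$localGroupName':"
    $directUsers | Format-Table Name, Path -AutoSize
}

# Add the global group if it is not already a member.
# WinNT paths for domain objects have the form WinNT://DOMAIN/Name,group
$domainName, $groupName = $domainGroup -split '\\', 2
$alreadyMember = $report | Where-Object { $_.Class -eq "Group" -and $_.Name -eq $groupName }
if (-not $alreadyMember) {
    $group.psbase.Invoke("Add", ("WinNT://" + $domainName + "/" + $groupName + ",group"))
    Write-Host "Added $domainGroup to '$localGroupName'."
} else {
    Write-Host "$domainGroup is already a member of '$localGroupName'."
}
```

Run it in an elevated PowerShell session on the Specops Password Reset server; the membership change takes effect for the helpdesk users the next time they log on and open the Helpdesk Web page.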
Adding the Specops Web server to the Local Intranet Zone in Internet Explorer
If Internet Explorer requires users to provide their credentials when they browse to the Specops Password Reset Web server, it might be necessary to add the server to the “Local Intranet Zone” in Internet Explorer (see http://support.microsoft.com/kb/303650).
You can use Group Policy Objects to automatically add the Specops Password Reset Web server to the “Local Intranet Zone”.
- Start GPMC
- Select an appropriate GPO that affects all computers that will be used with Specops Password Reset
- Right-click the GPO and select Edit…
- Browse to Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page or Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page if using RSAT
- Select properties for the Site to Zone Assignment List setting and enable the setting
- Press Show…
- Press Add…
- In the Enter the name of the item to be added: editbox type the name of the Specops Password Reset Web server (e.g. server01.acme.local)
- In the Enter the value of the item to be added: editbox type the number 1 (1 is the Local Intranet zone)
- Press OK
- Press OK
The setting will be applied to all affected computers during the next Group Policy refresh interval (or computer startup).
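To confirm on a client computer that the Site to Zone Assignment List setting has arrived and maps the Specops server to the Local Intranet zone, the following PowerShell script (an added example, not Specops' own code) reads the policy registry key that this setting writes to. It assumes the page's example server name "server01.acme.local"; the zone numbers follow the setting's own convention, and the ZoneMapKey location is where the Site to Zone Assignment List policy stores its entries.

```powershell
# Added example (not Specops' own code): verify on a client that the
# Site to Zone Assignment List policy maps the Specops Password Reset Web
# server to the Local Intranet zone (1). Group Policy writes each assignment
# as a string value (name = site, data = zone number) under ZoneMapKey.
# "server01.acme.local" is the page's example server name; change it.

$sprServer  = "server01.acme.local"
$zoneMapKey = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"

# Zone numbers used by the Site to Zone Assignment List setting
$zoneNames = @{ "1" = "Local Intranet"; "2" = "Trusted Sites"; "3" = "Internet"; "4" = "Restricted Sites" }

if (-not (Test-Path $zoneMapKey)) {
    Write-Warning "ZoneMapKey not present: the policy has not applied yet (wait for the next refresh or run gpupdate)."
    return
}

# Read every site assignment the policy has written; skip the PS* provider properties
$assignments = Get-ItemProperty -Path $zoneMapKey
$siteNames = $assignments.PSObject.Properties |
    Where-Object { $_.Name -notlike "PS*" } |
    ForEach-Object { $_.Name }

foreach ($site in $siteNames) {
    $zone  = [string]$assignments.$site
    $label = $zoneNames[$zone]
    if (-not $label) { $label = "unknown zone $zone" }
    Write-Host ("{0,-40} -> zone {1} ({2})" -f $site, $zone, $label)

    # The Local Intranet zone allows automatic logon with the current credentials,
    # so a wildcard entry would extend that trust to every host it matches.
    if ($zone -eq "1" -and $site -match '\*') {
        Write-Warning "Wildcard entry '$site' is in the Local Intranet zone; prefer the specific server name."
    }
}

# Final check for the Specops server itself
$sprZone = [string]$assignments.$sprServer
if ($sprZone -eq "1") {
    Write-Host "OK: $sprServer is in the Local Intranet zone."
} elseif ($sprZone) {
    Write-Warning "$sprServer is mapped to zone $sprZone, not Local Intranet (1)."
} else {
    Write-Warning "$sprServer has no zone assignment from policy."
}
```

If the entry is missing on a computer that the GPO should affect, check the GPO link and security filtering with gpresult before assuming the browser prompt has another cause.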
Install the self-signed SSL certificate as a trusted root CA certificate
Note! It is not a security best practice to use a self-signed server authentication certificate in a production environment.
If the Specops Password Reset web server was configured to use a self-signed SSL certificate during setup, users will be warned when browsing to the web server. The browser says “The security certificate was issued by a company you have not chosen to trust” or that it cannot trust the Certificate Authority.
You can use Group Policy Objects to install a self-signed certificate as a trusted root CA certificate.
First you need to export the certificate on the Specops Password Reset web server:
- Start MMC
- In the File menu select Add/Remove Snap-in…
- Add the Certificates snap-in
- Select Computer account and press Next
- Select Local computer and press Finish
- Press OK
- In the left pane, expand the Certificates (Local Computer) node
- Expand the Personal node
- Expand the Certificates node
- Right-click the self-signed server certificate
- Select All Tasks and Export…
- Press Next
- Press Next (do not export the private key)
- Press Next (DER encoded format)
- Specify a filename (with .CER as extension) and press Next
- Press Finish
Deploy the self-signed certificate using Group Policy Objects:
- Start GPMC
- Select an appropriate GPO that affects all computers that will be used with Specops Password Reset
- Right-click the GPO and select Edit…
- Browse to Computer Configuration/Windows Settings/Security Settings/Public Key Policies or Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies if using RSAT
- Right-click the Trusted Root Certification Authorities and select Import…
- Press the Next button
- Press Browse… and select the file that was exported before
- Press Next
- Press Next (the certificate is placed in the Trusted Root Certification Authorities store)
- Press Finish
The setting will be applied to all affected computers during the next Group Policy refresh interval (or computer startup).
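The export step on the web server and the verification on a client can also be done from PowerShell. The script below is an added example, not Specops' own code: Export-SprServerCertificate writes the self-signed server certificate from the Personal store to a .CER file without the private key, exactly as the wizard steps above do, and Test-SprTrustedRoot checks on a client, after the Group Policy refresh, that the same certificate is present in the Trusted Root Certification Authorities store. It assumes the page's example host name "server01.acme.local" and a file path of C:\Temp\spr-selfsigned.cer.

```powershell
# Added example (not Specops' own code): export the self-signed server
# certificate on the Specops Password Reset web server (public part only,
# DER encoded, no private key), and verify on a client that Group Policy has
# placed it in the Trusted Root Certification Authorities store.
# "server01.acme.local" is the page's example host name; the file path is assumed.

function Export-SprServerCertificate {
    param(
        [string]$ServerName = "server01.acme.local",
        [string]$OutFile    = "C:\Temp\spr-selfsigned.cer"
    )
    # Same store as the MMC steps: Certificates (Local Computer) \ Personal
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$ServerName*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for $ServerName found in the Personal store." }

    # A self-signed certificate is its own issuer. A CA-issued certificate must
    # not be pushed to the Trusted Root store; clients should trust its CA instead.
    if ($cert.Issuer -ne $cert.Subject) {
        throw "Certificate $($cert.Thumbprint) is CA-issued, not self-signed; do not deploy it as a trusted root."
    }

    # X509ContentType::Cert writes only the DER-encoded certificate, never the private key
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    Write-Host "Exported $($cert.Thumbprint) to $OutFile"
    return $cert.Thumbprint
}

function Test-SprTrustedRoot {
    param([string]$CerFile = "C:\Temp\spr-selfsigned.cer")
    # Load the exported file to get the thumbprint we expect to find
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
    $thumb = $expected.Thumbprint

    $deployed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $deployed) {
        Write-Warning "$thumb is NOT in Trusted Root Certification Authorities; wait for the next Group Policy refresh or run gpupdate /force."
        return $false
    }

    # Roots delivered by Group Policy are also recorded under the policy key,
    # which distinguishes them from a root someone installed by hand
    $policyKey = "HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    if (Test-Path $policyKey) {
        Write-Host "OK: $thumb is trusted as a root CA and was deployed by Group Policy."
    } else {
        Write-Host "OK: $thumb is trusted as a root CA, but it did not come from Group Policy."
    }
    return $true
}

# Usage: first on the web server, then on a client that has a copy of the .CER file
# Export-SprServerCertificate -ServerName "server01.acme.local" -OutFile "C:\Temp\spr-selfsigned.cer"
# Test-SprTrustedRoot -CerFile "C:\Temp\spr-selfsigned.cer"
```

Keep the exported .CER file; its thumbprint is what you later search for when the certificate is replaced or removed from the GPO.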
Active Directory Fine-Grained Password Policies
Note! For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.
If Specops Password Reset is installed in a domain where fine-grained password policies are used to enforce different password policies, then the Specops Password Reset Service Account must be granted permissions to read all the configured password policies.
Log on to a domain controller with an account that has Domain Admin permissions in the domain and run the following command from a command prompt:
dsacls "CN=Password Settings Container,CN=System,<domain DN>" /I:S /G <SPR service account>:GR;;
For example:
dsacls "CN=Password Settings Container,CN=System,DC=test,DC=local" /I:S /G test\sprsvc:GR;;
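After running the dsacls command, the resulting permission can be verified with the following PowerShell script. It is an added example, not Specops' own code: it binds to the Password Settings Container with ADSI, lists the access control entries that name the service account, and reports whether an Allow entry grants Generic Read that is inherited to the password settings objects beneath the container, which is what /I:S and :GR;; request. It uses the page's example values (domain DN DC=test,DC=local and account test\sprsvc) and needs no additional modules.

```powershell
# Added example (not Specops' own code): verify the permission set by
# dsacls "CN=Password Settings Container,CN=System,<domain DN>" /I:S /G <account>:GR;;
# The domain DN and account are the page's example values; adjust them.

$domainDN   = "DC=test,DC=local"
$sprAccount = "test\sprsvc"

$containerPath = "LDAP://CN=Password Settings Container,CN=System,$domainDN"
try {
    $container = [ADSI]$containerPath
    $acl = $container.psbase.ObjectSecurity
} catch {
    throw "Could not bind to $containerPath (check the domain DN; the container exists only at Windows Server 2008 domain functional level): $_"
}

# ACEs for the service account, with identities shown in DOMAIN\name form
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $sprAccount }

if (-not $aces) {
    Write-Warning "No ACE for $sprAccount on the Password Settings Container; run the dsacls command."
    return
}

# GenericRead in .NET is the set of specific read rights; dsacls GR may be stored
# either as those specific bits or as the generic read bit (0x80000000)
$genericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$ok = $false
foreach ($ace in $aces) {
    Write-Host ("{0,-6} {1,-12} {2}" -f $ace.AccessControlType, $ace.InheritanceType, $ace.ActiveDirectoryRights)
    $mask     = [int]$ace.ActiveDirectoryRights
    $hasRead  = (($mask -band $genericRead) -eq $genericRead) -or (($mask -band 0x80000000) -ne 0)
    $inherits = ($ace.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    if ($ace.AccessControlType -eq 'Allow' -and $hasRead -and $inherits) { $ok = $true }
}

if ($ok) {
    Write-Host "OK: $sprAccount has inherited read access to the password settings objects."
} else {
    Write-Warning "$sprAccount has ACEs on the container but not an inherited Allow Generic Read; re-check the dsacls command."
}

# Sanity check: are there any password settings objects (PSOs) to read?
$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(objectClass=msDS-PasswordSettings)"
$searcher.PropertiesToLoad.Add("name") | Out-Null
$psos = $searcher.FindAll()
Write-Host ("{0} password settings object(s) found under the container." -f $psos.Count)
```

Run it on the domain controller (or any domain member with the account used for the dsacls step); the ACE list it prints is also a convenient record to keep alongside the change.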
Page last modified on October 16, 2008, at 03:29 PM