Installation

This document will guide you through the process of installing Specops Password Policy.

Key Components

Specops Password Policy flow

Specops Password Policy consists of the following components and does not require any additional servers or resources in your environment.

Specops Password Policy Administration Tools

Used to configure the central aspects of the solution and enable the creation of Specops Password Policy Settings in Group Policy Objects.

Specops Password Policy Sentinel

The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

Sentinel Password Filter: The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.
Sentinel Service: The Sentinel Service is installed on every domain controller as part of the Specops Password Policy.

For more information on the Sentinel, please refer to the Password Policy Sentinel page.

Specops Client

(Formerly known as the Specops Password Client or the uReset Client) Displays the password policy rules when a user fails to meet the policy criteria when changing their password. The Client also notifies users when their passwords are about to expire.

Specops Arbiter: The Specops Arbiter should only be installed if you are using the Specops Breached Password Protection add-on.

The Specops Arbiter acts as a gateway between the Sentinel Service and the Specops Breached Password Protection Cloud API, where the list of leaked passwords is found. The Specops Arbiter uses a customer unique API key to communicate with the Breached Password Protection Cloud API.

Requirements

Component	Requirement
Administration Tools	Windows 10/11 or Windows Server 2016/2019/2022/2025 .Net Framework 4.7.2 or later Active Directory and Users and Computers snap-in Group Policy Management Console (GPMC) Windows Powershell 5.1
Specops Password Policy Sentinel	Windows Server 2016/2019/2022/2025 (core or desktop experience) .Net Framework 4.7.2 or later Writable domain controller
Breached Password Protection Express	10GB of spare disk space on all DC’s SYSVOL volume.
Specops Client	Windows 10 x64, Windows 11 x64 or Windows Server 2016/2019/2022 Secure Access not supported on domain controllers. .Net Framework 4.7.2 or later For password resets with uReset 8, Secure Access and Specops Password Reset, the Specops Cefsharp runtime MSI should be installed. Specops Secure Access requires .Net 8 Desktop Runtime deployed on client computers.
Specops Arbiter	Windows Server 2016/2019/2022/2025 (core or desktop experience) .Net Framework 4.7.2 or later

Installing Specops Password Policy

During installation, Specops Password Policy will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Policy:

Administration Tools
Specops Arbiter
Sentinel
Client

Download the Setup Assistant.
Save and Run the Setup Assistant on your server.

Note

By default, the file is extracted to C:\temp\SpecopsPasswordPolicy_Setup_[VersionNumber]
Double click SpecopsPasswordPolicy.Setup.exe to launch the Setup Assistant.
To begin, click Start Installation in the Specops Setup Assistant dialog box, and Accept the End User License Agreement.

Installing the Administration Tools

Installing the Administration Tools will install the Domain Administration tool and the GPMC snap-in, as well as the powershell module. You can use the Domain Administration tool to manage configurations that apply to your entire domain including your license information, templates, and Password Policy Sentinel installations. You can use the GPMC snap-in to configure password policies in a Group Policy Object (GPO). The GPO can then be applied to your entire domain or a part of your domain.

The Administration Tools should be installed on the computer that you want to administer the product from.

Note

This machine requires Internet access to download the online dictionaries.

In the main menu, select Administration tools.

Note

The installer will indicate whether installation prerequisites are met with a green checkmark in front of the prerequisites. If any display a red cross, please install or update that component in your system.
If you want Specops Password Policy to register the Specops Active Directory Users and Computers (ADUC) Menu Extension, click Extend menu.

Note

This will allow Specops to add the Specops Display Specifiers in the configuration partition of your Active Directory forest allowing you to administer the product directly from the right-click menu of Active Directory objects. In order to add the menu extension to Active Directory the user running the Setup Assistant must be an Enterprise Administrator.
Click Install.
In the Installation succeeded dialog box, click OK.

For information on how to set up policies, please refer to the Administration documentation.

Installing the Specops Arbiter

Note

The Specops Arbiter is installed for use with the Specops Breached Password Protection add-on, as well as to enable sending emails through the Arbiter.

In the main menu, select Specops Arbiter.
If any of the prerequisites are not met, please update or install the required elements.
Click Install.
In the Installation succeeded dialog box, click OK.

Installing the Sentinel

The Sentinel is a password filter at the domain controllers which verifies whether the new password matches the Specops Password Policy settings assigned to the user. You should install the Sentinel on all writable domain controllers in your domain. All Domain Controllers should have the same version of the Sentinel.

In the main menu, select Domain Controller Sentinel.
To install the Sentinel on all writable domain controllers in your domain you can:

Option: Create a network share on the local computer and copy the sentinel msi-package to the new network share
1. Click Create Share.
2. Select a local path to create the share for, and click OK.
3. Click Select share.
4. Verify that the network path to the network share you created is correct, and click OK.
Option: Select an existing network share and manually copy the msi-package to the existing network share
1. Click Select Share.
2. Browse to the location of the msi-package, and click OK.
  
  Note
  
  The default installer extraction path is: C:\temp\SpecopsPassword_Setup_[VersionNumber]\
Select the domain controllers you want to install the Sentinel on, and click Install.

Note

You must reach the remote domain controllers through Remote Protocol Connection (RPC).
Verify that the Sentinel state for the selected domain controllers has changed to “Installed.”

Note

If the Sentinel state for the selected domain controllers has changed to install, but the icon next to the component hasn’t changed, you can continue to the next step.

Post-installation: You must reboot your domain controllers once you have installed the Sentinel.

Installing and upgrading the Specops Client

Specops Password Policy requires installation of the Specops Client on all client computers. In organizations using Specops Password Policy only, the Specops Client must be deployed but the CefSharp Runtime is not required.

This is further described in Specops Client Installation.

Post-Installation

Please complete the following tasks after you have installed Specops Password Policy:

Reboot your domain controllers if you have not already done so.
Open the Password Policy Domain Administration app (located in Start > Specops Software > Password Policy Domain Administration)
Click Import license file....
Browse to the location where your license file is stored, select the file and click Open.
If you are using Specops Password Policy with the Breached Password Protection add-on, you will also need to register the Arbiter(s) from the Domain Administration tool:
1. From the Domain Administration tool, select Breached Password Protection, and click Register new Arbiter.
2. Select, or type the name of your Arbiter computer, and click OK. The Arbiter computer is now added to the table containing all Specops Password Arbiters.
  
  Note
  
  You can also search for your Arbiter computer by clicking the Advanced button and then Find now.
3. Click the Import API key button and paste the API key you received from Specops in the text field that comes up. Click OK. A green checkmark should appear in the API key column in the table.
  
  Note
  
  Paste only the actual API key in the text field, excluding any comments that may be present.
4. Click Test cloud connection to test the connection.
  
  Note
  
  You will receive an error prompting you to enter a valid license key once installation is complete.
Verify that the appropriate Group Policy Objects are linked to the OUs containing the correct managed users.
Configure your built-in domain password policy to the lowest settings you wish to use in your Specops Password Policies.

Note

This will allow the Client to display the Specops Password Policy rules when a user fails to meet the policy criteria when changing their password. If you do not configure your built-in domain password policy to the lowest setting, the built-in password policy rules will appear.

Next, configure your password policies as described in the Administration section.