diff --git a/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md b/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md index 5fa3118e1a..98cfab7628 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md +++ b/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md @@ -6,32 +6,6 @@ sidebar_position: 70 # Command Line Interface -## Silent Installation - -Replace _version_ with the complete version and build number of the **msi** file. For example, -11.2.0.148. - -Install only PPE Server: msiexec /i Netwrix_PPE_Server_**version**_x64.msi ADDLOCAL=FeatureServerPPE -/q - -Install only Console: msiexec /i Netwrix_PPE_Server_**version**_x64.msi ADDLOCAL=FeatureConsole /q - -Install only Mailer Server: msiexec /i Netwrix_PPE_Server_**version**_x64.msi -ADDLOCAL=FeaturePPEMailerServer /q - -Install all 3 components: - -msiexec /i Netwrix_PPE_Server_**version**_x64.msi -ADDLOCAL=FeaturePPEMailerServer,FeatureConsole,FeatureServerPPE /q - -By default Console only installed: msiexec /i Netwrix_PPE_Server_**version**_x64.msi /q - -Uninstall all: msiexec /uninstall Netwrix_PPE_Server_**version**_x64.msi /q - -Uninstall only particular feature: msiexec /i _path_to_your_msi_file.msi_ REMOVE=_FeatureName_ /qn - -If a reboot wasn't done, add **/forcerestart** at the end - ## Mailer You can run the Password Policy Enforcer Mailer from the command line to deliver email immediately, diff --git a/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md b/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md index f3ca49c185..50b219b1c6 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md +++ b/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md 
@@ -12,7 +12,7 @@ The check can be scheduled to run at any time to verify existing passwords again :::note Create the **Compromised Passwords Base** file before enabling the Compromised Password -Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for instructions. +Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for instructions. ::: @@ -32,7 +32,7 @@ Click the **Compromised Password Check** toggle to enable/disable the feature. ![Compromised Password Check](/images/passwordpolicyenforcer/11.2/administration/compromisedpasswords.webp) - **Compromised Passwords Base** specify the database to use when checking for compromised - passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) to create this database. + passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) to create this database. Click **Browse** to navigate to the folder. Default is **C:\HIBP\DB** - **Domain Controller (FQDN)** specify the fully qualified domain controller name where you want to run the password check. Click **Browse** and select from the list. diff --git a/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md b/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md similarity index 93% rename from docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md rename to docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md index 036089103c..ef59bfa304 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md +++ b/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md @@ -1,7 +1,7 @@ --- title: "HIBP Updater" description: "HIBP Updater" -sidebar_position: 90 +sidebar_position: 20 --- # HIBP Updater 
@@ -27,17 +27,17 @@ If the HIBP database is copied to and stored local on the Domain Controllers: - The HIBP database takes up additional space on the machine where it is copied. (Aproximetly 13GB but subject to change) - If doing local the database needs to be on every Domain Controller in the same location as specified in the Rule. -- A network connection doesn't come into play and possibly affect performance of checking the password against the HIBP database +- A network connection doesn't come into play and possibly affect performance of checking the password against the HIBP database - The pending password candidate is checked against the archived hash file at the local level. If a password hash is matched, the pending password change is rejected. If the HIBP database is kept on a Network Share: -- The database takes up space only on the Network Share, not on each Domain Controller.  -- Requires a working network connection from the Domain Controllers to the Network Share with Read permissions to check: +- The database takes up space only on the Network Share, not on each Domain Controller. +- Requires a working network connection from the Domain Controllers to the Network Share with Read permissions to check: - The pending password candidate from Domain Controller against the HIBP Database stored on the Network Share, this could affect LSASS/Password Change performance depending on the environment. - HIBP database space isn't required on the domain controllers but on one Network Location. -- At the time of a password change, if the Network Share isn't available, the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted. +- At the time of a password change, if the Network Share isn't available, the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted. ## Installation and Configuration 
@@ -58,7 +58,7 @@ Only run this from one server. ### Passwords Hash Database -Password Policy Enforcer uses the Passwords Hash database to check if users’ new and pending +Password Policy Enforcer uses the Passwords Hash database to check if users' new and pending password (i.e. during a password reset) matches the hash of a compromised password from a data breach. @@ -83,7 +83,7 @@ size of the hash file, this download takes up a significant amount of CPU and do - Update Type: - - Full Download – Download all data from the HIBP database hosted on the Netwrix website + - Full Download – Download all data from the HIBP database hosted on the Netwrix website - Incremental Update – Download updates from the HIBP database hosted on the Netwrix website instead of downloading the full HIBP database. This option is enabled after a full download of the HIBP database has completed. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md index 219cbb13f4..87912ebf8c 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md @@ -22,5 +22,5 @@ degrades performance, and could jeopardize security. ::: -See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) +See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) database usage. diff --git a/docs/passwordpolicyenforcer/11.2/installation/writeback.md b/docs/passwordpolicyenforcer/11.2/admin/writeback.md similarity index 87% rename from docs/passwordpolicyenforcer/11.2/installation/writeback.md rename to docs/passwordpolicyenforcer/11.2/admin/writeback.md index 78e5beb5e8..c4014a5d2a 100644 
--- a/docs/passwordpolicyenforcer/11.2/installation/writeback.md +++ b/docs/passwordpolicyenforcer/11.2/admin/writeback.md @@ -1,19 +1,19 @@ --- title: "Enforce Password Reset with Azure Password Writeback" description: "Enforce Password Reset with Azure Password Writeback" -sidebar_position: 100 +sidebar_position: 85 --- # Enforce Password Reset with Azure Password Writeback You can use Password Policy Enforcer to enforce password policies for passwords reset from Microsoft -Entra ID and O365 by enabling password writeback in Microsoft Entra ID. See the +Entra ID and O365 by enabling password writeback in Microsoft Entra ID. See the [How does self-service password reset writeback work in Microsoft Entra ID?](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback) Microsoft knowledge base article for additional information on password writeback in Microsoft Entra -ID. Password writeback sends all new passwords from Microsoft Entra ID to an available, on-premises +ID. Password writeback sends all new passwords from Microsoft Entra ID to an available, on-premises domain controller to check with Password Policy Enforcer. This happens while the user is resetting their password. See the [Tutorial: Enable Microsoft Entra self-service password reset writeback to an on-premises environment](https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback) and -[How it works: Microsoft Entra self-service password reset](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-it-works-microsoft-entra-self-service-password-reset) Microsoft +[How it works: Microsoft Entra self-service password reset](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-it-works-microsoft-entra-self-service-password-reset) Microsoft knowledge base articles for additional information on password writeback for Microsoft Entra ID. 
diff --git a/docs/passwordpolicyenforcer/11.2/gettingstarted.md b/docs/passwordpolicyenforcer/11.2/gettingstarted.md deleted file mode 100644 index 5ad27d2941..0000000000 --- a/docs/passwordpolicyenforcer/11.2/gettingstarted.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: "Getting Started" -description: "Getting Started" -sidebar_position: 2 ---- - -# Getting Started - -Review the [Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) topic. - -## Install Products - -Install Password Policy Enforcer (PPE Server) on every domain controller to enforce the -password policy for domain user accounts, or on individual servers and workstations to enforce the -password policy for local user accounts. See the -[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) or -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topics for additional -information. - -You can install the Configuration Console on whatever servers are convenient for you to access. It -is a selectable feature in the server installation **msi** package. See the -[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) topic for additional -information. - -Install the Mailer Service on a single server in each domain. See the -[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) topic for additional -information. - -Password Policy Enforcer client is optional, but recommended. Users receive immediate feedback when -setting up their passwords. This saves your users time and frustration when picking compliant -passwords. See the [Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md) or -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topics for additional -information. - -Password Policy Enforcer Web is a separate product enabling users to change their Windows domain -password from a web browser. 
See the [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md) topic for -additional information. - -Create the **Compromised Passwords Base** before enabling the Compromised Password Check. See the -[HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for additional information. - -## Exclude PPE Files from AntiVirus Checks - -**Domain Controller** - -**PPE.DLL** if this file doesn't load, PPE can't enforce the password policy. - -**Clients** - -**PPEClt.DLL** if this file doesn't load, the client doesn't run. - -## Next Steps - -You can work through the [Evaluate Password Policy Enforcer](/docs/passwordpolicyenforcer/11.2/evaluation/evaluation_overview.md). diff --git a/docs/passwordpolicyenforcer/11.2/index.md b/docs/passwordpolicyenforcer/11.2/index.md index 6735acb4ec..430ccc1a98 100644 --- a/docs/passwordpolicyenforcer/11.2/index.md +++ b/docs/passwordpolicyenforcer/11.2/index.md 
@@ -37,7 +37,7 @@ The Configuration Console has some additional requirements: This component sends email from Password Policy Enforcer to your mail server. Although not required, this component supports several PPE features, so you'll most likely want to install it on one server in the domain. This component requires the [.NET Desktop Runtime 10.0 or later](https://aka.ms/dotnet/10.0/windowsdesktop-runtime-win-x64.exe). ### Password Policy Client (PPC) -The Password Policy Client helps users to choose a compliant password by showing them the password policy rules, and also which rules they don't comply with. This component is optional, but very beneficial. It works on all operating systems listed in the System Requirements section, but you'll typically only install it on users' computers and virtual desktops. +The Password Policy Client helps users to choose a compliant password by showing them the password policy rules, and also which rules they don't comply with. This component is optional, but very beneficial. It works on all operating systems listed in the System Requirements section, but you'll typically only install it on users' computers, virtual desktops, and Remote Desktop Session Hosts. ### Password Policy Enforcer Web Password Policy Enforcer Web is an optional component that runs on Microsoft Internet Information Services (IIS). It has similar features to the Password Policy Client, but via a web interface. Use Password Policy Enforcer Web if you prefer not to install the Password Policy Client, or if you want to integrate Active Directory password changes into your own applications. diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index a2ba937f95..751f2c2202 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md 
@@ -1,51 +1,36 @@ --- title: "Disable Windows Rules" -description: "Disable Windows Rules" -sidebar_position: 80 +description: "How to disable the Windows password policy rules to avoid conflicts with Password Policy Enforcer." +sidebar_position: 20 --- # Disable Windows Rules -The Windows password policy rules can place restrictions on password history, age, length, and -complexity. If you enable the Password Policy Enforcer rules and the Windows rules, then users must -comply with both sets of rules. +Windows has its own password policy rules for password history, age, length, and complexity. If you enable both Password Policy Enforcer (PPE) rules and Windows rules, users must comply with both the PPE and Windows rules. -Password Policy Enforcer has its own history, minimum age, and maximum age, length, and complexity rules. -See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. You can use the Password Policy Enforcer -and Windows rules together. A password is only accepted if it complies with the Windows and Password -Policy Enforcer password policies. +PPE has its own rules for password [history](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md), [minimum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md), [maximum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [length](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md), and [complexity](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. It is therefore recommended to disable the Windows password policy rules while you are experimenting with and testing your PPE configuration. 
-These steps disable the Windows password policy rules: +To disable the Windows password policy rules: -**Step 1 –** Start the Group Policy Management Console **(gpmc.msc**). - -**Step 2 –** Expand the forest and domain items in the left pane. - -**Step 3 –** Right-click the **Default Domain Policy GPO** (or whichever GPO you use to set your -domain password policy), then click **Edit...** - -**Step 4 –** Expand the **Computer Configuration**, **Policies**, **Windows Settings**, **Security -Settings**, **Account Policies**, and **Password Policy** items. - -**Step 5 –** Double-click **Enforce password history** in the right pane of the GPO Editor. - -**Step 6 –** Enter **0** in the text box, then click **OK**. - -**Step 7 –** Repeat the step above for the **Maximum password age**, **Minimum password age**, and -**Minimum password length** policies. - -**Step 8 –** Double-click **Password must meet complexity requirements** in the right pane. - -**Step 9 –** Select the **Disabled** option, and then click **OK**. - -**Step 10 –** Close the Group Policy Management Editor. +1. Start the Group Policy Management Console (`gpmc.msc`). +2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane. +3. Right-click the **Default Domain Policy** GPO (or whichever GPO you use for your domain password policy), then click **Edit**. +4. Expand **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**. +5. Double-click **Enforce password history** in the right pane. +6. Enter **0** in the text box, then click **OK**. +7. Repeat step 6 for **Maximum password age**, **Minimum password age**, and **Minimum password length**. +8. Double-click **Password must meet complexity requirements** in the right pane. +9. Select **Disabled**, then click **OK**. +10. Close the Group Policy Management Editor. 
![installing_ppe_3](/images/passwordpolicyenforcer/11.2/evaluation/preparing_the_computer.webp) +:::tip +Don't set the Windows policies to **Not Configured** as that leaves the previously enforced value in place and doesn't disable the rule. Instead, follow the steps above to explicitly set each numeric policy to **0** and set the complexity policy to **Disabled**. +::: + :::note -You don't have to disable all the Windows password policy rules to use Password Policy -Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you -like. Remember that a password is only accepted if it complies with the rules enforced by both -Windows and Password Policy Enforcer. +You don't have to disable the Windows password policy rules to use PPE. A password must comply with both the Windows and PPE policies to be accepted. +Fine-Grained Password Policies (FGPP) override the domain password policy. If your organization uses FGPP, you'll also need to remove or modify any Password Settings Objects (PSOs) that apply to your users. To do that, open **Active Directory Administrative Center**, navigate to **System** > **Password Settings Container**, and remove or modify the relevant PSOs. ::: diff --git a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md index 4bf5f4f059..5bcb7abbe2 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md +++ b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md 
@@ -1,95 +1,55 @@ --- title: "Domain and Local Policies" -description: "Domain and Local Policies" -sidebar_position: 10 +description: "Use Password Policy Enforcer to enforce domain and local password policies." +sidebar_position: 50 --- # Domain and Local Policies -Netwrix Password Policy Enforcer enforces password policies for both domain and local user accounts. +Netwrix Password Policy Enforcer (PPE) enforces password policies for both domain and local user accounts. Domain user accounts exist in Active Directory. The domain controllers store information about these accounts and replicate changes among themselves. -Local user accounts exist in the SAM database of workstations and servers. The workstations and -servers may be standalone, or domain members. The host computer stores information about these accounts locally and doesn't replicate it to any other computers. +Local user accounts exist in the SAM database of workstations and servers. The workstations and servers can be standalone or domain members. The host computer stores information about these accounts locally and doesn't replicate it to any other computers. -A typical Windows network has both domain and local user accounts, but you may not want to enforce -Password Policy Enforcer password policies for both account types. If your users normally log on with -a domain account, then you will most likely only use Password Policy Enforcer to enforce password -policies for the domain accounts. +A typical Windows network has both domain and local user accounts, but you might not want to enforce PPE policies for both account types. If your users normally log on with a domain account, you'll most likely only enforce password policies for domain accounts. ## Installation Differences -To enforce password policies for domain user accounts, you should install Password Policy Enforcer -onto all the domain controllers in the domain. 
If you have read-only domain controllers and aren't -using the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md), [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md), or other software -(such as -[Netwrix Password Reset](https://www.netwrix.com/active_directory_password_reset_tool.html)) that -uses the Password Policy Enforcer Client protocol, then you don't need to install Password Policy -Enforcer on the read-only domain controllers. +Install Password Policy Enforcer on all the domain controllers in the domain to enforce password policies for domain user accounts. You don't need to install it on read-only domain controllers unless you're using the [Maximum Age rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md), [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md), or Netwrix Password Reset. -To enforce password policies for local user accounts, you should install Password Policy Enforcer -onto the computers containing the user accounts you want to enforce password policies for. These -computers may be workstations or servers, and they may be standalone or domain members. You don't normally need to install Password Policy Enforcer onto all the workstations and servers in -a domain, because most domain users log on with a domain account. If this is the case, you -will most likely only need to install Password Policy Enforcer on the domain controllers. +To enforce password policies for local user accounts, install Password Policy Enforcer on the computers that contain the user accounts you want to enforce password policies for. These computers can be workstations or servers, and they can be standalone or domain members. 
You don't normally need to install PPE on the workstations and servers in a domain because most users log on with a domain account. If this is the case, you'll most likely only need to install PPE on the domain controllers. ## Operational Differences -Most of Password Policy Enforcer's rules and features work with both domain and local -policies, but there are some differences. When enforcing the password policy for domain accounts, -Password Policy Enforcer queries Active Directory to get information about the accounts. +Most of Password Policy Enforcer's rules and features work with both domain and local policies, but there are some differences. These differences are due to password filter technical limitations, and also because some information isn't in the SAM. You can't use the following rules and features with local password policies: -Although getting most of this information from the SAM database for local accounts is theoretically possible, a technical limitation prevents password filters from querying the SAM. Some information, such as the user's OU, also doesn't exist in the SAM. Because of these -limitations, you can't use the following rules and features with local password policies: +- The [Minimum Age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md) and [Maximum Age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md) rules (you can still use the Windows versions of these rules). +- [Policy assignments](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) by groups and containers. -- The Minimum Age and Maximum Age rules (you can use the Windows version of these rules with - Password Policy Enforcer). See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. -- Policy assignments by groups and containers. 
See the - [Assign Policies to Users & Groups](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) topic for additional information. +PPE stores configuration information in Active Directory for domain password policies, and in the Windows registry for local password policies. Use the [**Connected to**](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#connected-to) box in the PPE Configuration Console's home page to choose a configuration source. -Password Policy Enforcer stores its configuration in Active Directory for domain password policies, and in the Windows registry for local password policies. The Connect To page in the Password Policy -Enforcer Configuration Console. Use it to choose a configuration source. See the -[Connected To](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#connected-to) topic for additional information. Changes to Password Policy Enforcer's domain configuration replicate to all domain controllers in the -domain. Changes to a local configuration apply only to the local computer. If you want to use -the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy -Enforcer 10.0\ registry key from the configured computer, and import it into the other computers. +Changes to a domain configuration automatically replicate to all domain controllers in the domain. Changes to a local configuration apply only to the local computer. If you want to use the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 11.0\ registry key from the configured computer, and import it into the other computers. -You can also use Group Policy to distribute Password Policy Enforcer's local configuration to many -computers in a domain. This is only necessary for local password policies. Domain password policies -automatically replicate to the domain controllers because they are stored in Active Directory. 
+You can also use Group Policy to distribute a local configuration to many computers in a domain. This is only necessary for local password policies. Domain password policies automatically replicate to the domain controllers because they're stored in Active Directory. ### Distribute the local configuration with Group Policy -**Step 1 –** Start the Group Policy Management Console (gpmc.msc). +1. Start the Group Policy Management Console (gpmc.msc). +2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane. +3. Right-click the Group Policy object you want to use, then click **Edit...** +4. Expand the **Computer Configuration**, **Preferences**, and **Windows Settings** items in the left pane. +5. Right-click the **Registry** item, then select **New** > **Registry Wizard**. -**Step 2 –** Expand the forest and domain items in the left pane. + ![domain_and_local_policies](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies.webp) -**Step 3 –** Right-click the **Group Policy** object that you would like to use to distribute the -configuration, and then click the **Edit...** button. +6. Select the computer that contains the Password Policy Enforcer local configuration you want to distribute, then click **Next**. +7. Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, and **ANIXIS** items. +8. Click the **Password Policy Enforcer 11.0** item, then select the check boxes beside each item in the bottom pane of the window. -**Step 4 –** Expand the Computer Configuration, Preferences, and Windows Settings items in the left -pane. + ![domain_and_local_policies_1](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies_1.webp) -**Step 5 –** Right-click the **Registry** item, and then select **New** > **Registry Wizard**. +9. Click **Finish**. +10. Close the Group Policy Management Editor. 
-![domain_and_local_policies](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies.webp) - -**Step 6 –** Select the computer that contains the Password Policy Enforcer local configuration that -you want to distribute, and then click **Next**. - -**Step 7 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, and **ANIXIS** items. - -**Step 8 –** Click the **Password Policy Enforcer _version_** item, and then select the check boxes -beside each item in the bottom pane of the window. - -![domain_and_local_policies_1](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies_1.webp) - -**Step 9 –** Click **Finish**. - -**Step 10 –** Close the Group Policy Management Editor. - -Windows applies Password Policy Enforcer's local configuration to the target computers in the domain. -This doesn't happen immediately, as Windows takes some time to apply the changes to Group Policy. -You can force an immediate refresh of Group Policy on the local computer with this command: -`gpupdate /target:computer` +Windows applies Password Policy Enforcer's local configuration to the target computers in the domain. This doesn't happen immediately, as Windows takes some time to apply the changes to Group Policy. You can force an immediate refresh of Group Policy on the local computer with this command: `gpupdate /target:computer` diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md index ab1450f8d3..5fb92cb972 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md 
@@ -1,134 +1,69 @@ --- -title: "Install Password Policy Enforcer Client" -description: "Install Password Policy Enforcer Client" +title: "Install the Password Policy Client" +description: "Install the Password Policy Client to help users choose a compliant password." sidebar_position: 30 --- -# Install Password Policy Enforcer Client +# Install the Password Policy Client -This procedure is used to install the client on your current workstation. See the -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) top for details on installing the client -across your network. You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). +The Password Policy Client (PPC) is an optional component that helps users choose a compliant password. It shows users which rules they need to comply with while they enter their new password. The PPC also displays a detailed rejection reason message if PPE rejects the new password. You typically install the PPC on users' computers, virtual desktops, and Remote Desktop Session Hosts. The list of supported operating systems is in the [introduction](/docs/passwordpolicyenforcer/11.2/index.md). -**Step 1 –** Navigate to the folder where you extracted the installers downloaded from Netwrix. - -**Step 2 –** Click the **Netwrix_PPE_Client**version**x64.msi** (64 bit OS) or -**Netwrix_PPE_Client**version**x86.msi** (32 bit OS) installation package. The installer is -launched. +:::note +The Password Policy Client doesn't store or send passwords or password hashes over the network. The protocol is encrypted for additional security, but even if an attacker compromised the encryption, it wouldn't reveal any passwords or password hashes. 
-![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup1.webp) +PPE only enforces the [Similarity rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md) if the user changes their password from the PPC, [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md), or Netwrix Password Reset. +::: -**Step 3 –** Click **Next**. +## Manual Installation -![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup2.webp) +To manually install the Password Policy Client: -**Step 4 –** Review the End-User License Agreement. Click **I accept the terms in the License -Agreement**. +1. Run **Netwrix_PPE_Client_11.2.0.148_x64.msi** (64-bit) or **Netwrix_PPE_Client_11.2.0.148_x86.msi** (32-bit). The Setup wizard opens. -**Step 5 –** Click **Next**. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup1.webp) -![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup3.webp) +2. Click **Next**. -**Step 6 –** Click **Install**. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup2.webp) -![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup4.webp) +3. Review the End-User License Agreement, select the checkbox to accept the Agreement, then click + **Next**. -**Step 7 –** Click **Finish** when installation is complete. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup3.webp) -The client is installed. There is no associated desktop icon or menu item. +4. Click **Install**. -Restart each computer to complete the installation. Windows installs the Password Policy Client -during startup. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup4.webp) -## Testing the Password Policy Client - -Test the Password Policy Client by logging on to a computer and pressing the CTRL + ALT + DEL keys -and clicking the **Change a password** item. 
If you don't see the password policy, it could be -because a Password Policy Enforcer policy hasn't been assigned to you, or because the firewall -rules haven't been created. +5. Click **Finish** when installation is complete. You don't typically need to restart the computer. :::note -The Password Policy Client doesn't store or send passwords or password hashes over the -network. An attacker can't determine user passwords by sniffing the communication protocol. The -protocol is also encrypted by default for additional protection. +The Password Policy Client runs automatically during a password change. There is no associated desktop icon or start menu item. ::: +## Automated Deployment -## Creating Firewall Rules for the Password Policy Client - -You may need to create firewall rules for the Password Policy Client if your domain controllers are -running a software (host) firewall, or if the Password Policy Client and Password Policy Server -communicate through a firewall. Firewall rules aren't necessary for local policies because the -Password Policy Client and Password Policy Server are on the same computer. - -### Windows Firewall +Use a software deployment tool or [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) to automate deployment across many computers. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install the 64-bit Password Policy Client: -If Windows Firewall is enabled on your domain controllers, then you must create a port exception to -allow connections to the Password Policy Server. Windows Firewall is enabled by default on Windows -Server 2008 and later. +```batch +msiexec /i Netwrix_PPE_Client_11.2.0.148_x64.msi /q +``` -Follow the steps to create the port exception on all domain controllers. - -**Step 1 –** Use the **Group Policy Management Console** (gpmc.msc) to display the GPOs linked to -the Domain Controllers OU. 
- -**Step 2 –** Right-click the **Password Policy Enforcer GPO**, and then click **Edit...**. - -:::note -You need to create the GPO if you chose the Express Setup option. +:::tip +Add an exclusion for `%ProgramFiles%\Netwrix\Password Policy Enforcer\PPEClt.DLL` to exclude the client from antivirus or other security software. This is optional. ::: +## Testing the Password Policy Client -**Step 3 –** Expand the **Computer Configuration**, **Policies**, **Administrative Templates**, -**Network**, **Network Connections**, and **Windows Firewall** items. - -**Step 4 –** Click **Domain Profile** in the left pane then double-click **Windows Firewall: Define -inbound port exceptions** in the right pane. - -![the_password_policy_client_3](/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp) - -**Step 5 –** Select the **Enabled** option, and then click **Show...**. - -![the_password_policy_client_4](/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp) - -**Step 6 –** Select the **Enabled** option, and then click **Show...**. - -![the_password_policy_client_5](/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp) - -**Step 7 –** Click **OK** until you return to the Group Policy Management Editor. - -**Step 8 –** Close the **Group Policy Management Editor**. - -### Other Firewalls - -Use the information on this page to create appropriate rules for your firewall that allow the -Password Policy Client and Password Policy Server to communicate through the firewall. 
- -The Password Policy Client initiates a request by sending a datagram with the following attributes -to the Password Policy Server: - -| Attribute | Result | -| ------------------- | ---------------------------- | -| Protocol | UDP | -| Source Address | Client Computer IP address | -| Source Port | Any | -| Destination address | Domain controller IP address | -| Destination port | 1333 | - -The Password Policy Server responds by sending a datagram with the following attributes back to the -Password Policy Client: +Test the Password Policy Client by logging on to a computer, pressing **Ctrl+Alt+Del**, and clicking **Change a password**. You should see the password policy rules on the password change screen. If you don't see the rules, then ensure that: +- The [Password Policy Server (PPS)](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) is installed on all domain controllers in the domain. +- You restarted all domain controllers after installing the PPS. +- A PPE policy is [assigned](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) to the logged on user account. -| Attribute | Result | -| ------------------- | ---------------------------- | -| Protocol | UDP | -| Source Address | Domain controller IP address | -| Source Port | Any | -| Destination address | Client Computer IP address | -| Destination port | Any | +## Uninstalling -:::note -If your firewall performs Stateful Packet Inspection, then only create a rule for the -request datagram as the firewall automatically recognizes and allows the response datagram. +You can uninstall the Password Policy Client from the **Installed apps** page in Windows Settings, or the **Uninstall or change a program** page in Control Panel. You can also run msiexec to uninstall from the command line. For example, run this command with elevated permissions to silently uninstall the 64-bit Password Policy Client: -::: +```batch +msiexec /x Netwrix_PPE_Client_11.2.0.148_x64.msi /q +``` 
diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md b/docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md deleted file mode 100644 index e386218e0c..0000000000 --- a/docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: "Install the Configuration Console" -description: "Install the Configuration Console" -sidebar_position: 50 ---- - -# Install the Configuration Console - -The Configuration Console configures and manages Netwrix Password Policy Enforcer on your domain. - -Install the Password Policy Enforcer Configuration Console on any server or workstation where you need it. - -The Configuration Console is a feature package included in the server installation **.msi** file: - -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. -- Configuration Console – manages policy configuration. Install wherever needed. -- Mailer Service – sends email reminders. Install on any server. - -Follow the procedure in [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md), -selecting the **Configuration Console** feature. You can select the other features if appropriate -for the server. - -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md index 55cba924c2..ab4ea85d90 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md 
@@ -1,86 +1,57 @@ --- -title: "Install with Group Policy Management" -description: "Install with Group Policy Management" +title: "Deploy with Group Policy" +description: "Deploy Password Policy Enforcer to multiple computers with Group Policy." sidebar_position: 40 --- -# Install with Group Policy Management +# Deploy with Group Policy -An automated installation uses Group Policy to distribute Password Policy Enforcer. This type of -installation is recommended when you need to install Password Policy Enforcer on many computers. -This section shows you how to install Password Policy Enforcer on domain controllers to enforce -domain policies, but you can also use Group Policy to target member servers and workstations if you -need to enforce local policies. See the -[Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) topic for additional -information. +You can use Group Policy to deploy the [Password Policy Enforcer server components](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) or the [Password Policy Client (PPC)](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md). Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools can also be used. ## Create a Distribution Point -A distribution point can either be a UNC path to a server share, or a DFS (Distributed File System) -path. To create a Password Policy Enforcer distribution point: +A distribution point can be a UNC path to a server share, or a Distributed File System (DFS) path. To create a distribution point: -**Step 1 –** Log on to a server as an administrator. - -**Step 2 –** Create a shared network folder to distribute the files from. - -**Step 3 –** Give the **Domain Controllers** security group read access to the share, and limit -write access to authorized personnel only. - -**Step 4 –** Download the Netwrix Password Policy Enforcer installation package from Netwrix. 
- -**Step 5 –** Extract the installers from the compressed file. - -**Step 6 –** Copy the **.msi** files to the distribution folder. +1. Log on to a server as an administrator. +2. Create a shared network folder to distribute the files from. +3. Give the security group for your target computers (for example, **Domain Controllers** for domain controllers or **Domain Computers** for workstations) read access to the share, and limit write access to authorized personnel only. +4. Copy the .msi installers to the distribution folder. ## Create a Group Policy Object -**Step 1 –** Start the Group Policy Management Console (**gpmc.msc**). +1. Start the Group Policy Management Console (**gpmc.msc**). +2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane. +3. Right-click the target OU in the left pane, then click **Create a GPO in this domain, and Link it here...**. Target the Domain Controllers OU to install a package only on the domain controllers (typical for the Password Policy Server). Target the OU containing your workstations to install a package on those computers (typical for the Password Policy Client), or target the domain root to deploy to all computers in the domain. -**Step 2 –** Expand the forest and domain items in the left pane. + ![GPM installation](/images/passwordpolicyenforcer/11.2/install/gpm1.webp) -**Step 3 –** Right-click the **Domain Controllers OU** in the left pane, and then click **Create a -GPO in this domain, and Link it here...** +4. Enter a descriptive name for the GPO (for example, **Password Policy Enforcer**) in the name field, then press **Enter**. -![GPM installation](/images/passwordpolicyenforcer/11.2/install/gpm1.webp) - -**Step 4 –** Enter **Password Policy Enforcer** in the provided field, and then press **Enter**. 
- -![GPM Install](/images/passwordpolicyenforcer/11.2/install/gpm2.webp) + ![GPM Install](/images/passwordpolicyenforcer/11.2/install/gpm2.webp) ## Edit the Group Policy Object -**Step 1 –** Right-click the **Password Policy Enforcer GPO**, and then click the **Edit...** -button. +1. Right-click the GPO you just created, then click **Edit**. +2. Expand **Computer Configuration**, **Policies**, and **Software Settings**. +3. Right-click **Software installation**, then select **New** > **Package...** +4. Enter the full UNC path to the .msi file in the distribution point. -**Step 2 –** Expand the **Computer Configuration**, **Policies**, and **Software Settings** items. + :::note + You must enter a UNC path so that other computers can access the file over the network. For example: `\\\\Netwrix_PPE_.msi` + ::: -**Step 3 –** Right-click the **Software installation** item, and then select **New** > -**Package...** +5. Click **Open**. -**Step 4 –** Enter the full **UNC path** to your **msi** files. + ![installing_ppe_2](/images/passwordpolicyenforcer/11.2/install/installing_ppe_2.webp) -:::note -You must enter a UNC path so that other computers can access this file over the network. -For example: \\file server\distribution point share\Netwrix*PPE\_\_version*.msi -::: - - -**Step 5 –** Click **Open**. - -![installing_ppe_2](/images/passwordpolicyenforcer/11.2/install/installing_ppe_2.webp) - -**Step 6 –** Select **Assigned** as the deployment method. - -**Step 7 –** Click **OK**. - -**Step 8 –** Close the Group Policy Management Editor. +6. Select **Assigned** as the deployment method. +7. Click **OK**. +8. Close the Group Policy Management Editor. ## Complete the Installation -Restart each domain controller to complete the installation. Windows installs Password Policy -Enforcer during startup, and then immediately restarts the computer a second time to complete the -installation. 
+Allow time for the GPO to replicate to all domain controllers before proceeding, then restart each target computer to complete the installation. Windows installs the component during startup, then restarts the computer a second time if necessary. -Password Policy Enforcer doesn't enforce a password policy until the policies are defined. Users -can still change their password, and must comply only with the Windows password policy rules -(if enabled). +:::note +The Password Policy Server won't start enforcing a password policy until you [configure](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md) it. Users can still change their passwords during this time, and must comply with the Windows password policy rules (if enabled). +::: diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md b/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md deleted file mode 100644 index 22e072b3cc..0000000000 --- a/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: "Install Mailer Service" -description: "Install Mailer Service" -sidebar_position: 60 ---- - -# Install Mailer Service - -Netwrix Password Policy Enforcer sends email reminders to domain users before their passwords -expire. This is especially useful for users who log on infrequently, and for remote users who access -the network without logging on to the domain. You must install the Password Policy Enforcer Mailer -and configure the email delivery and email message options to send email reminders to users. See the -[Notifications](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#notifications) topic for additional information. - -Add your email address to a service account, and the Password Policy Enforcer Mailer reminds you to -change the service account password before it expires. - -The Password Policy Enforcer Mailer isn't installed by default. Only install it on one server in -each domain. The Password Policy Enforcer Mailer can be installed on any server. - -The mailer is a feature package included in the server installation **.msi** file: - -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. -- Configuration Console – manages policy configuration. Install wherever needed. -- Mailer Service – sends email reminders. Install on any server. - -Follow the procedure in [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md), -selecting the **Mailer Service** feature. You can select the other features if appropriate for the -server. - -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). 
diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md index 672252d024..7568c35ba0 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md 
@@ -1,79 +1,65 @@ --- -title: "Install Password Policy Enforcer on a Server" -description: "Install Password Policy Enforcer on a Server" -sidebar_position: 20 +title: "Install the Server Components" +description: "Install the Password Policy Enforcer server components with the Setup wizard or the command line." +sidebar_position: 10 --- -# Install Password Policy Enforcer on a Server +# Install the Server Components -Password Policy Enforcer server should be installed on every domain controller to enforce the -password policy for domain user accounts, or on individual servers and workstations to enforce the -password policy for local user accounts. +The Password Policy Enforcer (PPE) server installer includes the following components: +- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) for more information if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. +- **Configuration Console** — Graphical and command-line tools to configure PPE. Install this component on any computer that you want to configure Password Policy Enforcer from. This could be a domain controller, a management server, or your computer. +- **Mailer Service** — Sends email on behalf of PPE. It is typically installed on one server in the domain. 
-If your domain contains some read-only domain controllers, then installation of Password Policy -Enforcer on these servers is only necessary if you are using the following features: - -- [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) -- [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md) -- [Netwrix Password Reset](https://helpcenter.netwrix.com/category/passwordreset) -- [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md) +:::note +The [introduction](/docs/passwordpolicyenforcer/11.2/index.md) has more information about these components, including their system requirements. +::: -The Server installation package includes multiple features selected during installation: +## Manual Installation -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. -- Configuration Console – manages policy configuration. Install wherever needed. -- Mailer Service – sends email reminders. Install on any server. +To manually install one or more server components: -**Step 1 –** Download the installation package from Netwrix. +1. Run **Netwrix_PPE_Server_11.2.0.148_x64.msi**. The Setup wizard opens. -**Step 2 –** Extract the installers from the compressed file. If you are going to use Group Policy -Manager to install Netwrix Password Policy Enforcer, copy the **msi** files to a distribution -folder. See the [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topic for additional -details. You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). 
+ ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup1.webp) -:::note -Continue with these steps to install one or more features on your current server or domain -controller. You must repeat these steps for each server where the features are installed. -::: +2. Click **Next**. + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup2.webp) -**Step 3 –** Click the **Netwrix_PPE_Server_version_x64.msi** installation package. The -installer is launched. +3. Review the End-User License Agreement, select the checkbox to accept the Agreement, then click **Next**. -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup1.webp) + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup3.webp) -**Step 4 –** Click **Next**. +4. Select one or more components to install, then click **Next**. -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup2.webp) + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup4.webp) -**Step 5 –** Review the End-User License Agreement. Click **I accept the terms in the License -Agreement**. +5. Review your selections, then click **Install**. -**Step 6 –** Click **Next**. + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup5.webp) -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup3.webp) +6. Click **Finish** when installation is complete. If prompted to restart the computer, then restart before using the installed components. -**Step 7 –** Select the features to install. The required storage is shown for each selection. +## Automated Deployment -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. It isn't - selected by default. -- Configuration Console – manages policy configuration. Install wherever needed. Selected by - default. -- Mailer Service – sends email reminders. 
It isn't selected by default. +If you have many domain controllers, use a software deployment tool or [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) to automate the deployment. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install only the PPS component and immediately restart the computer: -**Step 8 –** The default location is shown. Click **Browse** and select a new location if needed. + ```batch +msiexec /i Netwrix_PPE_Server_11.2.0.148_x64.msi ADDLOCAL=FeatureServerPPE /q +``` -**Step 9 –** Click **Next**. +The ADDLOCAL argument tells msiexec which components to install. `ADDLOCAL=FeatureServerPPE,FeatureConsole,FeaturePPEMailerServer` installs all the server components. -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup4.webp) +:::tip +Add an exclusion for `%ProgramFiles%\Netwrix\Password Policy Enforcer\PPE.DLL` to exclude PPE from antivirus or other security software. This is optional. +::: -**Step 10 –** Review your selections. Click **Back** to make any changes. When ready, click -**Install**. +## Uninstalling -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup5.webp) +You can uninstall, repair, or change the installed server components from the **Installed apps** page in Windows Settings, or the **Uninstall or change a program** page in Control Panel. You can also run msiexec to uninstall from the command line. For example, run this command with elevated permissions to silently uninstall all the PPE server components without restarting the computer: -**Step 11 –** Click **Finish** when installation is complete. You are prompted to restart your -system for the changes to take effect. +```batch +msiexec /x Netwrix_PPE_Server_11.2.0.148_x64.msi /q /norestart +``` +Use the REMOVE argument to remove individual components. For example, `REMOVE=FeaturePPEMailerServer` 
diff --git a/docs/passwordpolicyenforcer/11.2/installation/uninstall.md b/docs/passwordpolicyenforcer/11.2/installation/uninstall.md deleted file mode 100644 index 78e7f5e3d9..0000000000 --- a/docs/passwordpolicyenforcer/11.2/installation/uninstall.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: "Uninstall Netwrix Password Policy Enforcer" -description: "Uninstall Netwrix Password Policy Enforcer" -sidebar_position: 120 ---- - -# Uninstall Netwrix Password Policy Enforcer - -You can uninstall Password Policy Enforcer on every domain server and computer, or use Group Policy -Management to remove the PPE Server and PPE Client on all machines. - -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). - -**Step 1 –** Open **Start** > **Control Panel** > **Programs and Features** on each system where a -PPE component is installed. - -**Step 2 –** Click **Uninstall a program**. - -**Step 3 –** Select Netwrix Password Policy Enforcer to uninstall the PPE Server, PPE Configuration -Console and Mailer. - -**Step 4 –** Click **Uninstall**. - -**Step 5 –** Select Netwrix Password Policy Client to uninstall the client. - -**Step 6 –** Click **Uninstall**. - -**Step 7 –** Reboot the Domain Controller. diff --git a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md index d8f7bbd0ae..cdc59b152f 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md +++ b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md @@ -1,7 +1,7 @@ --- title: "Upgrading Password Policy Enforcer" description: "Upgrading Password Policy Enforcer" -sidebar_position: 110 +sidebar_position: 60 --- # Upgrading Password Policy Enforcer 
@@ -11,7 +11,7 @@ Upgrades are supported for versions 9.0 and above. Contact Customer Support at upgrading older versions You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md#automated-deployment). **Upgrading the Password Policy Server** @@ -48,8 +48,8 @@ recommended. **Upgrading the Mailer** The Password Policy Enforcer installer detects existing installations of the Password Policy -Enforcer Mailer and upgrades them to 11. See the [Install Mailer Service](/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md) -topic for additional information. +Enforcer Mailer and upgrades them to 11. See [Install the Password Policy Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) +for information on installing the Mailer Service feature. **Upgrade Notes** diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationweb.md b/docs/passwordpolicyenforcer/11.2/web-overview/installationweb.md similarity index 85% rename from docs/passwordpolicyenforcer/11.2/installation/installationweb.md rename to docs/passwordpolicyenforcer/11.2/web-overview/installationweb.md index a4d21f3558..fd165bb83b 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationweb.md +++ b/docs/passwordpolicyenforcer/11.2/web-overview/installationweb.md @@ -1,7 +1,7 @@ --- title: "Install Password Policy Enforcer Web" description: "Install Password Policy Enforcer Web" -sidebar_position: 70 +sidebar_position: 10 --- # Install Password Policy Enforcer Web 
@@ -34,7 +34,7 @@ click **Next** if you accept all the terms. **Step 5 –** Click **Browse...** if you want to choose a different folder for the Password Policy Enforcer Web documentation and tools, then click **Next**. -**Step 6 –** Select an **IIS Web Site** from the dropdown. Change the default Virtual Directory, if +**Step 6 –** Select an **IIS Web Site** from the dropdown. Change the default Virtual Directory, if needed. :::note @@ -53,8 +53,8 @@ is recommended. #### Before You Begin -The HTML templates and associated images are overwritten during an upgrade. You must back up and -customized HTML templates and images before upgrading. The HTML templates and images are installed +The HTML templates and associated images are overwritten during an upgrade. You must back up and +customized HTML templates and images before upgrading. The HTML templates and images are installed in the `\Inetpub\wwwroot\ppeweb\` folder by default. :::note @@ -76,5 +76,5 @@ integration. **Step 1 –** Start the PPE Web Setup Wizard and follow the prompts. The Setup Wizard uninstalls the previous version. There is no need to manually uninstall previous versions. -**Step 2 –** Restore any customized HTML templates and images after upgrading. Don't restore +**Step 2 –** Restore any customized HTML templates and images after upgrading. Don't restore PPEWeb.dll from the backup as it belongs to the previous version. diff --git a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp b/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp deleted file mode 100644 index 0a9f8b7fce..0000000000 Binary files a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp and /dev/null differ 
diff --git a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp b/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp deleted file mode 100644 index 688a5338f5..0000000000 Binary files a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp and /dev/null differ diff --git a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp b/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp deleted file mode 100644 index c9c02b4ac0..0000000000 Binary files a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp and /dev/null differ
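Review bot: in installationclient.md, the rewritten "Testing the Password Policy Client" checklist drops the firewall cause that the old text named, and the same hunk deletes the whole "Creating Firewall Rules for the Password Policy Client" section, so the client-to-domain-controller request on UDP destination port 1333 is no longer documented anywhere in the visible patch. Admins with a host or network firewall between clients and domain controllers need that port to write a narrow allow rule. Please keep the attribute tables (or link to wherever they now live) and add a checklist bullet for a blocked client-to-server datagram. The new antivirus tip for `PPEClt.DLL` says only "This is optional"; state the symptom that justifies the exclusion so it is not added by default.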
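Review bot: in installationserver.md under "Automated Deployment", the sentence promises to "immediately restart the computer", but the command `msiexec /i Netwrix_PPE_Server_11.2.0.148_x64.msi ADDLOCAL=FeatureServerPPE /q` carries no restart switch, while the uninstall example spells out `/norestart`. Add the intended restart switch or reword the sentence to match the command, since an unexpected or missing reboot on a domain controller matters. In the same hunk, the opening fence of that example is indented by a space where the closing fence is not, and the final "Use the REMOVE argument" line stops at the bare `REMOVE=FeaturePPEMailerServer` property without a full command line or closing punctuation.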
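Review bot: in installationgpm.md, the note under step 4 of "Edit the Group Policy Object" gives the example path as `\\\\Netwrix_PPE_.msi`, which has no server, share or version part and is not a usable UNC path; the removed line had all three. The placeholder text appears to have been lost, so restore it in a form that survives rendering, for example `\\fileserver\share\Netwrix_PPE_version.msi`.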
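Review bot: in upgrading.md, both retargeted links keep labels that no longer match their destinations: "[Silent Installation]" now points to installationserver.md#automated-deployment, and "[Install the Password Policy Server]" points to a page this patch titles "Install the Server Components". Rename the labels to the new heading and title. The first link also covers only the server installer although the sentence speaks of "the products", so consider linking the client page's own "Automated Deployment" section as well.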
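Review bot: in installationweb.md under "Before You Begin", the re-added line still reads "You must back up and customized HTML templates and images". Since the hunk touches this line only for spacing, fix the wording to "back up any customized HTML templates and images" in the same change.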