Enzoic for Active Directory 3.3
Client Setup Instructions
Enzoic for Active Directory includes an optional Windows client application that can be deployed to domain-joined Windows workstations in your organization to give users better feedback and assistance when selecting a new password. The client augments the built-in Windows password change screen with text that states your password requirements and, when a password change is rejected, additional details about the reasons. For example, if a user's password is rejected because it is a known compromised password, they will be informed of this fact and asked to select a different password.
A Note About Windows Credential Providers
Windows is capable of supporting multiple credential providers. A vanilla Windows installation will have a default system credential provider which processes user password-based logins and handles user password changes. Enzoic installs as another credential provider and by default will disable the Windows system credential provider. This is necessary for Enzoic to process password changes and provide the user with feedback.
In some environments, other credential providers, such as Windows Hello for Business or third-party credential providers that provide multi-factor or biometric authentication, may be present and may be the default provider. Typically the Enzoic Client will NOT be able to coexist with these, since they will generally disable other credential providers on the system and make themselves the default. Therefore, it is necessary either to uninstall these other providers or to forgo using the Enzoic Client.
Download the Client Installer
The installer is available as an MSI to ease deployment via GPO. Microsoft .NET Framework 4.5 is required.
Links to download the most current version (Domain Controllers must all run the same version):
https://cdn.enzoic.com/files/EnzoicForADClient.msi (MD5: 270d9c84f19c8b7ee823f23f42c2fc08)
Read the current release notes.
Automated Deployment to Multiple Workstations via GPO
You can use GPO push installs to easily install the Enzoic for Active Directory Client to multiple user workstations. Note that the Enzoic Client requires .NET Framework 4.5, which does not get installed automatically when running the MSI installer.
Steps for Pushing the Enzoic Client via GPO
Create a distribution point:
- Log on to the server you wish to use as a distribution host as an administrator.
- Create a shared network folder to distribute the files from.
- Give the "Domain Computers" security group read access to the share, and limit write access to authorized personnel only.
- Copy EnzoicForADClient.msi into the distribution point.
- Give the "Domain Computers" security group read access to the EnzoicForADClient.msi file in the distribution point.
- Click Finish.
Create a Group Policy Object:
- Start the Group Policy Management Console (gpmc.msc).
- Expand the forest and domain items in the left pane.
- Right-click your domain in the left pane, and then click Create a GPO in this domain, and Link it here.... Note that by default this will deploy the Enzoic Client to all workstations in your domain. If you wish to deploy to a subset, you should apply the GPO to the desired OU or Group.
- Type "Enzoic Client Distribution" or a name of your choosing, leave Source Starter GPO set to (none), and then click OK.
Prepare the Group Policy Object:
- Right-click the newly created "Enzoic Client Distribution" GPO, and then click Edit...
- Expand the Computer Configuration, then Policies, then Software Settings nodes in the left pane.
- Right-click the Software installation item, and then select New > Package...
- Type the full UNC path to EnzoicForADClient.msi in the Open dialog box. You must enter a UNC path so that other computers can access this file over the network. For example, \\server\distribution point share\EnzoicForADClient.msi. Do not just navigate to the file and select it.
- Click Open.
- Select the Assigned deployment method, and then click OK.
- Close the Group Policy Management Editor.
Complete the Installation:
Windows will now install the Enzoic for Active Directory Client on the targeted systems the next time they are restarted.
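Because the package on the distribution point is installed on every targeted workstation, it is worth auditing that copy before linking the GPO. The following PowerShell is an added example, not part of Enzoic's documentation or tooling: it compares the file against the MD5 published in the download section and flags NTFS write access held by broad groups. The UNC path is a hypothetical placeholder, and share-level permissions still need to be reviewed separately on the server.

```powershell
# Added example: audit the MSI on the distribution point before deployment.
# $MsiPath is a hypothetical UNC path; $ExpectedMd5 is the value published on this page.
$MsiPath     = '\\server\share\EnzoicForADClient.msi'
$ExpectedMd5 = '270d9c84f19c8b7ee823f23f42c2fc08'

# 1. The copy on the share must still match the published hash.
#    MD5 detects corruption or a replaced file but is not collision resistant,
#    so also review the signature status reported in step 2.
$actual = (Get-FileHash -LiteralPath $MsiPath -Algorithm MD5).Hash
if ($actual -ne $ExpectedMd5) {            # string comparison is case-insensitive
    Write-Warning "Hash mismatch: expected $ExpectedMd5, got $actual"
}

# 2. Report the Authenticode status and signer for the operator to review.
Get-AuthenticodeSignature -LiteralPath $MsiPath |
    Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }} |
    Format-List

# 3. Flag NTFS write access held by broad groups on the file or its folder.
#    SIDs: Everyone, Authenticated Users, BUILTIN\Users, Domain Users, Domain Computers.
$broad = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-(513|515))$'
$fsr   = [System.Security.AccessControl.FileSystemRights]
$named = $fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
$mask  = [int]$named -bor 0x50000000       # plus raw GENERIC_WRITE | GENERIC_ALL bits

$findings = foreach ($path in $MsiPath, (Split-Path -Parent $MsiPath)) {
    $acl = Get-Acl -LiteralPath $path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match $broad -and
            (([int]$_.FileSystemRights -band $mask) -ne 0)
        } |
        Select-Object @{n='Path'; e={ $path }},
                      @{n='Sid';  e={ $_.IdentityReference.Value }},
                      FileSystemRights, IsInherited
}

if ($findings) {
    Write-Warning 'Broad groups can modify the package or its folder:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No write access for broad groups found in the NTFS ACLs.'
}
```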
Troubleshooting GPO Deployments
If the client is failing to deploy via GPO, check the following:
Does the GPO apply to the affected system?
Check the Scope tab on the GPO in the Group Policy Management Console to ensure the affected workstation(s) are covered by the GPO.
Have the affected workstation(s) been restarted?
In some cases it may take two reboot cycles before the GPO gets deployed.
Are the distribution point share and MSI accessible by the affected system(s)?
Check that they can access the share and MSI.
Do the affected system(s) have at least .NET Framework 4.5 installed?
The MSI will not handle installing this, so you will need to ensure that all target systems have at least .NET Framework 4.5 before pushing the Enzoic Client.
Check the Event Log on the affected system for GPO or install failures occurring after the reboot.
If the installer is failing, there should be some indication here.
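The checks above can be collected in one pass on an affected workstation. This PowerShell is an added example, not Enzoic's own tooling; the UNC path and GPO name are assumptions to replace with your values, the gpresult parsing assumes English-language output, and the event provider pattern is a starting point to adjust.

```powershell
# Added example: run from an elevated prompt on an affected workstation.
# $MsiPath and $GpoName are assumptions: use the UNC path and GPO name you chose.
$MsiPath = '\\server\share\EnzoicForADClient.msi'
$GpoName = 'Enzoic Client Distribution'

# Does the GPO apply? Only look inside the "Applied Group Policy Objects" section,
# because a filtered-out GPO is also listed by name further down the report.
$rsop    = (gpresult /scope computer /r) -join "`n"
$applied = ''
if ($rsop -match '(?s)Applied Group Policy Objects(.*?)(The following GPOs|$)') {
    $applied = $Matches[1]
}
$gpoApplied = $applied.Contains($GpoName)

# Is .NET Framework 4.5 or later installed? 378389 is the Release value of 4.5.
$ndpKey   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release  = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release
$dotNetOk = $release -ge 378389

# Is the MSI reachable? This tests the current user's access only. The install
# runs as the computer account, so "Domain Computers" also needs read access.
$msiReadable = Test-Path -LiteralPath $MsiPath -PathType Leaf

# Errors and warnings logged since the last boot by the installer or Group Policy.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'Application', 'System'; Level = 2, 3; StartTime = $boot }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'MsiInstaller|Application Management|GroupPolicy' } |
    Select-Object TimeCreated, ProviderName, Id, Message

[pscustomobject]@{
    GpoApplied               = $gpoApplied
    DotNet45OrLater          = $dotNetOk
    MsiReadableByCurrentUser = $msiReadable
    RelevantEventsSinceBoot  = @($events).Count
} | Format-List

$events | Sort-Object TimeCreated | Format-List
```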