19 March 2017

How to apply the MPE version to a subset of users in the domain

Problem

This article explains how to apply nFront Password Filter MPE to a subset of users.

Solution

You can apply the nFront Password Filter product to a portion of your Active Directory users. There are two methods for doing so:

  1. Leave the Default Password Policy Configuration in a "Not Configured" state and use Policies 1 through 5 to target the groups and OUs that contain the users you want covered.
  2. Enable the Default Password Policy Configuration but exclude groups and OUs that you do not wish to count towards licensing.

 

If you are modifying your configuration due to a licensing concern, you will need to restart the nFront Group Filter service after making these changes. The service has two threads. One thread determines the users targeted by each policy, and it runs every 5 minutes. There is also a license check thread that runs once per day. So if you are making changes to "re-activate" the software, it is best to restart the nFront Group Filter service instead of waiting up to 24 hours. Any changes that affect licensing should be picked up within 1 minute of restarting the service.

 

If you wish to see the license calculation, you can add the following registry value. After you restart the nFront Group Filter service, it will show the license count.

 

Method 1: Do not enable Default Password Policy Configuration

 

Simply leave the Default Password Policy "Not Configured." 

 

Using this method, you can target as many groups and OUs as you wish with Policies 1 - 5. If a user is targeted by multiple policies, they are only counted once towards licensing.



[Screenshot: Apply MPE to partial amount of users screen 1]


 

Method 2: Enable Default Password Policy Configuration and Exclude Groups/OUs

 

If you enable the Default Password Policy Configuration with no exclusions, the license check will count all non-disabled user objects towards your licensing. You can change this by excluding groups and/or OUs from the Default Policy. Below is an example excluding two groups: Service Accounts and Retail Users.


 

[Screenshot: Apply MPE to partial amount of users screen 1]