
Password Manager 5.13.2 - Administration Guide


Overriding automatic Self-Service Site location

By default, Secure Password Extension uses service connection points published in Active Directory to locate the Self-Service site. To force Secure Password Extension to use a specific Self-Service site instead, you must specify its URL path manually and then enable the override setting, as described below.

To override automatic Self-Service site location

  1. Click the Start button, click Run, and type mmc. Click OK.

  2. In the Console window on the File menu, click Add/Remove Snap-in.

  3. Double-click Group Policy Management Editor in the list of available snap-ins.

  4. In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.

  5. Click Finish to exit Group Policy Wizard.

  6. Click OK.

  7. Log in to the Active Directory domain controller with administrative privileges.

  8. Copy the Administrative Template Configuration folder from <CD>/Password Manager/Setup/Tools to the domain controller.

  9. Copy the Administrative Template folder from <CD>/Password Manager/Setup/Template to the domain controller.

  10. Double-click the QPM.AdministrativeTemplateConfiguration.exe tool in the Administrative Template Configuration folder.

  11. In the Password Manager Administrative Template Configuration window, browse to the Administrative Template folder and verify the path to Policy Definitions.

  12. Click Execute to run the tool.

  13. Once the execution is complete, click Exit to close the window.

  14. Launch the Group Policy Management utility.

  15. Right-click the domain, and then on the shortcut menu, click Create a GPO in this domain, and Link it here.

  16. Enter a name for the new GPO. For example, OneIdentity.

  17. Right-click the new GPO (OneIdentity) and select Enforced so that the policy cannot be blocked by lower-level inheritance settings.

  18. Right-click the new GPO (OneIdentity) and select Edit.

  19. To view the latest Administrative Template, follow the steps mentioned below

    1. Expand the newly created GPO.

    2. Go to Computer Configuration > Policies.

    3. Expand Administrative Templates: Policy Definitions (ADMX files) retrieved from the central store > One Identity Password Manager > Generic Settings.

  20. Double-click Specify URL path to the Self-Service site.

  21. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/PMUser/, where COMPUTER_NAME is the name of the server on which the Self-Service site is installed. Substitute https:// with http:// only if you do not use HTTPS.

    IMPORTANT: It is strongly recommended that you enable HTTPS on the Password Manager server.

  22. Click OK. The specified URL will be used only if service connection points are unavailable or if the Self-Service site URL published in the service connection point cannot be reached. If you want Secure Password Extension to always use the specified URL, perform the following steps.

  23. Double-click Override URL path to the Self-Service site.

  24. Select the Enabled option on the Settings tab.

  25. Click OK.

  26. Apply the updated policy to the computers in the managed domain.

    NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.

Password Manager Realm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Manager Service instances when locating the Self-Service site. You can force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

A Password Manager realm is one or more Password Manager instances sharing a common configuration (the same user and helpdesk scopes, Management Policies, workflow configuration and general settings). Normally, you add a member to a Password Manager realm by installing a new Password Manager instance and selecting the A replica of an existing instance option during instance initialization. To learn more about Password Manager realms, see Installing multiple instances of Password Manager.

To force Secure Password Extension to use only Password Manager Service from a specific realm, you must set the Secure Password Extension affinity for that realm.

To set Secure Password Extension affinity for a Password Manager realm

  1. Open the Administration site of the Password Manager Service instance that belongs to the target realm.

  2. On the Administration site home page, click General Settings > Realm Instances.

  3. Select the value of the Realm affinity ID setting, right-click the selection and select Copy.

  4. On the domain controller machine, click the Start button, click Run, and type mmc. Click OK.

  5. In the Console window on the File menu, click Add/Remove Snap-in.

  6. Double-click Group Policy Management Editor in the list of available snap-ins.

  7. In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.

  8. Click Finish to exit Group Policy Wizard.

  9. Click OK.

  10. Log in to the Active Directory domain controller with administrative privileges.

  11. Copy the Administrative Template Configuration folder from <CD>/Password Manager/Setup/Tools to the domain controller.

  12. Copy the Administrative Template folder from <CD>/Password Manager/Setup/Template to the domain controller.

  13. Double-click QPM.AdministrativeTemplateConfiguration.exe in the Administrative Template Configuration folder.

  14. In the Password Manager Administrative Template Configuration window, browse to the Administrative Template folder and verify the path to Policy Definitions.

  15. Click Execute to run the tool.

  16. Once the execution is complete, click Exit to close the window, and then launch the Group Policy Management utility.

  17. Right-click the domain node, and on the shortcut menu, click Create a GPO in this domain, and Link it here.

  18. Enter a name for the new GPO. For example, OneIdentity.

  19. Right-click the new GPO (OneIdentity) and select Enforced so that the policy cannot be blocked by lower-level inheritance settings.

  20. Right-click the new GPO (OneIdentity) and select Edit.

  21. To view the latest Administrative Template, follow the steps mentioned below.

    1. Expand the newly created GPO.

    2. Go to Computer Configuration > Policies.

    3. Expand Administrative Templates: Policy Definitions (ADMX files) retrieved from the central store > One Identity Password Manager > Generic Settings.

  22. In the right pane, double-click Password Manager Realm Affinity.

  23. Select the Enabled option on the Settings tab, then right-click the Realm Affinity ID text box, and select Paste.

  24. Click OK.

  25. Apply the updated policy to the computers in the managed domain.

    NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.
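The two procedures above (overriding the Self-Service site location, and setting realm affinity) share the same GPO creation, linking and enforcement steps and the same rollout check. The following PowerShell script is an added example, not code from the One Identity documentation or product: it creates, links and enforces the GPO, confirms the Administrative Template reached the SYSVOL central store, verifies that the Self-Service Site URL answers over HTTPS with a valid certificate, and reads the GPO's XML report to confirm that the three policies named above were enabled in the editor. It assumes the RSAT GroupPolicy module is installed, that you run it as a domain administrator on a domain-joined machine, that the ADMX central store is in use, and that the Self-Service Site host name is pm01.corp.example (a placeholder). The registry keys behind the policies are not documented on this page, so the values themselves are still set in the Group Policy editor as described; the script only verifies the result.

```powershell
# Added example; not part of the One Identity documentation or product.
# Assumptions (not from the page): RSAT GroupPolicy module present, ADMX
# central store in use, run as a domain admin on a domain-joined machine,
# and the Self-Service Site host name below is a placeholder.
#Requires -Modules GroupPolicy
param(
    [string]$GpoName        = 'OneIdentity',
    [string]$SelfServiceUrl = 'https://pm01.corp.example/PMUser/'   # assumed host
)
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN.ToLower()
$domainDn = 'DC=' + (($domain -split '\.') -join ',DC=')
$store    = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# 1. Insist on HTTPS (the IMPORTANT note above) and make a real TLS request.
#    Certificate validation is deliberately left on: a failure here is a
#    finding to fix, not something to bypass, because the extension runs on
#    the Windows logon screen before the user has authenticated.
if ($SelfServiceUrl -notmatch '^https://') {
    throw "Refusing a non-HTTPS Self-Service URL: $SelfServiceUrl"
}
try {
    $resp = Invoke-WebRequest -Uri $SelfServiceUrl -Method Head -UseBasicParsing -TimeoutSec 15
    Write-Host "Self-Service Site reachable over TLS (HTTP $($resp.StatusCode))"
} catch {
    throw "Self-Service Site check failed (DNS, firewall or certificate): $($_.Exception.Message)"
}

# 2. Confirm the template reached the central store: the ADML display strings
#    must contain the policy names the editor will show.
if (-not (Test-Path $store)) { throw "No central store at $store; run the template tool first" }
$adml = Get-ChildItem -Path "$store\en-US" -Filter *.adml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Password Manager Realm Affinity' -List
if (-not $adml) { throw "No One Identity Password Manager ADML found under $store\en-US" }

# 3. Create the GPO if needed, link it at the domain root and enforce it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Secure Password Extension settings' }
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $domainDn -Enforced Yes | Out-Null
} elseif (-not $linked.Enforced) {
    Set-GPLink -Name $GpoName -Target $domainDn -Enforced Yes | Out-Null
}

# 4. The URL, override and realm-affinity values are set in the editor as the
#    procedures describe. Read the GPO's XML report and confirm each policy is
#    Enabled before relying on it. Administrative Template policies appear in
#    the report under the Registry settings namespace.
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Settings/Registry')
$wanted = 'Specify URL path to the Self-Service site',
          'Override URL path to the Self-Service site',
          'Password Manager Realm Affinity'
$found = @{}   # PowerShell hashtables and -contains are case-insensitive
foreach ($p in $report.SelectNodes('//r:Policy', $ns)) {
    $name  = $p.SelectSingleNode('r:Name',  $ns).InnerText
    $state = $p.SelectSingleNode('r:State', $ns).InnerText
    if ($wanted -contains $name) { $found[$name] = $state }
}
$missing = @()
foreach ($w in $wanted) {
    $state = if ($found.ContainsKey($w)) { $found[$w] } else { 'Not Configured' }
    if ($state -ne 'Enabled') { $missing += $w }
    Write-Host ("{0} {1} : {2}" -f $(if ($state -eq 'Enabled') { 'OK' } else { '!!' }), $w, $state)
}
if ($missing.Count -gt 0) {
    Write-Warning "Enable the following in the GPO editor, then run 'gpupdate /target:computer /force' on a test client: $($missing -join '; ')"
}
```

Run it once after completing the editor steps; the HTTPS check in step 1 is the part worth keeping in any rollout script, because a logon-screen component that silently falls back to http:// or accepts an untrusted certificate would expose users' password reset traffic on the network. If you do not use an ADMX central store, replace the SYSVOL path in step 2 with the local %SystemRoot%\PolicyDefinitions folder on the machine running the editor.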

Managing Secure Password Extension using Administrative Templates

The administrative template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.

The administrative template layout includes the following folders:

  • Generic Settings: includes policy settings that can be applied to computers running the Windows 8.1 and Windows 10 operating systems.

Brief descriptions of the administrative template policy settings are outlined in the tables below.

Generic Settings

The following table outlines generic administrative template policy settings you can use to customize the behavior of Secure Password Extension.

Table 14: Generic administrative template policy settings (each entry gives the policy name followed by its description)

Generic Settings

Specify URL path to the Self-Service Site

This policy lets you specify the link used to access the Self-Service Site from the Windows logon screen. This link is opened when users click the Open the Self-Service Site link, which is displayed by default.

Use the following URL path format: https://COMPUTER_NAME/PMUser, where COMPUTER_NAME is the name of the server on which the Self-Service Site is installed.

Substitute https:// with http:// only if you do not use HTTPS.

Override URL path to the Self-Service Site

By default, Secure Password Extension automatically locates the Self-Service Site in its domain with the help of the service connection point created in the Active Directory. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service Site specified in the “Specify URL path to the Self-Service Site” setting.

Password Manager realm affinity

This policy setting lets you force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

Maximum number of attempts to connect to the Self-Service Site

This setting specifies the maximum number of attempts to connect to the Self-Service Site from Secure Password Extension.

If this setting is disabled or not configured, the default number of attempts is 5.

Add the Forgot My Password link to credential provider tile

This policy setting allows adding the Forgot my password link on the logon screen to the tile of the selected credential provider. If you enable this policy setting, the Forgot my password link will be added to the tile of the selected credential provider on the logon screen. If you disable or do not configure this policy setting, the Forgot my password link will be added to the default Microsoft Password provider tile. You can select a credential provider from the list or specify the GUID of another credential provider. GUID should be specified in the following format: {00000000-0000-0000-0000-000000000000}

Refresh interval

This policy setting allows you to change the default settings refresh interval. This policy setting determines how often domain settings are refreshed for Secure Password Extension. The default value is five minutes. If you want to reduce network load, you can increase the refresh interval. If you disable or do not configure this policy setting, the default refresh interval will be used.

Set the recurrence interval for toast notification

This policy setting allows you to specify the recurrence interval for displaying the toast notification. This policy setting determines how often toast notification reminding users to create or update their Q&A profiles is displayed. The default value is five minutes. If you disable or do not configure this policy setting, the default recurrence interval will be used.

Proxy Settings

Enable proxy server access

This policy setting determines whether connections to the Self-Service Site from the Windows logon screen are established through the specified proxy server.

Configure required proxy settings

Specifies the settings required to enable proxy server access to the Self-Service Site from the Windows logon screen.

Configure optional proxy settings

Specifies optional settings for the proxy server access.

Shortcut Policies

Restore desktop shortcuts for the Self-Service Site

This policy setting lets you define whether the desktop shortcut to the Self-Service Site on a user's computer should be re-created by Secure Password Extension if the user deletes the desktop shortcut.

Do not create desktop shortcuts for the Self-Service Site

This policy setting lets you define whether the desktop shortcuts to the Self-Service Site on users' computers should not be created by Secure Password Extension.

Do not create any shortcuts for the Self-Service Site

This policy setting lets you define whether any shortcuts to the Self-Service Site on users' computers (on the desktop and in the Start menu) should not be created by Secure Password Extension.

Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title

This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Set custom name for the Secure Password Extension window title in <Language>

This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out of the box.

The name you specify must not exceed 32 characters. If an ideographic (hieroglyphic) font is used, the name is limited to 14 characters because of the width of the glyphs. The URL length must not exceed 256 characters.

Usage Policy Settings

Display the usage policy button (command link)

Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs.

The usage policy command link is displayed on the Windows logon screen, and is intended to open an HTML document that describes the enterprise usage policy or contains any other information that you want to make available to end users.

Set default URL

This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to a DOC, TXT or HTML file.

Set name and URL for the usage policy button (command link) in <Language>

This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available.

The name you specify must not exceed 32 characters. If an ideographic (hieroglyphic) font is used, the name is limited to 14 characters because of the width of the glyphs. The URL length must not exceed 256 characters.

Notification Customization

Set background image for registration notification dialog

This policy setting allows you to change the default background by specifying an image that will be used as a new background.

Customize registration notifications

This policy setting allows you to define whether you want to replace the default text on language-specific registration notification dialogs with your custom text.

Registration Notification

Customize registration notification in <Language>

This group of policy settings allows you to customize texts in notification dialogs individually for each of the required logon languages. 36 language-specific policy settings are available.

Q&A Profile Update Notification

Customize Q&A profile update notification in <Language>

This group of policy settings allows you to customize notifications that request users to update their Q&A profiles individually for each of the required logon languages. 36 language-specific policy settings are available.

Credential Provider’s Description

NOTE: If the Credential Provider's Description and the Icon's Text Label in the ADMX template are configured with different custom labels, then, by design on Windows 10, the credential provider icon shows the text from the Credential Provider's Description as its pop-up text (when hovering over the icon) instead of the label from the Icon's Text Label.

On Windows 8.1 and earlier versions of Windows, the behavior is different: the credential provider icon shows the pop-up text from the Icon's Text Label, and the title shows the label provided in the Credential Provider's Description.

Display custom description of the Secure Password Extension credential provider

This policy setting lets you define whether to replace the default description of the Secure Password Extension credential provider with the text that you specify for the required logon languages. The credential provider description is displayed when users select the Secure Password Extension credential provider in the Sign-in options under their user tiles on the logon screen. If you enable this policy setting, the customized description will be displayed for the Secure Password Extension credential provider. If you disable or do not configure this policy setting, then the default language-specific description of the Secure Password Extension credential provider will be displayed.

Set the custom description in <Language>

This policy setting lets you specify a custom description of the Secure Password Extension credential provider in the selected language. If you enable this policy setting, then the custom text will be displayed when users select the Secure Password Extension credential provider in the Sign-in options under their user tiles on the logon screen on computers that use the specified language as the logon language. If you disable or do not configure this policy setting, then the default language-specific description of the Secure Password Extension credential provider will be displayed.

NOTE: If the Display custom description of the Secure Password Extension credential provider policy is disabled, then this policy has no effect.

Icon’s Text Label

Display custom labels for the Secure Password Extension credential provider’s icon

This policy setting lets you define whether to replace the default text label for the Secure Password Extension credential provider’s icon with the text that you specify for required logon languages. The text label for the credential provider icon appears in a pop-up when a user hovers over the credential provider’s icon under the Sign-in options on the logon screen. If you enable this policy setting, the custom label will be displayed for the Secure Password Extension credential provider’s icon. If you disable or do not configure this policy setting, then the default language-specific label for the Secure Password Extension credential provider’s icon will be displayed.

Set the custom label in <Language>

This policy setting lets you specify a custom text label for the Secure Password Extension credential provider's icon in the selected language. If you enable this policy setting, then the custom label will be displayed when users hover over the credential provider's icon under the Sign-in options on the logon screen on computers that use the specified language as the logon language. If you disable or do not configure this policy setting, then the default language-specific label for the Secure Password Extension credential provider's icon will be displayed.

NOTE: If the Display custom labels for the Secure Password Extension credential provider's icon policy is disabled, then this policy has no effect.

Link to the Self-Service Site

Display custom names of the Open the Self-Service Site link

This policy setting lets you define whether to replace the default name of the Open the Self-Service Site link with the names that you specify for required logon languages. This link is intended to open the Self-Service Site from the logon screen. If you enable this policy setting, the link will be displayed under the specified language-specific names. If you disable or do not configure this policy setting, then the default language-specific names of the Open the Self-Service Site link will be displayed.

Set the custom names of the Open the Self-Service Site link in <Language>

This policy setting lets you specify a custom name for the Open the Self-Service Site link in the specified language. If you enable this policy setting, then the link will be displayed under the specified name under the user tile on the logon screen on computers that use the specified language as the logon language. If you disable or do not configure this policy setting, then the default language-specific name of the link will be displayed.

NOTE: If the Display custom names of the Open the Self-Service Site link policy is disabled, then this policy has no effect.

Offline Password Reset Settings

Display the Offline Password Reset button (command link)

This policy setting lets you define whether to display the Offline Password Reset buttons and command links for which you have specified the logon language-specific names.

The Offline Password Reset buttons and command links are displayed on the Windows logon screen and are intended to open the Offline Password Reset wizard. They are available only if the Offline Password Reset feature is installed on the target user computers.

To use this setting, you must specify the button (link) name for each of the required logon languages.

If you enable this policy setting, the Offline Password Reset button (command link) will be displayed on user computers under the specified language-specific names. Clicking the button or the command link will open the Offline Password Reset wizard.

If you disable or do not configure this policy setting, the Offline Password Reset buttons and command links will not appear on user computers.

Shared secret update period (hours)

This policy setting lets you define how often the shared secret used for authentication during Offline Password Reset is updated. Set the update period in hours. Lower values provide better security because a captured secret is valid for a shorter time, but very low values may cause replication issues: a client may hold a newer secret than the domain controller it is talking to has received.

It is recommended to make this value greater than the intersite replication period in the Active Directory domain.

NOTE: If the Display the Offline Password Reset button (command link) policy is disabled, then this policy has no effect.

Set custom name for the Offline Password Reset button (command link) in <Language>

This policy setting lets you specify the name of the Offline Password Reset button (command link) in <Language>.

If you enable this policy setting, then the Offline Password Reset button (command link) will be displayed under the specified name on computers that use <Language> as the logon language.

If you disable or do not configure this policy setting, then the default language-specific name will be displayed on the Offline Password Reset button (command link).

The text you specify must not exceed 32 characters.

NOTE: If the Display the Offline Password Reset button (command link) policy is disabled, then this policy has no effect.

Configure scope for accessing the shared secret in Active Directory

This policy setting, when deployed to the client, lets you define the list of users and groups that have permission to read the copy of the shared secret published in Active Directory. Keep this list to the minimum required; anyone able to read the copy can use it for offline password reset on the affected computers.

Note that the domain management account must have this permission for the Offline Password Reset functionality to work.

Note that the computer account used to store the copy of the shared secret and the Domain Admins group always have permission to read the copy.
