A Management Policy is a core concept in Password Manager. Management Policies allow you to organize and group settings for dedicated users and helpdesk operators.
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Upgrading Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Extending AD LDS Schema
Instance Initialization
Installing Self-Service, New Self-Service (Preview), and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
FailSafe support in Password Manager
Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
TeleSign
SQL Server Database and SQL Server Reporting Services
Quick Connect Sync Engine
Defender
Password Manager Secure Token Server
RADIUS Two-Factor Authentication
Redistributable Secret Management Service
Location sensitive authentication
Working with Power BI
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Siteson Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Management Policy Overview
Password Policy Overview
reCAPTCHA Overview
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Data Replication
Phone-Based Authentication Service Overview
Configuring Management Policy
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
General Settings
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Overview of Built-in Self-Service Activities
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with an external provider
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in AD LDS
Change Password in AD LDS
Reset Password in AD LDS and Connected Systems
Change Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Enforce Update of Profile
Overview of Built-in Helpdesk Activities
User Enforcement Rules
Authentication Activities
Authentication Methods
Authenticate with Q&A Profile
Authenticate via Phone
Authenticate with Defender
Authenticate with RADIUS Two-Factor Authentication
Action Activities
Reset Password in AD LDS
Reset Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Assign Passcode
Unlock Q&A Profile
Enforce Update of Q&A Profile
Restart Workflow if Error Occurs
Notification Activities
General Settings Overview
Search and Logon Options
Password Policies
Configuring Search and Security Options for the Self-Service Site
Configuring Search Options for the Helpdesk Site
Configuring Security Settings
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
Update RADIUS server status
User Status Statistics Task
Clear Old Records from Reporting Database
Web Interface Customization
Instance Reinitialization
Realm Instances
AD LDS Instance Connections
Using Connections to AD LDS Instances
Specifying Access Account for AD LDS Instance Connections
Changing Access Account for AD LDS Instance Connections
Removing Connection to AD LDS Instance
Extensibility Features
RADIUS Two-Factor Authentication
Password Manager components and third-party applications
Unregistering users from Password Manager
Bulk Force Password Reset
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
About Password Policies
Creating a Password Policy
Managing Password Policy Scope
Configuring Password Policy Rules
Enable S2FA for Administrators and Enable S2FA for HelpDesk Users
Reporting
Password Compliance
Password Age Rule
Length Rule
Complexity Rule
Required Characters Rule
Disallowed Characters Rule
Sequence Rule
User Properties Rule
Symmetry Rule
Custom Rule
Deleting a Password Policy
Reporting and User Action History Overview
Appendix A: Accounts Used in Password Manager for AD LDS
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Password Manager Service Account
Application Pool Identity
Access Account for Application Directory Partition Connection
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager for AD LDS
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of Password Policies List
Customization of Password Strength Meter
Appendix D: Feature imparities between the legacy and the new Self-Service Sites
Glossary
Management Policy Overview
Management Policy Components
The following diagram illustrates the Management Policy components:
User scope defines user groups from specified AD LDS instances that can access the Self-Service site and use the corresponding workflows. To a single user scope you can add multiple AD LDS connections, you can also use the same connection in the user and helpdesk scopes.
Helpdesk scope defines groups of helpdesk operators from specified AD LDS instances that can access the Helpdesk site and manage users from the user scope using the helpdesk workflows. To a single helpdesk scope you can multiple AD LDS connections, you can also use the same connection in the user and helpdesk scopes.
Self-Service and helpdesk workflows define the tasks that are available to users and helpdesk operators on the Self-Service and Helpdesk sites. For example, Forgot My Password, Assign Passcode, Unlock Account, etc.
Questions and Answers policy comprises a list of secret questions (in the default and additional languages) that users must answer to authenticate themselves and Q&A profile settings that specify various settings for questions and answers such as a minimum length of an answer or a question, a number of required user-defined questions, etc.
User enforcement rules define how users should be enforced to register with Password Manager and reminded to change password. For each enforcement rule a corresponding scheduled task exists. For example, the Invitation to Create/Update Profile scheduled task corresponds to the Invite Users to Create/Update Profiles enforcement rule. By default, the enforcement rules are not configured. To start notifying users to create/update their Q&A profiles and change password, you need to configure the rules after Password Manager installation.
Management Policy and Other Password Manager Settings
Password Manager Architecture > Management Policy Overview > Management Policy and Other Password Manager Settings
Management Policy and Other Password Manager Settings
The following diagram illustrates how several Management Policies interact with other Password Manager settings:
In a single Password Manager instance you can create multiple Management Policies. Different Management Policies may use the same AD LDS connections (specified in the user and helpdesk scopes). If a user is included in the user scopes of both Management Policies, the settings from the first Management Policy in which scope the user is found will be applied to the user.
Settings from each Management Policy use the same scheduled tasks and password policies.
The Invitation to Create/Update Profile, Reminder to Create/Update Profiles, Reminder to Change Password scheduled tasks allow notifying users from scopes of user enforcement rules configured in Management Policies. For more information, see Scheduled Tasks and User Enforcement Rules.
To set password policies for users from user scopes of Management Policies, you need to configure password policies and include corresponding users to the password policy scope. For more information about password policies, see Creating a Password Policy.
Password Policy Overview
Password Manager provides the opportunity to granularly apply and manage password policies.
The following diagram shows available password policies and their structure:
By default, AD LDS enforces the local or domain policy applied to the computer on which an AD LDS instance runs. You can also configure password policies. Note, that the password policy applied to the computer on which the AD LDS instance runs cannot be automatically displayed on the Self-Service site when users change or reset passwords. To display such policy, use the Custom rule available in password policies. In this rule, enter the settings of the password policy applied to the computer running the AD LDS instance. For more information, see Custom Rule.
To create and manage password policies, you need to add a connection to the AD LDS instance on the Password Policies tab of the Administration site. When adding the connection, you specify the application directory partition to which password policies will be applied and the credentials that will be used to access the partition.
After you have added the connection, you can create password policies for this application directory partition. For each password policy, you can specify a name, a set of policy rules, and a scope.
Note, that password policy rules are applied and displayed on the Self-Service site when users change or reset passwords, only after you have added the connection and created policies for the corresponding application directory partition.
If a user is found in the scopes of several password policies, then the policy with the highest priority is applied to the user. Note, that priority can be changed for policies with the same scope.