
Password Manager 5.13.2 - Administration Guide


Configuring access to the Administration Site

By default, access to the Administration Site is granted only to the domain user from AD who is a member of the local Administrators group, and to the PMAdmin group, which is created during Password Manager installation.

NOTE: The account that you specified as Application Pool Identity when installing Password Manager is automatically added to the PMAdmin group.

IMPORTANT: Make sure to grant access to the Administration Site only to the most trustworthy people, since managing the Password Manager configuration may require dealing with user-sensitive information.
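One way to check the default grant described above against a reviewed allow-list (an added example, not code from the product or this guide). It assumes PMAdmin is a local group on the Password Manager server, which the guide does not state; the function names, the account names and the allow-list are hypothetical.

```powershell
# Added example. Run the live lookup on the Password Manager server.
# Assumption: PMAdmin is a local group on that server.

function Get-AdminSitePrincipal {
    # Local Administrators is addressed by its well-known SID so the
    # lookup also works on localized Windows installations.
    $sources = @(
        @{ Label = 'Administrators'; Lookup = @{ SID  = 'S-1-5-32-544' } },
        @{ Label = 'PMAdmin';        Lookup = @{ Name = 'PMAdmin' } }
    )
    foreach ($s in $sources) {
        $lookup = $s.Lookup
        Get-LocalGroupMember @lookup -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Group       = $s.Label
                Name        = $_.Name
                ObjectClass = $_.ObjectClass
            }
        }
    }
}

function Test-AdminSiteAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Principal,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    foreach ($p in $Principal) {
        # -contains is case-insensitive, matching how Windows treats names.
        $finding = if ($Approved -contains $p.Name) { 'Approved' } else { 'NotApproved' }
        [pscustomobject]@{
            Group       = $p.Group
            Name        = $p.Name
            ObjectClass = $p.ObjectClass   # a nested group still needs its own members reviewed
            Finding     = $finding
        }
    }
}

# Constructed sample input so the comparison can be tried off-server.
$sample = @(
    [pscustomobject]@{ Group = 'PMAdmin';        Name = 'EXAMPLE\svc-pm-pool';  ObjectClass = 'User'  },
    [pscustomobject]@{ Group = 'Administrators'; Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group' },
    [pscustomobject]@{ Group = 'Administrators'; Name = 'EXAMPLE\jdoe';          ObjectClass = 'User'  }
)
$approved = 'EXAMPLE\svc-pm-pool', 'EXAMPLE\Domain Admins'   # hypothetical allow-list
Test-AdminSiteAccess -Principal $sample -Approved $approved | Format-Table

# On the server itself:
# Test-AdminSiteAccess -Principal (Get-AdminSitePrincipal) -Approved $approved
```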

Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site

To configure access to the Legacy Self-Service Site or the Password Manager Self-Service Site, you need to configure a user scope for the Management Policy you want to use. The workflows and secret questions that you configure for the Management Policy will apply only to the user scope of this Management Policy. You can add groups from different domains to a single user scope.

For more information, see Configuring user scope.

Configuring access to the Helpdesk Site

In Password Manager you can easily delegate administrative tasks to dedicated Helpdesk operators. By configuring the Helpdesk scope you select groups of Helpdesk operators who will have access to the Helpdesk Site. The Helpdesk Site handles typical tasks performed by Helpdesk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and so on.

Members of the Helpdesk scope are allowed to access the Helpdesk Site and manage users from the user scope of the same Management Policy only.

You can also restrict groups of Helpdesk operators from accessing the Helpdesk Site.

To configure a Helpdesk scope, you first need to add a domain connection to the scope, and then specify groups from the selected domain.

To manage all domain connections from a single place, click General Settings > Domain Connections on the Administration Site. For more information, see Domain Connections.

To add domain connection

  1. Open the Administration Site by entering the Administration Site URL in the address bar of your browser. By default, the URL is http://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed.

  2. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  3. On the Helpdesk Scope page, click Add domain connection.

  4. If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.

  5. If you chose to create a new domain connection, in the Add New Domain Connection dialog, configure the following options:

    • In the Domain name text box, type in the name of the domain that you want to add to the Helpdesk scope.

    • In the Domain alias text box, type the alias for the domain that will be used to address the domain on the Self-Service Site. This field is required because you can reuse the domain connection in the user scope.

    • To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Domain management account, and then enter the user name and password for the domain management account. Note that if the Password Manager Service account is used to access the domain, it should have the same permissions as the domain management account.

    For information on how to prepare a domain management account, see Configuring permissions for domain management account.

  6. Click Save.

To specify groups or OUs that are allowed to access the Helpdesk Site

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.

  3. Do the following:

    • To specify the groups, click Add under Groups allowed access to the Helpdesk Site.

    • To specify the OUs, click Add under Organizational Units allowed access to the Helpdesk Site.

  4. Click Save.

To specify groups or OUs that are denied access to the Helpdesk Site

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.

  3. Do the following:

    • To specify the groups, click Add under Groups denied access to the Helpdesk Site.

    • To specify the OUs, click Add under Organizational Units denied access to the Helpdesk Site.

  4. Click Save.

Specifying advanced settings for domain connection

After you have created a domain connection, you can specify advanced settings for the connection: domain controllers and Active Directory sites of the managed domain. For more information about domain controllers, see Domain Controller.

To specify domain controllers

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the domain connection for which you want to specify domain controllers and click Edit.

  3. On the Helpdesk Scope Settings for #Domain# page, click Edit.

  4. On the Advanced settings tab of the Edit Domain Connection dialog, click Add under the domain controllers table, select the required domain controllers, and then click Add.

  5. Click Save and select how you want to apply the updated settings. You can either apply the new settings for this helpdesk scope only, or everywhere where this domain connection is used.
