The administrative template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.
The administrative template layout includes the following folders:
Generic Settings: includes policy settings that can be applied to computers running Windows 8.1, and 10 operating systems.
Brief descriptions of the administrative template policy settings are outlined in the tables below.
The following table outlines generic administrative template policy settings you can use to customize the behavior of Secure Password Extension.
|
Policy name |
Description |
|
Generic Settings | |
|
Specify URL path to the Self-Service Site |
This policy specifies the URL path for accessing the Self-Service Site from the Windows logon screen. This link opens when users click the Open the Self Service site link, which is displayed as default. Use the following URL path format: https://<COMPUTER_NAME>/PMSelfService In this URL, <COMPUTER_NAME> is the name of the server on which the Self-Service Site is installed. Substitute https:// with http:// if you don’t use HTTPS. |
|
Override URL path to the Self-Service Site |
By default, Secure Password Extension automatically locates the Self-Service Site in its domain with the help of the service connection point that was created in the Active Directory. This policy setting overrides the default behavior and forces Secure Password Extension to use the Self-Service Site URL path that was specified in the Specify URL path to the Self-Service Site setting. |
|
Password Manager realm affinity |
This policy setting forces Secure Password Extension to use only Password Manager Service instances that belong to specific Password Manager realm. |
|
Maximum number of attempts to connect to the Self-Service Site |
This setting specifies the maximum number of attempts to connect to the Self-Service Site from Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5. |
|
Add the Forgot My Password link to credential provider tile |
This policy setting adds the Forgot My Password link on the logon screen to the tile of the selected credential provider. If you enable this policy setting, the Forgot my password link will be added to the tile of the selected credential provider on the logon screen. If you disable or do not configure this policy setting, the Forgot my password link will be added to the default Microsoft Password provider tile. You can select a credential provider from the list or specify the GUID of another credential provider. You must specify the GUID in the following format: {00000000-0000-0000-0000-000000000000} |
|
Refresh interval |
This policy setting changes the default settings refresh interval, that is, how often the domain settings are refreshed for Secure Password Extension. The default value is 5 minutes. To reduce network load, increase the refresh interval. If you disable or do not configure this policy setting, the default refresh interval will be used. |
|
Set the recurrence interval for toast notification |
This policy setting specifies the recurrence interval for displaying the toast notification, that is, how often the toast notification that reminds users to create or update their Q&A profiles is displayed. The default value is 5 minutes. If you disable or do not configure this policy setting, the default recurrence interval will be used. |
|
Proxy Settings | |
|
Enable proxy server access |
This policy setting determines whether connections to the Self-Service Site from the Windows logon screen are established through the specified proxy server. |
|
Configure required proxy settings |
This policy setting specifies the settings that are required to enable proxy server access to the Self-Service Site from the Windows logon screen. |
|
Configure optional proxy settings |
This policy setting specifies optional settings for the proxy server access. |
|
Shortcut Policies | |
|
Restore desktop shortcuts for the Self-Service Site |
This policy setting permits Secure Password Extension to create the desktop shortcut to the Self-Service Site again on a user's computer, if the user deletes the desktop shortcut. |
|
Do not create desktop shortcuts for the Self-Service Site |
This policy setting turns off the option that would allow Secure Password Extension to create the desktop shortcuts to the Self-Service Site on users' computers. |
|
Do not create any shortcuts for the Self-Service Site |
This policy setting turns off the option that would allow Secure Password Extension to create any shortcuts (on the desktop and in the Start menu) to the Self-Service Site on users' computers. |
|
Secure Password Extension Title Settings | |
|
Display custom names for the Secure Password Extension window title |
This policy setting replaces the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages. |
|
Set custom name for the Secure Password Extension window title in <Language> |
This group of policy settings specifies a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. Out-of-the-box 36 language-specific policy settings are available. The name that you specify must not exceed 32 characters. If you use a hieroglyphic font, the name is limited to 14 characters because of the hieroglyph’s width. The URL length must not exceed 256 characters. |
|
Usage Policy Settings | |
|
Display the usage policy button (command link) |
Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy command link on Windows operating system is displayed on the Windows logon screen. This opens a document (DOC, TXT, or HTML) that describes the enterprise usage policy or contains any information that you want to make available to end-users. |
|
Set default URL |
This policy specifies an URL referring to the usage policy document that opens when users click the the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to a DOC, TXT, or HTML file. |
|
Set name and URL for the usage policy button (command link) in <Language> |
This group of policy setting allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available. The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited by 14 characters because of hieroglyph’s width. The URL length must not exceed 256 characters. |
|
Notification Customization | |
|
Set background image for registration notification dialog |
This policy setting defines a new background image instead of the default background for the registration notification dialog. |
|
Customize registration notifications |
This policy setting replaces the default text in language-specific registration notification dialogs with your custom text. |
|
Registration Notification | |
|
Customize registration notification in <Language> |
This group of policy settings allows you to customize texts in notification dialogs individually for each of the required logon languages. 36 language-specific policy settings are available. |
|
Q&A Profile Update Notification | |
|
Customize Q&A profile update notification in <Language> |
This group of policy settings allows you to customize notifications that request users to update their Q&A profiles individually for each of the required logon languages. 36 language-specific policy settings are available. |
|
Credential Provider’s Description NOTE: If the Credential Provider's Description and the Icon's Text Label in the ADMx template are configured with different custom labels, then according to Microsoft's Windows 10 design, the Credential Provider Icon will display the same pop-up text (on hovering over the Icon) as defined in the Credential Provider's Description instead of the label from the Icon's Text Label. In case of Windows 8.1 and other versions of Windows that were released before Windows 8.1., the Credential Provider Icon will display the pop-up text that is defined in the Icon's Text Label. The title will display the label provided in the Credential Provider's Description. | |
|
Display custom description of the Secure Password Extension credential provider |
This policy setting defines whether to replace the default description the Secure Password Extension credential provider with the text that you specify for required logon languages. The credential provider description is displayed when users select the Secure Password Extension credential provider in the Sign-in options under their user tiles on the logon screen. The customized description is displayed for the Secure Password Extension credential provider. If you disable or do not configure this policy setting, then the default language-specific description of the Secure Password Extension credential provider is displayed. |
|
Set the custom description in <Language> |
This policy setting defines a custom description of the Secure Password Extension credential provider in the selected language. The custom text is displayed when users select the Secure Password Extension credential provider in the Sign-in options under their user tiles on the logon screen on computers that use the specified language as the logon language. If you disable or do not configure this policy setting, then the default language-specific description of the Secure Password Extension credential provider is displayed. NOTE: If the Display custom description of the Secure Password Extension credential provider policy is disabled, then this policy has no effect. |
|
Icon’s Text Label | |
|
Display custom labels for the Secure Password Extension credential provider’s icon |
This policy setting replaces the default text label for the Secure Password Extension credential provider’s icon with the text that you specify for required logon languages. The text label for the credential provider icon appears in a pop-up when a user hovers over the credential provider’s icon under the Sign-in options on the logon screen. If you enable this policy setting, the custom label is displayed for the Secure Password Extension credential provider’s icon. If you disable or do not configure this policy setting, then the default language-specific label for the Secure Password Extension credential provider’s icon is displayed. |
|
Set the custom label in <Language> |
This policy setting specifies custom text labels for the Secure Password Extension credential provider’s icon in the selected language. The custom label is displayed when users hover over the credential provider’s icon under the Sign-in options on the logon screen on computers that use the specified language as the logon language. If you disable or do not configure this policy setting, then the default language-specific label for the Secure Password Extension credential provider’s icon is displayed. NOTE: If the Display custom label for the Secure Password Extension credential provider’s icon policy is disabled, then this policy has no effect. |
|
Link to the Self-Service Site | |
|
Display custom names of the Open the Self-Service Site link |
This policy setting replaces the default name of the Open the Self-Service Site link with the names that you specify for required logon languages. This link opens the Self-Service Site from the logon screen. If you enable this policy setting, the link is displayed under the specified language-specific names. If you disable or do not configure this policy setting, then the default language-specific names of the Open the Self-Service Site link are displayed. |
|
Set the custom names of the Open the Self-Service Site link in <Language> |
This policy setting specifies a custom name of the Open the Self-Service Site link in the specified language. The link is displayed under the specified name under the user tile on the logon screen on computers that use the specified language as the logon language. If you disable or do not configure this policy setting, then the default language-specific name of the link will be displayed. Note: If the Display custom names of the Open the Self-Service Site link policy is disabled, then this policy has no effect. |
|
Offline Password Reset Settings | |
|
Display the Offline Password Reset button (command link) |
This policy setting displays the Offline Password Reset buttons and command links for which you have specified the logon language-specific names. The Offline Password Reset button on Windows operating systems are displayed on the Windows logon screen, and open the Offline Password Reset wizard. These buttons and command links are available only if the Offline Password Reset feature is installed on the target user computers. To use this setting, you must specify the button (link) name for each of the required logon languages. If you enable this policy setting, the Offline Password Reset button (command link) is displayed on user computers under the specified language-specific names. Clicking the button or the command link opens the Offline Password Reset wizard. If you disable or do not configure this policy setting, the Offline Password Reset buttons and command links are not displayed on user computers. |
|
Shared secret update period (hours) |
This policy setting defines how often must the shared secret that is used for authentication during the Offline Password Reset be updated. Set the update period in hours. Lower values provide better security, but setting very low values for the update period might cause replication issues. One Identity recommends to define this value as greater than the intersite replication period in the Active Directory domain. NOTE: If the Display the Offline Password Reset button (command link) policy is disabled, then this policy has no effect. |
|
Set custom name for the Offline Password Reset button (command link) in <Language> |
This policy setting specifies the name of the Offline Password Reset button (command link) in <Language>. The Offline Password Reset button (command link) is displayed under the specified name on computers that use <Language> as the logon language. If you disable or do not configure this policy setting, then the default language-specific name is displayed on the Offline Password Reset button (command link). The text you specify must not exceed 32 characters. NOTE: If the Display the Offline Password Reset button (command link) policy is disabled, then this policy has no effect. |
|
Configure scope for accessing the shared secret in Active Directory |
This policy setting, when deployed to the client, defines a list of users and groups that will have the permission to read the shared secret’s copy that is published in Active Directory. NOTE: The domain management account must have this permission for the Offline Password Reset functionality to work. The computer account that is used to store the shared secret’s copy and the domain administrators group always has the permission to read the shared secret’s copy. |
You uninstall Secure Password Extension from end-user computers by removing the appropriate installation packages assigned through Group Policy. Uninstalling Secure Password Extension makes the Self-Service Site no longer available from the Windows logon screen.
To remove an assigned MSI package
Start the Group Policy Management snap-in. To do this, click Start, point to Programs, point to Administrative Tools, then click Group Policy Management.
In the console tree, click the group policy object with which you deployed the package, and then click Edit.
Expand the Software Settings container that contains the Software installation item with which you deployed the package.
Click the Software installation container that contains the package.
In the right pane of the Group Policy window, right-click the package name, point to All Tasks, and then click Remove.
Click Immediately uninstall the software from users and computers, and then click OK.
Quit the Group Policy Object Editor snap-in, and then quit the Group Policy Management snap-in.
For diagnostic purposes you can turn on logging in Secure Password Extension. The log file can contain the following information: exceptions and errors, debug messages and functions’ returns, and so on. You can use this diagnostic data to identify issues with Secure Password Extension.
|
|
Caution: This section describes how to modify the Registry. However, incorrectly modifying the Registry may severely damage the system. Therefore, you should follow the steps carefully. It is also recommended to back up the Registry before you modify it. |
To enable logging in Secure Password Extension
On a computer where Secure Password Extension is installed, click the Start button, click Run, and type regedit. Click OK.
In the Registry tree (the left tab), create the following key: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging.
Add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. To do it, click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. On the Edit menu, select New, then click String Value.
Type LogLevel and then press ENTER to name the string value.
Right-click the LogLevel value and select Modify.
In the Edit String dialog, type All under Value data. Click OK.
Add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. To do it, click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. On the Edit menu, select New, then click String Value.
Type LogFolder and then press ENTER to name the string value.
Right-click the LogFolder value and select Modify.
In the Edit String dialog, type the path to the log file under Value data. For example, C:\Logs. Click OK.
Exit the Registry Editor.
Restart the computer.
To disable logging in Secure Password Extension
On a computer where Secure Password Extension is installed, click the Start button, click Run, and type regedit. Click OK.
In the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key, select the LogLevel value.
Right-click the LogLevel value and select Modify.
In the Value data box, type Off, and click OK.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
