To install the Password Policy Manager component in your managed domain, you must deploy it on all Domain Controllers (DC) via a Group Policy. You can create a new Group Policy Object (GPO), or use an existing one, to assign the Password Manager installation package with Password Policy Manager to the destination computers. Password Policy Manager is then installed on the computers to which the GPO applies.
The installer of the Password Policy Manager component is located at the following subfolder of the Password Manager ISO image or extracted installation archive:
/Password Manager/Setup/PasswordPolicyManager_x64.msi
To install Password Policy Manager on a single DC
-
Run the PasswordPolicyManager_x64.msi installation package.
-
Restart the computer once the installation is completed.
To deploy Password Policy Manager on multiple domain controllers
-
Copy the PasswordPolicyManager_x64.msi installation package to a network share accessible from all DCs in the managed domain.
-
Create a GPO and link it to all DCs in your managed domain. You may also choose an existing GPO to deploy Password Policy Manager.
-
Under the selected GPO, open Computer Configuration > Software Settings.
-
Right-click Software installation, then select New > Package.
-
Select the PasswordPolicyManager_x64.msi installation package.
-
Click Open.
-
Select the deployment method and click OK.
-
Verify and configure the installation properties, if needed.
To uninstall Password Policy Manager, remove it from all Domain Controllers (DC) in your managed domain.
To uninstall Password Policy Manager
-
Remove Password Policy Manager from the DC of the managed domain.
-
Restart the computer when prompted.
-
Repeat the previous steps for all remaining DCs in the managed domain.
If you have deployed Password Policy Manager via a Group Policy, then uninstall Password Policy Manager by removing the PasswordPolicyManager_x64.msi installation package from the Software installation list.
To remove the Password Policy Manager installation package from a Group Policy
-
Start the Group Policy Management snap-in. To do so, click Start, and navigate to Programs > Administrative Tools > Group Policy Management.
-
In the console tree, click the group policy object that you used to deploy the package, and click Edit.
-
Expand the Software Settings container that contains the Software installation item that you used to deploy the package.
-
Click the Software installation container that contains the PasswordPolicyManager_x64.msi package.
-
In the right pane of the Group Policy window, right-click the PasswordPolicyManager_x64.msi package, point to All Tasks, and then click Remove.
-
Click Immediately uninstall the software from users and computers, and then click OK.
-
Quit the Group Policy Object Editor snap-in, and then quit the Group Policy Management snap-in.
IMPORTANT: If you uninstall Password Manager, but do not remove Password Policy Manager from DCs in a managed domain, configured password policies will still be enforced. To stop the enforcement of password policies configured in Password Manager, uninstall Password Policy Manager from all DCs in the managed domain.
To create a password policy, you need add a connection to the domain to which this policy will be applied.
IMPORTANT: By default, native Windows domain policies are not displayed on the Self-Service Site when resetting or changing password. To display these policies, you must add the required domain on the Password Policies tab of the Administration Site.
The account you use to access the domain for which you want to create password policies should have the following permissions:
-
The Read permission for attributes of the groupPolicyContainer objects.
-
The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
-
The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.
-
The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
-
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
-
The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
-
The Write permission for the following attributes of the msDS-PasswordSettings object:
-
msDS-LockoutDuration
-
msDS-LockoutThreshold
-
msDS-MaximumPasswordAge
-
msDS-MinimumPasswordAge
-
msDS-MinimumPasswordLength
-
msDS-PasswordComplexityEnabled
-
msDS-PasswordHistoryLength
-
msDS-PasswordReversibleEncryption
-
msDS-PasswordSettingsPrecedence
-
msDS-PSOApplied
-
msDS-PSOAppliesTo
-
name
To add domain connection
-
On the home page of the Administration Site, click the Password Policies tab.
-
Click Add domain connection to add a domain for which you want to create password policies.
-
If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.
-
If you selected to create the new domain connection, in the Add New Domain Connection dialog, configure the following options:
-
In the Domain name text box, enter the name of the domain that you want to add.
-
In the Domain alias text box, enter the alias for the domain which will be used to address the domain on the Self-Service Site. This field is required because you can reuse the domain connection in the user scope.
-
To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Specified user name and password and then enter user name and password in the corresponding text boxes. Note, that if Password Manager Service account is used to access the domain, it should have the required permissions.
-
Click Save.
For more information on modifying settings for the domain connection, see Domain Connections.
To create a domain password policy
-
On the home page of the Administration Site, click the Password Policies tab.
-
Click the <N> One Identity Password Policies or One Identity Password Policies are not configured link under the domain that you want to manage.
-
On the One Identity Password Policies for Domain <DomainName> page, click Add a policy.
-
In the Add New Policy dialog, type a name for the new policy and click Save.
To configure settings for a password policy
-
On the home page of the Administration Site, click the Password Policies tab.
-
Click the <N> One Identity Password Policies link under the domain connection that you want to manage.
-
On the One Identity Password Policies for Domain <DomainName> page, click Edit under the policy whose properties you want to view or modify.
-
On the Policy Settings tab of the Password Policy Properties dialog, view or modify the following options, and then click Save:
Table 15: Password Policy Properties
Disable this policy |
Select this check box to temporarily turn off the policy. |
Domain |
View the name of the managed domain to which this policy is linked. |
Policy name |
View or modify the name of the password policy. |
- Click the Policy Rules tab to configure the password policy rules by using the procedure outlined in Configuring Password Policy Rules, and then click Save.
- Click the Policy Scope tab to manage the password policy links by using the procedure outlined in Managing Password Policy scope, and then click Save.
IMPORTANT: The password policies do not override domain security settings; both the Password Manager password policies and the domain security settings are applied.
In case you are running Microsoft Windows Server 2016 or later, Password Manager allows configuring and using not only One Identity Password Policies, but Windows fine-grained password policies as well. For Windows fine-grained password policies, among other options, you can configure policy precedence that defines Windows fine-grained password policies application order. Note, that when configuring the scope of these password policies, you can apply the policies only to groups in the managed domain.
For each of the domain password policies, you can configure a set of policy rules that define what passwords to reject or accept in the domain to which a particular policy is applied.
For each password policy, you can set up the following rules:
-
Password age rule: Ensures that users cannot use expired passwords or change their passwords too frequently.
-
Length rule: Ensures that passwords contain the required number of characters.
-
Complexity rule: Ensures that passwords meet minimum complexity requirements.
-
Required characters rule: Ensures that passwords contain certain character categories.
-
Disallowed characters rule: Rejects passwords that contain certain character categories.
-
Sequence rule: Rejects passwords that contain more repeated characters than it is allowed.
-
User properties rule: Rejects passwords that contain part of a user account property value.
-
Dictionary rule: Rejects passwords that match dictionary words or their parts.
-
Symmetry rule: Ensures that password or its part does not read the same in both directions.
-
Custom rule: Use this rule to display custom messages to users or to hide configured policy rules from users when they reset or change password on the Self-Service Site.