You can use Password Manager to create password policies that define which passwords to reject or accept. Password policy account is an account that you specify when you add a domain for configuring password policies.
Password policy account must meet the following minimum requirements:
- The Read permission for attributes of the groupPolicyContainer objects.
- The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
- The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.
- The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the following attributes of the msDS-PasswordSettings object:
- msDS-LockoutDuration
- msDS-LockoutThreshold
- msDS-MaximumPasswordAge
- msDS-MinimumPasswordAge
- msDS-MinimumPasswordLength
- msDS-PasswordComplexityEnabled
- msDS-PasswordHistoryLength
- msDS-PasswordReversibleEncryption
- msDS-PasswordSettingsPrecedence
- msDS-PSOApplied
- msDS-PSOAppliesTo
- name
For more information on password policies that can be configured in Password Manager, see Creating and Configuring a Password Policy.
Corporate Authentication
In the Register workflow, if the Admin selects Corporate authentication check box, user will only be able to review the corporate account details while registration. If Allow user to edit corporate details check box is selected, user will be able to update the respective corporate details such as Corporate email and Corporate phone number, provided that the details are not previously populated by administrator in the AD.
If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.
- The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.
- If Allow user to edit corporate details checkbox is selected under Corporate authentication check box, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.
|
NOTE: If the Corporate phone attribute under Reinitialization page is a custom value(say, pager) then, the Read/ Write Permissions need to be provided for that attribute instead of the mobile attribute. |
You can configure cross-platform password synchronization using One Identity Quick Connect. If used in conjunction with Quick Connect, Password Manager allows you to enable users and helpdesk operators to manage passwords across a wide variety of connected systems.
To enable Password Manager to connect to Quick Connect and set passwords in connected systems, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server. For more information on using Quick Connect with Password Manager, see Reset Password in Active Directory and Connected Systems.
Open Communication Ports for Password Manager
This section provides a list of communication ports that need to be open in the firewall for Password Manager to function properly.
Administration Site
Port 80 (Default HTTP) TCP Inbound
Port 443 (Default HTTPS) TCP Inbound/Outbound
Port 8081 TCP Inbound/Outbound
Port 25 (Default SMTP port) TCP Outbound
Port 135 TCP Inbound/Outbound
Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites
Port 80 (Default HTTP) TCP Inbound
Port 443 (Default HTTPS) TCP Inbound/Outbound
Port 8081 TCP Inbound/Outbound
The Password Manager Self-Service site has all functionality similar to the Legacy Self-Service site with a new and improved user interface. The Password Manager Self-Service site can co-exist along with the already existing Legacy Self-Service site and you can select to revert anytime to the Legacy Self-Service site.
Password Manager Service
Port 53 (Outgoing DNS lookups) UDP Outbound
Port 88 (Kerberos Authentication) TCP/UDP Outbound
Port 389 (LDAP Access) TCP/UDP Outbound
Port 636 (LDAP Access) TCP Outbound
Port 137 (NetBIOS Name Service) TCP Outbound
Port 139 (NetBIOS Session Service) TCP Outbound
SQL Server
Port 1433 (SQL Server) TCP/UDP Outbound
Port 1434 (SQL Server Browser Service) TCP/UDP Outbound
Report Server
Port 80 (SQL Server Report Services) TCP Outbound
Email Notification
Port 25 (Default SMTP port) TCP Outbound
One Identity Quick Connect Sync Engine
Port 808 TCP Outbound
Secure Password Extension
Port 80 (Default HTTP) TCP Outbound
Port 88 (Kerberos Authentication) UDP Outbound
Port 389 (LDAP Access) TCP Outbound
Port 443 (Default HTTPS) TCP Outbound
Telesign
Port 443 TCP Outbound
Defender
Port specified in the activity settings (Authenticate with Defender) is used.
BitLocker with MBAM
Port specified in the activity settings (Issue BitLocker recovery key) is used.
Customization Options Overview
There are multiple ways to customize the Self-Service and Helpdesk sites. You can customize email notifications, change company and product logos and Web sites color scheme, etc.
The following customization options are available in Password Manager: