This section provides information on how to apply a password policy to organizational units and groups in a managed AD LDS instance.
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Upgrading Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Extending AD LDS Schema
Instance Initialization
Installing Self-Service, New Self-Service (Preview), and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
FailSafe support in Password Manager
Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
TeleSign
SQL Server Database and SQL Server Reporting Services
Quick Connect Sync Engine
Defender
Password Manager Secure Token Server
RADIUS Two-Factor Authentication
Redistributable Secret Management Service
Location sensitive authentication
Working with Power BI
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Siteson Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Management Policy Overview
Password Policy Overview
reCAPTCHA Overview
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Data Replication
Phone-Based Authentication Service Overview
Configuring Management Policy
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
General Settings
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Overview of Built-in Self-Service Activities
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with an external provider
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in AD LDS
Change Password in AD LDS
Reset Password in AD LDS and Connected Systems
Change Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Enforce Update of Profile
Overview of Built-in Helpdesk Activities
User Enforcement Rules
Authentication Activities
Authentication Methods
Authenticate with Q&A Profile
Authenticate via Phone
Authenticate with Defender
Authenticate with RADIUS Two-Factor Authentication
Action Activities
Reset Password in AD LDS
Reset Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Assign Passcode
Unlock Q&A Profile
Enforce Update of Q&A Profile
Restart Workflow if Error Occurs
Notification Activities
General Settings Overview
Search and Logon Options
Password Policies
Configuring Search and Security Options for the Self-Service Site
Configuring Search Options for the Helpdesk Site
Configuring Security Settings
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
Update RADIUS server status
User Status Statistics Task
Clear Old Records from Reporting Database
Web Interface Customization
Instance Reinitialization
Realm Instances
AD LDS Instance Connections
Using Connections to AD LDS Instances
Specifying Access Account for AD LDS Instance Connections
Changing Access Account for AD LDS Instance Connections
Removing Connection to AD LDS Instance
Extensibility Features
RADIUS Two-Factor Authentication
Password Manager components and third-party applications
Unregistering users from Password Manager
Bulk Force Password Reset
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
About Password Policies
Creating a Password Policy
Managing Password Policy Scope
Configuring Password Policy Rules
Enable S2FA for Administrators and Enable S2FA for HelpDesk Users
Reporting
Password Compliance
Password Age Rule
Length Rule
Complexity Rule
Required Characters Rule
Disallowed Characters Rule
Sequence Rule
User Properties Rule
Symmetry Rule
Custom Rule
Deleting a Password Policy
Reporting and User Action History Overview
Appendix A: Accounts Used in Password Manager for AD LDS
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Password Manager Service Account
Application Pool Identity
Access Account for Application Directory Partition Connection
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager for AD LDS
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of Password Policies List
Customization of Password Strength Meter
Appendix D: Feature imparities between the legacy and the new Self-Service Sites
Glossary
Managing Password Policy Scope
Applying Password Policies
In Password Manager (PM) application, scopes can be defined at multiple levels. Scopes act as a boundary in which you can define the groups and Organization Unit (OU), and can also associate policies into it.
The Default Management Policy allows you to configure both the user scope and the help desk scope. In the Management Policy scope, an admin can also associate the workflows, activities, and Q&A policy to the configured user groups and OU.
While configuring the user scope/help desk scope, an admin must define either a Group or an OU to indicate which group or OU can access the self-service site/helpdesk site. This means the users who are part of the configured group/OU comes under included group category. You could also define a different group/OU under an excluded group category. This means users who are part of these excluded group or OU cannot access self-service site/helpdesk site.
In case of Password Policy scope, admin needs to ensure the following
- Password policies should only be applied to the user groups/ OUs that are part of the Userscope.
- Group that will be associated into the password policy scope must be part of the OU as well. This means users who are part of the group must also be the part of the OU as those users will have the same set of activities to be performed in the self-service site.
- An Administrator can create one or more password policies and can map each policy to single/ multiple user groups or OUs.
- By default, the newly created password policy is linked to the Domain name created in the management policy scope and gets applied to the “Authenticated users group. It means that all the users that are part of the usergroups and OUs configured in the user scope, will have the password policy applied.
- Group that will be associated into the password policy scope must be part of the OU as well. This means users who are part of the group must also be the part of the OU as those users will have the same set of activities to be performed in the self-service site.
|
|
|
The table below provides more information on different scenarios.
Let us consider the following groups/OU
|
|
NOTE: Do not define both OU and the group in the Management policy scope for the set password policy rule to get applied in the self-service site. |
| S.No | Userscope
|
Password Policy Scope
|
Password Policy | Logged in self-service site |
Is Password Policy applicable?
| ||||
| Included Group | Included OU |
Excluded Group |
Excluded OU |
OU | Group | ||||
| 1. | Group1 | OU1 |
|
|
OU1 | Group1 | Password Policy1 | User1 |
Yes |
| 2. | Group1 | OU2 |
Group2 |
|
OU1 | Group2 |
Password Policy2
|
User2 |
No |
|
3. |
Group3 |
OU1 |
Group1 |
|
OU2 |
Group3 |
User2 |
No | |
|
4. |
Group3 |
OU3 |
|
OU1 |
OU3 |
Group3 |
Password Policy3
|
User3 |
Yes |
|
5. |
Group2 |
OU2 |
|
|
OU1 |
Group2 |
User2 |
No | |
|
6. |
Group1 |
OU1 |
|
OU4 |
OU4 |
Group1 |
Password Policy4
|
User1 |
No |
|
7. |
Group2 |
OU2 |
|
OU5 |
OU5 |
Group2 |
User2 |
No | |
|
8. |
Group3 |
OU3 |
Group1 |
|
|
Group3 |
Password
|
User3 |
No |
|
9. |
Group3 |
OU3 |
Group2 |
|
OU3 |
|
User3 |
No | |
To link a password policy to organizational units and groups
- On the home page of the Administration site, click the Password Policies tab.
- Click the One Identity Password Policies link under the application directory partition that you want to manage.
- On the One Identity Password Policies for <application directory partition> page, click Edit under the policy whose properties you want to view or modify.
- Click the Policy Scope tab.
- Click the Add button under This policy is applied to the following organizational units, and then browse for an organizational unit.
- Click the Add button under This policy is applied to the following groups, and then browse for a group.
- Click Save.
Changing Policy Priority
When multiple password policies affect an organizational unit or a group, only the policy with the highest priority is applied to such group or organizational unit. A newly created password policy is disabled by default.
|
|
NOTE: Only priority of policies with the same scope can be changed. |
To change policy priority
- On the home page of the Administration site, click the Password Policies tab.
- Click the One Identity Password Policies link under the AD LDS instance for which you want to change the policy link order and click Policy priority.
- In the Change Policy Priority dialog box, move policies up or down in the list by selecting them and clicking the Move Up or Move Down buttons.
Configuring Password Policy Rules
Password Manager uses a set of powerful and flexible rules to define requirements for passwords. Each password policy has rules that are configured independently of the rules in other policies.
|
|
NOTE: Password Manager for ADLDS does not support Dictionary rule in OI Password policies. |
For each password policy, you can set up the following rules:
- Password age rule. Ensures that users cannot use expired passwords or change their passwords too frequently.
- Length rule. Ensures that passwords contain the required number of characters.
- Complexity rule. Ensures that passwords meet minimum complexity requirements.
- Required characters rule. Ensures that passwords contain certain character categories.
- Disallowed characters rule. Rejects passwords that contain certain character categories.
- Sequence rule. Rejects passwords that contain more repeated characters than it is allowed.
- User properties rule. Rejects passwords that contain part of a user account property value.
- Symmetry rule. Ensures that password or its part does not read the same in both directions.
- Custom rule. Use this rule to enter the settings of the local or domain password policy applied to the server on which AD LDS is running, if you want to display these settings to users on the Self-Service site when users reset or change passwords. You can also use this rule to display your custom messages and to hide the configured policy rules.