Q&A profile settings allow you to define settings and requirements for user’s questions and answers. For example, you can prevent users from using the same answer for multiple questions. Questions and answers that do not comply with the policy will not be accepted.
To configure Questions and Answers policy
- Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/PMAdminADLDS/.
  NOTE: When prompted to log in, provide your domain user name in a domainname\username format.
- On the Administration site home page, click the Q&A Policy link under the Management Policy you want to configure.
- On the Configure Questions and Answers Policy page, click the Q&A profile settings link.
- In the Q&A Profile Settings dialog box, specify the following options:
Table 5: Questions and Answers profile settings
| Option | Description |
|---|---|
| Question Settings | |
| Users must answer this number of optional questions to register | Set the required number of optional questions that a user must answer to create a Questions and Answers profile. |
| Users must answer this number of user-defined questions to register | Set the required number of user-defined questions that a user must specify to create a Questions and Answers profile. |
| Minimum length of user-defined questions | Set the minimum number of characters that user-defined questions can contain. |
| Answer Settings | |
| Minimum length of answers | Set the minimum number of characters that users' answers can contain. |
| Reject the same answers for different questions | Select to prevent users from specifying the same answers for different questions. |
| Reject answers that contain corresponding questions | Select to prevent users from specifying answers that contain corresponding questions. |
| Store answers using reversible encryption | Select to store users' answers using reversible encryption. If you do not select this option, answers to mandatory, optional and user-defined questions are hashed. Note that answers to helpdesk questions are always stored using reversible encryption, even if this option is not selected. |
| Security Settings | |
| Allow users to hide their answers | Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks. |
| Hide users' answers by default | Select this check box to have Password Manager display users' answers as asterisks while they are typing in their answers. |
| Do not require users to confirm answers if answers are hidden | Select this check box to allow users to enter their answers only once, if answers are hidden. |
- Click Save.
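The question and answer rules from Table 5 written out as checks, as an added example that is not Password Manager's own code. The field names, the normalization used when comparing text, and the use of salted PBKDF2 for the hashed (non-reversible) storage option are assumptions.

```python
import hashlib, hmac, os, unicodedata
from collections import Counter
from dataclasses import dataclass

@dataclass
class QAPolicy:  # hypothetical field names mirroring the Table 5 options
    required_optional: int = 1
    required_user_defined: int = 1
    min_question_len: int = 10
    min_answer_len: int = 4
    reject_same_answers: bool = True
    reject_answer_with_question: bool = True

def norm(text):
    # Assumed comparison form: NFKC, case-folded, whitespace collapsed
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def check_profile(policy, entries):
    """entries: (kind, question, answer); kind is optional, user-defined or mandatory."""
    errors, seen = [], set()
    kinds = Counter(kind for kind, _, _ in entries)
    if kinds["optional"] < policy.required_optional:
        errors.append("too few optional questions answered")
    if kinds["user-defined"] < policy.required_user_defined:
        errors.append("too few user-defined questions")
    for kind, q, a in entries:
        nq, na = norm(q).rstrip("? "), norm(a)
        if kind == "user-defined" and len(q.strip()) < policy.min_question_len:
            errors.append(f"question too short: {q!r}")
        if len(a.strip()) < policy.min_answer_len:
            errors.append(f"answer too short: {q!r}")
        if policy.reject_same_answers and na in seen:
            errors.append(f"answer reused: {q!r}")
        seen.add(na)
        if policy.reject_answer_with_question and nq and nq in na:
            errors.append(f"answer contains question: {q!r}")
    return errors

def hash_answer(answer, salt=None, iterations=200_000):
    # Salted PBKDF2 is an assumption; the page only says answers are hashed
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", norm(answer).encode(), salt, iterations)

def verify_answer(answer, salt, digest, iterations=200_000):
    return hmac.compare_digest(hash_answer(answer, salt, iterations)[1], digest)

# Constructed sample profile
SAMPLE = [("optional", "What was your first pet's name?", "Rex the dog"),
          ("user-defined", "Fav band?", "rex  THE dog"),
          ("mandatory", "What city were you born in?", "what city were you born in")]
```

A hashed answer can be checked against what the user types later, but it cannot be read back or displayed the way a reversibly encrypted answer can.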
To customize the behavior of Password Manager for AD LDS, configure workflows in the Password Manager Administration Site. Workflows have 2 types:
- Self-service workflows customize the behavior of the Password Manager Self-Service Site. All configured and enabled self-service workflows are available as tasks on the Self-Service Site for Password Manager users.
- Helpdesk workflows customize the behavior of the Password Manager Helpdesk Site. All configured and enabled Helpdesk workflows are available on the Helpdesk Site as helpdesk operator actions.
To modify the behavior of an existing workflow task, in the Home page of the Password Manager Administration Site, click the management policy workflow you want to configure, and click Workflow settings.
A workflow consists of activities. You can configure each activity independently.
Workflow activities have 3 types:
- Authentication provides authentication options, such as password-based authentication, Questions and Answers profiles, or phone-based authentication.
- Actions are core components in workflows, including activities like unlocking accounts, editing Q&A profiles, or resetting passwords.
- Notifications let you configure email notifications for users and administrators, and specify the conditions under which Password Manager for AD LDS will send these notifications.
You can also create custom activities. For more information, see Custom Activities.
Password Manager for AD LDS lists the available activities in the left pane of the Workflow Designer. To add an activity to a workflow, drag and drop it into the right pane of the Workflow Designer. To remove an activity, click Close on the activity box.
Password Manager for AD LDS displays the workflow structure in the right pane of the Workflow Designer, indicating the type and order of activities to perform in the workflow. To change the order of the activities, simply move them up or down.
Figure 1: Home > <management-policy> > <workflow> > Workflow Settings
Workflow states determine how Password Manager for AD LDS ran a workflow and which activities of the workflow it initiated. Workflows have 3 states:
- Success is the state of the workflow if no errors occur when running a workflow. In this state, Password Manager for AD LDS performs all workflow activities, except the following:
  - Email user if workflow fails
  - Email administrator if workflow fails
  - Lock Q&A profile
  - Restart workflow if error occurs
- Failure is the state of the workflow if an error occurs when running a workflow activity. If any errors occur during the workflow, Password Manager for AD LDS performs only the following activities:
  - Email user if workflow fails
  - Email administrator if workflow fails
  - Lock Q&A profile
  - Restart workflow if error occurs
  NOTE: The Restart workflow if error occurs activity resets the workflow state to Success and runs the workflow from the beginning.
- Critical Error is the state of the workflow if a critical error occurs (for example, locking a user account or a Q&A profile). If any critical errors occur when running the workflow, Password Manager for AD LDS performs only the following activities: