When you add a domain connection, you can create a new one or use existing connections, if any. When creating the domain connection, you must specify a domain management account — an account under which Password Manager will access the domain.
For the domain connection that you want to use in the user and Helpdesk scopes, make sure the domain management account has the following minimum set of permissions:
- Membership in the Domain Users group
- The Read permission for all attributes of user objects
- The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
NOTE: If the Storage attribute for Security questions on the Reinitialization page is set to a custom value (such as userParameters), grant the Write permission for that attribute instead of the comment attribute.
- The right to reset user passwords
- The permission to create user accounts and containers in the Users container
- The Read permission for attributes of organizationalUnit objects and domain objects
- The Write permission for the gpLink attribute of organizationalUnit objects and domain objects
- The Read permission for attributes of container and serviceConnectionPoint objects in Group Policy containers
- The permission to create container objects in the System container
- The permission to create serviceConnectionPoint objects in the System container
- The permission to delete serviceConnectionPoint objects in the System container
- The Write permission for the keywords attribute of serviceConnectionPoint objects in the System container
If you want to use the same domain connection in password policies, as well, make sure the account has the following permissions:
- The Read permission for attributes of groupPolicyContainer objects.
- The permission to create and delete groupPolicyContainer objects in the Policies container under the System container (CN=Policies,CN=System).
- The Read permission for the nTSecurityDescriptor attribute of groupPolicyContainer objects.
- The permission to create and delete container and serviceConnectionPoint objects in Group Policy containers.
- The Read permission for attributes of container and serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the serviceBindingInformation and displayName attributes of serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the following attributes of msDS-PasswordSettings objects:
  - msDS-LockoutDuration
  - msDS-LockoutThreshold
  - msDS-MaximumPasswordAge
  - msDS-MinimumPasswordAge
  - msDS-MinimumPasswordLength
  - msDS-PasswordComplexityEnabled
  - msDS-PasswordHistoryLength
  - msDS-PasswordReversibleEncryption
  - msDS-PasswordSettingsPrecedence
  - msDS-PSOApplied
  - msDS-PSOAppliesTo
  - name
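The lists above describe the rights in Active Directory terms but not how to delegate them. The following PowerShell script is an added example, not part of the One Identity documentation: it grants a domain management account the user-scope minimum (read all user attributes, write only pwdLastSet, comment, userAccountControl and lockoutTime, the Reset Password extended right, and the container/serviceConnectionPoint rights under CN=System) instead of making the account a member of Domain Admins. The account name CONTOSO\svc-pwm and the OU OU=Staff,DC=contoso,DC=com are placeholders; the remaining rights on the page (gpLink, groupPolicyContainer, msDS-PasswordSettings, and the mail/mobile attributes used by Corporate authentication) follow the same Add-AdAce pattern with different object and attribute GUIDs.

```powershell
# Added example (not One Identity's code): delegate the minimum domain management
# account permissions listed in the documentation. Requires the ActiveDirectory
# module and a caller with rights to modify the DACLs of the target objects.
Import-Module ActiveDirectory

$ManagementAccount = 'CONTOSO\svc-pwm'             # assumption: the domain management account
$UsersScopeDN      = 'OU=Staff,DC=contoso,DC=com'   # assumption: where the in-scope users live
$SystemDN          = "CN=System,$((Get-ADDomain).DistinguishedName)"
$schemaNC          = (Get-ADRootDSE).schemaNamingContext

$sid = ([System.Security.Principal.NTAccount]$ManagementAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# schemaIDGUID of an attribute or class, looked up by lDAPDisplayName
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                      -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$o.schemaIDGUID
}

# Append one Allow ACE to the DACL of $Path. $ObjectType narrows the right to a
# single attribute, child class or extended right; $InheritedObjectType limits
# inheritance to objects of one class. [guid]::Empty means "all".
function Add-AdAce {
    param(
        [string]$Path,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [guid]$InheritedObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

$userClass = Get-SchemaGuid 'user'
$scpClass  = Get-SchemaGuid 'serviceConnectionPoint'
$container = Get-SchemaGuid 'container'
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

# Read all attributes of user objects; write only the four attributes the page names
Add-AdAce -Path $UsersScopeDN -Rights ReadProperty -InheritedObjectType $userClass
foreach ($attr in 'pwdLastSet', 'comment', 'userAccountControl', 'lockoutTime') {
    Add-AdAce -Path $UsersScopeDN -Rights WriteProperty -ObjectType (Get-SchemaGuid $attr) `
              -InheritedObjectType $userClass
}
# Reset password is an extended right, not a property write
Add-AdAce -Path $UsersScopeDN -Rights ExtendedRight -ObjectType $resetPwd -InheritedObjectType $userClass

# CN=System: create/delete containers and serviceConnectionPoints, write keywords on SCPs
Add-AdAce -Path $SystemDN -Rights 'CreateChild, DeleteChild' -ObjectType $container -Inheritance All
Add-AdAce -Path $SystemDN -Rights 'CreateChild, DeleteChild' -ObjectType $scpClass  -Inheritance All
Add-AdAce -Path $SystemDN -Rights WriteProperty -ObjectType (Get-SchemaGuid 'keywords') `
          -InheritedObjectType $scpClass

# Check: show exactly which ACEs the account now holds on the user scope
(Get-Acl -Path "AD:\$UsersScopeDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ManagementAccount } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Scoping every ACE to a schema GUID is what keeps this a least-privilege delegation: a bare WriteProperty on user objects would let the account rewrite any attribute, including group-membership-adjacent ones, whereas the four attribute GUIDs above limit it to the fields Password Manager actually touches.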
Corporate Authentication
In the Register workflow, if the administrator selects the Corporate authentication check box, the user can only review the corporate account details during registration. If the Allow user to edit corporate details check box is also selected, the user can update the corporate details (Corporate email and Corporate phone number), provided that the administrator has not already populated them in Active Directory.
If the Corporate authentication registration mode is selected in the Register activity, make sure that the domain management account has the following permissions:
- The Read permission for the Corporate email attribute and the Corporate phone attribute (mobile is the default attribute for Corporate phone).
- If the Allow user to edit corporate details check box is selected under the Corporate authentication check box, both the Read and the Write permission for the Corporate email attribute and the Corporate phone attribute (mobile by default for Corporate phone).
NOTE: If the Corporate phone attribute on the Reinitialization page is set to a custom value (for example, pager), grant the Read and Write permissions for that attribute instead of the mobile attribute.
After adding a domain connection to the user scope, you need to specify the groups from the domain whose members will be able to access the Self-Service site. When you add a domain connection to the user scope, the Domain Users group from that domain is automatically included in the scope. You can also deny specific domain groups access to the Self-Service site.
To add a domain connection
- Open the Administration site by entering the Administration site URL in the address bar of your browser. By default, the URL is http(s)://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed.
- On the Administration site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, click Add domain connection.
- If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.
- If you chose to create a new domain connection, in the Add New Domain Connection dialog, configure access to the domain as follows:
  - In the Domain name text box, type the name of the domain that you want to register with Password Manager.
  - In the Domain alias text box, type the alias for the domain that will be used to address the domain on the Self-Service site.
  - To have Password Manager access the managed domain using the Password Manager Service account, select Password Manager Service account. Otherwise, select Domain management account, then enter the user name and password of the domain management account.
  NOTE: If you use the Password Manager Service account to access the domain, the Password Manager Service account must have the same permissions as the domain management account.
  For information on how to prepare a domain management account, see Configuring Permissions for Domain Management Account.
- Click Save.
To specify groups or OUs that are allowed to access the Self-Service site
- On the Administration site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do one of the following, depending on whether you want to specify groups or OUs:
  - To specify groups, click Add under Groups allowed access to the Self-Service site.
  - To specify OUs, click Add under Organizational units allowed access to the Self-Service site.
- Click Save.
NOTE: If the domain management account is not a member of the Active Directory administrator groups, grant it the permissions listed under Configuring Permissions for Domain Management Account on every group and OU that you add as an included group or included OU in the user scope. To do this, open the properties of the domain, OU or group object in Active Directory, switch to the Security tab, and add the domain management account to the Group or user names list with the required permissions.
If the domain management account is itself a member of the Domain Admins or Administrators group, it already holds the required Write permissions. Note that in-scope user accounts that are members of protected groups such as Domain Admins do not inherit permissions from their OU: the AdminSDHolder process periodically reapplies a fixed ACL to them, so a delegated domain management account cannot manage those users unless it is granted the same rights on the AdminSDHolder object.
To specify groups or OUs that are denied access to the Self-Service site
- On the Administration site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do one of the following, depending on whether you want to configure groups or OUs:
  - To specify groups, click Add under Groups denied access to the Self-Service site.
  - To specify OUs, click Add under Organizational units denied access to the Self-Service site.
- Click Save.
Password Manager supports both LDAP and LDAPS for communicating with Active Directory domain controllers. This section explains how to require LDAP over SSL for password operations.
NOTE: This configuration is required on every Password Manager server.
On a computer where Password Manager is installed, create the following values in the HKLM\SOFTWARE\One Identity\Password Manager registry key using the Registry Editor:
Value name | Type | Data
PasswordEncodeMethod | REG_SZ | ADS_PASSWORD_ENCODE_REQUIRE_SSL
PasswordSetPortNumber | REG_DWORD | 636
NOTE: 636 is the standard LDAPS port. If your domain controllers listen for LDAP over SSL on a different port, set PasswordSetPortNumber to that port.
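The registry values only tell Password Manager to insist on SSL; they do nothing if the domain controllers do not actually present a trusted certificate on port 636. The following PowerShell script is an added example, not part of the One Identity documentation: it creates the two values above and then performs a TLS handshake against a domain controller with default certificate validation, so an untrusted, expired or mis-named DC certificate fails here before it fails inside Password Manager. The domain controller name dc01.contoso.com is an assumption.

```powershell
# Added example (not One Identity's code): set the LDAPS registry values and
# verify that a domain controller accepts TLS on port 636 with a trusted certificate.
$KeyPath          = 'HKLM:\SOFTWARE\One Identity\Password Manager'
$DomainController = 'dc01.contoso.com'   # assumption: a DC of the managed domain

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name 'PasswordEncodeMethod' -PropertyType String `
                 -Value 'ADS_PASSWORD_ENCODE_REQUIRE_SSL' -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'PasswordSetPortNumber' -PropertyType DWord `
                 -Value 636 -Force | Out-Null
Get-ItemProperty -Path $KeyPath | Select-Object PasswordEncodeMethod, PasswordSetPortNumber

# TLS handshake to the DC. SslStream keeps the default certificate validation, so a
# self-signed or wrongly named DC certificate throws here, as it would for Password
# Manager once ADS_PASSWORD_ENCODE_REQUIRE_SSL is in effect.
function Test-LdapsEndpoint([string]$Server, [int]$Port = 636) {
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)   # throws on an untrusted or mismatched certificate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Server
            Port     = $Port
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}
Test-LdapsEndpoint -Server $DomainController
```

Run the check with the same host name that Password Manager will use for the domain connection; a certificate whose subject or SAN does not match that name fails validation even though a connection to the DC's IP address or short name might succeed.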
After you have created a domain connection, you can specify advanced settings for the connection: domain controllers and Active Directory sites of the managed domain.