You can manage how password-related changes are replicated in your environment. If you want to force password changes and resets in the required Active Directory sites, select the corresponding sites on the Advanced settings tab of the Edit Domain Connection dialog, and select the Replicate password-related changes check box.
About Password Manager
Getting started
Different sites for different roles
Password Manager components
Licensing
Installing Password Manager: Checklist
Installing Password Manager
Password Manager architecture
Configuring the Password Manager service account and the application pool identity
Enabling HTTPS
Installing Password Manager
Initializing instance
Installing Legacy Self-Service Site, Password Manager Self-Service Site and Helpdesk Site on a standalone server
FailSafe support in Password Manager
Installing multiple instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites
Step 1: Obtain and install custom certificates from a trusted Windows-based certification authority
Step 2: Providing certificate issued for server computer to Password Manager Service
Step 3: Providing certificate issued for client computers to Self-Service and Helpdesk Sites
Configuring Management Policy
Configuring user scope
Password Manager components and third-party applications
Management policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
Password Policy Manager
Secure Password Extension
Offline Password Reset
Migration Wizard
TeleSign
SQL Server Database and SQL Server Reporting Services
One Identity Quick Connect Sync Engine
Defender
Password Manager Secure Token Server
RADIUS Two-Factor Authentication
Quest Enterprise Single Sign-On (QESSO)
Redistributable Secret Management Service
Location sensitive authentication
Password Manager permission checker
Working with Power BI templates
Password Manager Credential Checker
Typical deployment scenarios
Simple deployment
Deployment of the Legacy Self-Service, Password Manager Self-Service and Helpdesk Sites on standalone servers
Realm deployment
Multiple realm deployment
Password Manager in a perimeter network
Installing Password Manager in perimeter network with read-only domain controllers
Installing Password Manager in perimeter network with reverse proxy
Installing Password Manager in perimeter network without AD DS
Management Policy overview
Password policy overview
Using One Identity password policies
Using fine-grained password policies
Applying multiple password policies
Using Password Policy Manager
Secure Password Extension overview
Locating Self-Service Site
reCAPTCHA overview
Obtaining Self-Service Site URL from service connection point
Changing the Self-Service Site URL on the Administration Site
Launching user notification
How reCAPTCHA works
How to use reCAPTCHA V2 on Password Manager sites
System requirements for using reCAPTCHA
References
User enrollment process overview
Questions and Answers policy overview
Password change and reset process overview
Resetting and changing password in connected systems
Enforcing password history when resetting password
Replicating password changes
Data replication
Phone-based authentication service overview
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring access to the Administration Site
Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site
Configuring access to the Helpdesk Site
General Settings
Specifying advanced settings for domain connection
Changing the domain management account
Removing a domain connection
Configuring Questions and Answers policy
Workflow overview
Custom workflows
Custom activities
Custom activity settings
Creating custom activities
Importing and exporting custom activities
Removing custom activities
Legacy Self-Service or Password Manager Self-Service Site workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode task
Legacy Self-Service and the Password Manager Self-Service Site activities overview
Helpdesk workflows
Authentication activities
Display CAPTCHA
Authentication methods
Authenticate with password
Authenticate with Q&A profile (random questions)
Authenticate with Q&A Profile (specific questions)
Authenticate with Q&A Profile (User-selected questions)
Authenticate with Defender
Authenticate with external provider
Authenticate with RADIUS Two-Factor Authentication
Authenticate via phone
Authenticate with passcode
Action activities
Register
Manage My Profile
Edit Q&A Profile
Reset Password in Active Directory
Changing passwords in Active Directory
Reset Password in Active Directory and Connected Systems
Changing password in Active Directory and connected systems
Reset password in connected systems through embedded connectors
Unlock account
Enable Account
Force user to change password at next logon
Subscribe to notifications
Lock Q&A Profile
Display user agreement
Restart workflow if error occurs
Issue BitLocker Recovery Key
Provide product feedback
Notification activities
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Verify User Identity
Enforce Update of Profile
Helpdesk Activities Overview
Notification activities
Customizing notifications
Email user if workflow succeeds
Email user if workflow fails
Email administrator if workflow succeeds
Email administrator if workflow fails
User enforcement rules
General Settings overview
Search and logon options
Importing and exporting configuration settings
Outgoing mail servers
Diagnostic logging
Scheduled tasks
Upgrading Password Manager
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Active Directory Sites
Maximum Password Age Policy Task
User Status Statistics Task
Clear Old Records from Reporting Database
Environment Health Checker Task
Update RADIUS server status
Web Interface customization
Instance reinitialization
Realm Instances
Domain Connections
Using domain connections
Specifying access account for domain connections
Changing the access account for domain connections
Specifying advanced settings for domain connection
Removing a domain connection
Extensibility features
RADIUS Two-Factor Authentication
Internal Feedback
Password Manager components and third-party applications
Unregistering users from Password Manager
Bulk Force Password Reset
Fido2 key management
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email templates
Upgrade requirements
About Secure Password Extension
Upgrading multiple instances of Password Manager
Upgrading Password Manager
Administrative Templates
In-place upgrade from 5.8.2 or later versions to 5.13.2
Manual upgrade from 5.9.x or later versions
Running the Migration Wizard
Modifying the service account
Converting Q&A Profiles
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Installing Administrative Templates
Configuring Administrative Templates
Updating Administrative Templates
Removing Administrative Templates
Secure Password Extension
Configuring access to the Self-Service Site from the Windows login screen
Deploying and configuring Secure Password Extension
Password Policies
Deploying Secure Password Extension
Configuring Secure Password Extension
Managing Secure Password Extension using Administrative Templates
Uninstalling Secure Password Extension
About Password Policies
Installing Password Policy Manager
Uninstalling Password Policy Manager
Creating and Configuring a Password Policy
Managing Password Policy scope
Deleting a Password Policy
Enable 2FA for administrators and helpdesk users
Reporting
Reporting and User Action History overview
Password Manager integration
Accounts used in Password Manager
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Setting up Reporting environment
Best practices for configuring Reporting Services
Password Manager Service account
Application pool identity
Domain management account
Password policy account
Account for using One Identity Quick Connect
Open communication ports for Password Manager
Customization options overview
Customization of steps in Legacy Self-Service, Password Manager Self-Service Site, and Helpdesk Tasks
Email notification customization
User agreement customization
Account search options customization
Web Interface customization
Customization of Password Policies list
Customization of Password strength meter
Customization of user name
Feature imparities between the legacy and the new Self-Service Sites
Third-party contributions
Glossary
Replicating password changes
Password Manager architecture > Password change and reset process overview > Replicating password changes
Data replication
This section provides information on how Password Manager stores and replicates data.
Storing data
There are two types of data stored by Password Manager: Password Manager configuration data, and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.
Q&A profiles are stored in the attribute of a user account in Active Directory that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance. For more information, see Instance reinitialization.
Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.
-
Shared.storage: This file contains configuration data that is shared among all instances of a realm: management policies, general settings, domain connections, custom activities and workflows, instance settings, and so on.
-
Local.storage: This file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.
-
LocalizationStorage: This folder contains the user interface texts localized in several languages.
Replicating data
If you install a realm (several Password Manager instances sharing the same configuration), changes in the configuration of one instance are automatically propagated to other instances. To propagate the data, Password Manager replicates the data from the shared.storage file and the LocalizationStorage folder to Active Directory.
Before being written to Active Directory, the data is split into several segments and archived.
To distribute the configuration data from one instance to another, Password Manager uses a scheduled task and the PMReplication container in a managed domain to which the data is copied. The PMReplication container is a container that is automatically created in the Users container of the managed domain. To this container, containers for each Password Manager realm are added.
Names of these containers correspond to the realm affinity id. Each realm container has the containers for every instance belonging to this realm. Names of instance containers correspond to the instance id.
In the instance container, several user accounts are created. The number of user accounts is one more than the number of data segments. For example, if there are 20 data segments, then the instance container has 21 user accounts. Note that the created user accounts are disabled.
The same attribute that you specify for storing users’ Q&A profiles is used to store the configuration data segments. The first user account stores the data replica id, all other accounts store the data segments.
Replication mechanism analyses all data segments from all instances, selects data with the latest changes, and propagates it.
|
|
Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss. |
Note that the domain management account must have the permission to create user accounts and containers in the Users container for configuration data to be replicated. For more information on configuring the domain management account, see Configuring permissions for domain management account.