By default, access to the Administration Site is granted only to domain users from AD who are members of the local Administrators group, and to members of the PMAdmin group, which is created during Password Manager installation.
NOTE: The account that you specified as the Application Pool Identity when installing Password Manager is automatically added to the PMAdmin group.
IMPORTANT: Make sure to grant access to the Administration Site only to the most trustworthy people, since managing the Password Manager configuration may require dealing with user-sensitive information.
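Because Administration Site access follows membership of the two local groups named above, a periodic review of who is actually in them is the practical check. The following script is an added example, not part of the Password Manager documentation: run on the Password Manager server, it lists the members of the local Administrators and PMAdmin groups and flags any principal not on an allow-list you maintain. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later); the names in $expected are constructed placeholders.

```powershell
# Added example (not from the Password Manager documentation). Enumerates the
# two local groups that grant Administration Site access and flags members that
# are not on the expected allow-list. Requires Microsoft.PowerShell.LocalAccounts.

$groups = @('Administrators', 'PMAdmin')

# Constructed allow-list of principals that should have Administration Site
# access in this environment; replace with your own (placeholder names).
$expected = @('CONTOSO\PMSvc', 'CONTOSO\PM-Admins')

$report = foreach ($g in $groups) {
    Get-LocalGroupMember -Group $g -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Group      = $g
            Member     = $_.Name
            Class      = $_.ObjectClass        # User or Group
            Source     = $_.PrincipalSource    # Local, ActiveDirectory, ...
            Unexpected = ($expected -notcontains $_.Name)
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

$unexpected = @($report | Where-Object Unexpected)
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} principal(s) outside the expected list can reach the Administration Site:" -f $unexpected.Count)
    $unexpected | ForEach-Object { Write-Warning ("  {0} via {1}" -f $_.Member, $_.Group) }
}
```

Get-LocalGroupMember reports a nested domain group as a single entry; since every member of that group inherits the access, expand such entries with Get-ADGroupMember -Recursive before deciding the list is acceptable.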
To configure access to the Legacy Self-Service Site or the Password Manager Self-Service Site, you need to configure a user scope for the Management Policy you want to use. The workflows and secret questions that you configure for the Management Policy will apply only to the user scope of this Management Policy. You can add groups from different domains to a single user scope.
For more information, see Configuring user scope.
In Password Manager you can easily delegate administrative tasks to dedicated Helpdesk operators. By configuring the Helpdesk scope you select groups of Helpdesk operators who will have access to the Helpdesk Site. The Helpdesk Site handles typical tasks performed by Helpdesk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and so on.
Members of the Helpdesk scope are allowed to access the Helpdesk Site and manage users from the user scope of the same Management Policy only.
You can also restrict groups of Helpdesk operators from accessing the Helpdesk Site.
To configure a Helpdesk scope, you first add a domain connection to the scope and then specify groups from the selected domain.
To manage all domain connections from a single place, click General Settings > Domain Connections on the Administration Site. For more information, view Domain Connections.
To add a domain connection
- Open the Administration Site by entering the Administration Site URL in the address bar of your browser. By default, the URL is http://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed.
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, click Add domain connection.
- If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.
- If you chose to create a new domain connection, in the Add New Domain Connection dialog, configure the following options:
  - In the Domain name text box, type the name of the domain that you want to add to the Helpdesk scope.
  - In the Domain alias text box, type the alias that will be used to address the domain on the Self-Service Site. This field is required because you can reuse the domain connection in the user scope.
  - To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Domain management account, and then enter the user name and password for the domain management account. Note that if the Password Manager Service account is used to access the domain, it must have the same permissions as the domain management account.
    For information on how to prepare a domain management account, see Configuring permissions for domain management account.
- Click Save.
To specify groups or OUs that are allowed to access the Helpdesk Site
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do the following:
  - To specify the groups, click Add under Groups allowed access to the Helpdesk Site.
  - To specify the OUs, click Add under Organizational Units allowed access to the Helpdesk Site.
- Click Save.
To specify groups or OUs that are denied access to the Helpdesk Site
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do the following:
  - To specify the groups, click Add under Groups denied access to the Helpdesk Site.
  - To specify the OUs, click Add under Organizational Units denied access to the Helpdesk Site.
- Click Save.
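Before saving an allowed or denied list, it helps to know which accounts those groups and OUs actually resolve to, and whether any account lands on both sides. The script below is an added example, not part of the Password Manager documentation or product: it expands the groups (following nested membership) and OUs for each side with the RSAT ActiveDirectory module and reports overlaps. The group and OU names are constructed placeholders, and the script deliberately does not assume how Password Manager resolves an account that is both allowed and denied; it only surfaces such cases for you to verify.

```powershell
# Added example, not part of the Password Manager documentation. Resolves the
# principals a Helpdesk scope's allowed/denied groups and OUs cover and reports
# accounts that appear on both sides. Requires the ActiveDirectory module (RSAT).
# All group and OU names are constructed placeholders for this example.

Import-Module ActiveDirectory

$allowedGroups = @('Helpdesk-Tier1')                    # placeholder
$allowedOUs    = @('OU=Helpdesk,DC=contoso,DC=com')     # placeholder
$deniedGroups  = @('Helpdesk-Contractors')              # placeholder
$deniedOUs     = @()                                    # placeholder

function Expand-ScopeSide {
    param([string[]]$Groups, [string[]]$OUs)
    # Map SamAccountName -> the entry (group or OU) that brought the user in.
    $users = @{}
    foreach ($g in $Groups) {
        # -Recursive follows nested groups, which is how the access propagates.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $users[$_.SamAccountName] = "group:$g" }
    }
    foreach ($ou in $OUs) {
        Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree |
            ForEach-Object { $users[$_.SamAccountName] = "ou:$ou" }
    }
    return $users
}

$allowed = Expand-ScopeSide -Groups $allowedGroups -OUs $allowedOUs
$denied  = Expand-ScopeSide -Groups $deniedGroups  -OUs $deniedOUs

"{0} account(s) would be allowed, {1} denied" -f $allowed.Count, $denied.Count

# Accounts present on both sides: confirm how Password Manager resolves them
# before saving the scope (this script assumes no precedence rule).
$conflicts = @($allowed.Keys | Where-Object { $denied.ContainsKey($_) })
foreach ($u in $conflicts) {
    Write-Warning ("{0}: allowed via {1}, denied via {2}" -f $u, $allowed[$u], $denied[$u])
}

# Hygiene check: highly privileged accounts normally have no business acting
# as Helpdesk operators, so flag Domain Admins the allowed side would cover.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$allowed.Keys | Where-Object { $domainAdmins -contains $_ } |
    ForEach-Object { Write-Warning "$_ is a Domain Admin and would get Helpdesk Site access" }
```

Run it from a workstation or server that has RSAT installed and an account with read access to the directory; the OU expansion uses a subtree search, so child OUs are included just as they would be when the OU is added to the scope.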
After you have created a domain connection, you can specify advanced settings for the connection: domain controllers and Active Directory sites of the managed domain. For more information about domain controllers, see Domain Controller.
To specify domain controllers
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify domain controllers and click Edit.
- On the Helpdesk Scope Settings for #Domain# page, click Edit.
- On the Advanced settings tab of the Edit Domain Connection dialog, click Add under the domain controllers table, select the required domain controllers, and click Add.
- Click Save and select how you want to apply the updated settings: either to this Helpdesk scope only, or everywhere this domain connection is used.