To create a password policy, you first need to add a connection to the domain to which the policy will be applied.
IMPORTANT: By default, native Windows domain policies are not displayed on the Self-Service Site when resetting or changing password. To display these policies, you must add the required domain on the Password Policies tab of the Administration Site.
The account you use to access the domain for which you want to create password policies must have the following permissions:
- The Read permission for the attributes of groupPolicyContainer objects.
- The Write permission to create and delete groupPolicyContainer objects in the System\Policies container (CN=Policies,CN=System).
- The Read permission for the nTSecurityDescriptor attribute of groupPolicyContainer objects.
- The permission to create and delete container and serviceConnectionPoint objects in Group Policy containers.
- The Read permission for the attributes of container and serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the serviceBindingInformation and displayName attributes of serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the following attributes of msDS-PasswordSettings objects:
  - msDS-LockoutDuration
  - msDS-LockoutThreshold
  - msDS-MaximumPasswordAge
  - msDS-MinimumPasswordAge
  - msDS-MinimumPasswordLength
  - msDS-PasswordComplexityEnabled
  - msDS-PasswordHistoryLength
  - msDS-PasswordReversibleEncryption
  - msDS-PasswordSettingsPrecedence
  - msDS-PSOApplied
  - msDS-PSOAppliesTo
  - name
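The Write permissions on msDS-PasswordSettings objects listed above can be audited, and granted if missing, with the following PowerShell script. It is an added example, not One Identity's code: it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, uses a hypothetical account name CORP\svc-pwm, and covers only the msDS-PasswordSettings attributes, not the groupPolicyContainer and serviceConnectionPoint permissions.

```powershell
# Added example (not One Identity's code): audit, and with -Grant repair, the
# attribute-level Write permissions on msDS-PasswordSettings objects that the
# domain-connection account needs. The account name is an assumption.
#Requires -Modules ActiveDirectory
param(
    [string]$Account = 'CORP\svc-pwm',   # assumed service account; adjust
    [switch]$Grant                       # without it the script only reports
)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$psoPath  = "AD:\CN=Password Settings Container,CN=System,$domainDN"

# The attributes from the permissions list above.
$attrs = 'msDS-LockoutDuration','msDS-LockoutThreshold','msDS-MaximumPasswordAge',
         'msDS-MinimumPasswordAge','msDS-MinimumPasswordLength',
         'msDS-PasswordComplexityEnabled','msDS-PasswordHistoryLength',
         'msDS-PasswordReversibleEncryption','msDS-PasswordSettingsPrecedence',
         'msDS-PSOApplied','msDS-PSOAppliesTo','name'

# Property-specific ACEs identify the attribute (ObjectType) and the class that
# inherits them (InheritedObjectType) by schemaIDGUID, so resolve those first.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    New-Object Guid (,[byte[]]$o.schemaIDGUID)
}
$psoClassGuid = Get-SchemaGuid 'msDS-PasswordSettings'
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path $psoPath
$missing = @()
foreach ($attr in $attrs) {
    $attrGuid = Get-SchemaGuid $attr
    # Satisfied by an Allow ACE for this principal that carries WriteProperty,
    # is inheritable by child objects, and is either specific to this attribute
    # or unscoped (ObjectType = empty GUID = all properties). Only ACEs naming
    # the account itself are matched; rights that arrive through group
    # membership are not resolved here.
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in @($Account, $sid.Value) -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    if ($hit) { "OK       $attr" } else { "MISSING  $attr"; $missing += $attrGuid }
}

if ($Grant -and $missing.Count -gt 0) {
    foreach ($g in $missing) {
        # Allow WriteProperty on this single attribute, inherited by descendant
        # msDS-PasswordSettings objects only (not applied to the container itself).
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $g,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $psoClassGuid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $psoPath -AclObject $acl
    "Granted $($missing.Count) missing ACE(s) on $psoPath"
}
```

Run it once without -Grant to see which attributes lack an explicit ACE, and only then with -Grant from an account that can modify the container's security descriptor. The ACEs it creates are scoped to one attribute each and inherited only by msDS-PasswordSettings objects, which is the least-privilege shape of what the list above asks for; if the account already receives these rights through a group, the audit will report them as missing because it does not expand group membership.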
To add a domain connection
- On the home page of the Administration Site, click the Password Policies tab.
- Click Add domain connection to add a domain for which you want to create password policies. If domain connections already exist, you can instead select an existing domain connection from the list.
- If you chose to create a new domain connection, in the Add New Domain Connection dialog, configure the following options:
  - In the Domain name text box, enter the name of the domain that you want to add.
  - In the Domain alias text box, enter the alias that will be used to address the domain on the Self-Service Site. This field is required because the domain connection can be reused in the user scope.
  - To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Specified user name and password and enter the user name and password in the corresponding text boxes. Note that if the Password Manager Service account is used to access the domain, it must have the permissions listed above.
- Click Save.
For more information on modifying settings for the domain connection, see Domain Connections.
To create a domain password policy
- On the home page of the Administration Site, click the Password Policies tab.
- Click the <N> One Identity Password Policies or One Identity Password Policies are not configured link under the domain that you want to manage.
- On the One Identity Password Policies for Domain <DomainName> page, click Add a policy.
- In the Add New Policy dialog, type a name for the new policy and click Save.
To configure settings for a password policy
- On the home page of the Administration Site, click the Password Policies tab.
- Click the <N> One Identity Password Policies link under the domain connection that you want to manage.
- On the One Identity Password Policies for Domain <DomainName> page, click Edit under the policy whose properties you want to view or modify.
- On the Policy Settings tab of the Password Policy Properties dialog, view or modify the following options, and then click Save:

Option | Description
Disable this policy | Select this check box to temporarily turn off the policy.
Domain | View the name of the managed domain to which this policy is linked.
Policy name | View or modify the name of the password policy.

- Click the Policy Rules tab to configure the password policy rules by using the procedure outlined in Configuring Password Policy Rules, and then click Save.
- Click the Policy Scope tab to manage the password policy links by using the procedure outlined in Managing Password Policy scope, and then click Save.
IMPORTANT: Password Manager password policies do not override domain security settings. Both the Password Manager password policy and the domain security settings are enforced, so a new password must satisfy both.
If you are running Microsoft Windows Server 2016 or later, Password Manager lets you configure and use not only One Identity Password Policies but also Windows fine-grained password policies. For Windows fine-grained password policies you can, among other options, configure the policy precedence that defines the order in which the fine-grained password policies are applied. Note that when configuring the scope of these password policies, you can apply them only to groups in the managed domain.
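The precedence and group-only scoping described above are Active Directory behaviour, so the resulting policy for a user can be checked outside Password Manager. The following PowerShell script is an added example, not One Identity's code: it creates two fine-grained password policies with different precedence values, scopes each to a group (the page states that Password Manager applies these policies to groups only), and then asks the domain which one a user who is a member of both groups actually receives. The group names, user name and policy values are assumptions.

```powershell
# Added example (not One Identity's code): two group-scoped fine-grained
# password policies with different precedence, and a check of which one wins
# for a user in both groups. Names and values below are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$user = 'jdoe'   # assumed: a member of both groups below

# Lower Precedence wins when several group-scoped PSOs apply to the same user.
$policies = @(
    @{ Name = 'PSO-AllStaff'; Precedence = 100; Subject = 'All Staff';     MinLen = 12 },
    @{ Name = 'PSO-Admins';   Precedence = 10;  Subject = 'Domain Admins'; MinLen = 20 }
)

foreach ($p in $policies) {
    $pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'" -Properties AppliesTo
    if (-not $pso) {
        # LockoutObservationWindow must not exceed LockoutDuration, so keep them equal.
        $pso = New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLen -ComplexityEnabled $true `
            -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
            -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -ReversibleEncryptionEnabled $false -PassThru
        $pso = Get-ADFineGrainedPasswordPolicy -Identity $pso.DistinguishedName -Properties AppliesTo
    }
    # Scope the PSO to the group (msDS-PSOAppliesTo) unless it is already linked.
    $groupDN = (Get-ADGroup -Identity $p.Subject).DistinguishedName
    if ($pso.AppliesTo -notcontains $groupDN) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso.DistinguishedName -Subjects $groupDN
    }
}

# Authoritative answer: the PSO the domain controller resolves for this user.
# Returns nothing when no PSO applies and the default domain policy is in force.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    "Effective PSO for ${user}: $($effective.Name) (precedence $($effective.Precedence), min length $($effective.MinPasswordLength))"
} else {
    "No PSO applies to ${user}; the default domain password policy is in force"
}

# Candidate PSOs by direct group membership, ordered the way AD ranks them.
# This view ignores nested groups and PSOs linked directly to the user object,
# both of which the resultant-policy query above does take into account.
$groups = (Get-ADPrincipalGroupMembership -Identity $user).DistinguishedName
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Where-Object { @($_.AppliesTo | Where-Object { $groups -contains $_ }).Count -gt 0 } |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength
```

With the values above, jdoe receives PSO-Admins because its precedence value (10) is lower than that of PSO-AllStaff (100), even though both groups are in scope. Get-ADUserResultantPasswordPolicy is the authoritative check after changing precedence or scope in Password Manager; the final query only lists the candidates so that an unexpected winner can be traced back to the group that brought it in.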