Yes, older SPE versions can communicate with Password Manager, but only in a very limited capacity.
The only option available for older SPE clients is the “Forgot My Password” link on the Windows logon screen. Options such as Registration are not supported.
To accommodate this scenario, use any of the following options:
- Leave one old Password Manager server live so that the old SPE clients can still reach it.
- Create a GPO using the Password Manager ADM template to force the Self Service URL to the new server.
|NOTE: Older SPE clients will work with the new Self Service site, but only if URL redirection is enabled.|
- Update DNS so that the old Password Manager server's record points to the new server IP.
It is recommended to upgrade the SPE clients as soon as possible to avoid this overlap.
Once you upgrade to 5.9.7, it is not possible to roll back due to the security enhancements implemented. The configuration is encrypted in a new manner, along with all of the user profiles.
The only possible rollback option is to use a product such as Quest Recovery Manager for Active Directory (RMAD) to back up prior to upgrading, and then restore the "comment" attribute for all users after you have restored the Password Manager configuration to the pre-upgrade version.
Password Policy Manager must also be upgraded on all Domain Controllers. Note that the Domain Controllers must be rebooted.
|NOTE: Although older versions of components such as the SPE and Password Policy Manager may work with later Password Manager server versions, this has not been fully tested and is not officially supported.|