After you specify the Active Directory sites in which you want to push changes, you can also select what kind of changes to propagate. The following options are available:
- Propagate changes related to the user’s account in Active Directory.
- Propagate changes related to the user’s Questions and Answers profile.
- Propagate password-related changes.
To add a domain connection
- On the home page of the Administration Site, click the General Settings > Domain Connections tab.
- Click Add domain connection to add a domain connection.
- In the Add New Domain Connection dialog, configure the following options:
  - In the Domain name text box, type the name of the domain that you want to add.
  - In the Domain alias text box, type the alias for the domain which will be used to address the domain on the Self-Service Site. This field is required because you can use the domain connection in the user scope.
  - To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Specified user name and password, then enter the user name and password in the corresponding text boxes.
    NOTE: If you use the Password Manager Service account to access the domain, make sure it has the required permissions.
- Click Save.
IMPORTANT: After you create a domain connection on the General Settings > Domain Connections tab, you can use it in the user scope, helpdesk scope and password policies by selecting the connection in the Add Domain Connection dialog on the corresponding page of the Administration Site.
For example, to use the domain connection in the user scope of your Management Policy, open the user scope of this Management Policy, click Add domain connection, and select the corresponding connection from the list.
Secret questions are the main part of the Questions and Answers policy, which authenticates users on the Self-Service Site before they can perform any self-service tasks.
To create secret questions in the default language
- Open the Administration Site by typing the Administration Site URL in the address bar of your web browser. By default, the URL is http(s)://<computer-name>/PMAdmin/.
- On the Administration Site home page, click the Add secret questions link under the Management Policy you want to configure.
- On the Configure Questions and Answers Policy page, select the default language for secret questions by clicking the language link in the Default language option.
- Under Question List, click the Edit questions link to specify mandatory, optional and helpdesk questions in the default language.
- In the Edit Questions in the Default Language dialog, specify mandatory, optional and helpdesk questions.
- Change the order of the questions by clicking the appropriate links.
- Click Save to save the questions and close the dialog.
NOTE: Modifying a question list does not affect existing personal Questions and Answers profiles unless the users have to update their profiles as a result of the enforcement rules that require users to update Q&A profiles when the question list is modified. For more information on the enforcement rules, see the Password Manager Administration Guide.
Configuring Helpdesk Scope
To configure a helpdesk scope, you first need to add a domain connection to the scope, and then specify groups from the selected domain. By configuring the helpdesk scope, you select the groups of helpdesk operators who will have access to the Helpdesk Site. The Helpdesk Site handles typical tasks performed by helpdesk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and others. Members of the helpdesk scope are allowed to access the Helpdesk Site and manage users from the user scope of the same Management Policy only. You can also restrict groups of helpdesk operators from accessing the Helpdesk Site.
To add a domain connection
- Open the Administration Site by entering the Administration Site URL in the address bar of your web browser. By default, the URL is http://<computer-name>/PMAdmin, where <computer-name> is the name of the computer on which Password Manager is installed.
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, click Add domain connection.
- If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.
- If you chose to create a new domain connection, in the Add New Domain Connection dialog, configure the following options:
  - In the Domain name text box, type the name of the domain that you want to add to the helpdesk scope.
  - In the Domain alias text box, type the alias for the domain which will be used to address the domain on the Self-Service Site. This field is required because you can reuse the domain connection in the user scope.
  - To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Specified user name and password, then enter the user name and password in the corresponding text boxes.
    NOTE: If you use the Password Manager Service account to access the domain, make sure it has the required permissions.
- Click Save.
To specify groups or OUs that are allowed to access the Helpdesk Site
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do the following:
  - To specify the groups, click Add under Groups allowed access to the Helpdesk Site.
  - To specify the OUs, click Add under Organizational Units allowed access to the Helpdesk Site.
- Click Save.
To specify groups or OUs that are denied access to the Helpdesk Site
- On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do the following:
  - To specify the groups, click Add under Groups denied access to the Helpdesk Site.
  - To specify the OUs, click Add under Organizational Units denied access to the Helpdesk Site.
- Click Save.
After you have created a domain connection, you can specify advanced settings for the connection: domain controllers and Active Directory sites of the managed domain.
To specify domain controllers
- On the Administration Site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, select the domain connection for which you want to specify domain controllers and click Edit.
- On the User Scope Settings for #Domain# page, click Edit.
- On the Advanced settings tab of the Edit Domain Connection dialog, click Add under the domain controllers table, select the required domain controllers, and click Add.
- Click Save and select how you want to apply the updated settings. You can either apply the new settings for this user scope only, or everywhere this domain connection is used.