The Questions and Answers policy allows you to create secret questions and specify Q&A profile settings. Secret questions are questions to which users provide answers when registering with Password Manager. Using the Q&A profile settings, you can specify requirements for users' questions and answers. For example, you can prevent users from using the same answer for multiple questions.
Q&A policy settings affect the user authentication and registration enforcement process. For more information, see Questions and Answers Policy Overview.
Secret questions are questions to which users provide their own answers, thus creating a personal Questions and Answers profile. Before users can register with Password Manager by creating their personal Questions and Answers profiles, you must configure a question list containing the questions that will be presented to users.
You can create the question list in several languages, so that users can select a preferred language of questions and answers.
Password Manager uses personal Questions and Answers profiles as an authentication method to allow users and helpdesk operators to manage user passwords in AD LDS instances and in multiple connected systems. A Q&A profile, or personal profile, is a set of questions specified by the Password Manager administrator, to which users must provide their secret answers that can later be used to authenticate the users. You can also require users to specify their own questions in their personal profiles. Then, users can securely reset their passwords or unlock their accounts by answering a series of questions from their personal profiles.
You can set requirements for answers that users specify in their Questions and Answers profiles. For example, you can prevent users from specifying the same answer for different questions, or set a minimum answer length. For more information, see Configuring Q&A Profile Settings.
Password Manager allows you to specify criteria for recognizing users' Questions and Answers profiles as not compliant with the current password management settings. This is essential if you want users to update their profiles each time Q&A policy settings are changed. Helpdesk operators can force users to update their Q&A profiles if the profiles do not comply with the current Q&A policy.
For information on how to enforce update of Q&A profiles, see User Enforcement Rules.
Secret questions can contain the following types of questions:
Table 7: Secret questions

| Question type | Description |
|---|---|
| Mandatory questions | Questions of this type are an integral part of a user's Q&A profile. Users must provide an answer to each of these questions. These questions can be stored using reversible encryption or hashed. |
| Optional questions | Users can select what optional questions to answer. Administrator specifies only the number of questions that users must answer. These questions can be stored using reversible encryption or hashed. |
| Helpdesk questions | Security questions used by helpdesk to verify user's identity before performing password- and account management tasks. These questions are always stored using reversible encryption. |
| User-defined | Questions that must be created by the user. |

For users to be able to create their personal Questions and Answers profiles, you must specify at least one secret question.
To create secret questions in the default language
- Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.
- On the Administration site home page, click the Q&A Policy link under the Management Policy you want to configure.
- On the Configure Questions and Answers Policy page, select the default language for secret questions by clicking the language link in the Default language option.
- Under Question List, click the Edit questions link to specify mandatory, optional and helpdesk questions in the default language.
- In the Edit Questions in the Default Language dialog box, specify mandatory, optional and helpdesk questions.
- Change the order of the questions by clicking the appropriate links.
- Click Save to save the questions and close the dialog box.
IMPORTANT: If you add a question to the question list in the default language, all translations of the question list will not be configured until you change them accordingly. This means that users will not be able to use the disabled languages for creating Q&A profiles. If you remove a question from the question list in the default language, this question will be automatically removed from translations of the question list.

IMPORTANT: Modifying a question list does not affect existing personal Questions and Answers profiles unless the users have to update their profiles as a result of the enforcement rules that require users to update Q&A profiles when the question list is modified. For more information on the enforcement rules, see User Enforcement Rules.
To translate secret questions
- Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.
- On the Administration site home page, click the Q&A Policy link under the Management Policy you want to configure.
- On the Configure Questions and Answers Policy page, under Question List, click the Translate questions link.
- In the Select Additional Language dialog box, select an additional language for secret questions.
- In the Translate Questions dialog box, translate mandatory, optional and helpdesk questions from the default language into the additional language.
- To change the language, click the Change language link.
- To temporarily hide secret questions in the selected language, select the Make questions in this language unavailable to users check box. This setting will prevent users from creating or updating their Q&A profiles using the question list in this language.
- Click Save to save changes and close the dialog box.
IMPORTANT: If you delete the translated question list, all users who have created their Questions and Answers profiles will be forced to update their Q&A profiles, if you have configured the enforcement rule. For more information, see Invite Users to Create/Update Profiles.
Editing and Deleting secret questions
Only questions that have been added in the default language can be translated.
To delete questions of a default language
- Open the Administration site by typing the Administration site URL in the address bar of your web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.
- On the Administration site home page, click the Q&A Policy link under the Management Policy.
- On the Configure Questions and Answers Policy page, click Edit questions under Question List. The Edit Questions in the Default Language page appears.
- Click X against the question that has to be deleted, and then click Save.
To delete questions of a specific language
- Open the Administration site by typing the Administration site URL in the address bar of your web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.
- On the Administration site home page, click the Q&A Policy link under the Management Policy.
- On the Configure Questions and Answers Policy page, click the language for which the questions have to be deleted. The Translate Questions page appears.
- Click Delete questions, and then click OK.
To edit questions of a default language
- On the home page of the Administration site, click the Q&A Policy link under the Management Policy.
- On the Configure Questions and Answers Policy page, under Questions List, click the Edit questions link.
- In the Edit questions in the Default Language page, edit the required question.
- Click Save.
To edit questions of a specific language
- On the home page of the Administration site, click the Q&A Policy link under the Management Policy.
- On the Configure Questions and Answers Policy page, navigate to the Translations: section and click the language for which the questions have to be edited.
- In the translated text box against each of the questions, edit the required question.
- Click Save.
NOTE:
- Q&A Policy supports multiple languages. The Password Manager administrator must configure the required languages for users to see them on the Self-Service site.
- The Change language link appears on the Self-Service site only when the Password Manager administrator has translated the questions into the required languages.

Q&A profile settings allow you to define settings and requirements for users' questions and answers. For example, you can prevent users from using the same answer for multiple questions. Questions and answers that do not comply with the policy will not be accepted.
To configure Questions and Answers policy
- Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/PMAdminADLDS/.
  NOTE: When prompted to log in, provide your domain user name in a domainname\username format.
- On the Administration site home page, click the Q&A Policy link under the Management Policy you want to configure.
- On the Configure Questions and Answers Policy page, click the Q&A profile settings link.
- In the Q&A Profile Settings dialog box, specify the following options:
Table 8: Questions and Answers profile settings

| Section | Option | Description |
|---|---|---|
| Question Settings | Users must answer this number of optional questions to register | Set the required number of optional questions that a user must answer to create a Questions and Answers profile. |
| Question Settings | Users must answer this number of user-defined questions to register | Set the required number of user-defined questions that a user must specify to create a Questions and Answers profile. |
| Question Settings | Minimum length of user-defined questions | Set the minimum number of characters that user-defined questions can contain. |
| Answer Settings | Minimum length of answers | Set the minimum number of characters that users' answers can contain. |
| Answer Settings | Reject the same answers for different questions | Select to prevent users from specifying the same answers for different questions. |
| Answer Settings | Reject answers that contain corresponding questions | Select to prevent users from specifying answers that contain corresponding questions. |
| Answer Settings | Store answers using reversible encryption | Select to store users' answers using reversible encryption. If you do not select this option, answers to mandatory, optional and user-defined questions are hashed. Note that answers to helpdesk questions are always stored using reversible encryption, even if this option is not selected. |
| Security Settings | Allow users to hide their answers | Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks. |
| Security Settings | Hide users' answers by default | Select this check box to have Password Manager display users' answers as asterisks while they are typing in their answers. |
| Security Settings | Do not require users to confirm answers if answers are hidden | Select this check box to allow users to enter their answers only once, if answers are hidden. |

- Click Save.
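
The answer settings in Table 8 can be read as three checks plus a storage choice. The following is an added illustration, not Password Manager code: the policy keys, the normalization step, the PBKDF2 parameters and the sample profile are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Hypothetical policy keys mirroring three Table 8 answer settings (assumed values).
POLICY = {"min_answer_length": 4, "reject_same_answers": True,
          "reject_answer_containing_question": True}

def normalize(text):
    """Assumption: fold Unicode form, case and whitespace before comparing."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def validate_profile(qa_pairs, policy=POLICY):
    """Return (violation, question) tuples for a list of (question, answer)."""
    errors, seen = [], set()
    for question, answer in qa_pairs:
        q, a = normalize(question), normalize(answer)
        if len(a) < policy["min_answer_length"]:
            errors.append(("too_short", question))
        if policy["reject_same_answers"] and a in seen:
            errors.append(("duplicate_answer", question))
        seen.add(a)
        if policy["reject_answer_containing_question"] and q and q in a:
            errors.append(("contains_question", question))
    return errors

def hash_answer(answer, salt=None, iterations=200_000):
    """Hashed storage: random per-answer salt with PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return salt, iterations, digest

def verify_answer(candidate, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = stored
    return hmac.compare_digest(hash_answer(candidate, salt, iterations)[2], digest)

# Constructed sample profile, not real user data.
SAMPLE = [("First pet's name?", "Rex"),
          ("City of birth?", "Lisbon"),
          ("Favourite city?", " LISBON "),
          ("Mother's maiden name?", "mother's maiden name? smith")]

if __name__ == "__main__":
    print(validate_profile(SAMPLE))
    stored = hash_answer("Lisbon")
    print(verify_answer(" lisbon ", stored), verify_answer("Porto", stored))
```

A hashed answer can be checked against a candidate but cannot be read back, whereas an answer stored with reversible encryption can be decrypted by anything that holds the key.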