If a user is found in the scopes of a default domain password policy, a fine-grained password policy, and a One Identity password policy, the applicable policy is selected in the following algorithm. The default domain policy is ignored. The rules from the fine-grained and One Identity policies are merged with the strictest value selected for each rule.
If a user is found in the scopes of several fine-grained password policies, the applicable policy is selected automatically in Active Directory.
If a user is found in the scopes of several One Identity password policies, then the policy with the highest priority is applied to the user. Note that priority can be changed for policies with the same scope.
Password Policy Manager is a separate component of Password Manager that allows enforcing One Identity password policy rules when users change or reset passwords by means other than the Self-Service Site.
For example, you have configured a One Identity password policy for users from domain My Domain. When users from this domain change or reset passwords on the Self-Service Site (the user on the left in the diagram below), the configured One Identity password policy is applied, and corresponding policy rules are displayed. This happens because Password Policy Manager is always available with the Password Manager service. But when users try to change or reset passwords by pressing Ctrl+Alt+Delete, for example (the user on the right in the diagram below), the configured One Identity password policy will not be enforced.
To enforce the configured One Identity password policy in cases when users change or reset passwords not via the Self-Service Site, you must install Password Policy Manager on all domain controllers in the domain. In the case when Password Policy Manager is installed on domain controllers in the managed domain, when the same users change or reset password by pressing Ctrl+Alt+Delete, the One Identity password policy will be applied.
Therefore, if users from your managed domain change or reset their password on the Self-Service Site only, you do not need to install Password Policy Manager on all domain controllers in the domain. But if you want to ensure that password policies are enforced when users change or reset passwords by means other than the Self-Service Site, you must install Password Policy Manager on all domain controllers in the domain.
For more information on how to install Password Policy Manager, see Installing Password Policy Manager.
This section explains how Secure Password Extension locates the Self-Service Site and launches notification dialogs on end-user computers that remind users to create or update their Questions and Answers profiles.
By default, Secure Password Extension uses a URL from a service connection point to locate the Self-Service Site. You can also override the default URL published in the service connection point by specifying a different URL in the General Settings of the Administration Site or by specifying a different URL in the supplied administrative template and applying the template to selected users.
For more information, see: