Chatta subito con l'assistenza
Chat con il supporto

Password Manager 5.13.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring access to the Administration Site Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Reset Password in Active Directory

This is a core activity of the Forgot My Password workflow. The activity allows users to reset passwords in Active Directory only. If you want to enable users to reset passwords in several systems, configure the Reset password in Active Directory and connected systems, Reset password in connected systems through embedded connectors(Preview) activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Reset Password in Active Directory and Connected Systems.

In this activity you can configure the Enforce password history option. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings.

Before selecting this option, you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:

  • Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains.

  • Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.

The Use auto generated password option enables Helpdesk users to send the password via email or SMS to reset password.

The Use manual password option enables Helpdesk users to reset the password manually.

NOTE: Send password via SMS or email is the most secure password reset option in Password Manager. It is recommended to use this option in combination with Random characters of answers to the specified questions option from Authenticate with Q&A Profile for most secure password reset process. To use Random characters of answers to the specified questions configure Helpdesk questions.

The Enable QESSO integration option allows you to integrate Password Manager with Quest Enterprise Single Sign-On (QESSO) and notify QESSO about user’s password changes. For more information, see Quest Enterprise Single Sign-On (QESSO).

Select the Allow users to reset passwords offline option to enable users to use the Offline Password Reset functionality provided by Password Manager. This functionality allows resetting passwords when users have forgotten their current passwords and their computers are not connected to the intranet (Active Directory is not available).

This functionality is based on resetting user password in locally cached logon data. The security is provided by using the challenge-response mechanism that guarantees the following:

  • A user can reset the locally cached password only after resetting the password online on the Self-Service Site.

  • A user must specify the same password on the Self-Service Site and on the computer in the Offline Password Reset wizard.

When Offline Password Reset is enabled on users’ computers, a user must perform the following steps to reset his or her password:

  1. Open the Offline Password Reset wizard by clicking the corresponding link on the Windows login screen.

  2. In the wizard, enter the user name (this step is optional). Click Next.

  3. Open the Self-Service Site on a computer connected to the internet and find their account.

  4. Select the corresponding task to reset password.

  5. When performing the task, the user must specify a new password. When the task is successfully performed, a response code is displayed for the user.

  6. Then, in the Offline Password Reset wizard, the user must enter the response code and the new password the user specified on the Self-Service Site. Click Next.

  7. If the password is successfully reset, click Finish to close the wizard.

Enabling the Offline Password Reset functionality

  1. Install the Offline Password Reset component on target user computers via group policy. Use the OfflinePasswordReset_x64.msi or OfflinePasswordReset_x86.msi files located in the \Password Manager\Setup folder on the installation CD.

    NOTE: Secure Password Extension must be installed on target user computers, as well. For more information on installing Secure Password Extension, see Deploying and configuring Secure Password Extension.

  2. Set the required number of cached user login attempts. This is necessary because the Offline Password Reset functionality will be available only for users who have previously logged in on their computers. For more information on changing the number of cached login attempts, see Cached domain logon information. It is recommended to use the default value.

  3. Use the administrative template prm_gina.admx to turn on the Offline Password Reset functionality. The administrative template file is located in the \Password Manager\Setup\Template\Administrative Template\ folder of the installation CD. In the template, enable the following settings: Display the Offline Password Reset button (command link) and Set custom name for the Offline Password Reset button (command link) in <Language>. For more information on using the administrative template, see Managing Secure Password Extension using Administrative Templates.

  4. Use the Reset password in Active Directory activity in a required workflow and select the Allow users to reset passwords offline option.

  5. Save the workflow.

NOTE: Use the latest prm_gina.admx file by removing the older file from group policy.

To provide authentication during the Offline Password Reset procedure, a shared secret is used. The shared secret is stored locally on a user computer and its copy is published in Active Directory in the computer’s account during the first login if the computer is connected to the domain. By default, only domain administrators and the computer account have access to the shared secret. You can specify other users and groups who will have the permission to read the shared secret from the domain. To do it, use the Configure scope for accessing the shared secret in Active Directory setting in the administrative template. For more information on the administrative template, see Managing Secure Password Extension using Administrative Templates.

IMPORTANT: The domain management account must have the permission to read the shared secret from the domain for the Offline Password Reset functionality to work.

You can also use the Shared secret update period (hours) setting in the administrative template to specify how often the shared secret should be updated. The recommended value is every 24 hours. For more information on the administrative template, see Managing Secure Password Extension using Administrative Templates.

Reset Password in Active Directory and Connected Systems

Using this activity, you can configure Password Manager to use One Identity Quick Connect to reset passwords in connected systems. If used in conjunction with Quick Connect, Password Manager allows you to enable users and Helpdesk operators to manage passwords across a wide variety of connected systems. To be able to integrate Password Manager with Quick Connect, you must have a working knowledge of Quick Connect Sync Engine.

To enable Password Manager to set passwords in connected systems through a Quick Connect server, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server.

Before you can configure Password Manager to use a Quick Connect server for cross-platform password synchronization, you must do the following in Quick Connect:

  • Create a connection to the Active Directory domains managed by Password Manager.

  • Create connections to the systems you want Password Manager to synchronize passwords with.

  • Map users from the managed domains to users in the connected systems.

For more information on how to configure Quick Connect to set passwords in connected systems, see One Identity Quick Connect documentation.

To enable Password Manager for cross-platform password synchronization

  1. Include the Reset password in Active Directory and connected systems activity in a workflow and click the activity to edit its settings.

  2. In the Quick Connect server name text box, specify the IP address or the fully qualified domain name of the Quick Connect server.

  3. Select the account to be used to access the Quick Connect server. You can use either Password Manager Service account or specify another account.

    You can use either pre-Windows 2000 login name (such as DomainName\UserName) or User Principal Name (such as UserName@DomainName.com) to specify the user name.

  4. Specify how you want Password Manager to act when the Quick Connect server is unavailable. To do it, select one of the following and click Next:

    • Act as if no Quick Connect server was specified: Users can manage their passwords only in the Active Directory domain. No warnings are displayed to users if Quick Connect server is not available.

    • Alert users and allow them to reset passwords only in Active Directory: Users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in the Active Directory domain.

    • Do not allow users to reset passwords: Users cannot perform any password management tasks in the Active Directory domain and in connected data sources, if the Quick Connect server is not available.

  5. From the list of connected systems, select the systems in which you want to manage user passwords. For each selected system, specify the following options and click Next:

    • System alias

    • Reset password in this system independently from Active Directory: Select this option to allow users to reset their passwords in a connected system independently from Active Directory.

    • Do not allow resetting password in this system independently from Active Directory: Select this option to prevent users from resetting their passwords in a connected system independently from Active Directory. Note that if you select this option, a user’s password will be reset in the connected system only after the password has been successfully reset in Active Directory. If the user's password is not reset in Active Directory, it will be not reset in the connected system. Users can specify a different password for the connected system, if you select the Allow users to specify different password for this system option.

  6. To enforce password history in the Active Directory domains managed by Password Manager, select the Enforce password history check box. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings.

    NOTE: Before selecting this option, you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:

    • Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains.

    • Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.

  7. Select the Enable QESSO integration to integrate Password Manager with Quest Enterprise Single Sign-On (QESSO) and notify QESSO about user’s password changes. For more information, see Quest Enterprise Single Sign-On (QESSO).

  8. Click OK to close the wizard.

Unlock account

This activity is a core activity of the Unlock Account workflow. It allows helpdesk operators to unlock users’ accounts using the Helpdesk Site.

You do not need to configure any settings for this activity.

Enable Account

Use this activity to enable users’ disabled accounts. You can use the activity in different workflows. It is recommended to place this activity after authentication activities in a workflow.

NOTE: If you want to enable only the user accounts disabled through force enrollment, in the activity settings, select Enable user accounts disabled by force enrollment check box.

For example, to enable users with disabled accounts to reset passwords and enable their accounts, you can use the Enable Account activity in the Forgot My Password workflow:

  1. Authenticate user with Q&A profile.

  2. Enable account.

  3. Reset password in Active Directory.

  4. Restart workflow if error occurs.

  5. Email user if workflow succeeds.

  6. Email user if workflow fails.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione