Using the unregister feature, users registered to the Password Manager can be removed. Note that the user is removed only from the Password Manager and not Active Directory.
To unregister a user from the Password Manager
-
On the home page of the Administration Site, click General Settings > Unregister Users.
-
On the Unregister Users page:
-
If you want to unregister individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
-
If you want to select a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
-
If you want to select the entire organization unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Add.
-
Click Unregister User to unregister the users.
NOTE:
-
If you want to run the task at a specified time, select the Schedule at check box to specify the time to run the task and click Save.
-
If a task to unregister an user is scheduled at a later time and you want to unregister the user at the current instance, click Remove Setting to delete the scheduled task settings and click Save.
-
If you have the Domain management account configured with a user other than the Active Directory Administrator then, make sure that Write permissions are available to the storage attribute of the security questions (comment, by default) for all the users/ groups/OUs that are configured to be unregistered.
-
If the users/ groups/ OUs that need to be unregistered are a member of DomainAdmins/ Administrators group in the Active Directory then, the Write Permissions are already inherited.
Use the Bulk Force Password Reset feature to force selected users, groups and Organizational Units to change their passwords.
To enforce a password change for users
-
On the home page of the Administration site, click General Settings > Bulk Force Password Reset.
-
On the Bulk Force Password Reset page:
-
If you want to enforce password change for individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
-
If you want to enforce password change for a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
-
If you want to enforce password change for the entire Organizational Unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Save.
-
Click Reset Passwords.
NOTE: Consider the following when using the Bulk Force Password Reset feature:
-
Password reset is achieved by setting the Users must change password at next logon flag of the selected user(s) to true. This flag cannot be set to true, if the Password never expires flag is also true.
-
If you have the Domain management account configured with a user other than the Active Directory Administrator, make sure that write permissions are given to the pwdlastset attribute.
Use the Fido2 key management feature to unpair FIDO2 keys from selected users, groups and Organizational Units.
TO unpair Fido2 keys
-
On the home page of the Administration Site, navigate to General Settings > Fido2 key management.
-
On the Fido2 key management page:
-
If you want to unpair Fido2 keys from individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
-
If you want to unpair Fido2 keys from a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
-
If you want to unpair Fido2 keys from the entire Organizational Unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Save.
-
Click Delete Fido2 Key(s).
Redistributable Secret Management Service (rSMS) can be used to manage user passwords across multiple connected systems. Using the rSMS service it is possible to quickly synchronize the passwords across connected systems. By default, the rSMS service is installed with the Password Manager software.
An rSMS account must be created and configured to interact with the rSMS service to execute password change functionality on connected systems. After creating the rSMS account and configuring the certificate binding settings (optional), you can configure the settings to reset the password in connected systems. For more information, see Reset password in connected systems through embedded connectors.
To create rSMS account and configure certificate binding settings
-
On the home page of the Administration Site, click General Settings.
-
Click the rSMS Settings tab from the options.
The Redistributable Secret Management Service page is displayed.
NOTE: An rSMS account must be created before working with rSMS activity. An rSMS user is automatically created if the imported configuration file has the rSMS account details.
-
In the Create Account section, click Create Account to create an rSMS account.
-
In the Certificate binding section, select a custom certificate from the drop-down list, if available. By default, the built-in certificate is used. If the certificate binding settings are modified you must restart the One Identity rSMS Service.
NOTE: If you import a configuration file, the rSMS certificate binding details are not imported. The default binding settings or the certificate binding settings of the system are used.
-
Select the IP address from the rSMS IP address drop-down list.
NOTE: For built-in certificates, the Port number field is automatically populated with the value 20001. For a custom certificates, custom port number can be provided.
-
Click Save Settings to save the certificate binding settings.
NOTE:
-
By default, all Password Manager logs are available in C:\Windows\TEMP folder. If the default Password Manager log path is changed during an update, rSMS automatically uses the updated log path instead of the default path used earlier.
-
Additional rSMS logs are available in the rSMS.Service-{Date}.log file. Enable Password Manager logging from the Administrator site under General Settings > Logging Settings.