サポートと今すぐチャット
サポートとのチャット

Password Manager 5.14.3 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring Access to the Administration Site Configuring Access to the Password Manager Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Password Manager Self-Service Site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Glossary

Changing Access Account

To access a managed AD LDS instance, you can use the Password Manager Service account, an Active Directory account or an AD LDS account. For more information on how to configure the access account, see Configuring Permissions for Access Account. Password Manager Service account is the account that was configured during Password Manager installation. Password Manager Service account may be used as the access account only when the Service account has all required permissions.

To modify account used to access an AD LDS instance

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the connection for which you want to change access account and click Edit.

  3. On the Helpdesk Scope Settings for #Application Directory Partition# page, click Edit.

  4. In the Access account section of the Edit AD LDS Instance Connection dialog, select Password Manager Service account to have Password Manager access the managed instance using the Password Manager Service account. Otherwise, select The following Active Directory account or The following AD LDS account and then enter the required user name and password.

  5. Click Save and select how you want to apply the updated settings. You can either apply the new settings for this helpdesk scope only, or everywhere where this connection is used.

Removing Connection to AD LDS Instance

This section describes how to remove a connection to an AD LDS instance.

To remove a connection to AD LDS instance

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the connection you want to delete and click Remove.

NOTE: The connection will be removed from this helpdesk scope only. If you want to permanently remove the connection, remove it everywhere where it is used, then on the General Settings > AD LDS Instance Connections tab, click Remove under the required connection.

Configuring Questions and Answers Policy

Questions and Answers policy allows you to create secret questions and specify Q&A profile settings. Secret questions are questions to which users provide answers when registering with Password Manager. Using the Q&A profile settings you can specify requirements for user’s questions and answers. For example, you can prevent users from using the same answer for multiple questions.

Q&A policy settings affect user authentication and registration enforcement process. For more information, see Questions and Answers Policy Overview.

Creating Secret Questions

Secret questions are questions to which users provide their own answers, thus creating a personal Questions and Answers profile. Before users can register with Password Manager by creating their personal Questions and Answers profiles, you must configure a question list containing the questions that will be presented to users.

You can create the question list in several languages, so that users can select a preferred language of questions and answers.

Password Manager uses personal Question and Answers profiles as an authentication method to allow users and helpdesk operators to manage user passwords in AD LDS instances and in multiple connected systems. A Q&A profile, or personal profile, is a set of questions specified by the Password Manager administrator, to which users must provide their secret answers that later can be used to authenticate the users. You can also require users to specify their own questions in their personal profiles. Then, users can securely reset their passwords or unlock their accounts by answering a series of questions from their personal profiles.

You can set requirements for answers that users specify in their Questions and Answers profiles. For example, you can prevent users from specifying the same answer for different questions, or set a minimum answer length. For more information, see Configuring Q&A Profile Settings.

Password Manager allows you to specify criteria for recognizing users' Questions and Answers profiles as not compliant with the current password management settings. This is essential if you want users to update their profiles each time when Q&A policy settings are changed. Helpdesk operators can force users to update their Q&A profiles if the profiles do not comply with current Q&A policy.

For information on how to enforce update of Q&A profiles, see User Enforcement Rules.

Secret questions can contain the following types of questions:

Table 4: Secret questions

Question type

Description

Mandatory questions

Questions of this type are an integral part of a user's Q&A profile. Users must provide an answer to each of these questions. These questions can be stored using reversible encryption or hashed.

Optional questions

Users can select what optional questions to answer. Administrator specifies only the number of questions that users must answer. These questions can be stored using reversible encryption or hashed.

Helpdesk questions

Security questions used by helpdesk to verify user's identity before performing password- and account management tasks. These questions are always stored using reversible encryption.

User-defined

Questions that must be created by the user.

For users to be able to create their personal Questions and Answers profiles, you must specify at least one secret question.

To create secret questions in the default language

  1. Open the Administration Site by typing the Administration Site URL in the address bar of your Web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.

  2. On the Administration Site home page, click the Q&A Policy link under the Management Policy you want to configure.

  3. On the Configure Questions and Answers Policy page, select the default language for secret questions by clicking the language link in the Default language option.

  4. Under Question List, click the Edit questions link to specify mandatory, optional and helpdesk questions in the default language.

  5. In the Edit Questions in the Default Language dialog, specify mandatory, optional and helpdesk questions.

  6. Change questions’ order by clicking the appropriate links.

  7. Click Save to save the questions and close the dialog.

    IMPORTANT: If you add a questions to the question list in the default language, all translations of the question list will not be configured until you change them accordingly. This means that users will not be able to use the disabled languages for creating Q&A profiles. If you remove a question from the question list in the default language, this question will be automatically removed from translations of the question list.

    IMPORTANT: Modifying a question list does not affect existing personal Questions or Answers profiles unless the users have to update their profiles as a result of the enforcement rules that require users to update Q&A profiles when the question list is modified. For more information on the enforcement rules, see User Enforcement Rules.

To translate secret questions

  1. Open the Administration Site by typing the Administration Site URL in the address bar of your Web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.

  2. On the Administration Site home page, click the Q&A Policy link under the Management Policy you want to configure.

  3. On the Configure Questions and Answers Policy page, under Question List, click the Translate questions link.

  4. In the Select Additional Language dialog, select an additional language for secret questions.

  5. In the Translate Questions dialog, translate mandatory, optional and helpdesk questions from the default language into the additional language.

  6. To change the language, click the Change language link.

  7. To temporarily hide secret questions in the selected language, select the Make questions in this language unavailable to users check box. This setting will prevent users from creating or updating their Q&A profiles using the question list in this language.

  8. Click Save to save changes and close the dialog.

IMPORTANT: If you deleted the translated question list, all users who have created their Questions and Answers profiles will be forced to update their Q&A profiles, if you have configured the enforcement rule. For more information, see Invite Users to Create/Update Profiles.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択