The following accounts can be used in Password Manager:
-
Password Manager Service account
-
Application pool identity
-
Access account for AD LDS
-
Password policy account
-
Account for One Identity Quick Connect
The following accounts can be used in Password Manager:
Password Manager Service account
Application pool identity
Access account for AD LDS
Password policy account
Account for One Identity Quick Connect
Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, the Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity during Password Manager setup will be used to run Password Manager websites.
Application pool identity account must meet the following requirements:
This account must be a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
This account must have permissions to create files in the <Password Manager installation folder>\App_Data folder.
Application pool identity account must the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager for AD LDS.
When you connect to an AD LDS instance, you can create a new connection or use existing connections, if any. When creating the connection, you must specify an access account - an account under which Password Manager will access the AD LDS instance and a specified application directory partition. You can use the Password Manager Service account, an Active Directory account or an AD LDS account. These accounts must have the following minimum set of permissions:
Membership in the Domain Users group (for the Password Manager Service account and the Active Directory account)
Membership in the Readers group in the application directory partition (for the AD LDS account)
Membership in the Administrators group in the configuration directory partition
The Read permission for all attributes of user objects
The Write permission for the following attributes of user objects: pwdLastSet, comment, unicodePwd, lockoutTime, msDS-UserAccountDisabled
The right to reset user passwords
The permission to create user accounts and containers in the Users container
The Read permission for attributes of the organizationalUnit object and container objects
The Write permission for the gpLink attribute of the organizationalUnit objects and container objects
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
The permission to create container objects in the System container
The permission to create the serviceConnectionPoint objects in the System container
The permission to delete the serviceConnectionPoint objects in the System container
The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
If you want to use the same connection in password policies as well, make sure the account has the following permissions:
The Read permission for attributes of the groupPolicyContainer objects.
The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
In the Register workflow, if the Admin selects Corporate authentication, the user can only review the corporate account details during the registration process. If the Admin selects Allow user to edit corporate details, the user can update the respective corporate details, for example, Corporate email and Corporate phone number, if the details are not previously populated by the administrator in the AD.
If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.
The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.
If Allow user to edit corporate details checkbox is selected under Corporate authentication check box, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.
NOTE: If the Corporate phone attribute under Reinitialization page is a custom value (for example, pager) then the Read/Write Permissions need to be provided for that attribute instead of the mobile attribute.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center