Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Upgrading Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Extending AD LDS Schema
Instance Initialization
Installing Self-Service, New Self-Service (Preview), and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
FailSafe support in Password Manager
Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
TeleSign
SQL Server Database and SQL Server Reporting Services
Quick Connect Sync Engine
Defender
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Redistributable Secret Management Service
Location sensitive authentication
Working with Power BI
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Siteson Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Management Policy Overview
Password Policy Overview
reCAPTCHA Overview
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Data Replication
Phone-Based Authentication Service Overview
Configuring Management Policy
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
General Settings
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Overview of Built-in Self-Service Activities
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in AD LDS
Change Password in AD LDS
Reset Password in AD LDS and Connected Systems
Change Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Enforce Update of Profile
Overview of Built-in Helpdesk Activities
User Enforcement Rules
Authentication Activities
Authentication Methods
Authenticate with Q&A Profile
Authenticate via Phone
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Action Activities
Reset Password in AD LDS
Reset Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Assign Passcode
Unlock Q&A Profile
Enforce Update of Q&A Profile
Restart Workflow if Error Occurs
Notification Activities
General Settings Overview
Search and Logon Options
Password Policies
Configuring Search and Security Options for the Self-Service Site
Configuring Search Options for the Helpdesk Site
Configuring Security Settings
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
Update RADIUS server status
User Status Statistics Task
Clear Old Records from Reporting Database
Web Interface Customization
Instance Reinitialization
Realm Instances
AD LDS Instance Connections
Using Connections to AD LDS Instances
Specifying Access Account for AD LDS Instance Connections
Changing Access Account for AD LDS Instance Connections
Removing Connection to AD LDS Instance
Extensibility Features
RADIUS Two-Factor Authentication
Unregistering users from Password Manager
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
About Password Policies
Creating a Password Policy
Managing Password Policy Scope
Configuring Password Policy Rules
One Identity Starling
Reporting
Password Compliance
Password Age Rule
Length Rule
Complexity Rule
Required Characters Rule
Disallowed Characters Rule
Sequence Rule
User Properties Rule
Symmetry Rule
Custom Rule
Deleting a Password Policy
Reporting and User Action History Overview
Appendix A: Accounts Used in Password Manager for AD LDS
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Password Manager Service Account
Application Pool Identity
Access Account for Application Directory Partition Connection
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager for AD LDS
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of Password Policies List
Customization of Password Strength Meter
Glossary
Password Manager Service Account
Application Pool Identity
Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity during Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
- This account must be a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
- This account must have permissions to create files in the <Password Manager installation folder>\App_Data folder.
- Application pool identity account must the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager for AD LDS.
Access Account for Application Directory Partition Connection
Appendix A: Accounts Used in Password Manager for AD LDS > Access Account for Application Directory Partition Connection
When you connect to an AD LDS instance, you can create a new connection or use existing connections, if any. When creating the connection, you must specify an access account - an account under which Password Manager will access the AD LDS instance and a specified application directory partition. You can use the Password Manager Service account, an Active Directory account or an AD LDS account. These accounts must have the following minimum set of permissions:
- Membership in the Domain Users group (for the Password Manager Service account and the Active Directory account)
- Membership in the Readers group in the application directory partition (for the AD LDS account)
- Membership in the Administrators group in the configuration directory partition
- The Read permission for all attributes of user objects
- The Write permission for the following attributes of user objects: pwdLastSet, comment, unicodePwd, lockoutTime, msDS-UserAccountDisabled
- The right to reset user passwords
- The permission to create user accounts and containers in the Users container
- The Read permission for attributes of the organizationalUnit object and container objects
- The Write permission for the gpLink attribute of the organizationalUnit objects and container objects
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
- The permission to create container objects in the System container
- The permission to create the serviceConnectionPoint objects in the System container
- The permission to delete the serviceConnectionPoint objects in the System container
- The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
If you want to use the same connection in password policies as well, make sure the account has the following permissions:
- The Read permission for attributes of the groupPolicyContainer objects.
- The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
- The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
Corporate Authentication
In the Register workflow, if the Admin selects Corporate authentication check box, user will only be able to review the corporate account details while registration. If Allow user to edit corporate details check box is selected, user will be able to update the respective corporate details such as Corporate email and Corporate phone number, provided that the details are not previously populated by administrator in the AD.
If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.
- The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.
- If Allow user to edit corporate details checkbox is selected under Corporate authentication check box, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.
Account for Using One Identity Quick Connect
Appendix A: Accounts Used in Password Manager for AD LDS > Account for Using One Identity Quick Connect
You can configure cross-platform password synchronization using One Identity Quick Connect. If used in conjunction with Quick Connect Sync Engine, Password Manager allows you to enable users and helpdesk operators to manage their passwords across a wide variety of connected systems.
To enable Password Manager to set passwords in connected systems, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server.
For more information on using Quick Connect with Password Manager, see Reset Password in AD LDS and Connected Systems.