Select this option to propagate information about editing, locking and unlocking Questions and Answers profile, and passcodes issued by Helpdesk. It is recommended to use this option when users and Password Manager Service use domain controllers from different sites. In this case, if users update their Q&A profiles using Secure Password Extension (via the domain controller in one site), and then attempt to use the profiles on the Self-Service (via the domain controller in another site), they may encounter the issue when the updated Q&A profile is not yet available because of intersite replication latency.
Select this option to propagate information about changing or resetting user password. It is recommended to use this option in the following environment. You have several Active Directory sites in your environment; a user’s computer and Password Manager Service are located in different sites. User authentication is performed via a read-only domain controller (RODC).
In this environment, users may experience downtime in the following scenario:
- A user changes password via a domain controller used by Password Manager Service in site A.
- The user attempts to authenticate to an RODC in site B, the RODC forwards the authentication request to a writable domain controller in the site, but the password has not be replicated yet to site B.
- User authentication is failed because of intersite replication latency.
To mitigate this issue, after selecting the corresponding Active Directory site (in which the RODC is located) and the writable domain controller from the site, select the Propagate password-related changes check box to immediately propagate password changes to the selected writable domain controller and enable user authentication via the RODC.
To access a managed domain, you can use either a domain management account or Password Manager Service account. For more information on how to configure a domain management account, see Configuring Permissions for Domain Management Account. Password Manager Service account is the account that was configured during Password Manager installation. Password Manager Service account may be used as a domain management account only when the Service account has all the permissions required for the domain management account.
To modify account used to access a domain
- On the Administration site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, select the domain connection for which you want to change access account and click Edit.
- On the User Scope Settings for #Domain# page, click Edit.
- In the Access account section of the Edit Domain Connection dialog, select Password Manager Service account to have Password Manager access the managed domain using the Password Manager Service account. Otherwise, select Domain management account, and then enter user name and password for the domain management account.
- Click Save and select how you want to apply the updated settings. You can either apply the new settings for this user scope only, or everywhere where this domain connection is used.
To remove a domain connection
- On the Administration site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, select the domain connection you want to delete and click Remove. Note that the domain connection will be removed from this user scope only. If you want to permanently remove the domain connection, remove it from everywhere where it is used, and then on the General Settings|Domain Connections tab, click Remove under the required connection.
