Deploying Secure Password Extension
Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with Secure Password Extension for installing it on the destination computers. Secure Password Extension is then installed on computers to which the GPO applies. Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:
- SecurePasswordExtension_x86.msi - Installs Secure Password Extension on computers running x86 versions of operating systems.
- SecurePasswordExtension_x64.msi - Installs Secure Password Extension on computers running x64 versions of operating systems.
You can modify the behavior and on-screen appearance of Secure Password Extension components by configuring an administrative template's settings, and then applying the template to the target computers through Group Policy.
The administrative template is available in only one format: prm_gina.admx.
The prm_gina.admx administrative template file is located in the \Password Manager\Setup\Template\Administrative Template\ folder of the installation CD. This administrative template is designed to be used with Windows Server 2012 R2 or later operating systems. Before using this administrative template, copy the prm_gina.admx and prm_gina.adml files from the installation CD to the following locations: %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions (for the prm_gina.admx file) and %systemroot%\SYSVOL\sysvol\domain\Policies\PolicyDefinitions\en-US (for the prm_gina.adml file).
Alternatively, you could use the Administrative Template configuration tool to copy and use the admx templates.
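The copy-and-verify step above, as an added PowerShell example that is not part of the One Identity documentation. It assumes the installation CD is mounted at $CdRoot and that the central store uses the standard SYSVOL layout for the domain given in $DomainDnsName; both are parameters, not values from the page.

```powershell
# Added example (not from the One Identity documentation): stage prm_gina.admx
# and prm_gina.adml in the Group Policy central store and confirm the template
# parses before it is opened in GPMC. Assumptions: the installation CD is at
# $CdRoot and the central store follows the standard SYSVOL layout for $DomainDnsName.
param(
    [Parameter(Mandatory)] [string] $DomainDnsName,   # your AD domain, e.g. corp.example (placeholder)
    [string] $CdRoot   = 'D:\',                       # assumption: drive letter of the installation CD
    [string] $Language = 'en-US'                      # language folder that receives the .adml file
)
$ErrorActionPreference = 'Stop'

$templateDir  = Join-Path $CdRoot 'Password Manager\Setup\Template\Administrative Template'
$centralStore = Join-Path $env:SystemRoot "SYSVOL\sysvol\$DomainDnsName\Policies\PolicyDefinitions"
$langDir      = Join-Path $centralStore $Language

# The language subfolder may not exist yet if no other .adml has been placed in the store.
if (-not (Test-Path $langDir)) {
    New-Item -ItemType Directory -Path $langDir | Out-Null
}

# .admx belongs in the store root, .adml in the language subfolder; if they are swapped,
# GPMC cannot load the template's display strings.
Copy-Item -Path (Join-Path $templateDir 'prm_gina.admx') -Destination $centralStore
Copy-Item -Path (Join-Path $templateDir 'prm_gina.adml') -Destination $langDir

# Verify both files landed and that the .admx is well-formed XML.
$admxPath = Join-Path $centralStore 'prm_gina.admx'
$admlPath = Join-Path $langDir      'prm_gina.adml'
foreach ($file in @($admxPath, $admlPath)) {
    if (-not (Test-Path $file)) { throw "Missing after copy: $file" }
}
[xml] $template = Get-Content -Path $admxPath -Raw

# List the policies the template defines, so their names can be matched to what
# GPMC shows under One Identity Password Manager once SYSVOL has replicated.
$template.policyDefinitions.policies.policy |
    Select-Object name, class, @{ n = 'Category'; e = { $_.parentCategory.ref } } |
    Format-Table -AutoSize
```

Run it on one domain controller; the files reach the other domain controllers through normal SYSVOL replication.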
Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.
To deploy and configure Secure Password Extension
- Copy the required installation package (SecurePasswordExtension_x86.msi or SecurePasswordExtension_x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install Secure Password Extension. The MSI packages are located in the \Password Manager\Setup\ folder of the installation CD.
- Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use Secure Password Extension. You may also choose an existing GPO to use with Secure Password Extension.
- Open the Group Policy Management Editor in the Group Policy Management, and then do the following:
- Expand Computer Configuration/Policies/Software Settings, right-click Software installation, and then select New | Package.
- Browse for the MSI package you have copied in step 1, and then click Open.
- In the Deploy Software window, select a deployment method and click OK.
- Verify and configure the properties of the installation, if needed.
Configuring Secure Password Extension
This section describes how to override automatic location of the Self-Service site and customize Secure Password Extension.
Overriding Automatic Self-Service Site Location
By default, Secure Password Extension uses service connection points published in Active Directory to locate the Self-Service site. If you need to override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must manually specify the URL path and override the default behavior of Secure Password Extension.
To override automatic Self-Service site location on a computer running Windows Server 2012 R2 or later
- Click the Start button, click Run, and type mmc. Click OK.
- In the Console window on the File menu, click Add/Remove Snap-in.
- Double-click Group Policy Management Editor in the list of available snap-ins.
- In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.
- Click Finish to exit Group Policy Wizard.
- Click OK.
- Log in to the Active Directory Domain Controller machine with administrative privileges.
- Copy the Administrative Template Configuration folder from <CD>/Password Manager/Setup/Tools.
- Copy the Administrative Template folder onto the machine from <CD>/Password Manager/Setup/Template.
- Double-click the QPM.AdministrativeTemplateConfiguration.exe tool in the Administrative Template Configuration folder.
- In the Password Manager Administrative Template Configuration window, browse to the Administrative Template folder path and verify the path to Policy Definitions.
- Click Execute to run the tool.
- Once the execution is complete, click Exit to close the window.
- Launch the Group Policy Management utility.
- Right-click the domain, and then on the shortcut menu, click Create a GPO in the domain and Link it here to link the policy.
- Enter a name for the new GPO, for example "OneIdentity".
- Right-click the new GPO (OneIdentity) and select Enforced to apply the policy.
- Right-click the new GPO (OneIdentity) and select Edit.
- To view the latest Administrative Template, follow the steps mentioned below:
- Expand the newly created GPO.
- Go to Computer Configuration >> Policies.
- Expand Administrative Templates: Policy Definitions (ADMX files) retrieved from the central store >> One Identity Password Manager >> Generic Settings.
- Double-click Specify URL path to the Self-Service site.
- Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/PMUser/, where COMPUTER_NAME is the name of the server on which the Self-Service site is installed. Substitute https:// with http:// if you don’t use HTTPS.
IMPORTANT: It is strongly recommended that you enable HTTPS on the Password Manager server.
- Click OK. The specified URL will be used only if service connection points are unavailable or if the Self-Service site URL specified in the service connection point cannot be found. If you want Secure Password Extensions to always use the specified URL, perform the following steps.
- Double-click Override URL path to the Self-Service site.
- Select the Enabled option on the Settings tab.
- Click OK.
- Apply the updated policy to the computers in the managed domain.
NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.
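Before the URL goes into the "Specify URL path to the Self-Service site" setting, it is worth checking it against the format above and confirming a client can reach it over TLS. The following PowerShell function is an added example, not part of the One Identity documentation; the host name pmserver01.corp.example in the sample calls is constructed.

```powershell
# Added example, not from the One Identity documentation. Checks a Self-Service URL
# against the format the policy expects (https://COMPUTER_NAME/PMUser/) and confirms
# the client can reach it. Run it on a domain-joined workstation so the certificate
# check reflects what Secure Password Extension will see on that client.
function Test-SelfServiceUrl {
    param([Parameter(Mandatory)] [string] $Url)

    $problems = @()
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref] $uri)) {
        return [pscustomobject]@{ Url = $Url; Ok = $false; StatusCode = $null; Problems = @('not an absolute URL') }
    }
    # Plain HTTP is accepted by the policy, but the guide strongly recommends HTTPS,
    # so it is reported here as a problem to fix on the Password Manager server.
    if ($uri.Scheme -ne 'https') {
        $problems += "scheme is '$($uri.Scheme)'; enable HTTPS on the Password Manager server"
    }
    # The Self-Service site is published at /PMUser/ including the trailing slash.
    if ($uri.AbsolutePath -ne '/PMUser/') {
        $problems += "path is '$($uri.AbsolutePath)', expected '/PMUser/'"
    }
    # An IP address instead of COMPUTER_NAME defeats certificate name matching on the client.
    if ($uri.HostNameType -eq [UriHostNameType]::IPv4 -or $uri.HostNameType -eq [UriHostNameType]::IPv6) {
        $problems += 'host is an IP address; use the server name that appears in its certificate'
    }

    $status = $null
    try {
        # A failed TLS handshake (untrusted or mismatched certificate) surfaces here as an exception.
        $resp   = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        $status = $resp.StatusCode
    } catch {
        $problems += "request failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Url = $Url; Ok = ($problems.Count -eq 0); StatusCode = $status; Problems = $problems }
}

# Sample calls with a constructed host name:
Test-SelfServiceUrl 'https://pmserver01.corp.example/PMUser/'
Test-SelfServiceUrl 'http://pmserver01.corp.example/PMUser'   # reports plain HTTP and the missing slash
```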
Password Manager Realm Affinity
In some instances, you may want Secure Password Extension to contact only specific Password Manager Service instances when locating the Self-Service site. You can force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.
A Password Manager realm is one or more Password Manager instances sharing a common configuration (the same user and helpdesk scopes, Management Policies and workflow configuration, and general settings). Normally, you add a member to a Password Manager realm by installing a new Password Manager instance and selecting the “A replica of an existing instance” option during instance initialization. To learn more about Password Manager realms, see Installing multiple instances of Password Manager.
To force Secure Password Extension to use only Password Manager Service instances from a specific realm, you must set the Secure Password Extension affinity for that realm.
To set Secure Password Extension affinity for a Password Manager realm on a computer running Windows Server 2012 R2 or later
- Open the Administration site of the Password Manager Service instance that belongs to the target realm.
- On the Administration site home page, click General Settings|Realm Instances.
- Select the value of the Realm affinity ID setting, right-click the selection and select Copy.
- On the domain controller machine, click the Start button, click Run, and type mmc. Click OK.
- In the Console window on the File menu, click Add/Remove Snap-in.
- Double-click Group Policy Management Editor in the list of available snap-ins.
- In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.
- Click Finish to exit Group Policy Wizard.
- Click OK.
- Log in to the Active Directory Domain Controller machine with administrative privileges.
- Copy the Administrative Template Configuration folder from <CD>/Password Manager/Setup/Tools.
- Copy the Administrative Template folder onto the machine from <CD>/Password Manager/Setup/Template.
- Double-click QPM.AdministrativeTemplateConfiguration.exe in the Administrative Template Configuration folder.
- In the Password Manager Administrative Template Configuration window, browse to the Administrative Template folder path and verify the path to Policy Definitions.
- Click Execute to run the tool.
- Once the execution is complete, click Exit to close the window, and launch the Group Policy Management utility.
- Right-click the domain node, and on the shortcut menu, click Create a GPO in the domain and Link it here to link the policy.
- Enter a name for the new GPO, for example "OneIdentity".
- Right-click the new GPO (OneIdentity) and select Enforced to apply the policy.
- Right-click the new GPO (OneIdentity) and select Edit.
- To view the latest Administrative Template, follow the steps mentioned below:
- Expand the newly created GPO.
- Go to Computer Configuration >> Policies.
- Expand Administrative Templates: Policy Definitions (ADMX files) retrieved from the central store >> One Identity Password Manager >> Generic Settings.
- In the right pane, double-click Password Manager Realm Affinity.
- Select the Enabled option on the Settings tab, then right-click the Realm Affinity ID text box, and select Paste.
- Click OK.
- Apply the updated policy to the computers in the managed domain.
NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.
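To confirm that the three Generic Settings configured in the two procedures above (the Self-Service URL, its override, and the realm affinity) actually landed in the GPO, the GPO report can be read back. This PowerShell function is an added example, not part of the One Identity documentation; it assumes the GroupPolicy module (Get-GPOReport) is available on the domain controller or an RSAT host, and defaults to the GPO name "OneIdentity" used in the steps above.

```powershell
# Added example, not from the One Identity documentation. Reads the GPO report and
# returns the state and configured value of each Secure Password Extension setting.
# Assumes the GroupPolicy module is installed; the GPO name and the policy display
# names default to those used in the procedures on this page.
function Get-SpePolicyState {
    param(
        [string]   $GpoName     = 'OneIdentity',
        [string[]] $PolicyNames = @(
            'Specify URL path to the Self-Service site',
            'Override URL path to the Self-Service site',
            'Password Manager Realm Affinity'
        )
    )
    Import-Module GroupPolicy -ErrorAction Stop
    [xml] $report = Get-GPOReport -Name $GpoName -ReportType Xml

    # The report XML carries a namespace per extension, so match on local names only.
    $found = @{}
    foreach ($node in $report.SelectNodes("//*[local-name()='Policy']")) {
        $name  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        $state = $node.SelectSingleNode("*[local-name()='State']").InnerText
        # Text settings (the URL, the Realm Affinity ID) carry their value in a nested element.
        $valueNode = $node.SelectSingleNode(".//*[local-name()='Value']")
        $value = $null
        if ($valueNode) { $value = $valueNode.InnerText }
        $found[$name] = [pscustomobject]@{ State = $state; Value = $value }
    }

    foreach ($policy in $PolicyNames) {
        if ($found.ContainsKey($policy)) {
            [pscustomobject]@{ Policy = $policy; State = $found[$policy].State; Value = $found[$policy].Value }
        } else {
            # Not present in the report at all: never configured in this GPO.
            [pscustomobject]@{ Policy = $policy; State = 'Not configured'; Value = $null }
        }
    }
}

Get-SpePolicyState | Format-Table -AutoSize
```

A setting that shows as Enabled here but is still not honoured on a client points at replication or policy-refresh delay, which is the case the NOTE above describes.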