The Manage My Profile workflow allows the administrator to manage user profiles in Active Directory by using the Admin site. Manage My Profile uses settings of Register workflow.
Use this workflow only if the user's Questions and Answers profile is pending for update. To configure, do the following:
This activity is a part of the Register and Manage My Profile workflow. Use this activity to allow users to create and update their Questions and Answers profiles.
You can also use this activity in the Forgot My Password and Unlock My Account workflows, if you want to force users to update their Q&A profiles after they reset passwords or unlock their accounts. When you use this activity in the Forgot My Password and Unlock My Account workflows, select the Run this activity only if user’s Q&A profile should be updated check box to make users update their Q&A profiles only if the profiles are not compliant with the current requirements.
When you use Run this activity only if user’s profile should be updated activity in workflows other than Register and Manage My Profile, for example, in Forgot My Password and Unlock My Account workflows, select this check box to make users update their Q&A profiles only if the profiles are not compliant with the current Q&A policy.
This is a core activity of the Forgot My Password workflow. The activity allows users to reset passwords in Active Directory only. If you want to enable users to reset passwords in several systems, configure the Reset password in Active Directory and connected systems, Reset password in connected systems through embedded connectors(Preview) activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Reset Password in Active Directory and Connected Systems.
In this activity you can configure the Enforce password history option. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings.
Before selecting this option, you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:
The Use auto generated password option enables Helpdesk users to generate a new password during password reset process.
The Use manual password option enables Helpdesk users to reset the password manually.
The Send password using Starling push notification option enables HelpDesk users to send the password using a push notification to their mobile devices to reset password.
The Enable QESSO integration option allows you to integrate Password Manager with Quest Enterprise Single Sign-On (QESSO) and notify QESSO about user’s password changes. For more information, see Quest Enterprise Single Sign-On (QESSO).
Select the Allow users to reset passwords offline option to enable users to use the offline password reset functionality provided by Password Manager. This functionality allows resetting passwords when users have forgotten their current passwords and their computers are not connected to the intranet (Active Directory is not available).
This functionality is based on resetting user password in locally cached logon data. The security is provided by using the challenge-response mechanism that guarantees the following:
When offline password reset is enabled on users’ computers, a user must perform the following steps to reset his or her password:
Enabling the offline password reset functionality
Note that Secure Password Extension must be installed on target user computers, as well. For more information on installing Secure Password Extension, see Deploying and Configuring Secure Password Extension.
|
NOTE: Use the latest prm_gina.admx file by removing the older file from group policy. |
To provide authentication during the offline password reset procedure, a shared secret is used. The shared secret is stored locally on a user computer and its copy is published in Active Directory in the computer’s account during the first login if the computer is connected to the domain. By default, only domain administrators and the computer account have access to the shared secret. You can specify other users and groups who will have the permission to read the shared secret from the domain. To do it, use the Configure scope for accessing the shared secret in Active Directory setting in the administrative template. For more information on the administrative template, see Managing Secure Password Extension UsingAdministrative Templates.
|
IMPORTANT: Note that the domain management account must have the permission to read the shared secret from the domain for the offline password reset functionality to work. |
You can also use the Shared secret update period (hours) setting in the administrative template to specify how often the shared secret should be updated. The recommended value is every 24 hours. For more information on the administrative template, see Managing Secure Password Extension UsingAdministrative Templates.
This is a core activity of the Manage My Passwords workflow. The activity allows users to change passwords in Active Directory only. If you want to enable users to change passwords in several systems, configure the Change password in Active Directory and connected systems activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Change Password in Active Directory and Connected Systems.
Run this activity only when user must change password at next logon Select this check box when you use this activity in workflows other than Manage My Passwords. By using this option, you can force users who are required to change password at next login to change password while performing other tasks on the Self-Service site.
For example, if you add the Change password in Active Directory activity with this option selected to the Manage My Profile workflow, you will force users who are required to change password at next logon to change password when creating or updating their Q&A profiles.
The Enable QESSO integration option allows you to integrate Password Manager with Quest Enterprise Single Sign-On (QESSO) and notify QESSO about user’s password changes. For more information, see Quest Enterprise Single Sign-On (QESSO).
© 2022 One Identity LLC. ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책