By default, Password Manager creates user objects in Active Directory which are used for Replication between Password Manager servers.
Blocking Password Manager from creating these objects will stop the Replication functionality.
However, for some customers that may have internal tightened security requirements in a single Password Manager instance, the Replication feature can be disabled, and the corresponding user objects can be removed from Active Directory. Keep in mind that if any additional Password Manager hosts are added to the Realm, Replication will have to be re-enabled and the Replication user objects will be re-created in Active Directory.
To delete the PMReplication container and all of its child objects in Active Directory:
1. On the Password Manager server navigate to C:\ProgramData\One Identity\Password Manager
2. Create a backup copy of the file Shared.storage (i.e. Copy the file to C:\Temp or the Desktop)
3. Open Shared.storage in a text editor such as Notepad
4. Find the following text string: StorageReplication
5. Replace enabled="true" with enabled="false"
6. Save and close the file
7. In Windows Services, stop the Password Manager Service
8. Open Active Directory Users and Computers (Note: This may have to be performed on a Domain Controller)
9. Navigate to Users
10. Delete the PMReplication container and all the objects it contains. (Note: A warning may be displayed asking to delete all child objects. Select Yes/Yes to All)
11. On the Password Manager server, start the Password Manager Service
12. In Active Directory Users and Computers, right-click on the Users container and click Refresh. The PMReplication container should not exist.
If the container reappears, try the following:
1. Repeat the process to ensure the Shared.storage file was updated properly
2. Check the environment to ensure there is not another Password Manager server
3. If there are additional Password Manager objects listed, navigate to each host (as noted in the object name) and confirm whether or not that host is live and is part of the existing Realm, or an old server that should be decommissioned
If it is the only Password Manager server in the domain and repeating the process does not work, open a Service Request with One Identity Support for assistance.
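The following PowerShell script is an added example that automates the procedure above and the first two troubleshooting checks; it is not One Identity's own tooling. It assumes that the service's display name in Windows Services is exactly "Password Manager Service", that the StorageReplication setting and its enabled attribute sit on a single line of Shared.storage, and that the ActiveDirectory module (RSAT) is installed on a server whose account may delete objects under CN=Users. Before deleting the PMReplication container it lists the child objects, since their names identify the Password Manager hosts you would otherwise have to inspect by hand; after restarting the service it checks whether the container has been re-created.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example (not part of the One Identity article). Assumptions are marked below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$StoragePath = 'C:\ProgramData\One Identity\Password Manager\Shared.storage',
    [string]$BackupDir   = 'C:\Temp',
    [string]$ServiceDisplayName = 'Password Manager Service'   # assumption: display name as shown in Windows Services
)

$ErrorActionPreference = 'Stop'

# Step 2: back up Shared.storage before touching it
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('Shared.storage.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
Copy-Item -LiteralPath $StoragePath -Destination $backup
Write-Host "Backup written to $backup"

# Steps 3-6: read the file preserving its encoding, flip enabled="true" to enabled="false"
# only on the line that contains StorageReplication, and refuse to write if the edit is ambiguous
$reader = New-Object System.IO.StreamReader($StoragePath, $true)
$text = $reader.ReadToEnd()
$encoding = $reader.CurrentEncoding
$reader.Close()

$pattern = '(?m)^(?<pre>.*StorageReplication.*?)enabled="true"'   # assumption: attribute on the same line
$hits = [regex]::Matches($text, $pattern).Count
if ($hits -ne 1) {
    throw "Expected exactly one StorageReplication line with enabled=""true"", found $hits. File left unchanged; inspect it in a text editor."
}
if ($PSCmdlet.ShouldProcess($StoragePath, 'Set StorageReplication enabled="false"')) {
    $updated = [regex]::Replace($text, $pattern, '${pre}enabled="false"')
    [System.IO.File]::WriteAllText($StoragePath, $updated, $encoding)
}

# Step 7: stop the Password Manager service and wait until it is actually down
$svc = Get-Service -DisplayName $ServiceDisplayName
Stop-Service -InputObject $svc -Force
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Steps 8-10: find PMReplication under CN=Users, list its children, then delete it recursively
$usersDn   = "CN=Users,$((Get-ADDomain).DistinguishedName)"
$container = Get-ADObject -SearchBase $usersDn -SearchScope OneLevel -Filter "Name -eq 'PMReplication'"
if ($container) {
    Write-Host "Child objects of $($container.DistinguishedName) (names identify Password Manager hosts):"
    Get-ADObject -SearchBase $container.DistinguishedName -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $container.DistinguishedName } |
        Select-Object Name, ObjectClass | Format-Table -AutoSize
    if ($PSCmdlet.ShouldProcess($container.DistinguishedName, 'Remove container and all child objects')) {
        Remove-ADObject -Identity $container -Recursive -Confirm:$false
    }
} else {
    Write-Host "No PMReplication container found under $usersDn"
}

# Step 11: start the service again
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Step 12 and troubleshooting: give the service a moment, then confirm the container was not re-created
Start-Sleep -Seconds 30
$again = Get-ADObject -SearchBase $usersDn -SearchScope OneLevel -Filter "Name -eq 'PMReplication'"
if ($again) {
    Write-Warning 'PMReplication was re-created. Re-check Shared.storage on this host; the objects below name the hosts still replicating:'
    Get-ADObject -SearchBase $again.DistinguishedName -SearchScope OneLevel -Filter * | Select-Object Name
} else {
    Write-Host 'PMReplication container is gone; Replication is disabled on this host.'
}
```

Run the script with -WhatIf first to see the backup path, the file edit and the container deletion it would perform without changing anything. If the final check warns that the container came back, the listed object names are the hosts to confirm as live Realm members or as old servers to decommission, as the troubleshooting list above describes.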
© 2024 One Identity LLC. ALL RIGHTS RESERVED.