The Password Capture Agent provides a Windows PowerShell module for remote and automated installation, configuration, and uninstall. You can use this method to automatically uninstall the Password Capture Agent on each domain controller in the source Active Directory domain.
For uninstalling the Password Capture Agent remotely, use the following command in an elevated Windows PowerShell.
Import-Module OneIM-PasswordCaptureAgentMgmt
Uninstall-PasswordCaptureAgent`
-ComputerName <Computer name>`
-LogFile <UNC path to log file>`
–LogVerbose
Related topics
Fine-tuning automated password synchronization
This section provides information about the optional tasks related to configuring automated password synchronization from an Active Directory domain to connected target systems.
Detailed information about this topic
The Password Capture Agent has several settings you can modify. After you install the Password Capture Agent, each of its parameters is assigned a default value.
NOTE: If you do not configure the thumbprint for the Password Capture Agent, the password is secured by transport layer security only (HTTPS).
Detailed information about this topic
Some of the configuration parameters for the Password Capture Agent can be changed using the Windows Registry Editor. The parameters are split up into those used by the Password Capture Agent service and those used by the Password Capture Agent driver.
Registry configuration parameters for the Password Capture Agent service
The base path for the parameters of the Password Capture Agent service is:
HKLM\SOFTWARE\One Identity\One Identity Manager\Password Capture Agent\Service\
WebService_URL
This setting determines the location - Uniform Resource Locator (URL) - of the web service to which the Password Capture Agent provides information about changed user passwords.
Syntax: https://<serverfqdn>/AppServer/
Type: REG_SZ
Values: URL of the web service
Default: (empty)
CertificateThumbprint
This setting specifies a certificate used to encrypt the data transfer channel between the Password Capture Agent and the web service. The certificate must be accessible both for the Password Capture Agent and the web service.
Type: REG_SZ
Values: Certificate used to encrypt the password befor submiting to the web service.
Default: (empty)
NOTE: If you disable this setting or do not configure it, the password will be secured by transport layer security only (HTTPS).
EncryptedPasswordTransmission
This setting specifies whether the password is encrypted when being sent to the web service. Requires the CertificateThumbprint parameter to be set.
Type: DWORD
Values: 0 | 1 - Disables or enables encrypted password transmission.
Default: 1
EncryptedPasswordTransmissionSigning
This setting specifies whether the password is signed after encryption, when being sent to the web service. Requires the CertificateThumbprint parameter to be set to a certificate with private key and the EncryptedPasswordTransmission parameter to be enabled.
Type: DWORD
Values: 0 | 1 - Disables or enables signed and encrypted password transmission.
Default: 1
Registry configuration parameters for the Password Capture Agent driver
The base path for the parameters of the Password Capture Agent driver is:
HKLM\SOFTWARE\One Identity\One Identity Manager\Password Capture Agent\Driver\
NOTE: No reboot is required to take effect.
DeactivateOnStart
Disables the Password Capture Agent without uninstalling. If the value is set to 1, the Password Capture Agent is disabled after the next reboot. The only action after reboot is a single hint, logged to the Password Capture Agent event log - named One Identity Manager Password Capture Agent - in the Windows Event Viewer.
Type: REG_DWORD
Values: 0 | 1
Default: 0
Diagnostic
Enables some diagnostic behavior if this parameter is set to 1.
-
Verbose logging to log file if it is specified (LogFile parameter). Every operation and its result is logged.
-
All logs are also sent as an operating system debug message for appropriate live viewers (for example, DebugView from Windows Sysinternals).
-
The LogFile parameter is enabled.
Type: REG_DWORD
Values: 0 | 1
Default: 0
FaultToleranceWaitTimeBeforeRetryInSeconds
If an error occurs, the value specified is the wait time in seconds before retrying. If the value is 0, a retry is run immediately.
Type: REG_DWORD
Values: Time in seconds
Default: 120
Logfile
Specifies a name for a log file that must be created. If no value is specified, no log file is created. Only the file name, without a path, needs to be specified, so the file will reside in the %ProgramData%\One Identity\One Identity Manager\Password Capture Agent\Driver installation folder.
The log file logs all activities, and more details if the Diagnostic parameter is enabled. The log file is read-only but can be accessed from any text viewer. It is always recreated on reboot and does not yet contain any history. The time format of the logged time stamps depends on the local language of the operating system and not on the user.
Type: REG_SZ
Values: File name (without a path)
Default: (empty)
LoggingSuccessfulOperations
Enable to force the One Identity Manager to log successful transmissions to the web service to the event log.
Type: REG_DWORD
Values: 0 | 1
Default: 0
RequiredServices
Services that the Password Capture Agent driver is waiting for, before starting the Password Capture Agent service.
Type: REG_MULTI_SZ
Values: List of services
Default: RpcSs EventSystem COMSysApp
PendingCapturesArchiveDepthInDays
Specifies the number of days for undelivered password changes to be saved for retrying. Undelivered password changes can arise if errors have occurred: for example, if the associated web service is not available due to network errors, timeouts, and so on. Every password change that cannot be delivered is also logged to the Password Capture Agent event log in Windows Event Viewer. If 0 is specified, no undelivered password changes are saved; they will be lost.
Type: REG_DWORD
Value: Number of days
Default: 7
Synchronous
If this parameter is set with a value of 1, every password change is handled sequentially. As a result, the initialization process is blocked until all other components in the beyond-processing chain are complete. All password change events that occur in parallel are also blocked until the current password change is complete. This setting also means that a user who only changes their password in the password-change-dialog must wait until the entire processing is complete. This setting is only for test purposes.
Type: REG_DWORD
Values: 0 | 1
Default: 0
Ignoring\PasswordResetOperations
Enable to force One Identity Manager to ignore password resets and only transmit password changes to the One Identity Manager Service.
Type: REG_DWORD
Values: 0 | 1
Default: 0
Ignoring\UserNames
Specifies a list of names of accounts that are to be ignored and whose password changes are irrelevant and are not to be tracked. It can be built-in accounts, such as machine accounts and guest accounts, or other operating system-related accounts, such as virtual machine accounts. Every account in this list is specified as a regular expression. The default is the machine account (^.*$$), which is to be ignored.
Type: REG_MULTI_SZ
Values: List of account names as regular expressions
Default: ^.*$$
Ignoring\UserRids
Specifies a list of User-RIDs (relative part of a user SID number) that are to be ignored and whose password changes are irrelevant and are not to be tracked. These are built-in accounts, such as machine accounts and guest accounts. Every account in this list is specified as a User-RID. RIDs of built-in accounts are the same on every machine. The default for this parameter is the RID of the built-in administrator account (500), the RID of the built-in guest account (501), and the RID of the built-in Kerberos ticket-granting ticket account (502).
Type: REG_MULTI_SZ
Values: List of numbers
Default: 500 501 502
