Chat now with support
Chat with Support

Password Manager 5.11.3 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable S2FA for Administrators & Enable S2FA for HelpDesk Users Reporting Password Manager Integration Appendixes Glossary

Enforcing Password History When Resetting Password

When you use Password Manager to reset your password, Active Directory does not automatically check the new password against the password history. As a result, the “Enforce password history” policy setting may have no effect. To ensure that this password policy setting is applied in Active Directory when your password is reset by using Password Manager, the Enforce password history option must be selected in the Reset password in Active Directory and Reset password in Active Directory and connected systems activities.

Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains.

When the password history is enforced for resetting passwords, Password Manager resets users' old password to an automatically generated password that complies with password policies. It is required for the user to go through the Quick Connect workflow once again where the Reset password in Active Directory and connected systems activity is configured. This time the password is changed to the one provided by the user. Note that, if an error occurs when changing the password, users may end up with the automatically generated password they do not know.

For more information, see Reset Password in Active Directory.

Replicating Password Changes

You can manage how password-related changes are replicated in your environment. If you want to force password changes and resets in the required Active Directory sites, select the corresponding sites on the Advanced settings tab of the Edit Domain Connection dialog, and select the Replicate password-related changes check box.

Data Replication

This section provides information on how Password Manager stores and replicates data.

Storing Data

There are two types of data stored by Password Manager: Password Manager configuration data, and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.

Q&A profiles are stored in the attribute of a user account in Active Directory that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance. For more information, see Instance Reinitialization .

Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.

The Shared.storage file contains configuration data that is shared among all instances of a realm: management policies, general settings, domain connections, custom activities and workflows, instance settings, and so on.

The Local.storage file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.

The LocalizationStorage folder contains the user interface texts localized in several languages.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating