Chat now with support
Chat with Support

Password Manager 5.13.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring access to the Administration Site Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Replicating password changes

You can manage how password-related changes are replicated in your environment. If you want to force password changes and resets in the required Active Directory sites, select the corresponding sites on the Advanced settings tab of the Edit Domain Connection dialog, and select the Replicate password-related changes check box.

Data replication

This section provides information on how Password Manager stores and replicates data.

Storing data

There are two types of data stored by Password Manager: Password Manager configuration data, and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.

Q&A profiles are stored in the attribute of a user account in Active Directory that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance. For more information, see Instance reinitialization.

Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.

  • Shared.storage: This file contains configuration data that is shared among all instances of a realm: management policies, general settings, domain connections, custom activities and workflows, instance settings, and so on.

  • Local.storage: This file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.

  • LocalizationStorage: This folder contains the user interface texts localized in several languages.

Replicating data

If you install a realm (several Password Manager instances sharing the same configuration), changes in the configuration of one instance are automatically propagated to other instances. To propagate the data, Password Manager replicates the data from the shared.storage file and the LocalizationStorage folder to Active Directory.

Before being written to Active Directory, the data is split into several segments and archived.

To distribute the configuration data from one instance to another, Password Manager uses a scheduled task and the PMReplication container in a managed domain to which the data is copied. The PMReplication container is a container that is automatically created in the Users container of the managed domain. To this container, containers for each Password Manager realm are added.

Names of these containers correspond to the realm affinity id. Each realm container has the containers for every instance belonging to this realm. Names of instance containers correspond to the instance id.

In the instance container, several user accounts are created. The number of user accounts is one more than the number of data segments. For example, if there are 20 data segments, then the instance container has 21 user accounts. Note that the created user accounts are disabled.

The same attribute that you specify for storing users’ Q&A profiles is used to store the configuration data segments. The first user account stores the data replica id, all other accounts store the data segments.

Replication mechanism analyses all data segments from all instances, selects data with the latest changes, and propagates it.

Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.

Note that the domain management account must have the permission to create user accounts and containers in the Users container for configuration data to be replicated. For more information on configuring the domain management account, see Configuring permissions for domain management account.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating