Chat now with support
Chat with Support

Password Manager 5.13.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring access to the Administration Site Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Changing password in Active Directory and connected systems

Using this activity, you can configure Password Manager to use One Identity Quick Connect to reset passwords in connected systems. If used in conjunction with Quick Connect, Password Manager allows you to enable users and Helpdesk operators to manage passwords across a wide variety of connected systems. To be able to integrate Password Manager with Quick Connect, you must have a working knowledge of Quick Connect Sync Engine.

To enable Password Manager to set passwords in connected systems through a Quick Connect server, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server.

Before you can configure Password Manager to use a Quick Connect server for cross-platform password synchronization, you must do the following in Quick Connect:

  • Create a connection to the Active Directory domains managed by Password Manager.

  • Create connections to the systems you want Password Manager to synchronize passwords with.

  • Map users from the managed domains to users in the connected systems.

For more information on how to configure Quick Connect to set passwords in connected systems, see the One Identity Quick Connect documentation.

To enable Password Manager for cross-platform password synchronization

  1. Include the Change password in connected systems and Active Directory activity in a workflow and click the activity to edit its settings.

  2. In the Quick Connect server name text box, specify the IP address or the fully qualified domain name of the Quick Connect server.

  3. Select the account to be used to access the Quick Connect server. You can use either Password Manager Service account or specify another account.

    You can use either pre-Windows 2000 logon name (such as DomainName\UserName) or User Principal Name (such as UserName@DomainName.com) to specify the user name.

  4. Specify how you want Password Manager to act when the Quick Connect server is unavailable. To do it, select one of the following and click Next:

    • Act as if no Quick Connect server were specified: Users can manage their passwords only in the Active Directory domain. No warnings are displayed to users if the Quick Connect server is not available.

    • Alert users and allow them to change passwords only in Active Directory: Users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in the Active Directory domain.

    • Do not allow users to change passwords: Users cannot perform any password management tasks in the Active Directory domain and in connected data sources, if the Quick Connect server is not available.

  5. From the list of connected systems, select the systems in which you want to manage user passwords. For each selected system, specify the following options and click Next:

    • System alias

    • Change password in this system independently from Active Directory: Select this option to allow users to change their passwords in a connected system independently from Active Directory.

    • Do not allow changing password in this system independently from Active Directory: Select this option to prevent users from changing their passwords in a connected system independently from Active Directory.

      NOTE: If you select this option, the user’s password will be changed in the connected system only after the password has been successfully changed in Active Directory. If the user’s password is not changed in Active Directory, it will be not changed in the connected system. Users can specify different password for the connected system, if you select the Allow users to specify different password for this system option.

  6. Select the Enable QESSO integration to integrate Password Manager with Quest Enterprise Single Sign-On (QESSO) and notify QESSO about user’s password changes. For more information, see Quest Enterprise Single Sign-On (QESSO).

  7. Click OK to close the wizard.

Reset password in connected systems through embedded connectors

You can use this activity to reset the password in connected systems through embedded connectors. This activity has to be added after the reset or change password in Active Directory activity in the workflow.

The default configuration of this workflow is the following:

  1. Reset password in Active Directory.

  2. Change password in Active Directory.

To configure settings to reset passwords on connected systems through embedded connectors

  1. On the home page of the Administration Site, click Default Management Policy.

  2. Click Forgot My Password or Manage My Profile.

  3. In the workflows, click Change/Reset password in connected systems through embedded connectors (preview).

  4. Select the required platform from the Select platform drop-down menu.

  5. Provide configuration information for the selected platform.

    IMPORTANT: Configuration settings may vary depending on the platform you select.

    • You also have the option to enter the AD attribute regular expression phrase to find in the Find text field.

    • You also have the option to enter the AD attribute regular expression phrase to replace in the Replace text field.

  6. Click Test Connection to check the connectivity and click OK.

You can verify the regular expression results in target systems by entering the sample AD attribute find and replace fields views the results to understand how target user attributes are mapped. For example, from the email <user>@<website>.com in the AD and the email <user>@<website>.co.in in the target systems, you can find and replace the domain from .co.in to .com.

Unlock account

This activity is a core activity of the Unlock My Account workflow. It allows users to unlock their accounts using the Self-Service Site.

You do not need to configure any settings for this activity.

Enable Account

Use this activity to enable users’ disabled accounts. You can use the activity in different workflows. It is recommended to place this activity after authentication activities in a workflow.

NOTE: If you want to enable only the user accounts disabled through force enrollment, in the activity settings, select Enable user accounts disabled by force enrollment check box.

For example, to enable users with disabled accounts to reset passwords and enable their accounts, you can use the Enable Account activity in the Forgot My Password workflow:

  1. Authenticate user with Q&A profile.

  2. Enable account.

  3. Reset password in Active Directory.

  4. Restart workflow if error occurs.

  5. Email user if workflow succeeds.

  6. Email user if workflow fails.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating