Chat now with support
Chat with Support

Password Manager 5.14.2 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring Access to the Administration Site Configuring Access to the Password Manager Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Password Manager Self-Service Site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Third-party contributions Glossary

Force User to Change Password at Next Logon

Use this activity when users want to change their passwords during the next logon.

For example, you can use this activity in the Reset Password workflow and can force users to change passwords at the next logon once the password has been reset by a helpdesk operator.

To allow users to change password at the next logon, the helpdesk operator must select Helpdesk operators can choose whether to force users to change password at next logon check box available in the Force user to change password at next logon activity.

It is recommended to place this activity after the Reset Password in AD LDS activity in a workflow.

Subscribe to Notifications

This activity is a core activity of the My Notifications workflow. It allows users to select on the Self-Service Site the events they want to be notified about, such as when their password is changed or account is unlocked.

The event list available on the Self-Service Site depends on the settings you configure in the user notification activities included in the self-service workflows. Each user notification activity (Email user if workflow succeeds and Email user if workflow fails) has the settings that allow you to subscribe users to this notification or to allow users to choose whether they want to receive this notification or not.

If user notifications activities are not included in a workflow, users will not receive any email notifications about this workflow.

A notification text depends on the workflow in which the notification activity is used. For example, if the Email user if workflow succeeds activity is used in the Forgot My Password workflow, after successfully performing this task on the Self-Service Site the user will be notified that his password has been reset. By default, the Email user if workflow succeeds and Email user if workflow fails activities are included in each built-in self-service workflow and offer notification templates.

Note that notification templates are available for built-in activities and built-in workflows only.

For more information on configuring user notification activities, see Notification Activities.

IMPORTANT: If a user notification activity is included in a helpdesk workflow, the user will receive the corresponding notification. You cannot change user subscription settings of notifications about helpdesk workflows.

Lock Q&A Profile

If you want to lock the user’s Questions and Answers profile after several failed authentication attempts, place the Lock Q&A profile activity before the Restart workflow if error occurs activity in a workflow. The Lock Q&A profile activity locks the profile when the total number of attempts to authenticate the user by using any of the following activities equals or exceeds the lockout threshold value:

  • Authenticate with Q&A profile

  • Authenticate via phone

  • Authenticate with passcode

By default, the Lock Q&A profile activity is included in the Forgot My Password and Unlock My Account workflows.

IMPORTANT:

  • If the user’s Q&A profile gets locked, all tasks on the Self-Service Site will be unavailable for the user. In this case, the user must contact help desk to obtain a passcode and unlock the Q&A profile.

  • If an unregistered user is registering for the first time and tries to enter a wrong password beyond the specified limit, the profile shall be locked out. The user has to wait for the duration configured for Reset lockout Account.

This activity has the following settings:

  • Lockout duration: Specify the number of minutes the profile remains locked out before automatically becoming unlocked.

  • Lockout threshold: Specify the number of failed authentication attempts that will cause a the profile to be locked out.

  • Reset account lockout counter after: Specify the number of minutes that must elapse from the time a user fails to authenticate before the failed authentication attempt counter is reset to 0 bad authentication attempts.

Display User Agreement

Depending on the legislation requirements, organizations may be required to explicitly obtain users’ consent to store their personal information which is available in Questions and Answers profile.

You can use this activity to have the Self-Service Site ask users to agree that Password Manager will store their personal information.

For example, you can use this activity in the My Questions and Answers Profile workflow; it is recommended to place the activity after authentication activities and before the Edit Q&A profile activity.

To configure the Display user agreement activity

  1. Open the Display user agreement activity included in the workflow.

  2. Edit the agreement text in the default language as required. When editing the agreement text, you can use the parameters available in the editor, for example #USER_ACCOUNT_NAME# and others.

  3. To edit the agreement text in the available additional languages, click the language link in the Additional languages list. By default, the agreement text template is available in 16 languages.

  4. Click the Add new language link to select more languages for the agreement text.

  5. Click OK.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating