Chat now with support
Chat with Support

Password Manager 5.10.1 - How-to Guide

Overview Licensing Upgrading Secure Password Extension Password Policy Manager Configuration Reinitialization Reports Starling 2FA Customizations Troubleshooting

Installing Password Policy Manager

Password Policy Manager is deployed on all Domain Controllers (DC) via the Group Policy. You can create a new Group Policy Object (GPO) or use an existing one to assign the Password Policy Manager installation package to the destination computers. Password Policy Manager is then installed on computers on which the GPO applies.

The installation package is located in the \Password Manager\Setup folder of the ISO image or the extracted installation archive, and has the following file name:

PasswordPolicyManager_x64.msi

Settings Controlled by the Password Policy

  • Password Age Rule: Ensures that users cannot use expired passwords or change their passwords too frequently.
  • Length Rule: Ensures that passwords contain the required number of characters.
  • Complexity Rule: Ensures that passwords meet minimum complexity requirements.
  • Required Characters Rule: Ensures that passwords contain certain character categories.
  • Disallowed Characters Rule: Rejects passwords that contain certain character categories.
  • Sequence Rule: Rejects passwords that contain more repeated characters than it is allowed.
  • User Properties Rule: Rejects passwords that contain part of a user account property value.
  • Dictionary Rule: Rejects passwords that match dictionary words or their parts.
  • Symmetry Rule: Ensures that password or its part does not read the same in both directions.
  • Custom Rule: Use this rule to display the custom policy rule message for users when other policy rules cannot be read or to hide the configured policy rules.

Configuring rules for a Password Policy

To configure rules for a password policy:

  1. On the home page of the Administration site, click the Password Policies tab
  2. Under the Password Policies for Managed Domains tab, click Add domain connection
  3. If you already have a Domain Connection configured (such as for User and Helpdesk scopes), click Use this connection
  4. Click One Identity password policies are not configured
  5. Click Add new password policy
  6. Enter an appropriate policy name when prompted
  7. Click Edit and configure the required settings under the Policy Rules tab
  8. Click Policy Scope tab
  9. Click Add in both the Organizational Units and Groups options to link the Policy to the appropriate Organizational Unit and corresponding Group.

NOTE: You must select both or the policy will not be applied to users. The options set here are exactly as you would see the Link option in the native Microsoft Group Policy Management Console (GPMC.msc) MMC Snap-In.
  1. Once the Policy Rules are configured and the Policy is linked, click the Policy Settings tab and un-check the Disable this policy feature to enable the policy
  2. Click Save

Configuration

The following are the common configuration recommendations:

  • Use the same Domain Connection for User Scope, Helpdesk Scope and Password Policy settings.

Example:

Figure 8:  

  • When adding in a User Scope, choose Use this connection if you already have a connection to that Domain.

Example:

Figure 9:  

Figure 10:  

Why?

The duplicate entries increase the size of the Shared.storage file, which in turn gets replicated to Active Directory, which will increase network traffic with a larger replicated data size. The duplicate entries also cause numerous duplicate connections with the Scheduled Tasks and thus increases the time it takes to complete each Scheduled Task.

For example, if you have a total of 20 Management Scopes, you should only have 20 Domain Connections. If you were to select Add domain connection for every User Scope, Helpdesk Scope and Password Policy setting you would have 60 total Domain Connections.

  • It is not possible to use Optional questions to authenticate for the Helpdesk site. Only Mandatory and Helpdesk questions can be used
  • It is recommended to use a Helpdesk question as the Helpdesk staff can see the answers which allows the Helpdesk staff to authenticate the user
  • To pre-populate and pre-register users, use the Bulk Import Wizard. Please follow solution 128944:

    https://support.oneidentity.com/password-manager/kb/128944

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating