Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Password Manager 5.10 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Password Manager components and third-party applications Unregistering users from Password Manager Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies One Identity Starling Reporting Password Manager Integration Appendixes Glossary

Logging in Secure Password Extension

For diagnostic purposes you can turn on logging in Secure Password Extension. The log file can contain the following information: exceptions and errors, debug messages and functions’ returns, etc. You can use this diagnostic data to identify issues with Secure Password Extension.

Caution: This section describes how to modify the Registry. However, incorrectly modifying the Registry may severely damage the system. Therefore, you should follow the steps carefully. It is also recommended to back up the Registry before you modify it.

To enable logging in Secure Password Extension

  1. On a computer where Secure Password Extension is installed, click the Start button, click Run, and type regedit. Click OK.
  2. In the Registry tree (the left tab), create the following key: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging.
  3. Add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. To do it, click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. On the Edit menu, select New, and then click String Value.
  4. Type LogLevel and then press ENTER to name the string value.
  5. Right-click the LogLevel value and select Modify.
  6. In the Edit String dialog box, type All under Value data. Click OK.
  7. Add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. To do it, click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key. On the Edit menu, select New, and then click String Value.
  8. Type LogFolder and then press ENTER to name the string value.
  9. Right-click the LogFolder value and select Modify.
  10. In the Edit String dialog box, type the path to the log file under Value data. For example, C:\Logs. Click OK.
  11. Exit the Registry Editor.
  12. Restart the computer.

To disable logging in Secure Password Extension

  1. On a computer where Secure Password Extension is installed, click the Start button, click Run, and type regedit. Click OK.
  2. In the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key, select the LogLevel value.
  3. Right-click the LogLevel value and select Modify.
  4. In the Value data box, type Off, and click OK.

 

Password Policies

About Password Policies

You can use Password Manager to create password policies that define which passwords to reject or accept. Password policy settings are stored in Group Policy objects (GPOs). A GPO is applied by linking the GPOs to a target container defined in Active Directory, such an organizational unit or a group.

Group Policy objects from parent containers are inherited by default. When multiple Group Policy objects are applied, the policy settings are aggregated.

For information on how to apply a password policy and change policy link order, see Managing Password Policy Scope.

Password Policy Manager

Password Policy Manager is an independently deployed component of Password Manager. Password Policy Manager is required to enforce Password Manager password policies when users change their passwords using tools other than Password Manager. To enforce Password Manager password policies, you must deploy Password Policy Manager on all Domain Controllers (DC) of your managed domain.

When a user changes their password in Password Manager, the new password is checked right away. If it complies with password policies configured in Password Manager, the new password is accepted.

However, when a user changes their password outside of Password Manager (for example, within the operating system by pressing Ctrl+Alt+Delete), Password Manager can not check the new password immediately. Instead, the compliance of the new password to the password policy rules is checked on a DC of the managed domain where Password Policy Manager is installed. If PPM is not installed on the DCs of the managed domain, then new passwords set outside Password Manager will not be checked against the password policies configured in Password Manager.

As such, Password Policy Manager extends the default password policy settings and allows administrators to configure policy scopes for each policy, so that only specified organizational units and groups are affected by the policy.

Password policy settings are stored as Group Policy Objects (GPOs). Password Policy Manager can only create new GPOs: it does not change any existing GPOs.

The installer of the Password Policy Manager component is located at the following subfolder of the Password Manager ISO image or extracted installation archive:

/Password Manager/Setup/PasswordPolicyManager_x64.msi

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating