
Password Manager 5.10 - Administration Guide


Customization of Password Strength Meter

You can customize the Password strength meter on the Helpdesk site and Self-Service site.

To enable Password strength meter:

  • In the web.config file, set the value of PasswordStrengthMeterEnable to true as follows:


<add key="PasswordStrengthMeterEnable" value="true"/>


To disable Password strength meter, set the value of PasswordStrengthMeterEnable to false.

You can customize the text displaying the strength of the Password strength meter.

To customize the text:

  • In the Common.xml file in the LocalizationStorage folder, modify the Value of the following Resource Ids to display the required text:

<Resource Id="PasswordStrengthMeter.Text">
<Value><![CDATA[Password strength:]]></Value>
</Resource>

<Resource Id="PasswordStrengthMeter.VeryWeak">
<Value><![CDATA[Very weak]]></Value>
</Resource>

<Resource Id="PasswordStrengthMeter.Weak">
<!-- Value element: the text shown for this rating -->
</Resource>

<Resource Id="PasswordStrengthMeter.Good">
<!-- Value element: the text shown for this rating -->
</Resource>

<Resource Id="PasswordStrengthMeter.Strong">
<!-- Value element: the text shown for this rating -->
</Resource>

<Resource Id="PasswordStrengthMeter.VeryStrong">
<Value><![CDATA[Very strong]]></Value>
</Resource>


For more information, see Password Compliance.

Customization of User Name

You can customize the user name that is displayed on the Self-Service site and the Helpdesk site. You can configure the sites to display either the display name or the sAMAccountName as the user name.

To set display name as user name:

  • In the web.config file, set the value of DisplayName to true as follows:

<add key="DisplayName" value="true"/>

To set sAMAccountName as user name:

  • In the web.config file, set the value of DisplayName to false as follows:

<add key="DisplayName" value="false"/>
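
The two web.config changes described above (PasswordStrengthMeterEnable and DisplayName) can be applied by script so that every site gets the same value and the file stays well-formed. This is an added example, not code from the Quest guide; the function name Set-AppSetting, the sample file name, and the assumption that the keys live under /configuration/appSettings are illustrative.

```powershell
# Added example (not Quest code): idempotently set one of the two documented
# appSettings keys in a web.config, keeping a .bak copy before any change.
function Set-AppSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Only the two keys named on this page are accepted
        [Parameter(Mandatory)] [ValidateSet('PasswordStrengthMeterEnable', 'DisplayName')] [string] $Key,
        [Parameter(Mandatory)] [ValidateSet('true', 'false')] [string] $Value
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # leave the rest of the file untouched
    $xml.Load($full)                         # throws if the file is not well-formed XML

    # Assumption: standard ASP.NET layout with <appSettings> under <configuration>
    $settings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $settings) { throw "No <appSettings> section in $full" }

    $node = $settings.SelectSingleNode("add[@key='$Key']")
    if ($null -eq $node) {
        # Key not present yet: create <add key="..."/> inside <appSettings>
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$settings.AppendChild($node)
    }
    # Case-sensitive compare so a value such as "True" is normalized to "true"
    if ($node.GetAttribute('value') -ceq $Value) { return 'unchanged' }

    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # rollback copy
    $node.SetAttribute('value', $Value)
    $xml.Save($full)
    return 'updated'
}

# Constructed sample file standing in for a site's web.config
$sample = Join-Path ([IO.Path]::GetTempPath()) 'web.sample.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="PasswordStrengthMeterEnable" value="false"/>
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-AppSetting -Path $sample -Key PasswordStrengthMeterEnable -Value true
Set-AppSetting -Path $sample -Key DisplayName -Value false
Set-AppSetting -Path $sample -Key DisplayName -Value false   # second run makes no change
Get-Content -LiteralPath $sample
```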


Appendix D: Feature imparities between the legacy and the new Self-Service Sites

Password Manager does not provide feature parity between the legacy Self-Service Site (PMUser) and the new Self-Service Site (PMSelfService) for self-service related activities. All new features are developed only for the new Self-Service Site (PMSelfService).

The following new features are affected:

  • Password Manager Secure Token Server: The Authenticate with external provider action cannot be used on the legacy Self-Service Site (PMUser).



A record that consists of all the information that defines a user to Active Directory. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources.

Active Directory site in domain connection

As soon as changes occur in one site, they will be replicated to the sites you select. Use this option to reduce potential downtime. See Active Directory sites.

Administration site

A website for Password Manager administrators. On this website, they can configure Management Policies by adding managed domains, creating question lists, specifying Q&A policy, etc.

Application log

A log that lists all actions performed by Password Manager.


A piece of data that stores information that is specific to an object. A set of attributes stores the data that defines an object.


A certificate is used to encrypt traffic and provide authentication between Password Manager Service and web sites installed on different servers.

Configuration storage account

An account used by Password Manager for storing its configuration data, that is, the settings configured in Password Manager (for example, Management Policies and general settings). The configuration storage account is automatically created in the Users container of a managed domain when the managed domain is added. The configuration storage account is named QPMStorageContainer.

Custom activity

Custom activity is an activity with PowerShell handlers. Create custom activities from scratch or convert built-in activities to custom.

Custom password policy rule

This rule does not check the password compliance with the configured password policy. Configure the rule to display your custom message instead of or together with other policy messages.


A logical collection of resources that consists of computers, printers, computer accounts, user accounts, and other related objects.

Domain alias

Enter the name that will be used to address the domain on the Self-Service site.

Domain controller

For a Windows Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

Domain controller in domain connection

Selecting several domain controllers (DCs) provides fault tolerance in your environment. If the first DC becomes unavailable, the next DC in the list will be used automatically. See Domain Controller.

Domain management account

An account under which Password Manager accesses a managed domain. The domain management account must have the minimum permissions required to successfully perform password management tasks in the managed domain. For more information on the minimum permissions, see Configuring Permissions for Domain Management Account.

Do not show personally identifiable information (PII) for the logged in user

When selected, the Self-Service Site truncates personally identifiable information (PII) on the user interface. Select this option if the security policies of your organization require hiding PII.

Encryption algorithm

This algorithm is used to encrypt users’ answers to secret questions. Users’ answers will be encrypted if the “Store answers using reversible encryption” option is selected in the Q&A profile settings. Otherwise, the answers will be hashed.


Provide regular expression based on the selected Active Directory attribute to find a matching pattern in the target system.

Group Policy

An administrator’s tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization.

Hashing algorithm

This algorithm is used to hash users’ answers to secret questions if reversible encryption is not used to store the answers.

Helpdesk site

A website for helpdesk operators. On this website, they can reset users’ passwords, unlock accounts, assign temporary passcodes, etc.

In-place upgrade

The installation of the latest version of Password Manager without removing the older version.

Locked Questions and Answers Profile

A Questions and Answers Profile that temporarily cannot be used.

A Questions and Answers Profile can become locked after a number of unsuccessful attempts to answer the questions.

Mandatory question

A question, the same for all users in a domain, that users must answer in order to authenticate themselves using Password Manager.

Managed domain

A domain registered with Password Manager. You can manage multiple domains by using Password Manager.

Management Policy

Management Policy allows you to configure workflows and secret questions for specified groups of users, and select helpdesk operators to manage these users. See Management Policy components.

Optional question

A question that users should select from a list of pre-defined questions and answer to authenticate themselves using Password Manager.

Organizational unit

An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain.

Password Manager realm

Realm is a set of Password Manager Service instances sharing realm settings and configuration. You can use the realm to enhance the service availability.

Password Manager realm affinity

An association between Secure Password Extension and a Password Manager Service. If you enforce an affinity to specific Password Manager realm using Group Policy, all the clients running Secure Password Extension and affected by this policy will use only the Password Manager Service instances that belong to the specified realm.

Password Manager Service Account

An account used to install Password Manager. The Password Manager Service account must be a member of the Administrators group on the Web Server where Password Manager is installed.

Password Policy Manager

A component of Password Manager that enforces password policies configured in Password Manager, when users change their passwords using tools other than Password Manager. Password Policy Manager is installed on domain controllers.

Questions and Answers Profile (Q&A Profile)

A set of questions selected by a user from the Question list and user's answers to them. A Questions and Answers Profile is used to authenticate a person using Password Manager.

Question list

A set of questions used in creating users' Questions and Answers profiles. The list is defined by the administrator and contains a series of questions in a certain language that users from a specific domain must answer in order to create or update their personal Questions and Answers profiles. A question list defines the number of questions of each type and the wording of mandatory and optional questions.


Provide a value to replace the matched pattern in the target system.

Secure Password Extension

A component of Password Manager that facilitates access to the Self-Service site from the Windows logon screen. This component is installed on end-user computers.

Self-Service site

A website for Password Manager end-users. On this site, end-users can create their Questions and Answers Profiles and manage their passwords.

Service connection point

An Active Directory object that represents an instance of a service. The service connection point contains binding information which is used to connect to the service.

Show only user display name on the Self-Service site option

By default, in the toolbar of the Self-Service site a user's name is displayed as domain\username. For example, “mydomain\JDoe”.

To show “John Doe” instead, select this option.

Special character

A character that is neither alphabetic nor numeric.

Test attribute value

Provide a sample Active Directory attribute value to evaluate the matching pattern.

User-defined question

A question that users must provide along with the answer in order to authenticate themselves using Password Manager.

Users must enter the following user account attribute for identification: Helpdesk Site

If you leave the Helpdesk Site field empty, Password Manager will use Ambiguous Name Resolution (ANR) by default.

Workflow availability (helpdesk)

If a user is not registered, then only Reset Password, Unlock Account, and Assign Passcode workflows are enabled. For more information, see Workflow settings.

Workflow availability (self-service)

If a user is not registered, only Register, Manage My Profile and I Have a Passcode workflows are enabled. For more information, see Workflow settings.
