Chat now with support
Chat with Support

Password Manager 5.13.0 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable S2FA for Administrators & Enable S2FA for HelpDesk Users Reporting Password Manager Integration Accounts Used in Password Manager Open Communication Ports for Password Manager Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Glossary

Authenticate with RADIUS Two-Factor Authentication

Use this activity to configure Password Manager to use a RADIUS server for two-factor authentication.

It uses one-time passwords (OTP) generated by hardware or software tokens for authentication.

You can use RADIUS Two-Factor Authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.

Before using RADIUS Two-Factor Authentication for authentication, users have to configure it in General Settings tab on the home page of the Administration site. For more information, see RADIUS Two-Factor Authentication

Action Activities

This section describes activities that provide core actions of the helpdesk workflows, such as Reset password in Active Directory, Unlock account, etc.

Reset Password in Active Directory

Reset Password in Active Directory

This is a core activity of the Reset Password workflow. The activity allows helpdesk operators to reset user passwords in Active Directory only. If you want to enable helpdesk operators to reset passwords in several systems, configure the Reset password in connected systems and Active Directory activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Reset Password in Active Directory and Connected Systems.

In this activity you can configure the Enforce password history option. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings.

Before selecting this option, you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:

  • Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains.
  • Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.

Reset Password in Active Directory and Connected Systems

Reset Password in Active Directory and Connected Systems

Using this activity, you can configure Password Manager to use One Identity Quick Connect to reset passwords in connected systems. If used in conjunction with Quick Connect, Password Manager allows you to enable users and helpdesk operators to manage passwords across a wide variety of connected systems. To be able to integrate Password Manager with Quick Connect, you must have a working knowledge of Quick Connect Sync Engine.

To enable Password Manager to set passwords in connected systems through a Quick Connect server, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server.

Before you can configure Password Manager to use a Quick Connect server for cross-platform password synchronization, you must do the following in Quick Connect:

  • Create a connection to the Active Directory domains managed by Password Manager.
  • Create connections to the systems you want Password Manager to synchronize passwords with.
  • Map users from the managed domains to users in the connected systems.

For more information on how to configure Quick Connect to set passwords in connected systems, see One Identity Quick Connect documentation.

To enable Password Manager for cross-platform password synchronization

  1. Include the Reset password in Active Directory and connected systems activity in a workflow and click the activity to edit its settings.
  2. In the Quick Connect server name text box specify the IP address or the fully qualified domain name of the Quick Connect server.

  1. Select the account to be used to access the Quick Connect server. You can use either Password Manager Service account or specify another account.

    You can use either pre-Windows 2000 logon name (such as DomainName\UserName) or User Principal Name (such as UserName@DomainName.com) to specify the user name.

  2. Specify how you want Password Manager to act when the Quick Connect server is unavailable. To do it, select one of the following and click Next:
    • Act as if no Quick Connect server was specified. Helpdesk operators can manage users’ passwords only in the Active Directory domain. No warnings are displayed if Quick Connect server is not available.
    • Alert users and allow them to reset passwords only in Active Directory. Helpdesk operators are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing users’ passwords only in the Active Directory domain.
    • Do not allow users to reset passwords. Helpdesk operators cannot perform any password management tasks in the Active Directory domain and in connected data sources, if the Quick Connect server is not available.
  3. From the list of connected systems, select the systems in which you want to manage user passwords. For each selected system, specify the following options and click Next:
    • System alias
    • Reset password in this system independently from Active Directory. Select this option to allow helpdesk operators to reset users’ passwords in a connected system independently from Active Directory.
    • Do not allow resetting password in this system independently from Active Directory. Select this option to prevent helpdesk operators from resetting users’ passwords in a connected system independently from Active Directory. Note, if you select this option, a user’s password will be reset in the connected system only after the password has been successfully reset in Active Directory. If the user’ password is not reset in Active Directory, it will be not reset in the connected system. Helpdesk operators can specify a different password for the connected system, if you select the Allow specifying different password for this system option.
  4. To enforce password history in the Active Directory domains managed by Password Manager, select the Enforce password history check box. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings.

    IMPORTANT:Before selecting this option,you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:
    • Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains.
    • Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.
  1. Click OK to close the wizard.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating