Password Manager 5.14.3 - Administration Guide (AD LDS Edition)


Connecting to AD LDS Instance

After adding a connection to the user scope, you need to specify groups from the application directory partition that will be able to access the Self-Service Site. By default, the group “Users” is included in the scope when you add the connection to the user scope. You can also restrict some groups from accessing the Self-Service Site.

To connect to AD LDS instance

  1. Open the Administration Site by entering the Administration Site URL in the address bar of your browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed.

  2. On the Administration Site, select the Management Policy you want to configure and click the User Scope link.

  3. On the User Scope page, click Connect to AD LDS instance.

  4. If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.

  5. If you selected to create the new connection, in the Connect to AD LDS Instance dialog, configure the following options:

    • In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.

    • In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, enter the LDAP port number. It is recommended to use SSL in your production environment so that the bind credentials and directory data are not sent in clear text.

    • In the Application directory partition text box, enter the name of the application directory partition from the AD LDS instance to which you want to connect.

    • In the Application directory partition alias text box, type the alias for the application directory partition which will be used to address the partition on the Self-Service Site.

    • In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account. Otherwise, select The following Active Directory account or The following AD LDS account and enter the required user name and password.

    For information on how to prepare the access account, see Configuring Permissions for Access Account.

  6. Click Save.

    NOTE: When you add an AD LDS instance to the user scope, the group “Users” from the specified application directory partition is automatically included in the user scope.
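Before entering these values in the dialog, it is worth confirming from the Password Manager server that the instance accepts an SSL bind from the intended access account and actually hosts the partition you plan to type in. The following PowerShell script is an added example and is not part of the product or of this guide; the server name, port, partition DN and account DN are placeholders, and the CN=Roles location of the default Users group is assumed from the AD LDS default layout.

```powershell
# Added pre-flight check (not part of Password Manager): verify that an AD LDS
# instance accepts an SSL bind from the intended access account and exposes the
# application directory partition before the values are entered in the dialog.
# All values below are assumed placeholders; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server        = 'adlds01.example.com'                      # assumed server name
$Port          = 50001                                       # assumed SSL port chosen during AD LDS setup
$PartitionDN   = 'CN=PMUsers,DC=example,DC=com'              # assumed application directory partition
$AccessAccount = 'CN=pm-access,CN=Users,DC=example,DC=com'   # assumed AD LDS account (DOMAIN\user for an AD account)
$Credential    = Get-Credential -UserName $AccessAccount -Message 'Access account password'

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true               # same as the "Use SSL" check box
$conn.SessionOptions.ProtocolVersion   = 3
# Server certificate validation is left at its default (enabled); do not disable it to "make it work",
# fix the certificate on the AD LDS instance instead.
# Basic is required for an AD LDS account; use Negotiate for an Active Directory account.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $Credential.GetNetworkCredential()

$scope = [System.DirectoryServices.Protocols.SearchScope]::Base
try {
    $conn.Bind()                                             # fails here if port, certificate or password is wrong
    Write-Host "SSL bind to ${Server}:${Port} as $AccessAccount succeeded."

    # rootDSE lists the partitions this instance hosts; the one typed in the dialog must be among them
    $rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', $scope, 'namingContexts')
    $contexts = $conn.SendRequest($rootReq).Entries[0].Attributes['namingContexts'].GetValues([string])
    if ($contexts -notcontains $PartitionDN) {
        throw "Partition '$PartitionDN' is not hosted by this instance. Available: $($contexts -join ', ')"
    }

    # The group Password Manager adds to the user scope by default lives in CN=Roles of the partition.
    $usersGroup = "CN=Users,CN=Roles,$PartitionDN"
    $grpReq = New-Object System.DirectoryServices.Protocols.SearchRequest($usersGroup, '(objectClass=group)', $scope, 'member')
    $entry  = $conn.SendRequest($grpReq).Entries[0]
    $memberCount = 0
    if ($entry.Attributes.Contains('member')) { $memberCount = $entry.Attributes['member'].Count }
    Write-Host "Group $usersGroup found with $memberCount direct member(s)."
}
catch {
    Write-Error "Pre-flight check failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

A failed bind with a correct password usually points at the certificate on the SSL port or at a wrong port number, which are exactly the two values the dialog cannot validate for you.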

To specify groups or OUs that are allowed to access the Self-Service Site

  1. On the Administration Site, select the Management Policy you want to configure and click the User Scope link.

  2. On the User Scope page, select the connection for which you want to specify groups or OUs and click Edit.

  3. Do the following:

    • To specify the groups, click Add under Groups allowed access to the Self-Service Site.

    • To specify the OUs, click Add under Organizational Units allowed access to the Self-Service Site.

  4. Click Save.

NOTE: If the Domain Management account is configured with a user other than the Active Directory Administrator, grant security permissions to all the groups and OUs that are added as Included groups and Included OUs in the user scope.

If the users, groups or OUs included in the user scope are members of the Readers or Administrators group in AD LDS, the write permissions are already inherited.

To specify groups or OUs that are denied access to the Self-Service Site

  1. On the Administration Site, select the Management Policy you want to configure and click the User Scope link.

  2. On the User Scope page, select the connection for which you want to specify groups or OUs and click Edit.

  3. Do the following:

    • To specify the groups, click Add under Groups denied access to the Self-Service Site.

    • To specify the OUs, click Add under Organizational Units denied access to the Self-Service Site.

  4. Click Save.

Changing Access Account

To access a managed AD LDS instance, you can use the Password Manager Service account, an Active Directory account or an AD LDS account. For more information on how to configure the access account, see Configuring Permissions for Access Account. Password Manager Service account is the account that was configured during Password Manager installation. Password Manager Service account may be used as the access account only when the Service account has all required permissions.

To modify account used to access an AD LDS instance

  1. On the Administration Site, select the Management Policy you want to configure and click the User Scope link.

  2. On the User Scope page, select the connection for which you want to change access account and click Edit.

  3. On the User Scope Settings for #Application Directory Partition# page, click Edit.

  4. In the Access account section of the Edit AD LDS Instance Connection dialog, select Password Manager Service account to have Password Manager access the managed instance using the Password Manager Service account. Otherwise, select The following Active Directory account or The following AD LDS account, then enter the required user name and password.

  5. Click Save and select how you want to apply the updated settings. You can either apply the new settings for this user scope only, or everywhere where this connection is used.

Removing Connection to AD LDS Instance

This section describes how to remove a connection to an AD LDS instance.

To remove a connection to AD LDS instance

  1. On the Administration Site, select the Management Policy you want to configure and click the User Scope link.

  2. On the User Scope page, select the connection you want to delete and click Remove. If you want to permanently remove the connection, remove it everywhere where it is used, then on the General Settings > AD LDS Instance Connections tab, click Remove under the required connection.

NOTE: The connection will be removed from the selected user scope only.

Adding Secret Questions

Secret questions are the main part of the Questions and Answers policy, which is used to authenticate users on the Self-Service Site before they can perform any self-service tasks.

For more information on the Questions and Answers policy, see Configuring Questions and Answers Policy.

To create secret questions in the default language

  1. Open the Administration Site by typing the Administration Site URL in the address bar of your Web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.

  2. On the Administration Site home page, under the Management Policy that you want to configure, click Add secret questions.

  3. On the Configure Questions and Answers Policy page, click Add questions in the default language.

  4. In the Edit Questions in the Default Language dialog, specify mandatory, optional and helpdesk questions. To change the default language for secret questions, click Change language.

  5. To change the order of the questions, click the appropriate links.

  6. To save the questions, click Save.

    NOTE: Modifying a question list does not affect existing personal Questions and Answers profiles unless the users have to update their profiles as a result of the enforcement rules that require users to update Q&A profiles when the question list is modified. For more information on the enforcement rules, see User Enforcement Rules.
