Chat now with support
Chat with Support

Password Manager 5.7.1 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings Upgrading Password Manager Secure Password Extension Password Policies Reporting Password Manager Integration Appendixes Glossary About us

Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites

Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites

In this step, you provide the certificate issued for the client computers to the Self-Service and Helpdesk sites installed separately from the Password Manager Service.

To provide the certificate to the Self-Service Site

  1. Open the Self-Service site by entering the following address: http(s)://<ComputerName>/PMUser, where <ComputerName> is the name of the computer on which Self-Service site is installed. The Self-Service Site Initialization page will be displayed automatically if the Self-Service site is opened for the first time.
  2. From the Certificate name drop-down list, select the custom certificate issued for the client computer.
  3. Click Save.

To provide the certificate to the Helpdesk Site

  1. Open the Helpdesk site by entering the following address: http(s)://<ComputerName>/PMHelpdesk, where <ComputerName> is the name of the computer on which Helpdesk site is installed. The Helpdesk Site Initialization page will be displayed automatically if the Helpdesk site is opened for the first time.
  2. From the Certificate name drop-down list, select the custom certificate issued for the client computer.
  3. Click Save.

Configuring Management Policy

After initializing the Administration site, you need to configure the default Management Policy to enable users to use the Self-Service site.

The required settings you need to configure for the Management Policy are a user scope and secret questions.

Configuring User Scope

To configure the user scope, add one or more domain connections. Domain connections created for the user scope can also be used in the helpdesk scope and password policies. The same domain connection can be used in different Management Policies. Wherever you create a domain connection, you can use it elsewhere, i.e. a domain connection configured for password policies can be used in the helpdesk scope.

To manage all domain connections from a single place, click General Settings|Domain Connections on the Administration site. For more information, view Domain Connections.

Configuring Permissions for Domain Management Account

When you add a domain connection, you can create a new one or use existing connections, if any. When creating the domain connection, you must specify a domain management account - an account under which Password Manager will access the domain.

For the domain connection that you want to use in the user and helpdesk scopes, make sure the domain management account has the following minimum set of permissions:

  • Membership in the Domain Users group
  • The Read permission for all attributes of user objects
  • The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
  • The right to reset user passwords
  • The permission to create user accounts and containers in the Users container
  • The Read permission for attributes of the organizationalUnit object and domain objects
  • The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
  • The permission to create container objects in the System container
  • The permission to create the serviceConnectionPoint objects in the System container
  • The permission to delete the serviceConnectionPoint objects in the System container
  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

If you want to use the same domain connection in password policies as well, make sure the account has the following permissions:

  • The Read permission for attributes of the groupPolicyContainer objects.
  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
  • The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.
  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the following attributes of the msDS-PasswordSettings object:
    • msDS-LockoutDuration
    • msDS-LockoutThreshold
    • msDS-MaximumPasswordAge
    • msDS-MinimumPasswordAge
    • msDS-MinimumPasswordLength
    • msDS-PasswordComplexityEnabled
    • msDS-PasswordHistoryLength
    • msDS-PasswordReversibleEncryption
    • msDS-PasswordSettingsPrecedence
    • msDS-PSOApplied
    • msDS-PSOAppliesTo
    • name
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating