Password Manager 5.7.1 - Administration Guide

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of the Secure Password Extension window on end-user computers

  1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
  2. Expand Computer Configuration/Administrative Templates and then click One Identity Password Manager.
  3. Under One Identity Password Manager, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.
  4. Click OK.

Managing Secure Password Extension Using Administrative Templates

The administrative template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.

The administrative template layout includes the following folders:

  • Generic Settings - includes policy settings that can be applied to computers running Windows 8, 8.1, and 10 operating systems.
  • Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Vista operating systems.
  • Windows 8 Settings - includes policy settings that can be applied to computers running Windows 8, 8.1, and 10 operating systems.

Brief descriptions of the administrative template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic administrative template policy settings you can use to customize the behavior of Secure Password Extension.

Table 18:

Policy name / Description

Generic Settings

Specify URL path to the Self-Service site

This policy lets you specify the link used to access the Self-Service site from the Windows logon screen. This link is opened when users click the Forgot My Password or Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Forgot My Password command link in Windows 7 operating systems.

Use the following URL path format: https://COMPUTER_NAME/PMUser, where COMPUTER_NAME is the name of the server on which the Self-Service site is installed.

Substitute https:// with http:// if you don’t use HTTPS.

Override URL path to the Self-Service site

By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the “Specify URL path to the Self-Service site” setting.

Password Manager realm affinity

This policy setting lets you force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

Maximum number of attempts to connect to the Self-Service site

This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension.

If this setting is disabled or not configured, the default number of attempts is 5.

Add the Forgot My Password link to credential provider tile

This policy setting allows adding the Forgot my password link on the logon screen to the tile of the selected credential provider. If you enable this policy setting, the Forgot my password link will be added to the tile of the selected credential provider on the logon screen. If you disable or do not configure this policy setting, the Forgot my password link will be added to the default Microsoft Password provider tile. You can select a credential provider from the list or specify the GUID of another credential provider. The GUID should be specified in the following format: {00000000-0000-0000-0000-000000000000}

Create a separate tile for Secure Password Extension

This policy setting allows creating a separate tile for Secure Password Extension on the Windows logon screen. You can enable this setting when there is a compatibility issue with other credential providers.

If you disable or do not configure this policy setting, the Forgot My Password link will be added to a default Microsoft Password provider tile or tiles of the credential provider selected in the “Add the Forgot my password link to credential provider tile” policy.

Refresh interval

This policy setting allows you to change the default settings refresh interval. This policy setting determines how often domain settings are refreshed for Secure Password Extension. The default value is five minutes. If you want to reduce network load, you can increase the refresh interval. If you disable or do not configure this policy setting, the default refresh interval will be used.

Proxy Settings

Enable proxy server access

This policy setting determines whether connections to the Self-Service from the Windows logon screen are established through the specified proxy server.

Configure required proxy settings

Specifies the settings required to enable proxy server access to the Self-Service site from the Windows logon screen.

Configure optional proxy settings

Specifies optional settings for the proxy server access.

Shortcut Policies

Restore desktop shortcuts for the Self-Service site

This policy setting lets you define whether the desktop shortcut to the Self-Service site on a user's computer should be re-created by Secure Password Extension if the user deletes the desktop shortcut.

Do not create desktop shortcuts for the Self-Service site

This policy setting lets you define whether the desktop shortcuts to the Self-Service site on users' computers should not be created by Secure Password Extension.

Do not create any shortcuts for the Self-Service site

This policy setting lets you define whether any shortcuts to the Self-Service site on users' computers (on the desktop and in the Start menu) should not be created by Secure Password Extension.

Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title

This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Set custom name for the Secure Password Extension window title in <Language>

This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box.

The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyphs’ width. The URL length must not exceed 256 characters.

Usage Policy Settings

Display the usage policy button (command link)

Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs.

The usage policy command link on the Windows 7 operating system is displayed on the Windows logon screen, and is intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end-users.

Set default URL

This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file.

Set name and URL for the usage policy button (command link) in <Language>

This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available.

The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyphs’ width. The URL length must not exceed 256 characters.

Forgot My Password Settings

Display custom names for the Forgot My Password button (command link)

This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button and command link with the names that you specify for the required logon languages.

The Forgot My Password button (command link) is intended to open the Self-Service site from the Windows logon screen. On the Windows 7 operating system, the command link is displayed on the Windows logon screen irrespective of whether the user is logged on to the system or not.

Set custom name for the Forgot My Password button (command link) in <Language>

This group of policy settings allows you to specify names of the Forgot My Password button (command link) individually for each of the required logon languages. 36 language-specific policy settings are available.

Notification Customization

Set background image for registration notification dialog box

This policy setting allows you to change the default background by specifying an image that will be used as a new background.

Customize registration notifications

This policy setting allows you to define whether you want to replace the default text on language-specific registration notification dialog boxes with your custom text.

Registration Notification

Customize registration notification in <Language>

This group of policy settings allows you to customize texts in notification dialog boxes individually for each of the required logon languages. 36 language-specific policy settings are available.

Q&A Profile Update Notification

Customize Q&A profile update notification in <Language>

This group of policy settings allows you to customize notifications that request users to update their Q&A profiles individually for each of the required logon languages. 36 language-specific policy settings are available.

Upgrade Settings

Force connection to Self-Service site 4.x

This policy setting allows you to force Secure Password Extension to connect to Self-Service sites 4.x. You can use this setting during migration from Password Manager 4.x to Password Manager 5.x - after you upgrade SPE 4.x to 5.x, but before converting users' Q&A profiles. If you enable this setting, SPE will connect to Self-Service sites 4.x. You should apply the setting to users whose Q&A profiles have not been converted yet, thus enabling them to use Self-Service sites. If you disable or do not configure the setting, SPE will connect to Self-Service sites 5.x.

Secure Password Extension Separate Tile Settings

Create a separate tile for Secure Password Extension

This policy setting allows creating a separate tile for Secure Password Extension on the Windows logon screen. You can enable this setting when there is a compatibility issue with other credential providers. If you disable or do not configure this policy setting, the Forgot My Password link will be added to a default Microsoft Password provider tile or tiles of the credential provider selected in the “Add the Forgot my password link to credential provider tile” policy.

Set tile image

This policy setting lets you choose a picture that will be associated with the Secure Password Extension tile on the Windows logon screen. If you enable this policy setting, the specified picture will replace the default picture of the Secure Password Extension tile. If you disable or do not configure this policy setting, the default tile picture will be displayed. You can use the following image types: bmp, gif, jpg, or png. The image may have any size suitable for your requirements. The recommended size is 128 by 128 pixels.

Set Custom Names

Display custom names of the tile

This policy specifies whether the custom names of the Secure Password Extension tile will be displayed on the Windows logon screen. If you enable this setting, the specified language-specific names will be displayed under the credential tile on the Windows logon screen. If you disable or do not configure this setting, the default tile name (Secure Password Extension) will be displayed. Note: If the “Create a separate tile for Secure Password Extension” policy is disabled, then this policy has no effect.

Set custom tile name in <language>

This policy setting lets you modify the language-specific name of Secure Password Extension credential tile on the Windows logon screen. If you enable this setting, the specified name will be displayed under the credential tile on the Windows logon screen of the language-specific operating systems in the managed domain. If you disable or do not configure this setting, the default tile name will be displayed. Note: If the “Display custom names of the tile” policy is disabled, then this policy has no effect.

Offline Password Reset Settings

Display the Offline Password Reset button (command link)

This policy setting lets you define whether to display the Offline Password Reset buttons and command links for which you have specified the logon language-specific names.

The Offline Password Reset command link on the Windows 7 operating system is displayed on the Windows logon screen and is intended to open the Offline Password Reset wizard. These buttons and command links are available only if the offline password reset feature is installed on target user computers.

To use this setting, you must specify the button (link) name for each of the required logon languages.

If you enable this policy setting, the Offline Password Reset button (command link) will be displayed on user computers under the specified language-specific names. Clicking the button or the command link will open the Offline Password Reset wizard.

If you disable or do not configure this policy setting, the Offline Password Reset buttons and command links will not appear on user computers.

Shared secret update period (hours)

This policy setting lets you define how often the shared secret used for authentication during the offline password reset should be updated. Set the update period in hours. Lower values provide better security, but setting very low values for the update period may cause replication issues.

It is recommended to make this value greater than the intersite replication period in the Active Directory domain.

Note: If the Display the Offline Password Reset button (command link) policy is disabled, then this policy has no effect.

Set custom name for the Offline Password Reset button (command link) in <Language>

This policy setting lets you specify the name of the Offline Password Reset button (command link) in <Language>.

If you enable this policy setting, then the Offline Password Reset button (command link) will be displayed under the specified name on computers that use <Language> as the logon language.

If you disable or do not configure this policy setting, then the default language-specific name will be displayed on the Offline Password Reset button (command link).

The text you specify must not exceed 32 characters.

Note: If the Display the Offline Password Reset button (command link) policy is disabled, then this policy has no effect.

Configure scope for accessing the shared secret in Active Directory

This policy setting, when deployed to the client, lets you define a list of users and groups that will have the permission to read the shared secret’s copy published in Active Directory.

Note that the domain management account must have this permission for the offline password reset functionality to work.

Note that the computer account used to store the shared secret’s copy and the domain administrators group always have the permission to read the shared secret’s copy.
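
The following pre-flight check for values planned for the Table 18 settings is an added example, not One Identity code: it checks the Self-Service URL format, the credential provider GUID format, the custom name length limits, and the shared secret update period against intersite replication. The function and parameter names are hypothetical, the sample values are constructed, and the wide-glyph ranges and the use of the slowest single site link are assumptions.

```powershell
# Added example, not vendor code. Function and parameter names are hypothetical.
function Test-SpePolicyPlan {
    param(
        [string]$SelfServiceUrl,
        [string]$CredentialProviderGuid,
        [hashtable]$CustomNames,            # logon language -> custom name
        [int]$SharedSecretUpdateHours,
        [int[]]$SiteLinkIntervalMinutes     # one value per AD site link
    )
    $findings = @()

    # Guide format: https://COMPUTER_NAME/PMUser
    $uri = $null
    if (-not [Uri]::TryCreate($SelfServiceUrl, [UriKind]::Absolute, [ref]$uri)) {
        $findings += "Self-Service URL is not an absolute URL: '$SelfServiceUrl'"
    } else {
        if ($uri.Scheme -ne 'https') {
            $findings += "Self-Service URL uses $($uri.Scheme)://; logon-screen traffic to the site is not encrypted"
        }
        if ($uri.AbsolutePath.TrimEnd('/') -ne '/PMUser') {
            $findings += "Self-Service URL path is '$($uri.AbsolutePath)', expected /PMUser"
        }
    }

    # Guide format: {00000000-0000-0000-0000-000000000000}
    if ($CredentialProviderGuid -notmatch '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$') {
        $findings += "Credential provider GUID is malformed: '$CredentialProviderGuid'"
    }

    # Names: 32 characters, or 14 when a hieroglyphic font is used.
    # Assumption: wide glyphs are approximated by the CJK/Hangul ranges below.
    foreach ($lang in $CustomNames.Keys) {
        $name  = $CustomNames[$lang]
        $limit = if ($name -match '[\u3040-\u30FF\u4E00-\u9FFF\uAC00-\uD7AF]') { 14 } else { 32 }
        if ($name.Length -gt $limit) {
            $findings += "Custom name for $lang is $($name.Length) characters, limit is $limit"
        }
    }

    # The shared secret update period should exceed the intersite replication period.
    # Assumption: the slowest single site link stands in for that period.
    $slowestHours = ($SiteLinkIntervalMinutes | Measure-Object -Maximum).Maximum / 60
    if ($SharedSecretUpdateHours -le $slowestHours) {
        $findings += "Shared secret update period ($SharedSecretUpdateHours h) does not exceed the slowest site link ($slowestHours h)"
    }
    $findings
}

# Constructed sample values. Real intervals can be read with:
#   (Get-ADReplicationSiteLink -Filter *).ReplicationFrequencyInMinutes
Test-SpePolicyPlan -SelfServiceUrl 'http://pmserver01/PMUser' `
    -CredentialProviderGuid '00000000-0000-0000-0000-000000000000' `
    -CustomNames @{ English = 'Forgot My Password'; Japanese = ([string][char]0x5FD8) * 15 } `
    -SharedSecretUpdateHours 2 -SiteLinkIntervalMinutes 180, 360
```

With the constructed values, the function returns four findings: the http:// scheme, the GUID without braces, the 15-character wide-glyph name, and the 2-hour update period against a 6-hour site link.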

Pre-Windows Vista Settings

The following table outlines administrative template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

Table 19:

Policy name / Description

Secure Password Extension Logo

Set dialog background image

This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen.

Secure Password Extension Window Settings

Set the Secure Password Extension Window Position

This policy setting lets you specify the position of the Secure Password Extension window on the Windows logon screen of user computers.

Manage My Password Settings

Display custom names for the Manage My Password button

This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button with the names that you specify for the required logon languages.

The Manage My Password button is intended to open the Self-Service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are logged on to the system.

Set custom name for the Manage My Password button in <Language>

This group of policy settings allows you to specify the name of the Manage My Password button individually for each of the required logon languages. 36 language-specific policy settings are available.
