Chat now with support
Chat with Support

Password Manager 5.7.1 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings Upgrading Password Manager Secure Password Extension Password Policies Reporting Password Manager Integration Appendixes Glossary About us

Password Manager Service Account

Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.

Application Pool Identity

Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity during Password Manager setup will be used to run Password Manager Web sites.

Application pool identity account must meet the following requirements:

  • This account must be a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
  • This account must have permissions to create files in the <Password Manager installation folder>\App_Data folder.
  • Application pool identity account must the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.

Domain Management Account

Domain management account is an account under which Password Manager accesses a managed domain. Domain management account must meet the following minimum requirements to successfully perform password management tasks in the managed domain:

  • Membership in the Domain Users group
  • The Read permission for all attributes of user objects
  • The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
  • The right to reset user passwords
  • The permission to create user accounts and containers in the Users container
  • The Read permission for attributes of the organizationalUnit object and domain objects
  • The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
  • The permission to create container objects in the System container
  • The permission to create the serviceConnectionPoint objects in the System container
  • The permission to delete the serviceConnectionPoint objects in the System container
  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

Password Policy Account

You can use Password Manager to create password policies that define which passwords to reject or accept. Password policy account is an account that you specify when you add a domain for configuring password policies.

Password policy account must meet the following minimum requirements:

  • The Read permission for attributes of the groupPolicyContainer objects.
  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
  • The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.
  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the following attributes of the msDS-PasswordSettings object:
    • msDS-LockoutDuration
    • msDS-LockoutThreshold
    • msDS-MaximumPasswordAge
    • msDS-MinimumPasswordAge
    • msDS-MinimumPasswordLength
    • msDS-PasswordComplexityEnabled
    • msDS-PasswordHistoryLength
    • msDS-PasswordReversibleEncryption
    • msDS-PasswordSettingsPrecedence
    • msDS-PSOApplied
    • msDS-PSOAppliesTo
    • name

For more information on password policies that can be configured in Password Manager, see Creating and Configuring a Password Policy.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating