About Password Manager
Getting Started
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Extending AD LDS Schema
Instance Initialization
Installing Self-Service and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
TeleSign
SQL Server Database and SQL Server Reporting Services
Quick Connect Sync Engine
Defender
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Siteson Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Management Policy Overview
Password Policy Overview
reCAPTCHA Overview
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Data Replication
Phone-Based Authentication Service Overview
Configuring Management Policy
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
Configuring Questions and Answers Policy
Workflow Overview
Custom Workflows
Custom Activities
General Settings
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
My Questions and Answers Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Overview of Built-in Self-Service Activities
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in AD LDS
Change Password in AD LDS
Reset Password in AD LDS and Connected Systems
Change Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Q&A Profile
Enforce Update of Q&A Profile
Overview of Built-in Helpdesk Activities
User Enforcement Rules
Authentication Activities
Authenticate with Q&A Profile
Authenticate via Phone
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Action Activities
Reset Password in AD LDS
Reset Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Assign Passcode
Unlock Q&A Profile
Enforce Update of Q&A Profile
Restart Workflow if Error Occurs
Notification Activities
General Settings Overview
Search and Logon Options
Password Policies
Configuring Search and Security Options for the Self-Service Site
Configuring Search Options for the Helpdesk Site
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Invitation to Create/Update Q&A Profile Task
Reminder to Create/Update Q&A Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
User Status Statistics Task
Web Interface Customization
Instance Reinitialization
Realm Instances
AD LDS Instance Connections
Using Connections to AD LDS Instances
Specifying Access Account for AD LDS Instance Connections
Changing Access Account for AD LDS Instance Connections
Removing Connection to AD LDS Instance
Extensibility Features
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Email Templates
About Password Policies
Creating a Password Policy
Managing Password Policy Scope
Configuring Password Policy Rules
Reporting
Password Compliance
Password Age Rule
Length Rule
Complexity Rule
Required Characters Rule
Disallowed Characters Rule
Sequence Rule
User Properties Rule
Dictionary Rule
Symmetry Rule
Custom Rule
Deleting a Password Policy
Reporting and User Action History Overview
Appendix A: Accounts Used in Password Manager for AD LDS
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Password Manager Service Account
Application Pool Identity
Access Account for Application Directory Partition Connection
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager for AD LDS
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of URLs to Self-Service Site from OtherApplications
Customization of Password Policies List
Customization of Password Strength Meter
Glossary
About us
Removing Connection to AD LDS Instance
Password Manager Architecture > Configuring Management Policy > Removing Connection to AD LDS Instance
To remove a connection to AD LDS instance
- On the Administration site, select the Management Policy you want to configure and click the User Scope link.
- On the User Scope page, select the connection you want to delete and click Remove. Note, that the connection will be removed from this user scope only. If you want to permanently remove the connection, remove it everywhere where it is used, and then on the General Settings| AD LDS Instance Connections tab, click Remove under the required connection.
Adding Secret Questions
Secret questions are the main part of the Questions and Answers policy that allows authenticating users on the Self-Service site before users can perform any self-service tasks.
For more information on the Questions and Answers policy, see Configuring Questions and Answers Policy.
To create secret questions in the default language
- Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS/.
- On the Administration site home page, click the Add secret questions link under the Management Policy you want to configure.
- On the Configure Questions and Answers Policy page, click Add questions in the default language.
- In the Edit Questions in the Default Language dialog box, specify mandatory, optional and helpdesk questions. To change the default language for secret questions click the Change language link.
- Change questions’ order by clicking the appropriate links.
- Click Save to save the questions and close the dialog box.
IMPORTANT: Modifying a question list does not affect existing personal Questions or Answers profiles unless the users have to update their profiles as a result of the enforcement rules that require users to update Q&A profiles when the question list is modified. For more information on the enforcement rules, see User Enforcement Rules.
Management Policies
Management Policies
- Checklist: Configuring Password Manager
- Understanding Management Policies
- Configuring Access to the Administration Site
- Configuring Access to the Self-Service Site
- Configuring Access to the Helpdesk Site
- Configuring Questions and Answers Policy
- Workflow Overview
- Custom Workflows
- Custom Activities
- Self-Service Workflows
- Helpdesk Workflows
- User Enforcement Rules
Checklist: Configuring Password Manager
Checklist: Configuring Password Manager
When you have installed Password Manager, follow this checklist to configure the solution to implement automated and secure password management in an AD LDS instance.
|
Step |
Reference |
|
Prepare an access account to AD LDS instance. |
|
|
Configure a user scope. |
|
|
Configure the Questions and Answers policy: create language-specific question lists, and configure Q&A profile settings if required. |
|
|
Configure a helpdesk scope to grant access permissions for the Helpdesk site to helpdesk operators and delegate administrative tasks. |
|
|
Configure self-service and helpdesk workflows to define what tasks will be available on the Self-Service and Helpdesk sites. |
|
|
If required, configure rules for enforcing users to register with Password Manager. |
|
|
Configure general settings that apply to all Management Policies (such as account search options, SMTP servers, scheduled tasks, etc.) |
|
|
Create password policies and configure password policy rules. |
|
|
If you want to use Password Manager for cross-platform password synchronization, install One Identity Quick Connect Sync Engine and configure the product to integrate with Password Manager. |
|
|
Ensure that all Password Manager users have Java Script enabled in Microsoft Internet Explorer settings. |
|
|
Ensure that the users know the Self-Service site URL and can access the site to register and perform password self-management tasks. |
|