Password Manager 5.8.2 - Administrator Guide (AD LDS edition)


Management Policy and Other Password Manager Settings

The following diagram illustrates how several Management Policies interact with other Password Manager settings:

In a single Password Manager instance, you can create multiple Management Policies. Different Management Policies may use the same AD LDS connections (specified in the user and helpdesk scopes). If a user is included in the user scopes of both Management Policies, the settings from the first Management Policy whose scope contains the user are applied to that user.

Settings from each Management Policy use the same scheduled tasks and password policies.

The Invitation to Create/Update Profile, Reminder to Create/Update Profiles, and Reminder to Change Password scheduled tasks notify users who are in the scopes of the user enforcement rules configured in Management Policies. For more information, see Scheduled Tasks and User Enforcement Rules.

To set password policies for users from the user scopes of Management Policies, you need to configure password policies and include the corresponding users in the password policy scope. For more information about password policies, see Creating a Password Policy.

Password Policy Overview

Password Manager lets you apply and manage password policies granularly.

The following diagram shows available password policies and their structure:

By default, AD LDS enforces the local or domain policy applied to the computer on which an AD LDS instance runs. You can also configure password policies. Note that the password policy applied to the computer on which the AD LDS instance runs cannot be automatically displayed on the Self-Service site when users change or reset passwords. To display this policy, use the Custom rule available in password policies. In this rule, enter the settings of the password policy applied to the computer running the AD LDS instance. For more information, see Custom Rule.

To create and manage password policies, you need to add a connection to the AD LDS instance on the Password Policies tab of the Administration site. When adding the connection, you specify the application directory partition to which password policies will be applied and the credentials that will be used to access the partition.

After you have added the connection, you can create password policies for this application directory partition. For each password policy, you can specify a name, a set of policy rules, and a scope.

Note that password policy rules are applied and displayed on the Self-Service site when users change or reset passwords only after you have added the connection and created policies for the corresponding application directory partition.

If a user is found in the scopes of several password policies, the policy with the highest priority is applied to the user. Note that priority can be changed for policies with the same scope.

reCAPTCHA Overview

This section provides an overview of the reCAPTCHA service, the system requirements for using it, and references.

How It Works

reCAPTCHA is a free CAPTCHA service provided by Google. You can use it to protect the Self-Service site from bots attempting to access restricted areas.

Because reCAPTCHA uses images that optical character recognition software has been unable to read, it provides secure protection for Web sites.


  1. A user opens the Self-Service site.
  2. The user’s browser sends the public key obtained during registration on the reCAPTCHA site to the Google reCAPTCHA API server and receives a reCAPTCHA image with a token to identify the image.
  3. The user deciphers the image (distorted text) and submits a response in a Web page form. The response and the token are transferred to the Password Manager server.
  4. The response, the token and the private key (obtained during registration on the reCAPTCHA site) are then transferred to the Google reCAPTCHA Verify server to be checked. After checking the response, the reCAPTCHA server sends a reply back to the Password Manager server.
  5. If the response is correct, the user is granted access to further steps on the Password Manager site.
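
The five-step exchange above, modelled offline as an added example (not code from Password Manager or Google): `StubCaptchaService`, `allow_next_step`, the form field names and both keys are constructed for illustration. It shows the server attaching the private key itself and denying access when a token is reused or missing, or when the verify server cannot be reached.

```python
import hmac
import secrets
# Constructed keys for this offline simulation; not real reCAPTCHA credentials.
PUBLIC_KEY = "example-public-key"
PRIVATE_KEY = "example-private-key"

class StubCaptchaService:
    """Hypothetical stand-in for the CAPTCHA provider (steps 2 and 4)."""
    def __init__(self, fail=False):
        self._pending = {}   # token -> expected answer
        self._fail = fail    # simulate an unreachable verify server

    def issue_challenge(self, public_key, answer):
        if public_key != PUBLIC_KEY:
            raise ValueError("unknown public key")
        token = secrets.token_urlsafe(16)
        self._pending[token] = answer
        return token

    def verify(self, private_key, token, response):
        if self._fail:
            raise ConnectionError("verify server unreachable")
        # Assumption of this model: a token is consumed by its first check.
        expected = self._pending.pop(token, None)
        if expected is None or not hmac.compare_digest(private_key, PRIVATE_KEY):
            return False
        return hmac.compare_digest(expected.encode(), response.encode())

def allow_next_step(service, form):
    """Steps 3-5 on the server: the private key is added here, never by the browser."""
    token, response = form.get("token"), form.get("response")
    if not token or not response:
        return False
    try:
        return service.verify(PRIVATE_KEY, token, response) is True
    except (ConnectionError, TimeoutError):
        return False  # fail closed: no verdict means no access

def run_exchange():
    svc = StubCaptchaService()
    token = svc.issue_challenge(PUBLIC_KEY, "w7kq2")
    results = {"correct": allow_next_step(svc, {"token": token, "response": "w7kq2"}),
               "replayed": allow_next_step(svc, {"token": token, "response": "w7kq2"})}
    token = svc.issue_challenge(PUBLIC_KEY, "m3xd9")
    results["wrong"] = allow_next_step(svc, {"token": token, "response": "zzzzz"})
    results["no_token"] = allow_next_step(svc, {"response": "m3xd9"})
    down = StubCaptchaService(fail=True)
    results["outage"] = allow_next_step(down, {"token": "t", "response": "r"})
    return results
```
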