Password Manager 5.8.2 - Administrator Guide (AD LDS edition)


Change Password in AD LDS

This is a core activity of the Manage My Passwords workflow. The activity allows users to change passwords in AD LDS instances. If you want to enable users to change passwords in several systems, configure the Change password in AD LDS and connected systems activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Change Password in AD LDS and Connected Systems.

Run this activity only when user must change password at next logon. Select this check box when you use this activity in workflows other than Manage My Passwords. With this option, users who are required to change their password at next logon are forced to change it while performing other tasks on the Self-Service site.

For example, if you add the Change password in AD LDS activity with this option selected to the My Questions and Answers Profile workflow, users who are required to change their password at next logon are forced to change it when creating or updating their Q&A profiles.
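To see which AD LDS users the option above would affect before you enable it, the following added example (not part of the original guide or of Password Manager) decodes the pwdLastSet attribute from entries returned by an LDAP search. It assumes, as in Active Directory, that AD LDS expresses "must change password at next logon" as pwdLastSet equal to 0 and stores other values as a Windows FILETIME; the entries and distinguished names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample entries, shaped like the result of an LDAP search of an
# AD LDS instance that requested the dn and pwdLastSet attributes.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "pwdLastSet": "0"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "pwdLastSet": "133485408000000000"},
    {"dn": "CN=svc-sync,CN=Users,DC=example,DC=com"},  # attribute not returned
]


def filetime_to_datetime(value: int) -> datetime:
    """Convert a FILETIME integer (as stored in pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def password_state(entry: dict) -> str:
    """Describe the password state of one entry.

    Assumption (not stated on the page): pwdLastSet == 0 means the user must
    change the password at next logon; any other value is the FILETIME of the
    last password change. A missing attribute is reported as unknown rather
    than guessed.
    """
    raw = entry.get("pwdLastSet")
    if raw is None:
        return "unknown"
    value = int(raw)
    if value == 0:
        return "must-change-at-next-logon"
    return "last-set " + filetime_to_datetime(value).isoformat()


def users_forced_to_change(entries) -> list:
    """Return the DNs that a 'run only when user must change password' activity applies to."""
    return [e["dn"] for e in entries if password_state(e) == "must-change-at-next-logon"]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry['dn']}: {password_state(entry)}")
    print("forced to change:", users_forced_to_change(SAMPLE_ENTRIES))
```

The "unknown" state is deliberate: an account whose pwdLastSet is not returned (for example because the bind account lacks read permission on it) should be investigated, not silently treated as either state.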

Reset Password in AD LDS and Connected Systems

Using this activity, you can configure Password Manager to use One Identity Quick Connect to reset passwords in connected systems. If used in conjunction with Quick Connect, Password Manager allows you to enable users and helpdesk operators to manage passwords across a wide variety of connected systems. To be able to integrate Password Manager with Quick Connect, you must have a working knowledge of Quick Connect Sync Engine.

To enable Password Manager to set passwords in connected systems through a Quick Connect server, the account used to access Quick Connect must be a member of the local Administrators group on the Quick Connect server. Because this grants administrative rights on that server, use a dedicated account for this purpose and protect its credentials accordingly.

Before you can configure Password Manager to use a Quick Connect server for cross-platform password synchronization, you must do the following in Quick Connect:

  • Create a connection to the AD LDS instances managed by Password Manager.
  • Create connections to the systems you want Password Manager to synchronize passwords with.
  • Map users from the managed AD LDS instances to users in the connected systems.

For more information on how to configure Quick Connect to set passwords in connected systems, see One Identity Quick Connect documentation.

To enable Password Manager for cross-platform password synchronization

  1. Include the Reset password in AD LDS and connected systems activity in a workflow and click the activity to edit its settings.
  2. In the Quick Connect server name text box, specify the Quick Connect server URL.
  3. Select the account to be used to access the Quick Connect server. You can use either the Password Manager Service account or specify another account.

You can use either the pre-Windows 2000 logon name (such as DomainName\UserName) or the User Principal Name (such as UserName@DomainName.com) to specify the user name.

  4. Specify how you want Password Manager to act when the Quick Connect server is unavailable. To do it, select one of the following and click Next:
    • Act as if no Quick Connect server were specified. Users can manage their passwords only in the AD LDS instances. No warnings are displayed to users if the Quick Connect server is not available.
    • Alert users and allow them to reset passwords only in AD LDS. Users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in the AD LDS instances.
    • Do not allow users to reset passwords. Users cannot perform any password management tasks in AD LDS instances or connected data sources if the Quick Connect server is not available.
  5. From the list of connected systems, select the systems in which you want to manage user passwords. For each selected system, specify the following options and click Next:
    • System alias
    • Reset password in this system independently from AD LDS. Select this option to allow users to reset their passwords in a connected system independently from AD LDS. If you select this option, users will be able to enter different passwords for their accounts in AD LDS and the connected system.
    • Do not allow resetting password in this system independently from AD LDS. Select this option to prevent users from resetting their passwords in a connected system independently from AD LDS. Note that if you select this option, a user's password is reset in the connected system only after the password has been successfully reset in AD LDS. If the user's password is not reset in AD LDS, it is not reset in the connected system. Users can specify a different password for the connected system if you select the Allow users to specify different password for this system option.
  6. To enforce password history in the AD LDS instances managed by Password Manager, select the Enforce password history check box. Password history determines the number of unique new passwords that must be associated with a user account before an old password can be reused.

IMPORTANT: Before selecting this option, consider the following by-design behavior of Password Manager when the Enforce password history option is enabled:

    • Password Manager consumes two password history slots each time a password is reset. For example, if the password history policy states that users cannot reuse any of their last 10 passwords, Password Manager effectively checks only the last five passwords the user chose. It is therefore advised that you double the password history value.
    • If a user enters a new password that is not policy compliant, the user may end up with a randomly generated password that they do not know.

  7. Click OK to close the wizard.
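The arithmetic behind the IMPORTANT note above, as an added example that is not part of the original guide or of Password Manager: the block simulates a password history of a given length in which each reset burns two slots (the behavior the note describes) and reports how many distinct passwords a user must cycle through before an old one is accepted again. The FIFO-with-filler model is an assumption made for illustration; the guide states only that two slots are consumed per reset.

```python
from collections import deque


def effective_history_depth(history_length: int, slots_per_reset: int = 2) -> int:
    """Return how many distinct new passwords a user must set before an old one
    is accepted again, given a policy that remembers `history_length` entries
    and a tool that consumes `slots_per_reset` entries per reset.

    Model (assumption made for this illustration): the history is a FIFO of
    fixed size; each reset appends the user's password plus (slots_per_reset - 1)
    filler entries that can never match a real password.
    """
    if history_length < 0 or slots_per_reset < 1:
        raise ValueError("history_length must be >= 0 and slots_per_reset >= 1")
    history: deque = deque(maxlen=history_length)

    def reset(password: str) -> bool:
        """Apply the history check, then record the reset. Returns True if accepted."""
        if password in history:
            return False
        history.append(password)
        for _ in range(slots_per_reset - 1):
            # Filler slot burned by the reset; a fresh object() never equals a password.
            history.append(object())
        return True

    reset("old-password")
    intermediate = 0
    while not reset("old-password"):
        # The user keeps picking fresh passwords until the old one is allowed again.
        intermediate += 1
        reset(f"password-{intermediate}")
    return intermediate


def required_history_setting(desired_depth: int, slots_per_reset: int = 2) -> int:
    """Policy value needed so that the last `desired_depth` user-chosen passwords
    are actually rejected when every reset burns `slots_per_reset` slots."""
    return desired_depth * slots_per_reset


if __name__ == "__main__":
    for policy in (10, 20):
        print(f"policy remembers {policy}: a tool burning 2 slots per reset rejects only "
              f"the last {effective_history_depth(policy)} user-chosen passwords")
    print("to reject the last 10 passwords, set the policy to",
          required_history_setting(10))
```

With a policy of 10 the simulation returns 5, matching the note; raising the policy to 20 restores the intended depth of 10, which is why the guide advises doubling the value when this activity enforces history.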

Change Password in AD LDS and Connected Systems

Using this activity, you can configure Password Manager to use One Identity Quick Connect to change passwords in connected systems. If used in conjunction with Quick Connect, Password Manager allows you to enable users and helpdesk operators to manage passwords across a wide variety of connected systems. To be able to integrate Password Manager with Quick Connect, you must have a working knowledge of Quick Connect Sync Engine.

To enable Password Manager to set passwords in connected systems through a Quick Connect server, the account used to access Quick Connect must be a member of the local Administrators group on the Quick Connect server. Because this grants administrative rights on that server, use a dedicated account for this purpose and protect its credentials accordingly.

Before you can configure Password Manager to use a Quick Connect server for cross-platform password synchronization, you must do the following in Quick Connect:

  • Create a connection to the AD LDS instances managed by Password Manager.
  • Create connections to the systems you want Password Manager to synchronize passwords with.
  • Map users from the managed AD LDS instances to users in the connected systems.

For more information on how to configure Quick Connect to set passwords in connected systems, see One Identity Quick Connect documentation.

To enable Password Manager for cross-platform password synchronization

  1. Include the Change password in AD LDS and connected systems activity in a workflow and click the activity to edit its settings.
  2. In the Quick Connect server name text box, specify the Quick Connect server URL.
  3. Select the account to be used to access the Quick Connect server. You can use either the Password Manager Service account or specify another account.

You can use either the pre-Windows 2000 logon name (such as DomainName\UserName) or the User Principal Name (such as UserName@DomainName.com) to specify the user name.

  4. Specify how you want Password Manager to act when the Quick Connect server is unavailable. To do it, select one of the following and click Next:
    • Act as if no Quick Connect server were specified. Users can manage their passwords only in AD LDS instances. No warnings are displayed to users if the Quick Connect server is not available.
    • Alert users and allow them to change passwords only in AD LDS. Users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in AD LDS instances.
    • Do not allow users to change passwords. Users cannot perform any password management tasks in AD LDS instances or connected data sources if the Quick Connect server is not available.
  5. From the list of connected systems, select the systems in which you want to manage user passwords. For each selected system, specify the following options and click OK:
    • System alias
    • Change password in this system independently from AD LDS. Select this option to allow users to change their passwords in a connected system independently from AD LDS. If you select this option, users will be able to enter different passwords for their accounts in AD LDS and the connected system.
    • Do not allow changing password in this system independently from AD LDS. Select this option to prevent users from changing their passwords in a connected system independently from AD LDS. Note that if you select this option, a user's password is changed in the connected system only after the password has been successfully changed in AD LDS. If the user's password is not changed in AD LDS, it is not changed in the connected system. Users can specify a different password for the connected system if you select the Allow users to specify different password for this system option.

Unlock Account

This activity is a core activity of the Unlock My Account workflow. It allows users to unlock their accounts using the Self-Service site.

You do not need to configure any settings for this activity.
