The following diagram illustrates the Management Policy components:
User scope defines the user groups from the specified AD LDS instances that can access the Self-Service site and use the corresponding workflows. You can add multiple AD LDS connections to a single user scope, and you can use the same connection in both the user and helpdesk scopes.
Helpdesk scope defines the groups of helpdesk operators from the specified AD LDS instances that can access the Helpdesk site and manage users from the user scope using the helpdesk workflows. You can add multiple AD LDS connections to a single helpdesk scope, and you can use the same connection in both the user and helpdesk scopes.
Self-Service and helpdesk workflows define the tasks that are available to users and helpdesk operators on the Self-Service and Helpdesk sites. For example, Forgot My Password, Assign Passcode, Unlock Account, etc.
Questions and Answers policy comprises a list of secret questions (in the default and additional languages) that users must answer to authenticate themselves, and Q&A profile settings that control questions and answers, such as the minimum length of an answer or a question and the number of required user-defined questions.
User enforcement rules define how users are required to register with Password Manager and how they are reminded to change their passwords. A corresponding scheduled task exists for each enforcement rule. For example, the Invitation to Create/Update Profile scheduled task corresponds to the Invite Users to Create/Update Profiles enforcement rule. By default, the enforcement rules are not configured. To start notifying users to create or update their Q&A profiles and to change their passwords, configure the rules after Password Manager installation.
In a single Password Manager instance you can create multiple Management Policies. Different Management Policies may use the same AD LDS connections (specified in the user and helpdesk scopes). If a user is included in the user scopes of more than one Management Policy, the settings from the first Management Policy whose scope contains the user are applied to that user.
All Management Policies share the same scheduled tasks and password policies.
The Invitation to Create/Update Profile, Reminder to Create/Update Profiles, and Reminder to Change Password scheduled tasks notify the users in the scopes of the user enforcement rules configured in the Management Policies. For more information, see Scheduled Tasks and User Enforcement Rules.
To set password policies for users in the user scopes of Management Policies, configure password policies and include the corresponding users in the password policy scope. For more information about password policies, see Creating a Password Policy.
The following diagram shows available password policies and their structure:
By default, AD LDS enforces the local or domain policy applied to the computer on which the AD LDS instance runs. You can also configure password policies in Password Manager. Note that the password policy applied to the computer on which the AD LDS instance runs cannot be automatically displayed on the Self-Service site when users change or reset passwords. To display such a policy, use the Custom rule available in password policies and enter in it the settings of the password policy applied to the computer running the AD LDS instance. For more information, see Custom Rule.
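Because the Custom rule only displays what an administrator types into it, the values entered must match the policy actually in force on the AD LDS host, or users will be shown requirements that differ from the ones enforced. The following script is an added example, not part of the Password Manager documentation or product, showing one way to collect those settings on the AD LDS host so they can be transcribed into the Custom rule. It uses only built-in Windows tools (`net accounts`, `secedit`) plus the optional RSAT ActiveDirectory module; the function names are this example's own.

```powershell
# Added example (not from the Password Manager documentation): gather the
# effective password policy of the computer running the AD LDS instance, so the
# same values can be entered into the Custom rule of a Password Manager
# password policy. Run in an elevated PowerShell session on the AD LDS host.

function Get-LocalPasswordPolicySummary {
    # 'net accounts' reports the policy in force on this computer: the local
    # policy, or the domain policy if the host is domain-joined.
    $raw = net accounts 2>&1
    $policy = [ordered]@{}
    foreach ($line in $raw) {
        # Lines look like "Minimum password length:        7"
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>.+)$') {
            $policy[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $policy
}

function Get-PasswordComplexitySetting {
    # 'net accounts' does not show whether complexity is required; export the
    # local security policy and read the [System Access] section instead.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $complexity = $null
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*PasswordComplexity\s*=\s*(\d)') {
            $complexity = ($Matches[1] -eq '1')
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $complexity
}

$local = Get-LocalPasswordPolicySummary
$local.GetEnumerator() | ForEach-Object { '{0,-50} {1}' -f $_.Key, $_.Value }
'{0,-50} {1}' -f 'Password must meet complexity requirements', (Get-PasswordComplexitySetting)

# On a domain-joined host the default domain password policy can also be read
# directly (requires the RSAT ActiveDirectory module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADDefaultDomainPasswordPolicy -Current LocalComputer |
        Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                      MinPasswordAge, ComplexityEnabled, LockoutThreshold
}
```

Minimum length, history length, minimum and maximum age, and the complexity flag are the values the Custom rule text needs to reflect; re-run the script whenever the local or domain policy on the AD LDS host changes, since Password Manager does not pick up those changes on its own.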
To create and manage password policies, you need to add a connection to the AD LDS instance on the Password Policies tab of the Administration site. When adding the connection, you specify the application directory partition to which password policies will be applied and the credentials that will be used to access the partition.
After you have added the connection, you can create password policies for this application directory partition. For each password policy, you can specify a name, a set of policy rules, and a scope.
Note that password policy rules are applied, and displayed on the Self-Service site when users change or reset passwords, only after you have added the connection and created policies for the corresponding application directory partition.
If a user is found in the scopes of several password policies, the policy with the highest priority is applied to that user. Note that priority can be changed only for policies with the same scope.