Chat now with support
Chat with Support

Password Manager 5.9.7 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Upgrading Password Manager Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Unregistering users from Password Manager Working with Redistributable Secret Management account Email Templates
Password Policies One Identity Starling Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Glossary

Q&A Policy and User Enforcement

The Q&A profile settings affects the Invite users to create/update Q&A profiles enforcement rule. This rule has conditions that state when users should be notified to create or update their profiles. These conditions correspond to the Q&A profile settings. For example, the User’s answers are shorter than required condition corresponds to the Minimum length of answers setting. So, when you change any of the Q&A profile settings, you can then select the corresponding condition in the rule and enforce users to create or update their profiles in accordance with the new settings. For more information, see Invite Users to Create/Update Profiles.

Data Replication

This section provides information on how Password Manager stores and replicates data.

Storing Data

There are two types of data stored by Password Manager: Password Manager configuration data and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.

Q&A profiles are stored in the attribute of a user account in AD LDS that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance; for more information, see Instance Reinitialization.

Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager for AD LDS folder. This folder contains two files ( and and the LocalizationStorage folder.

The file contains configuration data that is shared among all instances of a realm: Management Policies, general settings, AD LDS connections, custom activities and workflows, instance settings, etc.

The file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.

The LocalizationStorage folder contains the user interface texts localized in several languages.

Replicating Data

If you install a realm (several Password Manager instances sharing the same configuration), changes in the configuration of one instance are automatically propagated to other instances. To propagate the data, Password Manager replicates the data from the file and the LocalizationStorage folder to AD LDS.

Before being written to AD LDS, the data is split into several segments and archived.

To distribute the configuration data from one instance to another, Password Manager uses a scheduled task and the PMReplication container in a managed application directory partition to which the data is copied. The PMReplication container is an container that is automatically created in the Users container of the managed application directory partition. To this container, containers for each Password Manager realm are added. Names of these containers correspond to the realm affinity id. Each realm container has the containers for every instance belonging to this realm. Names of instance containers correspond to the instance ids.

In the instance container, several user accounts are created. The number of user accounts is one more than the number of data segments. For example, if there are twenty data segments, then the instance container has twenty one user accounts. Note, that the created user accounts are disabled.

The same attribute that you specify for storing users’ Q&A profiles is used to store the configuration data segments.The first user account stores the data replica id, all other accounts store the data segments.

Replication mechanism analyses all data segments from all instances, selects data with the latest changes and propagates it.

Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.

Note, that the access account must have the permission to create user accounts and containers in the Users container for configuration data to be replicated. For more information on configuring the access account, see Configuring Permissions for Access Account.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating