When you use Password Manager to reset your password, Active Directory does not automatically check the new password against the password history. As a result, the Enforce password history policy setting may have no effect. To ensure that this password policy setting is applied in Active Directory when your password is reset by using Password Manager, the Enforce password history option must be selected in the Reset password in Active Directory and Reset password in Active Directory and connected systems activities.
Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains.
When the password history is enforced for resetting passwords, Password Manager resets users' old password to an automatically generated password that complies with password policies. It is required for the user to go through the Quick Connect workflow once again where the Reset password in Active Directory and connected systems activity is configured. This time the password is changed to the one provided by the user. Note that, if an error occurs when changing the password, users may end up with the automatically generated password they do not know.
For more information, see Reset Password in Active Directory.
You can manage how password-related changes are replicated in your environment. If you want to force password changes and resets in the required Active Directory sites, select the corresponding sites on the Advanced settings tab of the Edit Domain Connection dialog, and select the Replicate password-related changes check box.
This section provides information on how Password Manager stores and replicates data.
There are two types of data stored by Password Manager: Password Manager configuration data, and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.
Q&A profiles are stored in the attribute of a user account in Active Directory that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance. For more information, see Instance Reinitialization.
Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.
-
Shared.storage: This file contains configuration data that is shared among all instances of a realm: management policies, general settings, domain connections, custom activities and workflows, instance settings, and so on.
-
Local.storage: This file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.
-
LocalizationStorage: This folder contains the user interface texts localized in several languages.