
Password Manager 5.13.2 - Administration Guide (AD LDS Edition)


Configuring Access to the Administration Site

By default, access to the Administration Site is granted only to Active Directory domain users who are members of the local Administrators group and to members of the PMAdminADLDS group, which is created during Password Manager for AD LDS installation.

NOTE: The account that you specified as Application Pool Identity when installing Password Manager is automatically added to the PMAdminADLDS group.

IMPORTANT: Make sure to grant access to the Administration Site only to the most trustworthy people, since managing the Password Manager configuration may require dealing with user-sensitive information.
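Because Administration Site access follows from membership of the two groups named above, the membership of those groups is what needs periodic review. The following PowerShell script is an added example, not part of the Password Manager documentation: it lists the members of both groups on the Password Manager server, flags nested groups (whose own members inherit access), and writes a dated CSV so that changes can be compared over time. It assumes that PMAdminADLDS is a local group on the Password Manager server and that the script runs there from an elevated prompt with the Microsoft.PowerShell.LocalAccounts module available.

```powershell
# Added example (not from the Password Manager documentation): review who holds
# Administration Site access by default. Assumption: PMAdminADLDS is a local group on
# the Password Manager server, like the built-in Administrators group. Run elevated
# on that server; requires the Microsoft.PowerShell.LocalAccounts module.

$groups = @('Administrators', 'PMAdminADLDS')
$report = foreach ($group in $groups) {
    try {
        Get-LocalGroupMember -Group $group -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Group           = $group
                    Member          = $_.Name
                    ObjectClass     = $_.ObjectClass      # User or Group
                    PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, ...
                }
            }
    }
    catch {
        Write-Warning "Could not read group '$group': $($_.Exception.Message)"
    }
}

Write-Host '== Accounts with Administration Site access =='
$report | Format-Table -AutoSize

# A group member grants access to every member of that group, which is easy to
# overlook when reviewing the list above, so call nested groups out explicitly.
$nested = $report | Where-Object { $_.ObjectClass -eq 'Group' }
if ($nested) {
    Write-Warning 'Nested groups grant Administration Site access indirectly; review their membership too:'
    $nested | Format-Table Group, Member -AutoSize
}

# Keep a dated snapshot so the next review can diff against it (path is a placeholder).
$snapshot = Join-Path $env:ProgramData ("PMAdminAccess-{0:yyyyMMdd}.csv" -f (Get-Date))
$report | Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Snapshot written to $snapshot"
```

Comparing two snapshots with Compare-Object on the Group and Member columns shows every account that gained or lost Administration Site access between reviews.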

Configuring Access to the Legacy Self-Service Site and Password Manager Self-Service Site

The Password Manager Self-Service Site offers the same functionality as the Legacy Self-Service Site with a new and improved user interface. The Password Manager Self-Service Site can coexist with the existing Legacy Self-Service Site, and you can revert to the Legacy Self-Service Site at any time.

To configure access to the Legacy Self-Service Site, you need to configure a user scope for the Management Policy you want to use. The workflows and secret questions that you configure for the Management Policy will apply only to the user scope of this Management Policy. You can add connections to several AD LDS instances to a single user scope.

Configuring Access to the Helpdesk Site

In Password Manager you can easily delegate administrative tasks to dedicated helpdesk operators. By configuring the helpdesk scope you select groups of helpdesk operators who will have access to the Helpdesk Site. The Helpdesk Site handles typical tasks performed by helpdesk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and others.

Members of the helpdesk scope are allowed to access the Helpdesk Site and manage users from the user scope of the same Management Policy only.

You can also restrict groups of helpdesk operators from accessing the Helpdesk Site.

To configure a helpdesk scope, first add a connection to an AD LDS instance to the scope, and then specify the groups that will be allowed or denied access to the Helpdesk Site.

To manage all connections from a single place, click General Settings > AD LDS Instance Connections on the Administration Site. For more information, see AD LDS Instance Connections.

To connect to AD LDS instance

  1. Open the Administration Site by entering the Administration Site URL in the address bar of your browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed.

  2. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  3. On the Helpdesk Scope page, click Connect to AD LDS instance.

  4. If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.

  5. If you selected to create the new connection, in the Connect to AD LDS Instance dialog, configure the following options:

    • In Server name on which AD LDS instance is installed, type the name of the server to which you want to connect.

    • In Port number (LDAP or SSL), enter the port number that you specified when installing the AD LDS instance. If you select Use SSL, enter the SSL port number; otherwise, enter the LDAP port number. It is recommended to use SSL in your production environment.

    • In Application directory partition, enter the name of the application directory partition from the AD LDS instance to which you want to connect.

    • In Application directory partition alias, type the alias for the application directory partition which will be used to address the partition on the Self-Service Site.

    • In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account; otherwise, select The following Active Directory account or The following AD LDS account and enter the required user name and password.

    For information on how to prepare the access account, see Configuring Permissions for Access Account.

  6. Click Save.
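The values entered in the Connect to AD LDS Instance dialog (server name, LDAP or SSL port, application directory partition, and access account) can be verified from the Password Manager server before you click Save. The following PowerShell script is an added example and is not part of the Password Manager product or its documentation: it checks that the port is reachable, that a bind with the access account succeeds over SSL, and that the partition exists and is readable by that account. The server name, port, partition and credential form are placeholders; the rule that an AD LDS account is entered as a distinguished name and bound with a simple bind, while an Active Directory account uses Negotiate, is an assumption of this example.

```powershell
# Added example (not from the Password Manager documentation): validate AD LDS
# connection settings before saving them in the Helpdesk Scope dialog.
# All values below are placeholders to replace with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = 'adlds01.example.com'            # Server name on which AD LDS instance is installed
$Port       = 50001                            # Port number (LDAP or SSL); the SSL port when Use SSL is selected
$UseSsl     = $true                            # Recommended for production
$Partition  = 'CN=PMUsers,DC=example,DC=com'   # Application directory partition
$Credential = Get-Credential -Message 'Access account (Active Directory or AD LDS) used by Password Manager'

# 1. Is the port reachable at all? A raw TcpClient works on any Windows host.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    Write-Host "TCP $Server`:$Port is reachable"
}
catch {
    throw "Cannot reach $Server`:$Port; check the port entered when the instance was installed: $_"
}
finally { $tcp.Dispose() }

# 2. Bind with the access account. A simple (Basic) bind sends the password in
#    clear text unless SSL is on, which is why SSL is recommended for production.
$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $UseSsl
if ($Credential.UserName -match '^CN=') {
    # Assumption: an AD LDS account is given as a distinguished name and needs a simple bind.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
}
else {
    # Assumption: an Active Directory account (DOMAIN\user) can use Negotiate.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
}
$conn.Credential = $Credential.GetNetworkCredential()
try {
    $conn.Bind()
    Write-Host "Bind as $($Credential.UserName) succeeded (SSL=$UseSsl)"
}
catch {
    $conn.Dispose()
    throw "Bind failed; check the access account or the SSL certificate on the instance: $_"
}

# 3. Does the partition exist, and can the access account read it?
$request = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $Partition, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base, 'distinguishedName')
try {
    $response = $conn.SendRequest($request)
    Write-Host "Partition $Partition found ($($response.Entries.Count) entry)"
}
catch {
    throw "Partition $Partition is not readable by this account: $_"
}
finally { $conn.Dispose() }
```

A bind failure with SSL enabled most often means the certificate on the AD LDS instance is not trusted by the Password Manager server; fixing the trust is preferable to turning SSL off, since the clear-text LDAP port exposes the access account's password on the network.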

To specify groups or OUs that are allowed to access the Helpdesk Site

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the connection for which you want to specify groups or OUs and click Edit.

  3. Do the following:

    • To specify the groups, click Add under Groups allowed access to the Helpdesk Site.

    • To specify the OUs, click Add under Organizational Units allowed access to the Helpdesk Site.

  4. Click Save.

To specify groups that are denied access to the Helpdesk Site

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the connection for which you want to specify groups or OUs and click Edit.

  3. Do the following:

    • To specify the groups, click Add under Groups denied access to the Helpdesk Site.

    • To specify the OUs, click Add under Organizational Units denied access to the Helpdesk Site.

  4. Click Save.

Changing Access Account

To access a managed AD LDS instance, you can use the Password Manager Service account, an Active Directory account or an AD LDS account. For more information on how to configure the access account, see Configuring Permissions for Access Account. The Password Manager Service account is the account that was configured during Password Manager installation. The Password Manager Service account may be used as the access account only when the Service account has all required permissions.

To modify the account used to access an AD LDS instance

  1. On the Administration Site, select the Management Policy you want to configure and click the Helpdesk Scope link.

  2. On the Helpdesk Scope page, select the connection for which you want to change access account and click Edit.

  3. On the Helpdesk Scope Settings for #Application Directory Partition# page, click Edit.

  4. In the Access account section of the Edit AD LDS Instance Connection dialog, select Password Manager Service account to have Password Manager access the managed instance using the Password Manager Service account. Otherwise, select The following Active Directory account or The following AD LDS account and then enter the required user name and password.

  5. Click Save and select how you want to apply the updated settings. You can either apply the new settings for this helpdesk scope only, or everywhere where this connection is used.
