立即与支持人员聊天
与支持团队交流

Password Manager 5.13.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring access to the Administration Site Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Realm Instances

On the Administration Site you can view a list of installed Password Manager instances belonging to one realm. This information is available on the Realm Instances page.

To open the Password Manager Service Instances page, on the Administration Site click General Settings. On the General Settings page, click the Realm Instances tab.

For each Service instance the Self-Service Site URL is specified. If necessary, you can edit the URL by clicking Edit under the corresponding Service instance. In Realm instances, the Primary instance is in red for easy identification.

All Password Manager Service instances belonging to one realm share the following settings: certificate name, port number, encryption algorithm, encryption key length, hashing algorithm, attribute for storing Q&A profile data, and realm affinity ID. These options are configured when initializing a Password Manager Service instance. To change any of these settings, see Instance reinitialization.

A Redistributable Secret Management Service (rSMS) user must be created in all the Password Manager realm instances. An rSMS user is automatically created if the imported configuration file has the rSMS account details.

Domain Connections

This section provides information on creating, modifying, and using domain connections.

Using domain connections

On the General Settings > Domain Connectionstab of the Administration Site, you can view a list of available domain connections.

To register a domain with Password Manager you need to create a connection to the required domain. When adding a domain connection you can select an existing connection or create a new one. It is possible to use the same domain connection in different sections: user and helpdesk scopes, and password policies.

The same domain connection can also be used in different Management Policies.

You can add a domain connection either on the Domain Connections tab or from the User scope, Helpdesk scope, and Password Policies pages.

Note, that when you modify the domain connection on the User scope, Helpdesk scope or Password Policies pages, you can select how you want to apply the updated connection settings: either for the specified section only or everywhere where this domain connection is used. If you choose to update settings for the specified section only, a copy of the domain connection will be created with these settings and will be added to the list of available domain connections.

But when you modify the domain connection on the Domain Connections tab, the updated settings will be automatically applied everywhere where this connection is used.

If you want to remove the domain connection from the list on the Domain Connections tab, you should first remove it from all sections where it is used, and only then remove the domain connection from the list.

Specifying access account for domain connections

Before adding the domain connection, make sure the account you want to use to access the domain has the required permissions.

The following permissions must be granted to the account in case you want to add the domain to the user or helpdesk scopes:

  • Membership in the Domain Users group.

  • The Read permission for all attributes of user objects.

  • The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime.

  • The right to reset user passwords.

  • The permission to create user accounts and containers in the Users container.

  • The Read permission for attributes of the organizationalUnit object and domain objects.

  • The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects.

  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.

  • The permission to create container objects in the System container.

  • The permission to create the serviceConnectionPoint objects in the System container.

  • The permission to delete the serviceConnectionPoint objects in the System container.

  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container.

If you want to use the domain connection in password policies as well, make sure the account has the following permissions:

  • The Read permission for attributes of the groupPolicyContainer objects.

  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.

  • The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.

  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.

  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.

  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.

  • The Write permission for the following attributes of the msDS-PasswordSettings object:

    • msDS-LockoutDuration

    • msDS-LockoutThreshold

    • msDS-MaximumPasswordAge

    • msDS-MinimumPasswordAge

    • msDS-MinimumPasswordLength

    • msDS-PasswordComplexityEnabled

    • msDS-PasswordHistoryLength

    • msDS-PasswordReversibleEncryption

    • msDS-PasswordSettingsPrecedence

    • msDS-PSOApplied

    • msDS-PSOAppliesTo

    • name

To add domain connection

  1. On the home page of the Administration Site, click the General Settings > Domain Connections tab.

  2. Click Add domain connection to add a domain connection.

  3. If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.

  4. In the Add New Domain Connection dialog, configure the following options:

    • In the Domain name text box, enter the name of the domain that you want to add.

    • In the Domain alias text box, enter the alias for the domain which will be used to address the domain on the Self-Service Site. This field is required because you can use the domain connection in the user scope.

    • To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Specified user name and password and then enter user name and password in the corresponding text boxes. Note, that the selected account should have the required permissions.

  5. Click Save.

    IMPORTANT: After you create a domain connection on the General Settings > Domain Connections tab, you can use it in the user scope, helpdesk scope and password policies by selecting the connection in the Add Domain Connection dialog on the corresponding page of the Administration Site. For example, to use the domain connection in the user scope of your Management Policy, open the user scope of this Management Policy, click Add domain connection, and select the corresponding connection from the list.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级