4.7. Administrator Guide


This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, please contact: Quest Software World Headquarters

LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com e-mail: legal@quest.com

Refer to our Web site for regional and international office information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invertus, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg,

MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vAnalyzer, vAutomator, vControl, vConverter, vEssentials, vFoglight, vMigrator, vOptimizer Pro, vPackager, vRanger, vRanger Pro, vReplicator, vSpotlight, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Password Manager - Administrator Guide. Updated October 22, 2010.

CONTENTS

ABOUT THIS GUIDE . . . 5

INTENDED AUDIENCE . . . 6

CONVENTIONS . . . 6

ABOUT QUEST SOFTWARE . . . 7

CONTACTING QUEST SOFTWARE . . . 7

CONTACTING QUEST SUPPORT . . . 7

CHAPTER 1 WELCOME TO QUEST PASSWORD MANAGER . . . 9

QUEST PASSWORD MANAGER OVERVIEW . . . 10

DIFFERENT SITES FOR DIFFERENT ROLES . . . 11

CHAPTER 2 ADMINISTRATION SITE . . . 13

CHECKLIST: CONFIGURING PASSWORD MANAGER . . . 14

SPECIFYING GLOBAL SETTINGS . . . 15

ENABLING HTTPS . . . 16

CONFIGURING SELF-SERVICE SITE SETTINGS . . . 17

CONFIGURING ACCESS TO SELF-SERVICE SITE FROM WINDOWS LOGON SCREEN . . . 28

INTRODUCING SECURE PASSWORD EXTENSION . . . 28

DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION . . . 29

UNINSTALLING SECURE PASSWORD EXTENSION . . . 38

TROUBLESHOOTING SECURE PASSWORD EXTENSION . . . 38

MANAGING DOMAINS . . . 39

CONFIGURING PERMISSIONS TO ACCESS A MANAGED DOMAIN . . . 39

ADDING A MANAGED DOMAIN . . . 40

MANAGING QUESTIONS AND ANSWERS PROFILES . . . 41

CONFIGURING PASSWORD POLICIES . . . 45

CONFIGURING LOGON SECURITY OPTIONS . . . 57

CONFIGURING REGISTRATION NOTIFICATION AND ENFORCEMENT . . . 59

DELEGATING HELP DESK AND ADMINISTRATIVE TASKS . . . 62

CONFIGURING ACCESS TO SELF-SERVICE SITE . . . 64

CHANGING ACCOUNT TO ACCESS A MANAGED DOMAIN . . . 65

REPORTING . . . 66

DIAGNOSTIC LOGGING . . . 72

BEST PRACTICES FOR CONFIGURING REPORTING SERVICES . . . 73

REPORTING SERVICES DEFAULT CONFIGURATION . . . 73

REPORTING SERVICES FIREWALL ISSUES . . . 75

THE PASSWORD MANAGER DATABASE IN SQL SERVER . . . 76

CHAPTER 3 QUEST PASSWORD MANAGER INTEGRATION . . . 79

ACTIVEROLES QUICK CONNECT . . . 80

CONFIGURING CROSS-PLATFORM PASSWORD SYNCHRONIZATION USING ACTIVEROLES QUICK CONNECT . . . 80

MICROSOFT IDENTITY INTEGRATION SERVER . . . 82

CONFIGURING CROSS-PLATFORM PASSWORD SYNCHRONIZATION USING MIIS . . . 82

QUEST ACTIVEROLES SERVER WEB INTERFACE . . . 85

BASIC INTEGRATION REQUIREMENTS . . . 85

CUSTOMIZING ACTIVEROLES SERVER HOME PAGE . . . 85

PASSWORD MANAGER SELF-SERVICE SITE INTEGRATION . . . 85

PASSWORD MANAGER HELP DESK SITE INTEGRATION . . . 86

QUEST DEFENDER . . . 88

QUEST ENTERPRISE SINGLE SIGN-ON (QESSO) . . . 89

HP PROTECTTOOLS AUTHENTICATION SERVICES . . . 90

USING HP PROTECTTOOLS AUTHENTICATION SERVICES TO GENERATE PASSWORDS . . . 90

GLOSSARY . . . 93

About This Guide

• Intended Audience

• Conventions

• About Quest Software

• Contacting Quest Software

• Contacting Quest Support


Intended Audience

This document has been prepared to assist you in becoming familiar with Quest Password Manager. The Administrator Guide contains the information required to install and use Quest Password Manager. It is intended for network administrators, consultants, analysts, and any other professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT / CONVENTION

Select
This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text
Interface elements that appear in Quest Software products, such as menus and commands.

Italic text
Used for comments.

Bold Italic text
Used for emphasis.

Blue text
Indicates a cross-reference. When viewed in Adobe® Reader®, this format can be used as a hyperlink.

Note icon
Used to highlight additional information pertinent to the process being described.

Best practice icon
Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

Caution icon
Used to highlight processes that should be performed with care.

+
A plus sign between two keystrokes means that you must press them at the same time.

|
A pipe sign between elements means that you must select the elements in that particular sequence.

About Quest Software

Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com.

Contacting Quest Software

E-mail: info@quest.com

Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA

Web site: www.quest.com

Refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase

• Download the latest releases and service packs

• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at http://support.quest.com/.

Welcome to Quest Password Manager

• Quest Password Manager Overview

• Different Sites for Different Roles


Quest Password Manager Overview

Quest Password Manager is a Web-based application that provides an easy-to-implement and use, yet highly secure, password management solution. Users can connect to Password Manager by using their favorite browser and perform password self-management tasks, thus eliminating the need for assistance from high-level administrators and reducing help desk workload. The solution offers a powerful and flexible password policy control mechanism that allows the Password Manager administrator to ensure that all passwords in the organization comply with the established policies.

Password Manager works with Windows domains, including domains operating in mixed mode. Integration with Microsoft Identity Integration Server facilitates cross-platform password synchronization that enables Password Manager to change user passwords across multiple connected data sources.

The key features and benefits of Quest Password Manager include:

• Global access. Quest Password Manager provides 24x7x365 access to the Self-Service site from intranet computers as well as over the Internet from any common browser. The solution supports flexible access modes and logon options.

• Strong data encryption and secure communication. The solution relies on industry-leading technologies for enhanced communication security and data encryption.

• Cross-platform password synchronization. Quest Password Manager has been designed for use with Microsoft Identity Integration Server and Quest Quick Connect, which makes it possible to automatically synchronize users' passwords across multiple connected data sources.

• Web interface for help desk service. Password Manager features a Help Desk site which allows administrators to delegate help desk tasks to dedicated operators. These tasks include resetting user passwords, managing users' Questions and Answers profiles, and assigning temporary passcodes to users.

• x64 version of Password Policy Manager. An x64 version of the Password Policy Manager module has been designed for use on domain controllers running an x64 Microsoft Windows Server operating system.

• E-mail event notifications. Administrators can configure event notifications which are sent by e-mail to designated personnel when specified events occur.

• Seamless OS integration. Quest Password Manager relies on intrinsic security databases only and is capable of managing domains across trust boundaries (no trust relationship required).

• Powerful password policies. Quest Password Manager ensures that only passwords that meet administrator-defined policies are accepted. Unsuccessful authentication attempts are logged and the corresponding accounts are locked if necessary.

• Granular policy enforcement. Password policies are applied on a per-group or per-OU basis.

• Questions and Answers authentication mechanism. To reset passwords or unlock accounts, users are prompted to answer a series of questions for which they provided their secret answers when registering with Quest Password Manager.

• Enhanced user name search options. Users can be allowed to view their account attributes, such as user logon name, first name, display name, and SMTP address, when searching for their forgotten user names. A more specific search query returns the most relevant search results.

• Fault tolerance and scalability. Quest Password Manager is designed to work with network load balancing clusters and in a Web farm environment.

Different Sites for Different Roles

The Web Interface allows multiple Web sites to be installed with individual, customizable configurations. The following is a list of configuration templates that are available out of the box.

• Administration Site is for individuals who are responsible for implementing password self-management through performing administrative tasks, such as configuring site-specific settings and enforcing password policies, to suit the specific needs of their organization.

• Help Desk Site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles.

• Self-Service Site provides users with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators and reducing help desk workload.

Administration Site

• Checklist: Configuring Password Manager

• Changing User Interface Language

• Specifying Global Settings

• Configuring Access to Self-Service Site from Windows Logon Screen

• Managing Domains

• Reporting

Checklist: Configuring Password Manager

When you have installed Password Manager, follow this checklist to configure the solution to implement automated and secure password management in an Active Directory domain.

STEP / REFERENCE

Step: It is strongly recommended that you enable HTTPS on the server where Password Manager is installed.
Reference: "Enabling HTTPS" on page 16

Step: Prepare the account under which Password Manager will access the managed domain.
Reference: "Configuring Permissions to Access a Managed Domain" on page 39

Step: Register the managed domain with Password Manager.
Reference: "Adding a Managed Domain" on page 40

Step: Create language-specific question lists, and configure the Questions and Answers Policy if required.
Reference: "Managing Questions and Answers Profiles" on page 41

Step: If you want to provide access to the Self-Service site from the Windows logon screen, install the Secure Password Extension.
Reference: "Configuring Access to Self-Service Site from Windows Logon Screen" on page 28

Step: Configure settings that apply to all domains managed with Password Manager (such as site-specific defaults, notification settings, and profile update policy).
Reference: "Specifying Global Settings" on page 15

Step: Grant the access permissions for the Help Desk site to help desk operators. You can also delegate access for the Administrative site to trusted Password Manager administrators.
Reference: "Delegating Help Desk and Administrative Tasks" on page 62

Step: Ensure that the screen resolution on client-side computers used to access the Web sites of Password Manager is set to a minimum of 800x600 pixels. The recommended screen resolution is 1024x768 pixels. Ensure that all Password Manager users have JavaScript enabled in Microsoft Internet Explorer settings.

Step: Ensure that the users know the Self-Service site URL and can access the site to register and perform password self-management tasks.

Step: If required, configure options for user registration notification and enforcement by specifying a registration schedule and enabling registration notification.
Reference: "Configuring Registration Notification and Enforcement" on page 59

Step: To allow users to access the Self-Service site, explicitly specify the groups which are granted access to the Self-Service site. By default, no managed domain user can access the Self-Service site.
Reference: "Configuring Access to Self-Service Site" on page 64

Step: If you want to use Password Manager to enforce password policies, first install Password Policy Manager (PPM) on all domain controllers in the domain. Then, create password policies and configure password policy rules.
Reference: "Installing Password Policy Manager" on page 45; "Creating and Configuring a Password Policy" on page 46; "Configuring Password Policy Rules" on page 47

Step: If you want to use Password Manager for cross-platform password synchronization, install Quest Quick Connect and configure the product to integrate with Password Manager.
Reference: "Configuring Cross-Platform Password Synchronization using ActiveRoles Quick Connect" on page 80

Specifying Global Settings

This section outlines the procedures required to configure site-specific settings that affect users and help desk operators in all domains registered with Password Manager.

Enabling HTTPS

We strongly recommend that you use HTTPS with Quest Password Manager. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web. Without it, the passwords, passcodes and security answers that users and help desk operators enter on the Password Manager Web sites travel in clear text between the browser and the server.

To enable HTTPS for your Web server you may need to obtain a server certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at

Configuring Self-Service Site Settings

You can customize the behavior of the Self-Service site by specifying what password management tasks are allowed to users and configuring user notification.

Configuring Security Settings

By configuring the security settings, you define whether you want to let users do the following:

• Hide their security answers on the screen.

• See the domain name on the Self-Service site pages.

• See which of the personal questions users have answered incorrectly when authenticating.

To configure security settings for the Self-Service site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then click the Self-Service Site tab.

3. Under Security settings, configure the following options as required:

OPTION / DESCRIPTION

Hide users' answers by default
Select this check box to have Password Manager display users' security answers as asterisks while they are typing in their answers.

Allow users to hide their answers
Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks.

Prevent users from seeing whether questions are answered correctly
Select this check box to prevent users from seeing to which of their private questions they have provided incorrect answers when performing password self-management tasks using the Self-Service site.

Hide tools not available for user
Select this check box to prevent users from seeing the tools which are not available for them.

Use a security CAPTCHA image to prevent bot attacks
Select this check box to have the Self-Service site display a picture with characters and require the user to enter the characters on the picture. This feature provides enhanced protection against automated attacks.

Domain display options
Use this section to specify whether the Self-Service site should show the managed domain name to the user. If you select the "Show domain list" option, the Self-Service site user will be able to see the list of the managed domains registered with Password Manager. By selecting the "Hide domain list" option you will prevent users from seeing the list of domains.

Users must agree that Password Manager will store their personal information
Depending on the legislation requirements, organizations may be required to explicitly obtain users' consent to store their personal information which is available in the Questions and Answers profile. Select this check box to have the Self-Service site ask users to agree that Password Manager will store their personal information.

4. Click Save.

Configuring Allowed Self-Service Site Tasks

You can granularly configure the set of tasks available to Password Manager end users on the Self-Service site.

To configure the tasks available for the Self-Service site users:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then click the Self-Service Site tab.

3. Click Allowed self-service tasks to expand this section, and then configure the following options as required:

OPTION / DESCRIPTION

Allow users to register with Password Manager
Select this check box to allow users to register with Password Manager by using the Self-Service site.

Allow users to unlock their accounts
Select this check box to allow users to unlock their domain accounts by using the Self-Service site.

Allow users to reset their passwords
Select this check box to allow users to reset passwords for their domain accounts by using the Self-Service site.

Allow users to change their passwords
Select this check box to allow users to manage passwords for their accounts in managed domains, and in connected data sources, by using the Self-Service site.

Allow users to change Q&A profile
Select this check box to allow users to manage Questions and Answers profiles for their accounts in managed domains by using the Self-Service site.

Allow users to change their alert settings
Select this check box to allow users to specify events upon which they want to receive alerts.

Allow users to use passcode
Select this check box to allow users to use a passcode for creating their Questions and Answers profile.

4. Click Save.
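The passcode, answer-masking and profile-locking behaviour described in the Self-Service site settings above can be seen end to end in the following Python sketch. It is an added example written for this guide's reader, not Password Manager's own code: the in-memory store, the attempt limit of three, the passcode alphabet and the PBKDF2 hashing are assumptions of the example. A help desk operator issues a passcode with a lifetime in minutes, the user redeems it once to create a Questions and Answers profile, and verification reports only an overall pass or fail (the effect of the "Prevent users from seeing whether questions are answered correctly" option) and locks the profile after repeated failures until an operator unlocks it.

```python
"""Added example (not Password Manager code): a minimal Q&A profile store with
help-desk passcodes, pass/fail-only verification and profile locking."""
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 3   # assumption: lock the profile after three bad attempts
PASSCODE_LENGTH = 8       # assumption
PASSCODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I look-alikes


def normalize(answer: str) -> str:
    """Compare answers case-insensitively, ignoring surrounding and repeated spaces."""
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Keep answers only as salted PBKDF2 hashes; the clear text is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class QAStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.passcodes = {}       # user -> (passcode, expires_at)
        self.profiles = {}        # user -> {"answers": {q: (salt, digest)}, "failed": n, "locked": bool}

    # --- help desk side ---------------------------------------------------
    def issue_passcode(self, user: str, lifetime_minutes: int) -> str:
        """Operator assigns a temporary passcode to a user who is not yet registered."""
        code = "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(PASSCODE_LENGTH))
        self.passcodes[user] = (code, self.now() + lifetime_minutes * 60)
        return code

    def unlock_profile(self, user: str) -> None:
        """Operator unlocks a profile that was locked by a run of wrong answers."""
        profile = self.profiles[user]
        profile["locked"] = False
        profile["failed"] = 0

    # --- self-service side ------------------------------------------------
    def register_with_passcode(self, user: str, code: str, answers: dict) -> bool:
        """Create the Q&A profile if the passcode matches and is still valid. Single use."""
        issued = self.passcodes.get(user)
        if issued is None:
            return False
        expected, expires_at = issued
        if self.now() > expires_at or not hmac.compare_digest(expected, code):
            return False
        del self.passcodes[user]          # a redeemed passcode cannot be reused
        stored = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            stored[question] = (salt, hash_answer(answer, salt))
        self.profiles[user] = {"answers": stored, "failed": 0, "locked": False}
        return True

    def verify_answers(self, user: str, given: dict) -> bool:
        """Check every answer but report only one overall result, so the caller
        cannot learn which question was wrong. Locks after repeated failures."""
        profile = self.profiles.get(user)
        if profile is None or profile["locked"]:
            return False
        all_ok = True
        for question, (salt, digest) in profile["answers"].items():
            candidate = hash_answer(given.get(question, ""), salt)
            # evaluate every question; never stop at the first mismatch
            all_ok &= hmac.compare_digest(candidate, digest)
        if all_ok:
            profile["failed"] = 0
            return True
        profile["failed"] += 1
        if profile["failed"] >= MAX_FAILED_ATTEMPTS:
            profile["locked"] = True
        return False

    def is_locked(self, user: str) -> bool:
        return self.profiles[user]["locked"]
```

verify_answers hashes and compares every stored answer rather than returning at the first mismatch, and compares with hmac.compare_digest, so neither the result nor the response time reveals which question failed; the only per-user feedback is the eventual lock, which is exactly what the "unlock users' Q&A profiles" help desk task exists to clear.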

Configuring Account Search Options

To configure account search options:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then click the Self-Service Site tab.

3. Click Account search options to expand this section, and then configure the following options as required:

OPTION / DESCRIPTION

Allow users to locate their accounts
Select the check box to allow users to perform account search by using the Locate Account functionality of the Self-Service site. By selecting this option, you can specify the number of user accounts that are displayed in search results. To do this, specify the required number in the "Number of users to display in search results in the Locate Account page" field.

User properties to display in search results
Select check boxes next to the user account attributes that you want users to view in search results. You can select any of the following attributes: First name, Initials, Last name, Display name, Name, Full name, User logon name, E-mail.

4. Click Save.

Configuring User Notification

You can configure a list of events upon which you want all registered users to receive notifications. For each of the events below, you can specify whether users may decide for themselves if they want to receive a specific notification or not.

• User's Q&A profile is updated

• User's Alert settings are updated

• User's account is unlocked

• User's password is reset

• User's password is changed

• User's Q&A profile requires update

• User's Q&A profile is locked

• User's password is expired
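How the administrator's per-event setting combines with a user's own preference, and which users are due a password-expiry notice, can be written down precisely. The Python below is an added example, not code from Password Manager: the four setting labels are the options this page offers for each event, and the rule that only registered users (those with a Questions and Answers profile) receive expiry notices is also the page's; the enum, the user records, the "already expired passwords are not in the expiring-soon set" rule and the sample data are the example's own assumptions.

```python
"""Added example (not Password Manager code): resolving per-event notification
settings and selecting users due a password-expiry notification."""
from datetime import date, timedelta
from enum import Enum


class AdminSetting(Enum):
    # the four per-event options an administrator can choose on this page
    DISABLED_USER_MAY_CHANGE = "Disabled. Users can change this setting."
    ENABLED_USER_MAY_CHANGE = "Enabled. Users can change this setting."
    PERMANENTLY_DISABLED = "Permanently disabled."
    PERMANENTLY_ENABLED = "Permanently enabled."


def effective_notification(setting: AdminSetting, user_choice) -> bool:
    """True if the user should be notified of an event.

    user_choice is the preference the user set on the Self-Service site
    (True/False) or None if they never changed it. A 'permanent' setting wins
    regardless of the user's choice; otherwise the user's choice overrides the
    administrator's default."""
    if setting is AdminSetting.PERMANENTLY_ENABLED:
        return True
    if setting is AdminSetting.PERMANENTLY_DISABLED:
        return False
    admin_default = setting is AdminSetting.ENABLED_USER_MAY_CHANGE
    return admin_default if user_choice is None else bool(user_choice)


def password_expiry_notifications(users, today: date, days_before: int) -> list:
    """Logon names of users to notify today about an upcoming password expiry.

    A user is notified only if registered (has a Q&A profile) and the password
    expires within the next days_before days. Assumption of this example: a
    password that has already expired is a separate event and is skipped here."""
    window_end = today + timedelta(days=days_before)
    due = []
    for user in users:
        if not user["registered"]:
            continue                       # unregistered users get no expiry notice
        if today <= user["expires"] <= window_end:
            due.append(user["logon"])
    return due


# constructed sample data for the example
SAMPLE_USERS = [
    {"logon": "alice", "registered": True,  "expires": date(2010, 10, 30)},
    {"logon": "bob",   "registered": False, "expires": date(2010, 10, 25)},
    {"logon": "carol", "registered": True,  "expires": date(2010, 12, 1)},
    {"logon": "dave",  "registered": True,  "expires": date(2010, 10, 20)},
]
```

Running the selection for 22 October 2010 with a 14-day window returns only alice: bob is within the window but never registered, carol expires outside it, and dave's password has already expired.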

To configure user notification

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. Ensure that you have configured the outgoing mail server settings. To specify the SMTP server settings, use the procedure outlined in "Configuring Outgoing Mail Servers Settings" on page 22.

3. On the menu bar, click Settings, and then click the Self-Service Site tab.

4. Click User notification settings to expand this area.

5. Specify events upon which you want users to receive notifications, and whether you want users to be able to change your settings for each of the events, by doing the following:

• Click the link next to a notification event, and then select one of the following options:

OPTION / DESCRIPTION

Disabled. Users can change this setting.
Select this option to disable user notification for the relevant event while allowing users to override this setting on a per-user basis.

Enabled. Users can change this setting.
Select this option to have users notified about the relevant event, and allow them to override this setting on a per-user basis.

Permanently disabled.
Select this option to disable user notification for the relevant event, and prevent users from changing this setting.

Permanently enabled.
Select this option to enable user notification for the relevant event, and prevent users from changing this setting.

• Under Days to notify a user before their password expires, optionally set the number of days during which you want users to receive password expiration notifications, before their passwords expire.

Note: If you enable the password expiration notification, then Password Manager will send password expiration notifications only to those users from all managed domains who have registered with Password Manager by creating their personal Questions and Answers profiles.

6. Click Save.

Configuring Help Desk Site Settings

You can define what password management tasks the help desk operators are allowed or required to perform. The settings described in this section are applied throughout all Active Directory domains managed by Password Manager.

To specify settings for the Help Desk site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then select the Help Desk Site tab.

3. In the Allow helpdesk operators to section, configure the following options as required:

OPTION / DESCRIPTION

verify user identity
Select this option to allow helpdesk operators to verify user identity by using the Help Desk site.

assign passcodes
Select Yes to allow helpdesk operators to assign temporary passcodes for users who forgot their passwords while not being registered with Password Manager. Then, below this option you can specify the Passcode lifetime in minutes value, i.e. the period within which the passcode is valid.

reset user passwords
Select this option to allow helpdesk operators to reset user passwords by using the Help Desk site. Select the "only after user identity verification" option to force helpdesk operators to check user identity before resetting a user's password.

unlock user accounts
Select this option to allow helpdesk operators to unlock user accounts by using the Help Desk site. Select the "only after user identity verification" option to force helpdesk operators to check user identity before unlocking a user account.

require users to update their Q&A profiles
Select this option to allow helpdesk operators to invalidate users' Questions and Answers profiles and to set a deadline for a user to update their Q&A profile.

Passcode lifetime, in minutes
Specify how long a passcode issued by helpdesk operators to users is valid for users to create their Questions and Answers profile.

unlock users' Q&A profiles
Select this option to allow helpdesk operators to unlock users' Questions and Answers profiles that are locked as a result of a sequence of failed attempts to provide the correct answers.

4. Configure the following options as required:

OPTION / DESCRIPTION

Helpdesk operators must verify user identity by
Defines that helpdesk operators must verify a user's identity before resetting the user's password, or unlocking their account. To configure this option, select how you want operators to authenticate users:

• Answer to randomly selected mandatory question (user's answer is hidden). In this mode, the operator will ask a user for their complete answer to one of the mandatory questions specified in the user's Q&A profile.

• Answer to authentication question (user's answer is hidden). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and enter the answers on the identity verification page.

• Answer to authentication question (user's answer is visible). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and then compare them to the answers displayed on the identity verification page.

• Random characters of an answer to authentication question. In this mode, the operator will ask a user to tell the specified number of characters in the user's answers to the Help Desk authentication questions, and then type in those characters in the appropriate positions on the identity verification page.

Allow helpdesk operators to require users to change their passwords at next logon
Select this option to allow helpdesk operators to force users to change their passwords at next logon.

5. Click Save.

Configuring Outgoing Mail Servers Settings

You can configure one or more outgoing mail servers. If there are several servers, Password Manager will first attempt to use the top one in the list.

To add outgoing mail servers (SMTP)

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then click the Notifications tab.

3. Select the Enable notifications option.

4. In the Mail Servers area, click Add.

5. On the Add SMTP Server page, configure the following options:

OPTION / DESCRIPTION

Server name
Type the SMTP server name. If the SMTP server uses a port different from the default SMTP port 25, you may specify the port using the following format: <server name>:<port number>, where <server name> is the server name and <port number> is the port number used for SMTP communication.

Sender address
Type the sender's user name.

This server requires authentication
Select if the SMTP server requires authentication.

User Name
Type the user name under which Password Manager will access the SMTP server.

Password
Type the password for this account.

Confirm password
Re-type the password.

The server requires an

6. Click Add.

7. Follow steps 4-5 to add any additional SMTP servers.

8. Use the Move Up and Move Down buttons to change the order of the SMTP servers in the list.

The order of the servers in the list specifies how Password Manager uses the servers to send notification mail messages. Password Manager will first attempt to use the servers at the top of the list.

To remove a server from the list of outgoing SMTP mail servers

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then click the Notifications tab.

3. In the Mail Servers area, select one or more SMTP servers to delete and click Remove.

Configuring Alerts and Recipients

You can configure Password Manager to send alert notifications to the specified administrators when the following actions are completed successfully or fail:

• Users change their Questions and Answers profiles

• Users unlock their accounts

• Users reset their passwords

• Users change their passwords

• Users' Questions and Answers profiles are locked

• Users change their personal alert settings

To specify alerts and recipients

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. Ensure that you have configured the outgoing mail (SMTP) server settings.

3. You can configure the SMTP server settings by using the procedure outlined in "Configuring Outgoing Mail Servers Settings" on page 22.

4. On the menu bar, click Settings, and then click the Notifications tab.

5. In the Recipients section, click Add and specify the e-mail address of the administrator you want to receive notifications.

6. Verify the changes you have made by selecting one or more recipients and sending a test message.

7. In the Events section, configure the following options:

OPTION / DESCRIPTION

Q&A Profile created
Select to notify when a user has created and/or failed to create their personal alert settings.

Q&A Profile changed
Select to notify when a user has changed and/or failed to change their personal alert settings.

Account unlocked
Select to send notifications when a user has unlocked and/or failed to unlock their account.

Password reset
Select to send alerts when a user has reset and/or failed to reset their password.

Password changed
Select to send alerts when a user has changed and/or failed to change their password.

Q&A profile locked
Select to send alerts when a user's Questions and Answers profile has become locked and/or has failed to lock.

Preferred e-mail language
Select and then choose your preferred language for e-mail notifications from the drop-down list below.

8. Click Save.

Customizing E-mail Templates for the Notifications Distributed by Password Manager

You can customize the e-mail notification messages distributed by Password Manager to meet specific requirements in your organization. The notifications are sent either in plain text or as HTML. If you select HTML, you can enhance the notifications by using HTML tags to add custom text formatting, hyperlinks, etc.

To modify the e-mail notifications:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the menu bar, click Settings, and then select the E-mail Templates tab.

3. In the Select language drop-down box, select the language for which you want to customize the notification templates.

4. In the Events column, click the event group you want to customize.

5. In the E-mail Template column, edit the subject and the body of the notification templates as required. When editing the notification templates, you can use the following parameters:

PARAMETER DESCRIPTION

%1 - DNS domain name of the managed domain.

%2 - User name (sAMAccountName).

%3 - Error message.

%4 - Error code (HRESULT).

%5 - Reserved for internal use.

%6 - User IP address.

%7 - Current date in a user-readable form.

%8 - Number of days until the deadline.

%9 - User display name.

%10 - User name of the Help Desk operator in the

6. In the Message format box, select the format to use for the notifications: HTML or Plain Text. If you select HTML as the message format, you can add HTML markup tags to the templates to customize the e-mail notifications.

7. Click Save.

Selecting the Languages for Invitation Notification

You can specify one or more languages to use in the e-mail messages that invite users to register with Password Manager. If you select multiple languages, the invitation message includes several copies of the invitation, one for each of the selected languages.

To select the language(s) to use in the invitation notification:

1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create the language list, and then click the General tab.

3. On the General tab, in the User registration schedule section, click Specify notification language(s).

4. On the List of Languages for Invitation Notification page, click Add.

5. In the Add Language(s) window, select one or more languages to use in the invitation notification message and click Add.

6. Use the Move Up and Move Down buttons to specify the order of the languages in the invitation message. The first language in the list is used for the message subject.

7. Click Save.

Configuring Profile Update Policy

You can specify when users must update their Q&A profiles. For example, you can require users to update their Q&A profiles, if the question list has been changed. The policy affects all users managed by the Password Manager instance.

To configure profile update policy

1. On the menu bar, click Settings, and then click the Profile Update Policy tab.

2. Configure the following options:

OPTION DESCRIPTION

Question list or Q&A policy has changed since Q&A profile creation - Select to have users update their Q&A profiles if the question list or the Q&A policy was modified after users created or last updated their Questions and Answers profiles.

The question user answered to register was modified or deleted - Select to have users update their Q&A profiles if one or more of the questions which users answered to register were modified or deleted.

User's Q&A profile contains fewer questions than required for registration - Select to have users update their Q&A profiles if you have added one or more questions required for registration, making the list of such questions longer than it was when users' profiles were last updated.

User's Q&A profile contains fewer questions than required for password reset - Select to have users update their Q&A profiles if you have added one or more questions required to reset a password, making the list of such questions longer than it was when users' profiles were last updated.

User's Q&A profile contains fewer questions than required for unlocking account - Select to have users update their Q&A profiles if you have added one or more questions required to unlock an account, making the list of such questions longer than it was when users' profiles were last updated.

User's answers are shorter than required - Select to have users update their Q&A profiles if any of the users' answers contain fewer characters than the current settings require.

User-defined questions are shorter than required - Select to have users update their Q&A profiles if any of the user-defined questions contain fewer characters than the current settings require.

User has specified the same answer for several questions - Select to have users update their Q&A profiles if the profiles contain the same answer for different questions and the current settings prohibit this.

User specified an answer which is a part of the corresponding question - Select to have users update their Q&A profiles if the profiles contain answers that are part of the corresponding question and the current settings prohibit this. Enabling this option affects only those users whose answers are stored using reversible encryption: Password Manager must be able to read a stored answer to compare it with the question, and answers stored without reversible encryption cannot be read back.

User's answers are stored using reversible encryption - Select to have users update their Q&A profiles if users' answers are stored without reversible encryption and the current settings require it.

Question list was made unavailable to users since Q&A profile creation - Select to have users update their Q&A profiles if the question list which they used when registering was made unavailable to users.

3. Click Save.

Users whose Q&A profiles were marked as noncompliant can still use their profiles to reset passwords and unlock accounts, but they will start receiving alerts saying that their Q&A profiles must be updated according to the current password management settings.

Configuring Access to Self-Service Site from Windows Logon Screen

It is very common for business users to forget their password and be unable to log on to the system. Password Manager allows users to securely and conveniently reset their forgotten network passwords, or manage their passwords in multiple enterprise systems, before even logging on to the system. To give users access to the Self-Service site from the Windows logon screen, Password Manager provides the Secure Password Extension.

Introducing Secure Password Extension

The Quest Secure Password Extension is an application that provides one-click access to the complete functionality of the Self-Service site from the Windows logon screen. The Secure Password Extension also displays dialog boxes on end-user computers that notify users who must create or update their Questions and Answers profiles with Password Manager. The Secure Password Extension is included on the installation CD and is deployed through Group Policy. For information on how to deploy and configure the Secure Password Extension on end-user workstations in the managed domain, see "Deploying and Configuring Secure Password Extension" on page 29.

The Secure Password Extension supports the authentication model (credential providers) of Windows Vista and Windows 7, and has been tested for compatibility with the GINAs (Graphical Identification and Authentication DLLs) of the following systems:

• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows 2003
• Novell Client 4.9 for Windows NT/2000/XP and Windows 95/98
• Identix BioLogon 3
• IBM ThinkVantage Access Connections 3.81
• Citrix MetaFrame Presentation Server 4.0
• HP ProtectTools

In pre-Windows Vista operating systems, such as Microsoft Windows 2000 or XP, the Secure Password Extension uses the GINA-based authentication model and adds the Forgot My Password and Manage My Password buttons to the Windows logon screen. On workstations running Windows Vista or Windows 7, the Secure Password Extension adds the Forgot My Password command link to the Windows logon screen. By clicking these buttons or the link, users open the Self-Service site.

When users connect to the Self-Service site from the Windows logon screen, anonymous access is enabled and the functionality of Microsoft Internet Explorer is restricted to prevent actions that may pose a security threat. Once users open the Self-Service site home page from the Windows logon screen, they cannot access any other Web site, open a new browser window, or open a context menu. Because this browser session runs before anyone has logged on, anything reachable from the Self-Service site is reachable by anyone with physical access to the workstation; the URL and Force HTTPS policy settings described in "Managing Secure Password Extension Using Administrative Templates" control where that session can be directed.

Deploying and Configuring Secure Password Extension

This section describes the prerequisites and steps for deploying and configuring the Quest Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. The Secure Password Extension also displays dialog boxes on end-user computers that notify users who must create or update their Questions and Answers profiles with Password Manager.

The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension for installing on the destination computers. The Secure Password Extension is then installed on computers on which the GPO applies. Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:

Quest Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-Windows Vista, Windows Vista, and Windows 7 operating systems.

Quest Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.

You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy. The prm_gina.adm administrative template file is located in the \Password Manager\Setup\Administrative Template\ folder of the installation CD. Before using the file, copy it from the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller.

Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.

To deploy and configure the Secure Password Extension

1. Copy the required installation package (Quest Secure Password Extension x86.msi or Quest Secure Password Extension x64.msi) from the installation CD to a network share that is readable from all computers on which you want to install the Secure Password Extension. Software installation policies run at startup under the computer account, so the computer accounts (for example, Domain Computers) need Read access to the share and to the package; interactive users do not. Restrict Write access to the share to the administrators who maintain the package, because it is installed with Local System privileges on every targeted computer. The MSI packages are located in the \Password Manager\Setup\ folder of the installation CD.

2. Create a GPO and link it to all sites, domains, or organizational units that contain the computers where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension.

3. Open the GPO in the Group Policy Object Editor, and then do the following:

• Expand Computer Configuration/Software Settings, right-click Software installation, and then select New | Package.
• Browse for the MSI package you copied in step 1, and then click Open.
• In the Deploy Software window, select a deployment method and click OK.
• Verify and configure the properties of the installation, if needed.

4. To complete the Secure Password Extension installation, you must reboot all the client computers affected by the Group Policy.

Self-Service Site Location and Service Connection Points

To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password links on the Windows logon screen, you do not need to configure the URL path that points to a specific server where the Self-Service site is deployed, because the Secure Password Extension automatically locates the nearest Self-Service site.

The Secure Password Extension locates the Self-Service site using the service connection point mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, the Secure Password Extension uses the service connection points published by Password Manager Service instances in Active Directory.

When an instance of Password Manager is installed, the Password Manager Service publishes its service connection points in Active Directory. Password Manager regularly updates its service connection points using the Quest Password Manager x86 Publisher or Quest Password Manager x64 Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Manager instance.
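The following PowerShell script is an added example; it is not part of the Quest documentation or the product. It lists the service connection points published in the current domain so that you can see which Self-Service site locations a Secure Password Extension client could be handed, and flags any that would send the logon-screen browser to a cleartext http:// address. The attribute names (serviceClassName, serviceBindingInformation, keywords) are the standard Active Directory attributes of SCP objects; that the Password Manager Service records its Self-Service site URL in serviceBindingInformation, and the "Password Manager" filter string, are assumptions, so look at the unfiltered output first and adjust the filter to the class name you actually see.

```powershell
# Added example, not part of the Quest documentation: list the service connection
# points (SCPs) in the current domain and flag bindings that would send the
# logon-screen browser to a cleartext http:// address.
# Assumption: the Password Manager Service publishes its Self-Service site URL
# in the standard serviceBindingInformation attribute of its SCP.
# Uses only [adsisearcher], so it runs on any domain-joined computer without RSAT.

function Get-DomainServiceConnectionPoint {
    param(
        # Optional substring matched against serviceClassName, e.g. 'Password Manager'
        # (assumed value; inspect the unfiltered output first to learn the real class name).
        [string]$ClassFilter = ''
    )
    $searcher = [adsisearcher]'(objectClass=serviceConnectionPoint)'
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'serviceClassName', 'serviceBindingInformation',
        'keywords', 'whenChanged'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $p = $result.Properties
            $class = [string]$p['serviceclassname'][0]
            if ($ClassFilter -and $class -notlike "*$ClassFilter*") { continue }
            # serviceBindingInformation is multi-valued; emit one row per binding.
            $bindings = @($p['servicebindinginformation'])
            if ($bindings.Count -eq 0) { $bindings = @('') }
            foreach ($binding in $bindings) {
                New-Object PSObject -Property @{
                    DN       = [string]$p['distinguishedname'][0]
                    Class    = $class
                    Binding  = [string]$binding
                    Keywords = (@($p['keywords']) -join '; ')
                    Changed  = $p['whenchanged'][0]
                    # A pre-logon browser sent to http:// submits Q&A answers and new
                    # passwords in the clear; treat such bindings as a finding.
                    Insecure = ([string]$binding -match '^http://')
                }
            }
        }
    } finally {
        $results.Dispose()
    }
}

$scps = Get-DomainServiceConnectionPoint
$scps | Sort-Object Class, DN | Format-Table DN, Class, Binding, Changed -AutoSize

# SCPs are readable by every authenticated user, and whoever can create or modify
# them decides where Secure Password Extension sends users. Unknown hosts,
# http:// bindings, or recently changed objects in unexpected containers warrant
# a look before relying on automatic location.
$scps | Where-Object { $_.Insecure } | ForEach-Object {
    Write-Warning ("Cleartext binding published by {0}: {1}" -f $_.DN, $_.Binding)
}
```

Run it from any domain-joined computer as an ordinary domain user. Once you know the class name the Password Manager Service uses, pass it as -ClassFilter to limit the output; the whenChanged column is what to sort by when checking whether an SCP was recently created or altered.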

Password Manager Realm Affinity

In some instances, you may want the Secure Password Extension to contact only specific Password Manager Service instances when locating the Self-Service site. You can force the Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

A Password Manager realm is one or more Password Manager instances sharing a common configuration and the same encryption key. Normally, you add a member to a Password Manager realm by installing a new Password Manager instance using the "A replica of an existing instance" option.

To force the Secure Password Extension to use only Password Manager Service instances from a specific realm, set the Secure Password Extension affinity for that realm.

To set Secure Password Extension affinity for a Password Manager realm:

1. Open the Administration site of a Password Manager Service instance that belongs to the target realm.

2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain to which the computer running the Secure Password Extension instance you want to bind belongs.

3. On the General tab, select the contents of the Password Manager Realm Affinity ID box, right-click the selection and select Copy.

4. Open Administrative Tools (located at Start Menu | Settings | Control Panel).

5. Open Active Directory Users and Computers.

6. Right-click the managed domain name in the left pane and select Properties.

7. On the Group Policy tab, select the domain policy that is configured to work with the Secure Password Extension and click Edit.

8. In the left pane of the Group Policy Object Editor, expand Default Domain Policy | Computer Configuration, right-click the Administrative Templates node, and select Add/Remove Templates.

9. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

10. Click Close to close the Add/Remove Templates dialog box.

11. Select the Administrative Templates node, and then double-click the Quest Password Manager template in the right pane.

12. Click Generic Settings in the left pane.

13. In the right pane, double-click Password Manager Realm Affinity.

14. Select the Enabled option on the Settings tab, and then right-click the Realm Affinity ID text box and select Paste.

15. Click OK.

16. Apply the updated policy to the computers in the managed domain.

Overriding Automatic Self-Service Site Location

In some instances, you may not want the Secure Password Extension to automatically locate the nearest Self-Service site using the Password Manager Service connection points published in Active Directory. To force the Secure Password Extension to use a specific Self-Service site, specify the URL path explicitly and enable the override, as described below. With the override enabled, the Secure Password Extension no longer falls back to the published service connection points, so the URL you specify must stay valid: use https:// with a host name that matches the server certificate, and consider enabling the Force HTTPS policy setting alongside it.

To override automatic Self-Service site location:

1. Open Administrative Tools (located at Start Menu | Settings | Control Panel).

2. Open Active Directory Users and Computers.

3. Right-click the managed domain name in the left pane and select Properties.

4. On the Group Policy tab, select the domain policy that is configured to work with the Secure Password Extension and click Edit.

5. In the left pane of the Group Policy Object Editor, expand Default Domain Policy | Computer Configuration, right-click the Administrative Templates node, and select Add/Remove Templates.

6. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

7. Click Close to close the Add/Remove Templates dialog box.

8. Select the Administrative Templates node, and then double-click the Quest Password Manager template in the right pane.

9. Double-click Generic Settings.

10. Double-click Specify URL path to the Self-Service site.

11. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/User/, where COMPUTER_NAME is the name of the server where Password Manager resides, and VIRTUAL_DIRECTORY_NAME is the virtual directory name that was configured during Quest Password Manager Setup (by default, the virtual directory name is QPM). Substitute https:// with http:// if you don't use HTTPS.

12. Click OK.

13. Double-click Override URL path to Self-Service site.

14. Select the Enabled option on the Settings tab.

15. Click OK.

16. Apply the updated policy to the computers in the managed domain.

Please note that application of the updated policy to the computers in the managed domain may take some time to complete.
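Before pasting a URL into the Specify URL path to the Self-Service site policy and enabling the override, it is worth checking that the URL is one the restricted logon-screen browser can actually use. The following PowerShell function is an added example, not part of the Quest documentation or the product: it validates the URL format given above and, for https:// URLs, performs a TLS handshake with the default certificate validation the browser would apply (chain, expiry, host name). The host name pmserver.example.com is an assumed value for illustration.

```powershell
# Added example, not part of the Quest documentation: sanity-check a Self-Service
# site URL before it goes into the "Specify URL path to the Self-Service site"
# policy with "Override URL path" and "Force HTTPS" enabled.
# The URL format (https://COMPUTER_NAME/QPM/User/) is from the guide; the checks
# and the example host name are this script's own.

function Test-SelfServiceUrl {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        [int]$TimeoutMs = 5000
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return New-Object PSObject -Property @{ Url = $Url; Ok = $false; Findings = @('Not an absolute URL') }
    }
    # The logon-screen browser submits Q&A answers and new passwords to this
    # address, so anything other than https:// is a finding, not a style point.
    if ($uri.Scheme -ne 'https') { $findings.Add("Scheme is $($uri.Scheme), expected https") }
    if ($uri.AbsolutePath -notmatch '/User/$') { $findings.Add("Path '$($uri.AbsolutePath)' does not end in /User/") }
    if ($uri.Host -match '^\d{1,3}(\.\d{1,3}){3}$') { $findings.Add('Host is an IP address; certificate name matching will fail') }

    if ($uri.Scheme -eq 'https') {
        $client = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.ReceiveTimeout = $TimeoutMs
            $client.SendTimeout = $TimeoutMs
            $client.Connect($uri.Host, $uri.Port)
            # No custom validation callback: chain, expiry and host name must all
            # check out, exactly as they must for the browser on the logon screen.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($uri.Host)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("Certificate expires soon: $($cert.NotAfter)") }
            if (-not $ssl.IsEncrypted) { $findings.Add('TLS session is not encrypted') }
            $ssl.Close()
        } catch {
            $findings.Add("TLS handshake failed: $($_.Exception.Message)")
        } finally {
            if ($client) { $client.Close() }
        }
    }
    New-Object PSObject -Property @{ Url = $Url; Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Assumed host name for illustration; replace with your Password Manager server.
Test-SelfServiceUrl -Url 'https://pmserver.example.com/QPM/User/' | Format-List Url, Ok, Findings
```

Run the check from a workstation in the managed domain rather than from the server itself, so that the certificate chain is validated against the trust store the clients actually have. A TLS failure here will become a failed connection on the logon screen once Force HTTPS is enabled.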

Customizing the Logo for Secure Password Extension

For pre-Windows Vista operating systems, you can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. The image must be a 417-by-58-pixel .bmp file.

To deploy a custom logo for Secure Password Extension on end-user computers

1. Create a startup script to deploy your logo image. See the sample script below this procedure.

2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.

3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.

4. Expand Computer Configuration/Administrative Templates and then click Quest Password Manager.

5. Under Quest Password Manager, expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialog background image policy setting by specifying a local path to the logo image file on end-user computers.

The local path you specify in this policy setting must be the same as in the startup script described later in this section.

6. Expand Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.

7. In the Startup Properties window, click Add, then browse for the script file you created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.

8. Click OK.

The following startup script is a batch file that runs on end-user computers during system startup and copies the custom logo image, whose file name is passed as the first script parameter (%1), from the network share to a local folder:

@echo off
rem "SPE startup script"
rem *Check target directory existence*
if exist "c:\Program Files\Quest Software\Quest Secure Password Extension" goto :COPY_FILE
md "c:\Program Files\Quest Software\Quest Secure Password Extension"
rem *Copy BMP image - %1*
:COPY_FILE
copy "[SharedDir]\%1" "c:\Program Files\Quest Software\Quest Secure Password Extension\*.*"
rem pause
:out
Exit

[SharedDir] is a shared domain directory that must be available during boot. Each command, including the long copy line, must be typed as a single line.

Startup scripts run as Local System and reach the share with the computer account's credentials, so the share must grant Read access to the computer accounts, and Write access should be limited to the administrators who maintain the image: whoever can replace the file on the share controls what is copied into Program Files on every targeted computer.

Please note that application of the updated policy to the computers in the managed domain may take some time to complete.

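The batch file above copies whatever is on the share. The following PowerShell startup script is an added example (not part of the Quest documentation or the product) that does the same job but refuses to install an image that does not match a SHA-256 hash you pass as a script parameter, or that is not a 417-by-58 BMP. It is written for Windows PowerShell 2.0, the newest version available on the pre-Windows Vista systems the logo applies to, and assumes that version is installed on the clients and that the share grants Read access to the computer accounts. The destination folder and the image size come from the guide; the parameters, the hash check and the example share path are this script's own.

```powershell
# Added example, not part of the Quest documentation: startup script that installs
# the custom Secure Password Extension logo only if the file matches a known
# SHA-256 hash and really is a 417-by-58 BMP. Written for Windows PowerShell 2.0.
# Usage as a GPO startup script (parameter values are assumed):
#   -SourcePath \\fileserver\spe$\logo.bmp -ExpectedSha256 <hex digest of the approved file>
param(
    [Parameter(Mandatory=$true)][string]$SourcePath,
    [Parameter(Mandatory=$true)][string]$ExpectedSha256,
    [string]$TargetDir = 'C:\Program Files\Quest Software\Quest Secure Password Extension'
)

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { $digest = $sha.ComputeHash($fs) } finally { $fs.Close(); $sha.Clear() }
    ([BitConverter]::ToString($digest)).Replace('-', '')
}

function Get-BmpSize {
    # BMP file header: bytes 0-1 are "BM"; the DIB header that follows stores the
    # width as an int32 at offset 18 and the height as an int32 at offset 22
    # (a negative height means a top-down image, so take the absolute value).
    param([string]$Path)
    $bytes = New-Object byte[] 26
    $fs = [System.IO.File]::OpenRead($Path)
    try { $read = $fs.Read($bytes, 0, $bytes.Length) } finally { $fs.Close() }
    if ($read -lt 26 -or $bytes[0] -ne 0x42 -or $bytes[1] -ne 0x4D) { return $null }
    New-Object PSObject -Property @{
        Width  = [BitConverter]::ToInt32($bytes, 18)
        Height = [Math]::Abs([BitConverter]::ToInt32($bytes, 22))
    }
}

function Install-SpeLogo {
    param([string]$SourcePath, [string]$ExpectedSha256, [string]$TargetDir)
    # Stage locally first: the bytes that are hashed and checked are exactly the
    # bytes that get installed, with no second read of the share in between.
    $staged = Join-Path $env:TEMP ('spe-logo-' + [guid]::NewGuid().ToString() + '.bmp')
    Copy-Item -LiteralPath $SourcePath -Destination $staged -ErrorAction Stop
    try {
        $actual = Get-Sha256Hex -Path $staged
        if ($actual -ne $ExpectedSha256.Replace('-', '').ToUpperInvariant()) {
            throw "SHA-256 mismatch for $SourcePath (got $actual)"
        }
        $size = Get-BmpSize -Path $staged
        if ($size -eq $null -or $size.Width -ne 417 -or $size.Height -ne 58) {
            throw "$SourcePath is not a 417-by-58 BMP image"
        }
        if (-not (Test-Path -LiteralPath $TargetDir)) {
            $null = New-Item -ItemType Directory -Path $TargetDir
        }
        $dest = Join-Path $TargetDir (Split-Path -Leaf $SourcePath)
        Copy-Item -LiteralPath $staged -Destination $dest -Force -ErrorAction Stop
        return $dest
    } finally {
        Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue
    }
}

# Fail closed: a missing, altered or malformed image is reported and not installed,
# and the Secure Password Extension keeps showing its default logo.
try {
    $installed = Install-SpeLogo -SourcePath $SourcePath -ExpectedSha256 $ExpectedSha256 -TargetDir $TargetDir
    Write-Output "Installed Secure Password Extension logo: $installed"
} catch {
    Write-Warning ("Secure Password Extension logo not installed: " + $_.Exception.Message)
    exit 1
}
```

The local path you enter in the Set dialog background image policy setting must be the target folder plus the image's file name, which is what Install-SpeLogo writes. Compute the expected hash once from the approved image on an administrator's machine; because the hash travels in the GPO rather than on the share, replacing the file on the share no longer changes what is installed.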

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of Secure Password Extension window on end-user computers

1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.

2. Expand Computer Configuration/Administrative Templates and then click Quest Password Manager.

3. Under Quest Password Manager, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.

4. Click OK.

Managing Secure Password Extension Using Administrative Templates

The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements. The Administrative Template layout includes the following folders:

Generic Settings - includes policy settings that can be applied to computers running pre-Vista, Windows Vista, and Windows 7 Microsoft operating systems.

Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Vista operating systems.

Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension.

POLICY NAME DESCRIPTION

Specify URL path to the Self-Service site - This policy lets you specify the link used to access the Self-Service site from the Windows logon screen. This link is opened when users click the Forgot My Password or Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Forgot My Password command link in Windows Vista and Windows 7 operating systems. Use the following URL path format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY/User/, where COMPUTER_NAME is the name of the server where Password Manager resides, and VIRTUAL_DIRECTORY is the virtual directory name that was configured during Quest Password Manager Setup (by default, the virtual directory name is QPM). Substitute https:// with http:// if you don't use HTTPS.

Override URL path to Self-Service site - By default, the Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force the Secure Password Extension to use the Self-Service site specified in the "Specify URL path to the Self-Service site" setting.

Password Manager Realm Affinity - This policy setting lets you force the Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

Maximum number of attempts to connect to the Self-Service site - This setting specifies the maximum number of attempts to connect to the Self-Service site from the Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5.

Force HTTPS - This policy setting lets you enforce HTTPS for connections with the Self-Service site established using the Secure Password Extension. The logon-screen session carries the Q&A answers and new passwords that users submit, so enable this setting together with an https:// URL; over plain http:// those values cross the network unencrypted.

Proxy Settings

Enable proxy server access - This policy setting determines whether connections to the Self-Service site from the Windows logon screen are established through the specified proxy server.

Configure required proxy settings - Specifies the settings required to enable proxy server access to the Self-Service site from the Windows logon screen.

Configure optional proxy settings - Specifies optional settings for the proxy server access.

Shortcut Policies

Restore desktop shortcuts for the Self-Service site - This policy setting lets you define whether the desktop shortcut to the Self-Service site on a user's computer should be re-created by the Secure Password Extension if the user deletes it.

Do not create desktop shortcuts for the Self-Service site - This policy setting lets you define whether the Secure Password Extension should refrain from creating desktop shortcuts to the Self-Service site on users' computers.

Do not create any shortcuts for the Self-Service site - This policy setting lets you define whether the Secure Password Extension should refrain from creating any shortcuts to the Self-Service site on users' computers (on the desktop and in the Start menu).

Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title - This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Set custom name for the Secure Password Extension window title in <Language> - This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out of the box. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the width of the glyphs. The URL length must not exceed 256 characters.

Usage Policy Settings

Display the usage policy button (command link) - Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy button on pre-Windows Vista operating systems, and the usage policy command link on Windows Vista and Windows 7 operating systems, are displayed on the Windows logon screen and are intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end users.

Set default URL - This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file. This document is opened before anyone has logged on, so point the URL only at a server you control.

Set name and URL for the usage policy button (command link) in <Language> - This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the width of the glyphs. The URL length must not exceed 256 characters.

Forgot My Password Settings

Display custom names for the Forgot My Password button (command link) - This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button and command link with the names that you specify for the required logon languages. The Forgot My Password button (command link) is intended to open the Self-Service site from the Windows logon screen. On pre-Windows Vista operating systems, the Forgot My Password button is displayed if you are not logged on to the system. On Windows Vista and Windows 7 operating systems, the command link is displayed on the Windows logon screen irrespective of whether the user is logged on to the system or not.

Set custom name for the Forgot My Password button (command link) in <Language> - This group of policy settings allows you to specify names of the Forgot My Password button (command link) individually for each of the required logon languages. 36 language-specific policy settings are available.

Notifications Customization

Notification recurrence interval - If the registration notification is turned on, users are notified of the need to register with Password Manager through a dialog box displayed on the desktop. This setting lets you specify how often registration notifications are displayed on the desktop of user computers where the Secure Password Extension is running.

Set background image for registration notification dialog box - This policy setting allows you to change the default background by specifying an image that will be used as the new background.

Enable customization of registration notifications - This policy setting allows you to define whether you want to replace the default text on language-specific registration notification dialog boxes with your custom text.

Registration Notifications

Customize registration notification in <Language> - This group of policy settings allows you to customize the text of notification dialog boxes individually for each of the required logon languages. 36 language-specific policy settings are available.

Q&A profile update notifications

Customize Q&A profile update notification in <Language> - This group of policy settings allows you to customize the notifications that request users to update their Q&A profiles individually for each of the required logon languages. 36 language-specific policy settings are available.

Pre-Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

POLICY NAME / DESCRIPTION

Registration and Q&A profile update enforcement

Enforce registration and Q&A profile update
This policy setting allows you to specify whether to require users to register with Password Manager or update their invalid Q&A profiles before they log on to their computers. If you enable this policy and select the "Prevent users from logging on after deadline" check box in the Setting tab of the Properties window, users will be denied logon to their computers after the deadline until they create or update their Q&A profiles as required.

Secure Password Extension Logo

Set dialog background image
This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen.

Secure Password Extension Window Settings

Set the Secure Password Extension Window Position
This policy setting lets you specify the position of the Secure Password window on the Windows logon screen of user computers.

Manage My Password Settings

Display custom names for the Manage My Password button
This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button with the names that you specify for the required logon languages.

The Manage My Password button is intended to open the Self-Service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are logged on to the system.

Set custom name for the Manage My Password button in <Language>
This group of policy settings allows you to specify the name of the Manage My Password button individually for each of the required logon languages. 36


Uninstalling Secure Password Extension

You uninstall the Secure Password Extension from end-user computers by removing the appropriate installation packages assigned through Group Policy. Uninstalling the Secure Password Extension makes the Self-Service site no longer available from the Windows logon screen.

To remove an assigned .MSI package

1. Start the Group Policy Management snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.

2. In the console tree, click the group policy object with which you deployed the package, and then click Edit.

3. Expand the Software Settings container that contains the Software installation item with which you deployed the package.

4. Click the Software installation container that contains the package.

5. In the right pane of the Group Policy window, right-click the package name, point to All Tasks, and then click Remove.

6. Click Immediately uninstall the software from users and computers, and then click OK.

7. Quit the Group Policy Object Editor snap-in, and then quit the Group Policy Management snap-in.

Troubleshooting Secure Password Extension

If the user logon interface DLL prm_gina.dll fails to load at system startup, users will encounter the following system message: "The logon user interface DLL 'prm_gina.dll' failed to load. Contact your system administrator to replace the DLL, or restore the original DLL." This problem may occur when the prm_gina.dll file on the local computer is corrupt or missing.

To resolve this behavior, follow these steps:

1. Run Windows in safe mode.

2. In the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, replace the GinaDLL value data with the Original value data from the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\PRM key, if the latter exists.

   – OR –

   If the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\PRM key does not exist, delete the GinaDLL value from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

3. Restart the computer in normal mode.

4. Uninstall Secure Password Extension, and then install it by running the appropriate .MSI package on the local computer.
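The registry part of the recovery procedure above (step 2, both branches) as an added PowerShell example; this is not code from the Quest guide. It assumes Windows PowerShell is available on the affected computer and it only touches a GinaDLL value that actually points at prm_gina.dll, a safety check the guide does not state, so a different custom GINA is left alone.

```powershell
# Added example (not from the Quest guide): automate step 2 of the prm_gina.dll
# recovery. Run from an elevated PowerShell prompt in safe mode; -WhatIf previews
# the change without writing to the registry.
function Repair-GinaDll {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Key and value names exactly as given in the troubleshooting steps.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prmKey   = 'HKLM:\SOFTWARE\Quest Software\PRM'

    $current = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL
    if (-not $current) {
        Write-Host 'No GinaDLL value is set; Winlogon already uses the default msgina.dll.'
        return 'unchanged'
    }

    # Safety check (assumption, not in the guide): refuse to alter a GinaDLL value
    # that does not reference prm_gina.dll, so another vendor's GINA is not clobbered.
    if ($current -notmatch 'prm_gina\.dll$') {
        Write-Warning "GinaDLL is '$current', not prm_gina.dll; leaving it unchanged."
        return 'skipped'
    }

    $original = (Get-ItemProperty -Path $prmKey -ErrorAction SilentlyContinue).Original
    if ($original) {
        # Step 2, first branch: the PRM key exists, so restore the GINA that was
        # in place before Secure Password Extension was installed.
        if ($PSCmdlet.ShouldProcess($winlogon, "Set GinaDLL to '$original'")) {
            Set-ItemProperty -Path $winlogon -Name GinaDLL -Value $original
        }
        return 'restored'
    }

    # Step 2, second branch: no PRM key, so delete GinaDLL and let Winlogon
    # fall back to the built-in msgina.dll.
    if ($PSCmdlet.ShouldProcess($winlogon, 'Remove GinaDLL value')) {
        Remove-ItemProperty -Path $winlogon -Name GinaDLL
    }
    return 'removed'
}

# Preview first; rerun without -WhatIf to apply, then restart in normal mode (step 3).
Repair-GinaDll -WhatIf
```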
