ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide


© 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

Trademarks

Quest, Quest Software, the Quest Software logo, ScriptLogic, ScriptLogic Software, the ScriptLogic Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any

Documentation Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions, which apply to procedures, icons, keystrokes and cross-references.

Element Convention

Bolded text
Interface elements that appear in ScriptLogic products, such as menus and commands.

Italic text
Used for comments.

+
A plus sign between two keystrokes means that you must press them at the same time.

|
A pipe sign between elements means that you must select the elements in that particular sequence.

Contacting ScriptLogic

Contact ScriptLogic about any questions, problems or concerns.

ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
561.886.2400 Sales and General Inquiries
561.886.2450 Technical Support
561.886.2499 Fax
www.scriptlogic.com

ScriptLogic on the Web

ScriptLogic can be found on the web at www.scriptlogic.com. Our web site offers customers a variety of information:

• Download product updates, patches and/or evaluation products.
• Locate product information and technical details.
• Find out about Product Pricing.
• Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.
• Search Frequently Asked Questions, for the answers to the most common non-technical issues.
• Participate in Discussion Forums to discuss problems or ideas with other


Contents

WELCOME TO SCRIPTLOGIC PASSWORD SELF-SERVICE
  SCRIPTLOGIC PASSWORD SELF-SERVICE OVERVIEW
  DIFFERENT SITES FOR DIFFERENT ROLES
ADMINISTRATION SITE
  CHECKLIST: CONFIGURING PASSWORD SELF-SERVICE
  SPECIFYING GLOBAL SETTINGS
    Enabling HTTPS
    Configuring Self-Service Site Settings
  CONFIGURING ACCESS TO SELF-SERVICE SITE FROM WINDOWS LOGON SCREEN
    Introducing Secure Password Extension
    Deploying and Configuring Secure Password Extension
    Uninstalling Secure Password Extension
    Troubleshooting Secure Password Extension
  MANAGING DOMAINS
    Configuring Permissions to Access a Managed Domain
    Adding a Managed Domain
    Managing Questions and Answers Profiles
    Configuring Password Policies
    Configuring Logon Security Options
    Configuring Registration Notification and Enforcement
    Delegating Help Desk and Administrative Tasks
    Configuring Access to Self-Service Site
  REPORTING
    Setting Up Reporting Environment
    Using Reports
  DIAGNOSTIC LOGGING
  BEST PRACTICES FOR CONFIGURING REPORTING SERVICES
    Reporting Services default configuration
    Reporting Services firewall issues
  THE PASSWORD SELF-SERVICE DATABASE IN SQL SERVER
  THE SCHEDULED TASKS IN PASSWORD SELF-SERVICE

Welcome to ScriptLogic Password Self-Service

ScriptLogic Password Self-Service Overview

ScriptLogic Password Self-Service is a Web-based application that provides an easy-to-implement and easy-to-use, yet highly secure, password management solution. Users connect to Password Self-Service with their Web browser and perform password self-management tasks themselves, which eliminates the need for assistance from high-level administrators and reduces help desk workload. The solution offers a powerful and flexible password policy control mechanism that allows the Password Self-Service administrator to ensure that all passwords in the organization comply with the established policies.

Password Self-Service works with Windows domains, including domains operating in mixed mode.

The key features and benefits of ScriptLogic Password Self-Service include:

• Global access. ScriptLogic Password Self-Service provides 24x7x365 access to the Self-Service site from intranet computers as well as over the Internet from any of the most common browsers. The solution supports flexible access modes and logon options.
• Strong data encryption and secure communication. The solution relies on industry-leading technologies for enhanced communication security and data encryption.
• Web interface for help desk service. Password Self-Service features a Help Desk site which allows administrators to delegate help desk tasks to dedicated operators. These tasks include resetting user passwords, managing users' Questions and Answers profiles, and assigning temporary passcodes to users.
• x64 version of Password Policy Manager. An x64 version of the Password Policy Manager module has been designed for use on domain controllers running an x64 Microsoft Windows Server operating system.
• E-mail event notifications. Administrators can configure event notifications which are sent by e-mail to designated personnel when specified events occur.
• Seamless OS integration. ScriptLogic Password Self-Service relies on intrinsic security databases only and is capable of managing domains across trust boundaries (no trust relationship required).
• Powerful password policies. ScriptLogic Password Self-Service ensures that only passwords that meet administrator-defined policies are accepted. Unsuccessful authentication attempts are logged and the corresponding accounts are locked if necessary.
• Granular policy enforcement. Password policies are applied on a per-group or per-OU basis.
• Questions and Answers authentication mechanism. To reset passwords or unlock accounts, users are prompted to answer a series of questions for which they provided their secret answers when registering with ScriptLogic Password Self-Service.
• Enhanced user name search options. Users can be allowed to view their account attributes, such as user logon name, first name, display name, and SMTP address, when searching for their forgotten user names. A more specific search query returns the most relevant search results.
• Fault tolerance and scalability. ScriptLogic Password Self-Service is designed to work with network load balancing clusters and in a Web farm environment.

Different Sites for Different Roles

The Web Interface allows multiple Web sites to be installed with individual, customizable configurations. The following is a list of configuration templates that are available out-of-the box.

• Administration Site is for individuals who are responsible for implementing password self-management through performing administrative tasks, such as configuring site-specific settings and enforcing password policies, to suit the specific needs of their organization.
• Help Desk Site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles.
• Self-Service Site provides users with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators and reducing help desk workload.

Administration Site

Checklist: Configuring Password Self-Service

When you have installed Password Self-Service, follow this checklist to configure the solution to implement automated and secure password management in an Active Directory domain.

1. It is strongly recommended that you enable HTTPS on the server where Password Self-Service is installed. See Enabling HTTPS.

2. Prepare the account under which Password Self-Service will access the managed domain. See Configuring Permissions to Access a Managed Domain.

3. Register the managed domain with Password Self-Service. See Adding a Managed Domain.

4. Create language-specific question lists, and configure the Questions and Answers Policy if required. See Managing Questions and Answers Profiles.

5. If you want to provide access to the Self-Service site from the Windows logon screen, install the Secure Password Extension. See Configuring Access to Self-Service Site from Windows Logon Screen.

6. Configure settings that apply to all domains managed with Password Self-Service (such as site-specific defaults, notification settings, and profile update policy). See Specifying Global Settings.

7. Grant access permissions for the Help Desk site to help desk operators. You can also delegate access to the Administration site to trusted Password Self-Service administrators. See Delegating Help Desk and Administrative Tasks.

8. Ensure that the screen resolution on client-side computers used to access the Web sites of Password Self-Service is set to a minimum of 800x600 pixels. The recommended screen resolution is 1024x768 pixels.

9. Ensure that all Password Self-Service users have JavaScript enabled in Microsoft Internet Explorer settings.

10. Ensure that the users know the Self-Service site URL and can access the site to register and perform password self-management tasks. See Configuring Access to Self-Service Site.

11. If required, configure options for user registration notification and enforcement by specifying a registration schedule and enabling registration notification. See Configuring Registration Notification and Enforcement.

12. To allow users to access the Self-Service site, explicitly specify the groups that are granted access to the Self-Service site. By default, no managed domain user can access the Self-Service site.

13. If you want to use Password Self-Service to enforce password policies, first install Password Policy Manager (PPM) on all domain controllers in the domain. Then create password policies and configure password policy rules. See Installing Password Policy Manager, Creating and Configuring a Password Policy, and Configuring Password Policy Rules.

Specifying Global Settings

This section outlines the procedures required to configure site-specific settings that affect users and helpdesk operators in all domains registered with Password Self-Service.

Enabling HTTPS

We strongly recommend that you use HTTPS with ScriptLogic Password Self-Service. HTTPS is HTTP carried over an encrypted SSL/TLS connection between the browser and the Web server. Without it, everything that users and operators submit to the Self-Service, Help Desk and Administration sites, including the answers to users' personal questions, temporary passcodes and new passwords, crosses the network in clear text.
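Once a server certificate is installed on the Web server, the HTTPS binding and the require-SSL setting can be applied and checked from PowerShell. The following is an added example written for this guide's default layout; it is not a script from the guide or from the product. It assumes IIS 7 or later with the WebAdministration module, that the certificate already sits in the computer's Personal certificate store, that the site is IIS's Default Web Site, and that the Password Self-Service applications live under the /DAPSS path shown in this guide's default URLs. The host name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the guide or the product). Assumptions: IIS 7+ with the
# WebAdministration module, certificate already in Cert:\LocalMachine\My, the site
# is "Default Web Site", applications live under /DAPSS as in the guide's default URLs.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$hostName   = 'pss.corp.example'                           # placeholder: name users browse to
$thumbprint = '0000000000000000000000000000000000000000'   # placeholder: server certificate thumbprint

# 1. Add an HTTPS binding on 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
}

# 2. Attach the certificate to that binding. IIS:\SslBindings maps <ip>!<port> to a certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint is not in Cert:\LocalMachine\My" }
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# 3. Require SSL for everything under /DAPSS (Administration, Help Desk and Self-Service
#    sites), so a plain-HTTP request is refused with 403 instead of carrying answers and
#    passwords in the clear. Set on the parent path so sub-applications inherit it.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/DAPSS" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 4. Check the result: HTTPS must answer, plain HTTP to the Administration site must not.
(Invoke-WebRequest -Uri "https://$hostName/DAPSS/Admin/" -UseBasicParsing).StatusCode
try {
    Invoke-WebRequest -Uri "http://$hostName/DAPSS/Admin/" -UseBasicParsing | Out-Null
    Write-Warning 'The Administration site is still reachable over plain HTTP.'
} catch {
    "Plain HTTP refused as expected: $($_.Exception.Message)"
}
```

After SSL is required, any client or link that was configured with an http:// URL (the Secure Password Extension on the logon screen, published bookmarks) must be changed to https://, and the certificate's subject name must match the host name users type, or those clients will fail with a certificate error rather than fall back.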

To enable HTTPS for your Web server you may need to obtain a server certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at http://msdn2.microsoft.com/en-us/library/aa302411.aspx.

Configuring Self-Service Site Settings

You can customize the behavior of the Self-Service site by specifying what password management tasks are allowed to users and configuring user notification.

Configuring Security Settings

By configuring the security settings, you define whether you want to let users do the following:

• Hide their security answers on the screen.
• See the domain name on the Self-Service site pages.
• See which of their personal questions they have answered incorrectly.


To configure security settings for the Self-Service site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then click the Self-Service Site tab.

3. Under Security settings, configure the following options as required:

Option Description

Hide users’ answers by default
Select this check box to have Password Self-Service display users' security answers as asterisks while they are typing in their answers.

Allow users to hide their answers
Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks.

Prevent users from seeing whether questions are answered correctly
Select this check box to prevent users from seeing which of their private questions they have answered incorrectly when performing password self-management tasks using the Self-Service site. Reporting the result per question lets someone who is guessing attack each answer separately instead of all of them at once, so this option is worth selecting.

Hide tools not available for user
Select this check box to prevent users from seeing the tools which are not available for them.

Use a security CAPTCHA image to prevent bot attacks
Select this check box to have the Self-Service site display a picture with characters and require the user to enter the characters on the picture. This feature provides enhanced protection against automated attacks.

Domain display options
Use this section to specify whether the Self-Service site should show the managed domain name to the user. If you select the Show domain list option, the Self-Service site user will be able to see the list of the managed domains registered with Password Self-Service. Select the Hide domain list option to prevent users from seeing the list of domains.

Users must agree that Password Self-Service will store their personal information
Depending on legislation requirements, organizations may be required to explicitly obtain users’ consent to store the personal information held in their Questions and Answers profile. Select this check box to have the Self-Service site ask users to agree that Password Self-Service will store their personal information.

4. Click Save.

Configuring Allowed Self-Service Site Tasks

You can granularly configure the set of the tasks available for the Password Self-Service end-users on the Self-Service site.

To configure the tasks available for the Self-Service site users:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then click the Self-Service Site tab.

3. Click Allowed self-service tasks to expand this section, and then configure the following options as required:

Option Description

Allow users to register with Password Self-Service
Select this check box to allow users to register with Password Self-Service by using the Self-Service site.

Allow users to unlock their accounts
Select this check box to allow users to unlock their domain accounts by using the Self-Service site.

Allow users to reset their passwords
Select this check box to allow users to reset passwords for their domain accounts by using the Self-Service site.

Allow users to change their passwords
Select this check box to allow users to manage passwords for their accounts in managed domains, and in connected data sources, by using the Self-Service site.

Allow users to change Q&A profile
Select this check box to allow users to manage Questions and Answers profiles for their accounts in managed domains by using the Self-Service site.

Allow users to change their alert settings
Select this check box to allow users to specify the events upon which they want to receive alerts.

Allow users to use passcode
Select this check box to allow users to use a passcode for creating their Questions and Answers profile.

4. Click Save.

Configuring Account Search Options

To configure account search options:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then click the Self-Service Site tab.

3. Click Account search options to expand this section, and then configure the following options as required:

Option Description

Allow users to locate their accounts
Select the check box to allow users to perform an account search by using the Locate Account functionality of the Self-Service site. When this option is selected, you can specify the number of user accounts that are displayed in search results, in the "Number of users to display in search results in the Locate Account page" field. Locate Account is used before the user has identified themselves, so the attributes you display and the number of results you allow determine how much of the directory a visitor to the site can enumerate; keep both to the minimum users need, and consider enabling the CAPTCHA option under Security settings.

User properties to display in search results
Select the check boxes next to the user account attributes that you want users to view in search results. You can select any of the following attributes:
• First name
• Initials
• Last name
• Display name
• Name
• Full name
• User logon name
• E-mail

(11)

Configuring User Notification

You can configure a list of events upon which you want all registered users to receive notifications. For each of the events below, you can specify whether users may decide for themselves whether they want to receive a specific notification or not.

• User's Q&A profile is updated
• User's Alert settings are updated
• User's account is unlocked
• User's password is reset
• User's password is changed
• User's Q&A profile requires update
• User's Q&A profile is locked
• User's password is expired

To configure user notification

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. Ensure that you have configured the outgoing mail server settings. To specify the SMTP server settings, use the procedure outlined in Configuring Outgoing Mail Servers Settings.

3. On the menu bar, click Settings, and then click the Self-Service Site tab.

4. Click User notification settings to expand this area.

5. Specify the events upon which you want users to receive notifications, and whether you want users to be able to change your settings for each of the events, by doing the following:

a. Click the link next to a notification event, and then select one of the following options:

Option Description

Disabled. Users can change this setting.
Select this option to disable user notification for the relevant event while allowing users to override this setting on a per-user basis.

Enabled. Users can change this setting.
Select this option to have users notified about the relevant event, and allow them to override this setting on a per-user basis.

Permanently disabled.
Select this option to disable user notification for the relevant event, and prevent users from changing this setting.

Permanently enabled.
Select this option to enable user notification for the relevant event, and prevent users from changing this setting.

b. Under Days to notify a user before their password expires, optionally set the number of days before their passwords expire during which you want users to receive password expiration notifications.

6. Click Save.

Note: If you enable password expiration notification, Password Self-Service sends it only to those users, in any managed domain, who have registered with Password Self-Service by creating their personal Questions and Answers profiles.

Configuring Help Desk Site Settings

You can define what password management tasks the help desk operators are allowed or required to perform. The settings described in this section are applied throughout all Active Directory domains managed by Password Self-Service.

To specify settings for the Help Desk site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then select the Help Desk Site tab.

3. In the Allow helpdesk operators to section, configure the following options as required:

Option Description

verify user identity
Select this option to allow helpdesk operators to verify user identity by using the Help Desk site.

assign passcodes
Select Yes to allow helpdesk operators to assign temporary passcodes to users who have forgotten their passwords while not being registered with Password Self-Service. Below this option you can specify the Passcode lifetime, in minutes value, i.e. the period within which the passcode is valid.

reset user passwords
Select this option to allow helpdesk operators to reset user passwords by using the Help Desk site. Select the only after user identity verification option to force helpdesk operators to check user identity before resetting a user’s password. Leaving it unselected means an operator can reset a password on the strength of the call alone, which is the classic help desk social-engineering path.

unlock user accounts
Select this option to allow helpdesk operators to unlock user accounts by using the Help Desk site. Select the only after user identity verification option to force helpdesk operators to check user identity before unlocking a user account.

require users to update their Q&A profiles
Select this option to allow helpdesk operators to invalidate users' Questions and Answers profiles and to set a deadline for a user to update their Q&A profile.

Passcode lifetime, in minutes
Specify how long a passcode issued by helpdesk operators is valid for users to create their Questions and Answers profile. Keep this short: a passcode stands in for the user's identity until it expires.

unlock users' Q&A profiles
Select this option to allow helpdesk operators to unlock users' Questions and Answers profiles that are locked as a result of a sequence of failed attempts to provide the correct answers.


4. Configure the following options as required:

Option Description

Helpdesk operators must verify user identity by
Defines how helpdesk operators must verify a user's identity before resetting the user's password or unlocking their account. To configure this option, select how you want operators to authenticate users:

• Answer to randomly selected mandatory question (user’s answer is hidden). In this mode, the operator will ask a user for their complete answer to one of the mandatory questions specified in the user's Q&A profile.
• Answer to authentication question (user’s answer is hidden). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and enter the answers on the identity verification page.
• Answer to authentication question (user’s answer is visible). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and then compare them to the answers displayed on the identity verification page.
• Random characters of an answer to authentication question. In this mode, the operator will ask a user to tell the specified number of characters in the user's answers to the Help Desk authentication questions, and then type in those characters in the appropriate positions on the identity verification page.

The visible mode discloses the user's complete answers to the operator; the hidden modes and the random-characters mode limit what an operator learns from a call, with the random-characters mode also keeping the full answer off the phone line.

Allow helpdesk operators to require users to change their passwords at next logon
Select this option to allow helpdesk operators to force users to change their passwords at next logon.

5. Click Save.
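The random-characters mode described above is the one worth seeing in code, because it is the only mode in which neither the operator nor anyone overhearing the call receives a complete answer. The following is an added illustration written for this page, not the product's implementation. It assumes that a fresh set of positions is drawn for every verification, that positions are counted from 1 as an operator would read them out, that comparison is case-insensitive with surrounding whitespace ignored, and it keeps the stored answer in memory purely for the demonstration; the sample answer is constructed.

```powershell
# Added illustration (not the product's code). Assumptions: fresh random positions per
# verification, 1-based positions, case-insensitive comparison, stored answer held in
# memory only for this demonstration.
function New-AnswerChallenge {
    param([int] $AnswerLength, [int] $Characters = 3)
    if ($Characters -gt $AnswerLength) { throw 'More characters requested than the answer has.' }
    # Draw distinct positions from a cryptographic RNG so a challenge cannot be predicted
    # or replayed from an earlier call. Modulo bias is negligible at these lengths.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $positions = @{}
    while ($positions.Count -lt $Characters) {
        $bytes = [byte[]]::new(4)
        $rng.GetBytes($bytes)
        $p = ([System.BitConverter]::ToUInt32($bytes, 0) % $AnswerLength) + 1
        $positions[$p] = $true
    }
    return ($positions.Keys | Sort-Object)
}

function Test-AnswerCharacters {
    param([string] $StoredAnswer, [int[]] $Positions, [string[]] $Provided)
    $answer = $StoredAnswer.Trim()
    if ($Provided.Count -ne $Positions.Count) { return $false }
    # Count mismatches instead of returning at the first one, so the time taken does
    # not reveal which position was wrong.
    $mismatch = 0
    for ($i = 0; $i -lt $Positions.Count; $i++) {
        $expected = [string] $answer[$Positions[$i] - 1]
        if (-not [string]::Equals($expected, $Provided[$i], 'OrdinalIgnoreCase')) { $mismatch++ }
    }
    return ($mismatch -eq 0)
}

# Constructed sample: the stored answer, the positions the operator reads out, and
# what the operator types from the user's reply.
$stored    = 'Springfield'
$challenge = New-AnswerChallenge -AnswerLength $stored.Length -Characters 3
"Ask the user for the characters at positions: $($challenge -join ', ')"

$typed = foreach ($p in $challenge) { [string] $stored[$p - 1] }    # simulated correct reply
Test-AnswerCharacters -StoredAnswer $stored -Positions $challenge -Provided $typed
Test-AnswerCharacters -StoredAnswer $stored -Positions $challenge -Provided @('x', 'y', 'z')
```

The first verification call returns True and the second False. A real deployment also needs a failure counter that locks the Q&A profile after a run of wrong replies, which is what the "unlock users' Q&A profiles" operator right above exists to undo.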

Configuring Outgoing Mail Servers Settings

You can configure one or more outgoing mail servers. If there are several servers, Password Self-Service will first attempt to use the top one in the list.

To add outgoing mail servers (SMTP)

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then click the Notifications tab.

3. Select the Enable notifications option.

4. In the Mail Servers area, click Add.

5. On the Add SMTP Server page, configure the following options:

Option Description

Server name
Type the SMTP server name. If the SMTP server uses a port other than the default SMTP port 25, you may specify the port using the format <server name>:<port number>, where <server name> is the server name and <port number> is the port number used for SMTP communication.

Sender address
Type the e-mail address to use as the sender of the notifications.

This server requires authentication
Select if the SMTP server requires authentication.

User Name
Type the user name under which Password Self-Service will access the SMTP server.

Password
Type the password for this account.

Confirm password
Re-type the password.

The server requires an encrypted connection (SSL)
Select if the SMTP server requires an encrypted connection (SSL). Select it whenever the server supports it: without it the SMTP session, including the credentials of the account above, is sent in clear text.

6. Click Add.

7. Follow steps 4-5 to add any additional SMTP servers.

8. Use the Move Up and Move Down buttons to change the order of the SMTP servers in the list.

The order of the servers in the list specifies how Password Self-Service uses the servers to send notification mail messages. Password Self-Service will first attempt to use the servers at the top of the list.

To remove a server from the list of outgoing SMTP mail servers

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then click the Notifications tab.

3. In the Mail Servers area, select one or more SMTP servers to delete and click Remove.

Configuring Alerts and Recipients

You can configure Password Self-Service to send alert notifications to the specified administrators when the following actions are completed successfully or fail:

• Users change their Questions and Answers profiles
• Users unlock their accounts
• Users reset their passwords
• Users change their passwords
• Users' Questions and Answers profiles are locked

To specify alerts and recipients

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. Ensure that you have configured the outgoing mail (SMTP) server settings. You can configure the SMTP server settings by using the procedure outlined in Configuring Outgoing Mail Servers Settings.

3. On the menu bar, click Settings, and then click the Notifications tab.

4. In the Recipients section, click Add and specify the e-mail address of the administrator you want to receive notifications.

5. Verify the changes you have made by selecting one or more recipients and sending a test message.

6. In the Events section, configure the following options:

Option Description

Q&A Profile created
Select to send alerts when a user has created and/or failed to create their Questions and Answers profile.

Q&A Profile changed
Select to send alerts when a user has changed and/or failed to change their Questions and Answers profile.

Account unlocked
Select to send notifications when a user has unlocked and/or failed to unlock their account.

Password reset
Select to send alerts when a user has reset and/or failed to reset their password.

Password changed
Select to send alerts when a user has changed and/or failed to change their password.

Q&A profile locked
Select to send alerts when a user's Questions and Answers profile has become locked and/or has failed to lock.

Preferred e-mail language
Select, and then choose your preferred language for e-mail notifications from the drop-down list below.

7. Click Save.

Customizing E-mail Templates for the Notifications Distributed by Password Self-Service

You can customize the e-mail notification messages distributed by Password Self-Service to meet specific requirements in your organization. The notifications are sent either in plain text or as HTML. If you select HTML, you can enhance the notifications by using HTML tags to add custom text formatting, hyperlinks, etc.

To modify the e-mail notifications:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the menu bar, click Settings, and then select the E-mail Templates tab.

3. In the Select language drop-down box, select the language for which you want to customize the notification templates.

4. In the Events column, click the event group you want to customize.

5. In the E-mail Template column, edit the subject and the body of the notification templates as required. When editing the notification templates, you can use the following parameters:

Parameter Description

%1 DNS domain name of the managed domain.
%2 User name (sAMAccountName).
%3 Error message.
%4 Error code (HResult).
%5 Reserved for internal use.
%6 User IP address.
%7 Current date in a user-readable form.
%8 Number of days until the deadline.
%9 User display name.
%10 User name of the Help Desk operator in the format <domain name>\<user name>.

6. In the Message format box, select the format to use for the notifications.

You can select from two options—either HTML or Plain Text.

If you select HTML as the message format, you can add HTML markup tags to the templates to customize the e-mail notifications.

7. Click Save.
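As an added illustration of how these placeholders expand (example code written for this page, not the product's own template engine), the function below substitutes %1 through %10 and shows the two things worth getting right when notification text is built from these values: %10 must be replaced before %1, otherwise "%10" becomes the user name followed by a 0, and values that come from the directory or the request (display name, user name, IP address) are HTML-encoded when the HTML format is selected, so a display name containing markup cannot alter the message. The sample values and templates are constructed.

```powershell
# Added illustration (not the product's code). Assumptions: values arrive in a
# hashtable keyed 1..10 as in the parameter table above; HTML-format templates get
# HTML-encoded values, while the operator's own markup in the template is untouched.
function Expand-PssTemplate {
    param(
        [Parameter(Mandatory)] [string] $Template,
        [Parameter(Mandatory)] [hashtable] $Values,
        [ValidateSet('HTML', 'PlainText')] [string] $Format = 'PlainText'
    )
    # Replace the highest-numbered placeholder first so "%10" is never mistaken for "%1".
    # Encoding is applied per value, never to the template text itself.
    $result = $Template
    foreach ($n in ($Values.Keys | Sort-Object -Descending)) {
        $v = [string] $Values[$n]
        if ($Format -eq 'HTML') { $v = [System.Net.WebUtility]::HtmlEncode($v) }
        $result = $result.Replace("%$n", $v)
    }
    return $result
}

# Constructed sample values, following the parameter table (%3 and %5 left empty).
$values = @{
    1 = 'corp.example'; 2 = 'jsmith'; 3 = ''; 4 = '0x00000000'; 5 = ''
    6 = '10.1.2.3'; 7 = (Get-Date -Format 'D'); 8 = '5'; 9 = 'John <Smith>'
    10 = 'CORP\helpdesk01'
}
$subject = 'Password reset for %2 in %1'
$body    = '<p>Hello %9,</p><p>operator %10 reset your password from %6 on %7.</p>'

Expand-PssTemplate -Template $subject -Values $values
Expand-PssTemplate -Template $body -Values $values -Format HTML
```

With the sample values, the subject expands to "Password reset for jsmith in corp.example", and in the HTML body the operator name appears intact while the display name is rendered as John &lt;Smith&gt;, which the mail client displays literally instead of treating as a tag.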

Selecting the Languages for Invitation Notification

You can specify one or more languages to use in the e-mail messages which invite users to register with Password Self-Service. If you select multiple languages, the invitation message will include several copies of the invitation—one copy for each of the selected languages.

To select the language(s) to use in invitation notification:

1. Open the Administration site by typing the Administration site URL in the

address bar of your Web browser. By default, the URL is http://<ComputerName>/DAPSS/Admin/.

2. On the Administration site home page, click Managed Domains, and on

the Managed Domains page, click the domain for which you want to create the language list, and then click the General tab.

3. On the General tab, in the User registration schedule section, click Specify notification language(s).

4. On the List of Languages for Invitation Notification page click Add.

5. In the Add Language(s) window, select one or more languages to use in

6. Click the Move Up and Move Down buttons to specify the order of the languages in the invitation message.

The first language in the list will be used for the message subject.

7. Click Save.

Configuring Profile Update Policy

You can specify when users must update their Q&A profiles. For example, you can require users to update their Q&A profiles if the question list has been changed. The policy affects all users managed by the Password Self-Service instance.

To configure profile update policy

1. On the menu bar, click Settings, and then click the Profile Update Policy tab.

2. Configure the following options:

Option Description

Question list or Q&A policy has changed since Q&A profile creation

Select to have users update their Q&A profiles if the question list or the Q&A policy was modified, provided that users had already created or updated their Questions and Answers profile.

The question user answered to register was modified or deleted

Select to have users update their Q&A profiles if one or more questions which users answered to register were modified or deleted.

User's Q&A profile contains fewer questions than required for registration

Select to have users update their Q&A profiles if you have added one or more questions required for registration, thus making the list of such questions longer than it was before users’ profiles were last updated.

User's Q&A profile contains fewer questions than required for password reset

Select to have users update their Q&A profiles if you have added one or more questions required to reset password, thus making the list of such questions longer than it was before the users’ profiles were last updated.

User's Q&A profile contains fewer questions than required for unlocking account

Select to have users update their Q&A profiles if you have added one or more questions required to unlock account, thus making the list of such questions longer than it was before users’ profiles were last updated.

User’s answers are shorter than required

Select to have users update their Q&A profiles if any of users' answers contain fewer characters than the current settings require.

User-defined questions are shorter than required

Select to have users update their Q&A profiles if any of the user-defined questions contain fewer characters than the current settings require.

User has specified the same answer for several questions

Select to have users update their Q&A profiles if the profiles contain the same answer for different questions and the current settings do not allow this.

User specified an answer which is a part of the corresponding question

Select to have users update their Q&A profiles if the profiles contain answers that are parts of the corresponding question and the current settings do not allow this. Enabling this option will affect only those users whose answers are stored using reversible encryption.


User's answers are stored using reversible encryption

Select to have users update their Q&A profiles if users’ answers are stored without reversible encryption while the current settings require reversible encryption.

Question list was made unavailable to users since Q&A profile creation

Select to have users update their Q&A profiles if a question list which they used when registering was made unavailable to users.

3. Click Save.

Users whose Q&A profiles are marked as noncompliant can still use their profiles to reset passwords and unlock accounts, but they will start receiving alerts saying that their Q&A profiles must be updated according to the current password management settings.
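To make the policy options above concrete, here is an added Python example (not the product's own code) that evaluates one user's Q&A profile against the current settings and returns the enabled options that would mark it noncompliant. The data structures, field names and sample profile are constructed assumptions; the option names are the ones from the table.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional

@dataclass
class QAEntry:
    question: str
    answer: str
    user_defined: bool = False

@dataclass
class QAProfile:
    entries: List[QAEntry]
    updated: datetime             # when the profile was last created or updated
    reversible_encryption: bool   # how this user's answers are stored

@dataclass
class QASettings:
    """Current question list and Q&A policy (field names are constructed)."""
    current_questions: FrozenSet[str]  # admin-defined questions still in the list
    list_available: bool               # the list is still offered to users
    changed: Optional[datetime]        # last change to the list or the Q&A policy
    required_for_registration: int
    required_for_reset: int
    required_for_unlock: int
    min_answer_length: int
    min_user_question_length: int
    unique_answers: bool               # answers must differ between questions
    answer_not_in_question: bool       # an answer may not be part of its question
    reversible_encryption: bool        # answers are to be stored reversibly

# Option names as they appear on the Profile Update Policy tab.
CHANGED = "Question list or Q&A policy has changed since Q&A profile creation"
MODIFIED = "The question user answered to register was modified or deleted"
FEW_REG = "User's Q&A profile contains fewer questions than required for registration"
FEW_RESET = "User's Q&A profile contains fewer questions than required for password reset"
FEW_UNLOCK = "User's Q&A profile contains fewer questions than required for unlocking account"
SHORT_ANSWER = "User's answers are shorter than required"
SHORT_QUESTION = "User-defined questions are shorter than required"
SAME_ANSWER = "User has specified the same answer for several questions"
ANSWER_IN_QUESTION = "User specified an answer which is a part of the corresponding question"
NOT_REVERSIBLE = "User's answers are stored using reversible encryption"
UNAVAILABLE = "Question list was made unavailable to users since Q&A profile creation"
ALL_OPTIONS = frozenset([CHANGED, MODIFIED, FEW_REG, FEW_RESET, FEW_UNLOCK, SHORT_ANSWER,
                         SHORT_QUESTION, SAME_ANSWER, ANSWER_IN_QUESTION, NOT_REVERSIBLE,
                         UNAVAILABLE])

def _norm(text: str) -> str:
    """Case- and whitespace-insensitive form used when comparing answers."""
    return " ".join(text.lower().split())

def noncompliance_reasons(profile: QAProfile, settings: QASettings,
                          enabled: FrozenSet[str] = ALL_OPTIONS) -> List[str]:
    """Return the enabled policy options that mark this profile as noncompliant.

    A profile that trips at least one enabled option stays usable for password
    reset and account unlock, but its owner should be alerted to update it.
    """
    entries = profile.entries
    answers = [_norm(e.answer) for e in entries]
    count = len(entries)
    checks = {
        CHANGED: settings.changed is not None and settings.changed > profile.updated,
        MODIFIED: any(not e.user_defined and e.question not in settings.current_questions
                      for e in entries),
        FEW_REG: count < settings.required_for_registration,
        FEW_RESET: count < settings.required_for_reset,
        FEW_UNLOCK: count < settings.required_for_unlock,
        SHORT_ANSWER: any(len(e.answer) < settings.min_answer_length for e in entries),
        SHORT_QUESTION: any(e.user_defined and len(e.question) < settings.min_user_question_length
                            for e in entries),
        SAME_ANSWER: settings.unique_answers and len(set(answers)) < len(answers),
        # Only decidable when the stored answer can be read back, which is why the
        # guide says this option affects users with reversibly encrypted answers.
        ANSWER_IN_QUESTION: (settings.answer_not_in_question and profile.reversible_encryption
                             and any(_norm(e.answer) in _norm(e.question) for e in entries)),
        NOT_REVERSIBLE: settings.reversible_encryption and not profile.reversible_encryption,
        UNAVAILABLE: not settings.list_available,
    }
    return [name for name, tripped in checks.items() if tripped and name in enabled]

# Constructed sample data, not taken from a real deployment.
SAMPLE_SETTINGS = QASettings(
    current_questions=frozenset({"What was the name of your first pet?"}),
    list_available=True, changed=datetime(2010, 6, 1),
    required_for_registration=3, required_for_reset=2, required_for_unlock=2,
    min_answer_length=4, min_user_question_length=20,
    unique_answers=True, answer_not_in_question=True, reversible_encryption=True)

SAMPLE_PROFILE = QAProfile(
    entries=[QAEntry("What was the name of your first pet?", "pet"),
             QAEntry("Favorite color", "blue", user_defined=True)],
    updated=datetime(2010, 5, 1), reversible_encryption=True)

if __name__ == "__main__":
    for reason in noncompliance_reasons(SAMPLE_PROFILE, SAMPLE_SETTINGS):
        print("noncompliant:", reason)
```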

Configuring Access to Self-Service Site from Windows Logon Screen

It is very common for business users to forget their password and be unable to log on to the system. Password Self-Service allows users to securely and conveniently reset their forgotten network passwords, or manage their passwords in multiple enterprise systems, before even logging on to the system. To enable users' access to the Self-Service site from the Windows logon screen, Password Self-Service implements Secure Password Extension.

Introducing Secure Password Extension

The ScriptLogic Secure Password Extension is an application that provides one-click access to the complete functionality of the Self-Service site from the Windows logon screen. The Secure Password Extension also provides dialog boxes, displayed on end-user computers, that notify users who must create or update their Questions and Answers profiles with Password Self-Service. The Secure Password Extension is included on the installation CD and is deployed through Group Policy. For information on how to deploy and configure the Secure Password Extension on end-user workstations in the managed domain, see Deploying and Configuring Secure Password Extension. The Secure Password Extension supports the authentication model in Windows Vista and Windows 7, and has been tested for compatibility with GINAs (Graphical Identification and Authentication DLLs) of the following systems:

• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows 2003
• Novell Client 4.9 for Windows NT/2000/XP and Windows 95/98
• Identix BioLogon 3
• IBM ThinkVantage Access Connections 3.81
• Citrix MetaFrame Presentation Server 4.0


In pre-Windows Vista operating systems, such as Microsoft Windows 2000 or XP, the Secure Password Extension uses the GINA-based authentication model, and adds the Forgot My Password and the Manage My Password buttons on the Windows logon screen. On workstations running Microsoft Windows 7, the Secure Password Extension adds the Forgot My Password link to the Windows logon screen. By clicking these buttons and the link, users open the Self-Service site.

When running under Microsoft Windows Vista, the behavior of Secure Password Extension is considerably different as compared to pre-Windows Vista operating systems. The Secure Password Extension functionality is also subject to several limitations:

• You cannot enforce user registration by using the Secure Password Extension. For more information, see Configuring Registration Notification and Enforcement.
• You can access the Self-Service site only after you click the Switch User button on the Windows Vista Welcome screen.

When users connect to the Self-Service site from the Windows logon screen, anonymous access is enabled and the functionality of Microsoft Internet Explorer is restricted, thereby preventing the actions that may pose a security threat. Once users open the Self-Service site home page from the Windows logon screen, they cannot access any other Web site, or open a new browser window or a context menu.

Deploying and Configuring Secure Password Extension

This section describes the prerequisites and steps for deploying and configuring ScriptLogic Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. The Secure Password Extension also provides dialog boxes, displayed on end-user computers, that notify users who must create or update their Questions and Answers profiles with Password Self-Service.

The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension for installing on the destination computers. The Secure Password Extension is then installed on computers on which the GPO applies.

Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:

• ScriptLogic Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-Windows Vista, Windows Vista, and Windows 7 operating systems.
• ScriptLogic Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.


You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy. The prm_gina.adm administrative template file is located in the \Password Self-Service\Setup\Administrative Template\ folder of the installation CD. Before using the file, copy it from the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller.

Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.

To deploy and configure the Secure Password Extension

1. Copy the required installation package (Secure Password Extension x86.msi or Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The MSI packages are located in the \Password Self-Service\Setup\ folder of the installation CD.

2. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension.

3. Open the GPO in the Group Policy Object Editor, and then do the following:

a. Expand Computer Configuration/Software Settings, right-click Software installation, and then select New | Package.

b. Browse for the MSI package you have copied in step 2, and then click Open.

c. In the Deploy Software window, select a deployment method and click OK.

d. Verify and configure the properties of the installation, if needed.

4. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy.

Self-Service Site Location and Service Connection Points

To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password links on the Windows logon screen, you do not need to configure the URL path that points to a specific server where the Self-Service site is deployed, because Secure Password Extension automatically locates the nearest Self-Service site.

Secure Password Extension locates the Self-Service site using the service connection point mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Self-Service instances in Active Directory.


When an instance of Password Self-Service is installed, Password Self-Service publishes its service connection points in Active Directory. Password Self-Service regularly updates its service connection points using the ScriptLogic Password Self-Service Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Self-Service instance.

Password Self-Service Realm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Self-Service instances when locating the Self-Service site. You can force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service realm.

A Password Self-Service realm is one or more Password Self-Service instances sharing a common configuration and the same encryption key. Normally, you add a member to a Password Self-Service realm by installing a new Password Self-Service instance using the A replica of an existing instance option. To force Secure Password Extension to use only Password Self-Service instances from a specific realm, you must set the Secure Password Extension affinity for that realm.

To set Secure Password Extension affinity for a Password Self-Service realm:

1. Open the Administration site of the Password Self-Service instance that belongs to the target realm.

2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain to which the computer running the Secure Password Extension instance you want to bind belongs.

3. On the General tab, select the contents of the Password Self-Service Realm Affinity ID box, right-click the selection and select Copy.

4. Open Administrative Tools (located at Start Menu | Settings | Control Panel).

5. Open Active Directory Users and Computers.

6. Right-click the managed domain name on the left pane and select Properties.

7. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.

8. Expand Default Domain Policy | Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add/Remove Templates.

9. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

10. Click Close to close the Add/Remove Templates dialog box.

11. Select the Administrative Templates node, and then double-click the

12. Click Generic Settings in the left pane.

13. In the right pane, double-click Password Self-Service Realm Affinity.

14. Select the Enabled option on the Settings tab, and then right-click the Realm Affinity ID text box and select Paste.

15. Click OK.

16. Apply the updated policy to the computers in the managed domain.

Note: Application of the updated policy to the computers in the managed domain may take some time to complete.

Overriding Automatic Self-Service Site Location

In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Self-Service connection points published in Active Directory. If you need to override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must explicitly specify the URL path of that site and enable the override by following the steps below.

To override automatic Self-Service site location:

1. Open Administrative Tools (located at Start Menu | Settings | Control Panel).

2. Open Active Directory Users and Computers.

3. Right-click the managed domain name on the left pane and select Properties.

4. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.

5. Expand Default Domain Policy | Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add/Remove Templates.

6. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

7. Click Close to close the Add/Remove Templates dialog box.

8. Select the Administrative Templates node, then double-click the ScriptLogic Password Self-Service template on the right pane.

9. Double-click Generic Settings.

10. Double-click Specify URL to the Self-Service site.

11. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/User/, where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY_NAME is a virtual directory name that was configured during ScriptLogic Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute https:// with http:// if you don’t use HTTPS.


Note: It is strongly recommended that you enable HTTPS on the Password Self-Service server.

12. Click OK.

13. Double-click Override URL path to Self-Service site.

14. Select the Enabled option on the Settings tab.

15. Click OK.

16. Apply the updated policy to the computers in the managed domain.

Note: Application of the updated policy to the computers in the managed domain may take some time to complete.

Customizing the Logo for Secure Password Extension

For pre-Windows Vista operating systems, you can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. The image must be a 417-by-58-pixel .bmp file.

To deploy a custom logo for Secure Password Extension on end-user computers

1. Create a startup script to deploy your logo image. See a sample script below this procedure.

2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.

3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.

4. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Password Self-Service.

5. Under ScriptLogic Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers.

The local path you specify in these policy settings must be the same as in the startup script specified later in this section.

6. Expand Computer configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.

7. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.


The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder:

@echo off
rem "SPE startup script"
rem *Check target directory existence* (the same folder name is used below for md and copy)
if exist "c:\Program Files\ScriptLogic Corporation\ScriptLogic Secure Password Extension" goto :COPY_FILE
md "c:\Program Files\ScriptLogic Corporation\ScriptLogic Secure Password Extension"
:COPY_FILE
rem *Copy BMP image - %1 is the image file name passed as the script parameter*
copy "[SharedDir]\%1" "c:\Program Files\ScriptLogic Corporation\ScriptLogic Secure Password Extension\*.*"
rem pause
:out
exit

Note: [SharedDir] is a shared domain directory that must be available during boot.

The script lines containing target path should be typed as a single line. The lines are wrapped in this article only for readability purposes.

You can modify the sample target path in the script as you need.

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of Secure Password Extension window on end-user computers

1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.

2. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Password Self-Service.

3. Under ScriptLogic Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.


Managing Secure Password Extension Using Administrative Templates

The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.

The Administrative Template layout includes the following folders:

• Generic Settings - includes policy settings that can be applied to computers running pre-Vista, Windows Vista, and Windows 7 Microsoft operating systems.
• Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Vista operating systems.

Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension.

Policy Name Description

Generic Settings

Specify URL path to the Self-Service site

This policy lets you specify the link for access to the Self-Service site from the Windows logon screen. This link is opened when users click the Forgot My Password or Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Forgot My Password command link in Windows Vista and Windows 7 operating systems.

Use the following URL path format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY/User/, where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY is a virtual directory name that was configured during ScriptLogic Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute https:// with http:// if you don’t use HTTPS.

Override URL path to Self-Service site

By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the Specify URL path to the Self-service site setting.

Password Self-Service Realm Affinity

This policy setting lets you force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service realm.

Maximum number of attempts to connect to the Self-Service site

This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension.

If this setting is disabled or not configured, the default number of attempts is 5.

Force HTTPS

This policy setting lets you enforce HTTPS for connections with the Self-Service site established using the Secure Password Extension.


Proxy Settings

Enable proxy server access

This policy setting determines whether connections to the Self-Service site from the Windows logon screen are established through the specified proxy server.

Configure required proxy settings

Specifies the settings required to enable proxy server access to the Self-Service site from the Windows logon screen.

Configure optional proxy settings

Specifies optional settings for the proxy server access.

Shortcut Policies

Restore desktop shortcuts for the Self-Service site

This policy setting lets you define whether the desktop shortcut to the Self-Service site on a user's computer should be re-created by the Secure Password Extension if the user deletes the desktop shortcut.

Do not create desktop shortcuts for the Self-Service site

This policy setting lets you define whether the desktop shortcuts to the Self-Service site on users' computers should not be created by the Secure Password Extension.

Do not create any shortcuts for the Self-Service site

This policy setting lets you define whether any shortcuts to the Self-Service site on users' computers (on the desktop and in the Start menu) should not be created by the Secure Password Extension.

Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title

This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Set custom name for the Secure Password Extension window title in <Language>

This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box.

Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited by 14 characters because of the hieroglyph’s width. The URL length must not exceed 256 characters.

Usage Policy Settings

Display the usage policy button (command link)

Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs.

The usage policy button on pre-Windows Vista operating systems, and the usage policy command link on Windows Vista and Windows 7 operating systems, are displayed on the Windows logon screen, and are intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end-users.

Set default URL

This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file.


Set name and URL for the usage policy button (command link) in <Language>

This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available.

Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited by 14 characters because of the hieroglyph’s width. The URL length must not exceed 256 characters.

Forgot My Password Settings

Display custom names for the Forgot My Password button (command link)

This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button and command link with the names that you specify for the required logon languages.

The Forgot My Password button (command link) is intended to open the Self-Service site from the Windows logon screen. On pre-Windows Vista operating systems, the Forgot My Password button is displayed if you are already logged on to the system. On Windows Vista and Windows 7 operating systems, the command link is displayed on the Windows logon screen, irrespective of whether the user is logged on to the system or not.

Set custom name for the Forgot My Password button (command link) in <Language>

This group of policy settings allows you to specify names of the Forgot My Password button (command link) individually for each of the required logon languages. Thirty-six language-specific policy settings are available.

Notifications Customization

Notification recurrence interval

If the registration notification is turned on, users will be notified of the necessity to register with Password Self-Service through a dialog box displayed on the desktop screen. This setting lets you specify how often you want registration notifications to be displayed on the desktop of user computers where the Secure Password Extension is running.

Set background image for registration notification dialog box

This policy setting allows you to change the default background by specifying an image that will be used as a new background.

Enable customization of registration notifications

This policy setting allows you to define whether you want to replace the default text on language-specific registration notification dialog boxes with your custom text.

Registration Notifications

Customize registration notification in <Language>

This group of policy settings allows you to customize texts in notification dialog boxes individually for each of the required logon languages. 36 language-specific policy settings are available.

Q&A profile update notifications

Customize Q&A profile update notification in <Language>

This group of policy settings allows you to customize notifications that request users to update their Q&A profiles individually for each of the required logon languages. 36 language-specific policy settings are available.


Pre-Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

Policy Name Description

Registration and Q&A profile update enforcement

Enforce registration and Q&A profile update

This policy setting allows you to specify whether to require users to register with Password Self-Service or update their invalid Q&A profiles before they log on to their computers. If you enable this policy and select the "Prevent users from logging on after deadline" check box in the Setting tab of the Properties window, users will be denied logon to their computers after the deadline until they create or update their Q&A profiles as required.

Secure Password Extension Logo

Set dialog background image

This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen.

Secure Password Extension Window Settings

Set the Secure Password Extension Window Position

This policy setting lets you specify the position of the Secure Password Extension window on the Windows logon screen of user computers.

Manage My Password Settings

Display custom names for the Manage My Password button

This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button with the names that you specify for the required logon languages.

The Manage My Password button is intended to open the Self-Service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are logged on to the system.

Set custom name of the Manage My Password button in <Language>

This group of policy settings allows you to specify the name of the Manage My Password button individually for each of the required logon languages. Thirty-six language-specific policy settings are available.

Uninstalling Secure Password Extension

You uninstall the Secure Password Extension from end-user computers by removing the appropriate installation packages assigned through Group Policy. Uninstalling the Secure Password Extension makes the Self-Service site no longer available from the Windows logon screen.

To remove an assigned .MSI package

1. Start the Group Policy Management snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.

2. In the console tree, click the group policy object with which you deployed the package, and then click Edit.

3. Expand the Software Settings container that contains the Software

4. Click the Software installation container that contains the package.

5. In the right pane of the Group Policy window, right-click the package name, point to All Tasks, and then click Remove.

6. Click Immediately uninstall the software from users and computers, and then click OK.

7. Quit the Group Policy Object Editor snap-in, and then quit the Group Policy Management snap-in.

Troubleshooting Secure Password Extension

If the user logon interface DLL prm_gina.dll fails to load at system startup, users will encounter the following system message: "The logon user interface DLL 'prm_gina.dll' failed to load. Contact your system administrator to replace the DLL, or restore the original DLL." This problem may occur when the prm_gina.dll file on the local computer is corrupt or missing. To resolve this behavior, follow these steps:

1. Run Windows in safe mode.

2. In the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, replace the GinaDLL value data with the Original value data from the HKEY_LOCAL_MACHINE\SOFTWARE\ScriptLogic Corporation\PRM key, if the latter exists.

– OR –

If the HKEY_LOCAL_MACHINE\SOFTWARE\ScriptLogic Corporation\PRM key does not exist, then delete the GinaDLL value from the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

3. Restart the computer in normal mode.

4. Uninstall Secure Password Extension, and then install it by running the
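The registry repair in step 2 can be scripted so the current value is recorded before anything is changed. The following PowerShell script is an added example, not part of this guide or the product; it uses the key and value names given above and assumes the PRM key's Original value holds the pre-installation GinaDLL data, as the procedure describes. Run it from an elevated PowerShell prompt in safe mode; -WhatIf shows the change without applying it.

```powershell
# Added example (not from the Desktop Authority guide): performs step 2 of the
# prm_gina.dll recovery. Assumes the "Original" value under the PRM key holds
# the GinaDLL data saved at installation time, as the guide describes.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$prmKey   = 'HKLM:\SOFTWARE\ScriptLogic Corporation\PRM'

# Record the current state first so the change is auditable.
$current = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL
if ($null -eq $current) { $shown = '<not set>' } else { $shown = $current }
Write-Host "Current GinaDLL value: $shown"

if (Test-Path -Path $prmKey) {
    $original = (Get-ItemProperty -Path $prmKey -ErrorAction SilentlyContinue).Original
    if ([string]::IsNullOrEmpty($original)) {
        # The key exists but carries no saved value: do not guess, leave it for manual review.
        Write-Warning "PRM key found but it has no 'Original' value; no change made."
        return
    }
    if ($PSCmdlet.ShouldProcess($winlogon, "Set GinaDLL to '$original'")) {
        Set-ItemProperty -Path $winlogon -Name GinaDLL -Value $original -Type String
        Write-Host "GinaDLL restored to '$original' from the PRM key."
    }
}
else {
    # No saved value exists: removing GinaDLL makes Winlogon use its default logon UI.
    if ($PSCmdlet.ShouldProcess($winlogon, 'Remove GinaDLL value')) {
        Remove-ItemProperty -Path $winlogon -Name GinaDLL -ErrorAction SilentlyContinue
        Write-Host 'GinaDLL value removed; Windows will use its default logon UI.'
    }
}
```

After the script completes, continue with step 3 (restart in normal mode) and step 4.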


Managing Domains

This section describes how to configure Password Self-Service managed domains. A managed domain is a domain managed by Password Self-Service. To start using Password Self-Service, you must add one or more managed domains.

Configuring Permissions to Access a Managed Domain

When adding a managed domain, you must specify an account under which Password Self-Service will access the domain. Before adding a managed domain, ensure that this account has the following minimum set of permissions required to successfully perform password management tasks in the domain:

• Membership in the Domain Users group

• The Read permission for all attributes of user objects

• The Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl

• The right to reset user passwords

• The Write permission to create user accounts in the Users container

• The Read permission for attributes of the organizationalUnit objects and domain objects

• The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects

• The Read permission for attributes of the groupPolicyContainer objects

• The Write permission to create and delete the groupPolicyContainer objects in the System Policies container

• The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects

• The permission to create and delete the container and serviceConnectionPoint objects in Group Policy containers

• The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers

• The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers

• The permission to create container objects in the System container

• The permission to create the serviceConnectionPoint objects in the System container

• The permission to delete the serviceConnectionPoint objects in the System container

• The Write permission for the keywords attribute of the
