ScriptLogic Desktop Authority Password Self-Service version 4.6 Quick Start Guide
- Mervyn Henderson
© 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, ScriptLogic, ScriptLogic Software, the ScriptLogic Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

DISCLAIMER

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.

EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Updated 24 May 2010

DOCUMENTATION CONVENTIONS

In order to help you get the most out of this guide, we have used specific formatting conventions, which apply to procedures, icons, keystrokes and cross-references.

Element: Convention
- Bolded text: Interface elements that appear in ScriptLogic products, such as menus and commands.
- Italic text: Used for comments.
- +: A plus sign between two keystrokes means that you must press them at the same time.
- |: A pipe sign between elements means that you must select the elements in that particular sequence.

CONTACTING SCRIPTLOGIC

Contact ScriptLogic about any questions, problems or concerns.

ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida
Sales and General Inquiries
Technical Support
Fax

SCRIPTLOGIC ON THE WEB

ScriptLogic can be found on the web at Our web site offers customers a variety of information:
- Download product updates, patches and/or evaluation products.
- Locate product information and technical details.
- Find out about Product Pricing.
- Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.
- Search Frequently Asked Questions, for the answers to the most common non-technical issues.
- Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives.

Contents

PRODUCT OVERVIEW
LICENSING
  Installing the License
  Updating the License
PASSWORD SELF-SERVICE COMPONENTS
INSTALLING PASSWORD SELF-SERVICE
CONFIGURING THE PASSWORD SELF-SERVICE APPLICATION ACCOUNT
STEPS TO INSTALL PASSWORD SELF-SERVICE
INSTALLING MULTIPLE INSTANCES OF PASSWORD SELF-SERVICE
  Understanding Farms
SELECTING CRYPTOGRAPHIC AND HASHING ALGORITHMS
INSTALLING PASSWORD POLICY MANAGER
DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION
  Self-Service Site Location and Service Connection Points
  Password Manager Farm Affinity
  Overriding Automatic Self-Site Location
  Customizing the Logo for Secure Password Extension
  Customizing Position of the Secure Password Extension Window
  Managing Secure Password Extension Using Administrative Templates
  Generic Settings
  Pre-Windows Vista Settings
  Windows Vista Settings
ENABLING HTTPS
UPGRADING PASSWORD SELF-SERVICE
UPGRADE RECOMMENDATIONS
UPGRADE REQUIREMENTS
UPGRADE FROM PASSWORD SELF-SERVICE VERSION 3.X
  Single Server Upgrade
  Multiple Server Upgrade
  Upgrading Password Policy Manager
UPGRADING SECURE PASSWORD EXTENSION
UPGRADE FROM PASSWORD SELF-SERVICE VERSION 4.X
  Single Server Upgrade
  Multiple Server Upgrade
UPGRADING PASSWORD POLICY MANAGER
UPGRADING GINA EXTENSION TO SECURE PASSWORD EXTENSION
MANAGING DOMAINS
CONFIGURING PERMISSIONS TO ACCESS A DOMAIN
ADDING A MANAGED DOMAIN
CONFIGURING PASSWORD POLICIES
  About Password Policies
  Installing Password Policy Manager
  Creating and Configuring a Password Policy
  Configuring Password Policy Rules
  Password Age Rule
  Complexity Rule
  Required Characters Rule
  Disallowed Characters Rule
  Sequence Rule
  User Properties Rule
  Dictionary Rule
  Symmetry Rule
  Managing Password Policy Links
  Deleting a Password Policy
MANAGING QUESTIONS AND ANSWERS PROFILES
  Creating and Configuring Question Lists
  Configuring Questions and Answers Policy
  Performing Bulk Profile Updates
  Changing the Attribute Used for Storing Questions and Answers Profiles
  Bulk Creation of Questions and Answers Profiles
CONFIGURING REGISTRATION NOTIFICATION AND ENFORCEMENT
DELEGATING HELP DESK AND ADMINISTRATIVE TASKS
  Delegating Help Desk Tasks
  Delegating Administrative Tasks
CONFIGURING ACCESS TO SELF-SERVICE SITE
GLOSSARY

Product Overview

ScriptLogic Desktop Authority Password Self-Service provides users and help desk support personnel with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators, and reducing help desk workload. This solution offers a powerful and flexible password policy control mechanism that allows the administrator to ensure that all passwords in the organization comply with the established policies.

ScriptLogic Desktop Authority Password Self-Service works with Windows 2000, 2003, and Windows 2008 domains, including domains operating in mixed mode.

LICENSING

The Password Self-Service license specifies the maximum number of enabled user accounts in all managed domains. When launching the Administration site, Password Self-Service counts the actual number of enabled user accounts, and compares it with the maximum number specified by the license. If the actual number exceeds the maximum licensed number, a license violation occurs. A warning message is displayed on every connection to the Administration site of Password Self-Service.

In the event of a license violation, you have the following options:
- Exclude a number of user accounts from the user accounts managed by Password Self-Service to bring your license count in line with the licensed value, and reconnect to the Administration site to recalculate the license number.
- Remove one or more managed domains to decrease the number of managed user accounts.
- Purchase a new license with a greater number of user accounts, and then update your license using the instructions provided later in this section.

Note: The following items are not limited by the license:
- The number of computers connected to the Administration, Self-Service, and Help Desk sites of Password Self-Service.
- The number of Password Self-Service instances. In a large enterprise, Password Self-Service can be installed on multiple computers for enhanced performance and fault tolerance.

Installing the License

The license is initially installed when you install the Password Self-Service:
1. In the Installation Wizard, click Licenses to display the License status dialog box.
2. Click Browse License, locate and open your license key file using the Select License File dialog box, and then click Close.

Updating the License

If you have purchased a new license, you need to update the license by installing the new license key file. You can use the About section of the Administration site to install the file.

To update the license
1. On the menu bar, select About, and then select Update License.
2. On the Update License page, click Browse, and then use the Choose file dialog box to locate and open your license key file.

PASSWORD SELF-SERVICE COMPONENTS

Password Self-Service includes the following components:

Component: Password Self-Service x86
Description: The suite of role-based sites that expose the functionality of Password Manager to end users. Must be installed on a 32-bit machine.
Importance: Required

Component: Password Self-Service x64
Description: The suite of role-based sites that expose the functionality of Password Manager to end users. Must be installed on a 64-bit machine.
Importance: Required

Component: Password Policy Manager x86
Description: Password Policy Manager is designed to enforce domain password policies set with Password Self-Service. If you choose to install this component, you must install it on all domain controllers running a 32-bit Microsoft Windows Server operating system.
Importance: Optional

Component: Password Policy Manager x64
Description: Password Policy Manager is designed to enforce domain password policies set with Password Self-Service. If you choose to install this component, you must install it on all domain controllers running a 64-bit Microsoft Windows Server operating system.
Importance: Optional

Component: Secure Password Extension x86
Description: Secure Password Extension x86 facilitates access to the Self-service site from the Windows logon screen. Secure Password Extension x86 is intended to be deployed on computers running 32-bit versions of Microsoft Windows operating systems.
Importance: Optional

Component: Secure Password Extension x64
Description: The Secure Password Extension facilitates access to the Self-service site from the Windows logon screen. Secure Password Extension x64 is intended to be deployed on computers running 64-bit versions of Microsoft Windows Vista.
Importance: Optional

Installing Password Self-Service

This section describes how to install ScriptLogic Desktop Authority Password Self-Service. You will learn how to configure an account to use as the Password Self-Service application account. A separate section will guide you through the steps required to install Password Self-Service.

CONFIGURING THE PASSWORD SELF-SERVICE APPLICATION ACCOUNT

When installing Password Self-Service, you are prompted for the name and password of the Password Self-Service application account. For Password Self-Service to run successfully, the Password Self-Service application account must meet the following requirements:
- You need to add the Password Self-Service application account to the Administrators group on the Web server where Password Self-Service is installed.
- The Password Self-Service application account must be a member of the IIS_WPG local group on the Web server.

Before you install Password Self-Service, make sure that the Password Self-Service application account has the rights listed above.

STEPS TO INSTALL PASSWORD SELF-SERVICE

When installing a new Password Self-Service instance, you can either upgrade the existing instance in place, install a new instance, or add a new instance to a Password Self-Service farm.
- An in-place upgrade allows you to upgrade an existing instance of Password Self-Service, provided it supports in-place upgrade.
- A new instance of Password Self-Service is normally installed to enable the Password Self-Service functionality in a new environment or to create a new Password Self-Service farm managing the same environment.
- A Password Self-Service farm is a group of Password Self-Service instances sharing common configuration and collectively serving client requests to ensure high availability and load balancing. To add a new member to a Password Self-Service farm, you use the "A replica of an existing instance" option.

Normally, you install Password Self-Service using the Password Self-Service installation wizard. Before starting the wizard, ensure that the account you use to install Password Self-Service is a member of the following groups and roles:
- The local Administrators group on the computer where you plan to install Password Self-Service.
- The database creators (db_creator) fixed role on the SQL Server used to store the Password Self-Service configuration database.

To install Password Self-Service
1. Remove any previous versions of Password Self-Service by using Add or Remove Programs in Control Panel.
2. Run the autorun.exe file located in the root folder of the installation CD.
3. Install the redistributable packages required by Password Self-Service. The installation CD includes all the required redistributable packages; they are listed below.

   Application: .NET Framework 3.5
   How to Install:
   1. Select Redistributables from the menu bar.
   2. Click .NET Framework.
   When the installation completes, restart the computer.

4. On the Password Self-Service tab, click Password Self-Service (x86) (for 32-bit system) or Password Self-Service (x64) (for 64-bit system) to start the ScriptLogic Desktop Authority Password Self-Service installation wizard.
5. Click Next.
6. Specify the following options, and then click Next:

   Option: Action
   - Full name: Type your name.
   - Organization: Type the name of your organization.
   - Licenses: Click this button, and then specify the path to the license file. Note: A license file is the file with the .asc extension that you have obtained from your ScriptLogic representative.

   You can define whether to install the application only for the current user or for all users on the computer.

7. Read the license agreement, select I accept the license agreement, and then click Next.
8. On the Select Features page, select the features that you want to install and the installation path, and then click Next.
9. Select the type of instance you want to install and click Next. You can choose from the following options:

   Option: Description
   - A unique instance: This option automatically creates a new instance of Password Self-Service. Installer will generate encryption keys to encrypt the configuration data. If you select this option, you will be prompted to specify the file name and location to store the encryption keys.
   - A replica of an existing instance: This option creates a new instance of Password Self-Service that uses the configuration of an existing instance. The Password Self-Service instances sharing the same configuration are collectively referred to as Password Self-Service farm. If you select this option, you will be prompted to specify the path to the encryption keys generated when installing the existing instance of Password Self-Service.
   - Upgrade the existing instance: This option is available only if you are upgrading from a previous version of Password Self-Service.

10. On the Password Self-Service Account Information page, specify the name and password for the Password Self-Service application account, and then click Next. Use the following user name format: DOMAIN\Username.
11. On the Specify Web Site Root Directory page, enter the Web site name and the virtual directory name, and then click Next.
12. Click Install.
13. When installation is complete, click Finish, and then restart the computer when prompted.

Important: During installation, Setup creates the 'Desktop Authority Password Self-Service' and 'Desktop Authority Password Self-Service Publisher' scheduled tasks on the local computer. Do not delete these scheduled tasks, otherwise Password Self-Service may not operate properly.

INSTALLING MULTIPLE INSTANCES OF PASSWORD SELF-SERVICE

Normally, you install multiple instances of Password Self-Service to provide for:
- Enhanced availability and fault tolerance, by installing additional replicas of the Password Self-Service instance which is already available in a domain. You do this by using the "A replica of an existing instance" option in Password Self-Service Install Wizard. Several Password Self-Service instances sharing common configuration are referred to as a farm. For more information on farms, see the next section.
- Maintaining more than one Password Manager configuration in a single domain. This may be required when a domain in an organization spans several locations that require different Password Self-Service configurations, for instance different Q&A policies. You do this by using the "A unique instance" option in Password Manager Install Wizard.

Understanding Farms

For ease of management, you can group several Password Self-Service instances into a farm. A farm is a group of Password Self-Service instances using common configuration settings, including but not limited to Questions and Answers profiles, Self-Service and Help-Desk sites settings.

The members of a Password Self-Service farm do not necessarily manage the same set of domains, i.e., individual farm members may manage different domains. However, if several members of a Password Self-Service farm manage the same server, they use the same settings, and any updates to the settings made on one member are effectively propagated to other members of the farm managing that domain. Also, several members of a Password Self-Service farm managing the same domain can be used interchangeably for serving user requests.

By using Group Policy, you can bind users from a domain managed by several Password Self-Service farms to specific farms. You can use this feature to implement different Password Self-Service policies in a single domain.
For instance, if a domain in your organization spans two offices located in New York (USA) and Paris (France) and you want Password Self-Service to use different Q&A policies in the offices, you can implement two Password Self-Service farms, bind users of the NY office to one of the farms, and bind the users from the French office to the other farm.

You bind users to specific farms by using the Password Self-Service affinity feature. For more information about Password Self-Service affinity, see Password Manager Farm Affinity.

SELECTING CRYPTOGRAPHIC AND HASHING ALGORITHMS

By default, Password Self-Service uses the 192-bit TripleDES algorithm to encrypt configuration data such as Questions and Answers profiles, and the MD5 algorithm for hashing users' authentication answers.

Alternatively, you can select the combination of the AES-256 data encryption algorithm and the SHA-256 hashing algorithm, both being NSA-approved cryptographic algorithms intended to protect both classified and unclassified national security systems and information.

To enable Password Self-Service to use the AES-256 and the SHA-256 algorithms, you can use one of the following methods:
- If Password Self-Service is being installed for the first time on a server, install the solution from the command line using Msiexec.exe and specifying AES_SHA_256="yes" as a command-line parameter.
- If you have already installed Password Self-Service on a server, manually modify the local.spr file to specify the encryption algorithms.

To install Password Self-Service from the command line using Msiexec.exe
1. Launch the Setup program from the command line, adding AES_SHA_256="yes" as a command-line parameter. For example:

    msiexec /i "C:\ScriptLogic Desktop Authority Password Self-Service.msi" AES_SHA_256="yes" /l*v "%TEMP%\PRMSetup.log"

2. Follow the instructions in the Installation Wizard.

To manually modify the local.spr file
1. Open the local.spr file with Notepad (or any text editor) at the following location: '<install location>\prmdll\'. If the file does not exist, create it with Notepad.
2. Under '[Options]', type the following strings on separate lines:

    csp=aes
    klen=256
    calg=aes256
    halg=sha256

   The strings are case sensitive.
3. Save the file. The existing Password Self-Service configuration data is then re-encrypted with the specified algorithms.

Note: Once you have enabled Password Self-Service to use the stronger encryption algorithms (the combination of AES-256 and SHA-256), you cannot change back to the default algorithms (the combination of 192-bit TripleDES and MD5).

To have Password Self-Service use the default encryption and hashing algorithms (the combination of 192-bit TripleDES and MD5), install the solution by following the procedure outlined in Installing Password Self-Service.
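
An added example, not part of the original guide or ScriptLogic's tooling: a PowerShell check that classifies a local.spr body against the four case-sensitive strings listed above, so that servers still on the 192-bit TripleDES and MD5 defaults, or with a mistyped entry, can be identified. It assumes local.spr is a plain INI-style text file; the function names and sample file bodies are constructed for illustration.

```powershell
# Added example (not vendor code). Assumption: local.spr is a plain-text,
# INI-style file, as the manual-edit procedure in the guide implies.

# The exact, case-sensitive strings the guide says to place under [Options].
$RequiredSettings = 'csp=aes', 'klen=256', 'calg=aes256', 'halg=sha256'

function Get-SprEntries {
    # Emit one object per non-blank, non-header line, tagged with its section.
    param([string[]]$Lines)
    $section = ''
    foreach ($raw in $Lines) {
        if ($null -eq $raw) { continue }
        $text = $raw.Trim()
        if ($text -eq '') { continue }
        if ($text -match '^\[.*\]$') { $section = $text; continue }
        New-Object PSObject -Property @{ Section = $section; Text = $text }
    }
}

function Test-SprCrypto {
    # Classify a local.spr body against the AES-256 / SHA-256 settings.
    param([string[]]$Lines)
    $entries = @(Get-SprEntries -Lines $Lines)

    # Exact hits: the literal string under the literal [Options] header.
    $exact = @($entries | Where-Object {
        ($_.Section -ceq '[Options]') -and ($RequiredSettings -ccontains $_.Text)
    } | ForEach-Object { $_.Text })

    $missing = @($RequiredSettings | Where-Object { $exact -cnotcontains $_ })

    # Near misses: the same setting once lowercased and stripped of spaces,
    # but not an exact hit (wrong case, 'csp = aes', or wrong section).
    $nearMiss = @($entries | Where-Object {
        $normalized = ($_.Text -replace '\s', '').ToLowerInvariant()
        ($RequiredSettings -contains $normalized) -and
        -not (($_.Section -ceq '[Options]') -and ($RequiredSettings -ccontains $_.Text))
    })

    if ($missing.Count -eq 0) {
        $status = 'AES256-SHA256'
    } elseif (($exact.Count -eq 0) -and ($nearMiss.Count -eq 0)) {
        # Nothing set: the guide's defaults (192-bit TripleDES, MD5) apply.
        $status = 'Default-TripleDES-MD5'
    } else {
        # Some strings present but not all four exactly as the guide lists them.
        $status = 'Incomplete'
    }

    New-Object PSObject -Property @{
        Status   = $status
        Missing  = $missing
        NearMiss = @($nearMiss | ForEach-Object { "$($_.Section) $($_.Text)" })
    }
}

# Constructed sample file bodies (not taken from a real installation).
$samples = @{
    'hardened'   = "[Options]`ncsp=aes`nklen=256`ncalg=aes256`nhalg=sha256"
    'wrong-case' = "[Options]`nCSP=AES`nklen=256`ncalg=aes256`nhalg=SHA256"
    'empty'      = ""
}

foreach ($name in ($samples.Keys | Sort-Object)) {
    $result = Test-SprCrypto -Lines ($samples[$name] -split "`n")
    '{0,-11} {1,-22} missing: {2}' -f $name, $result.Status, ($result.Missing -join ', ')
}
```

To check a real server, pass the file's lines to the function, for example Test-SprCrypto -Lines (Get-Content '<install location>\prmdll\local.spr'), substituting the actual install location.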

INSTALLING PASSWORD POLICY MANAGER

Password Policy Manager is an independently deployed component of Password Self-Service intended to enforce the Password Self-Service policies. Password Policy Manager must be installed on all domain controllers in a managed domain.

This section describes how to deploy Password Policy Manager in a managed domain.

Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Password Policy Manager to the destination computers. Password Policy Manager is then installed on computers on which the GPO applies.

Depending on the operating system running on the destination computers, you apply either of the following installation packages included on the installation CD:
- Desktop Authority Password Policy Manager x86.msi - Installs the Password Policy Manager on domain controllers running an x86 Microsoft Windows Server operating system.
- Desktop Authority Password Policy Manager x64.msi - Installs the Password Policy Manager on domain controllers running an x64 Microsoft Windows Server operating system.

The installation packages are located in the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\PPM folder on the installation CD.

Note: Depending on whether a domain controller is running an x86 or x64 version of Microsoft Windows Server operating system, the appropriate version of the Password Policy Manager must be installed.

To install Password Policy Manager on a single domain controller
1. Run the appropriate Password Policy Manager .MSI package located in the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\PPM folder on the installation CD.
2. Restart the computer once the installation completes.

To deploy Password Policy Manager on multiple domain controllers
1. Copy the appropriate Password Policy Manager .MSI package from the installation CD to a network share accessible from all domain controllers in a managed domain.
2. Create a GPO and apply it to all domain controllers in a managed domain. You may also choose an existing GPO to deploy the Password Policy Manager.
3. Open the Computer Configuration folder under the selected GPO, and then open the Software Settings folder.
4. Right-click Software installation, and then select New Package.
5. Select the .msi package you have copied in step 1.
6. Click Open.
7. Select the deployment method and click OK.
8. Verify and configure the installation properties if needed.

DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION

This section describes the prerequisites and steps for deploying and configuring ScriptLogic Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers.

The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension to the destination computers. The Secure Password Extension is then installed on computers on which the GPO applies.

Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:
- Desktop Authority Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-Windows Vista, Windows Vista, and Windows 7 operating systems.
- Desktop Authority Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.

You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy.

Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.

To deploy and configure the Secure Password Extension
1. Copy the prm_gina.adm administrative template file from the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\SPE\Administrative Template\ folder of the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller.
2. Copy the required installation package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The .MSI packages are located in the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\SPE\ folder of the installation CD.
3. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension.
4. Open the GPO in the Group Policy Object Editor, and then do the following:
   - Under the Computer Configuration node, right-click Administrative Templates, and then click Add/Remove Templates.
   - Click Add, and then browse for the prm_gina.adm file that you have copied in step 1.
   - Expand Computer Configuration/Administrative Templates and then click the ScriptLogic Desktop Authority Password Self-Service node.
   - Configure the prm_gina.adm Administrative Template settings, as required. For the complete reference to the policy settings included in this administrative template, including their brief descriptions, see Managing Secure Password Extension Using Administrative Templates.
   - Expand Computer Configuration/Software Settings, right-click Software installation, and then select New Package.
   - Browse for the .msi package you have copied in step 2, and then click Open.
   - In the Deploy Software window, select a deployment method and click OK.
   - Verify and configure the properties of the installation, if needed.
5. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy.

Self-Service Site Location and Service Connection Points

To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password buttons on the Windows logon screen, you no longer need to configure the URL path that points to a specific server where the Self-Service site is deployed, because Password Self-Service automatically locates the nearest Self-Service site.

Secure Password Extension locates the Self-Service site using the service connection points mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Self-Service instances in Active Directory.

When an instance of Password Self-Service is installed, Password Self-Service publishes its service connection points in Active Directory.
Password Self-Service regularly updates its service connection points using the ScriptLogic Password Self-Service Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Self-Service instance.

Password Manager Farm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Self-Service instances when locating a Self-Service site. You can force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service farm. A Password Self-Service farm is one or more Password Self-Service instances sharing common configuration and the same encryption key. Normally, you add a member to a Password Self-Service farm by installing a new Password Self-Service instance using the "A replica of an existing instance" option.

To force Secure Password Extension to use only Password Self-Service from a specific farm, you must set the Secure Password Extension affinity for that farm.

To set Secure Password Extension affinity for a Password Self-Service farm:
1. Open the Administration site of the Password Self-Service instance that belongs to the target farm.
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain to which the computer running the Secure Password Extension instance you want to bind belongs.
3. On the General tab, select the contents of the Password Self-Service Farm Affinity ID box, right-click the selection and select Copy.
4. Open Administrative Tools (located at Start Menu | Settings | Control Panel).
5. Open Active Directory Users and Computers.
6. Right-click the managed domain name on the left pane and select Properties.
7. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.
8. Expand Default Domain Policy | Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add/Remove Templates.
9. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
10. Click Close to close the Add/Remove Templates dialog box.
11. Select the Administrative Templates node, and then double-click the ScriptLogic Password Self-Service template on the right pane.
12. Click Generic Settings in the left pane.
13. In the right pane, double-click Password Self-Service Farm Affinity.
14. Select the Enabled option on the Settings tab, and then right-click the Farm Affinity ID text box and select Paste.
15. Click OK.
16. Apply the updated policy to the computers in the managed domain.

Note: Application of the updated policy to the computers in the managed domain may take some time to complete.
Overriding Automatic Self-Site Location

In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Self-Service connection points published in Active Directory. If you need to override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must explicitly specify the URL path and override the default behavior of Secure Password Extension by following the steps below.

To override automatic Self-Service site location:

1. Open Administrative Tools (located at Start Menu > Settings > Control Panel).
2. Open Active Directory Users and Computers.
3. Right-click the managed domain name on the left pane and select Properties.
4. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.
5. Expand Default Domain Policy > Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add / Remove Templates.
6. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
7. Click Close to close the Add / Remove Templates dialog box.
8. Select the Administrative Templates node, then double-click the Desktop Authority Password Self-Service template on the right pane.
9. Double-click Generic Settings.
10. Double-click Specify URL to the Self-service site.
11. Click the Enabled radio button on the Settings tab and then enter the URL path to the Self-service site into the entry field using the following format: where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY_NAME is a virtual directory name that was configured during Desktop Authority Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don't use HTTPS.
    Note: It is strongly recommended that you enable HTTPS on the Password Self-Service server.
12. Click OK.
13. Double-click Override URL path to Self-Service site.
14. Select the Enabled option on the Settings tab.
15. Click OK.
16. Apply the updated policy to the computers in the managed domain.

Note: The application of the updated policy to the computers in the managed domain may take some time to complete.
Customizing the Logo for Secure Password Extension

You can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. Depending on the operating system running on the target computers, the image must meet the following requirements:

- For pre-Windows Vista operating systems, the logo must be a 417-by-58-pixel .bmp file.
- For Windows Vista and Windows 7, you can use the following image types: .bmp, .gif, .jpg, or .png. The logo image may have any size suitable for your requirements. The recommended size is 128 by 128 pixels.

To deploy a custom logo for Secure Password Extension to end-user computers:

1. Create a startup script to deploy your logo image. See a sample script below this procedure.
2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.
3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
4. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Desktop Authority Password Self-Service.
5. Under ScriptLogic Desktop Authority Password Self-Service, do the following:
   - Expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers.
   - Expand Windows Vista Settings/Secure Password Extension Logo, and enable the Set tile image policy setting by specifying a local path to the logo image file on end-user computers.
   The local path you specify in these policy settings must be the same as in the startup script specified later in this section.
6. Expand Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.
7. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.
8. Click OK.

The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder:

    @echo off
    rem "SPE startup script"
    rem *Check target directory existence*
    if exist "c:\program Files\ScriptLogic\Desktop Authority Secure Password Extension" goto :COPY_FILE
    md "c:\program Files\ScriptLogic\Desktop Authority Secure Password Extension"
    rem *Copy BMP image - %1*
    :COPY_FILE
    copy %LOGONSERVER%\share\logos\%1 "c:\program Files\ScriptLogic\Desktop Authority Secure Password Extension\*.*"
    rem pause
    :out
    Exit

Note: The script lines containing the target path should be typed as a single line. The lines are wrapped in this article only for readability purposes. You can modify the sample target path in the script as you need.

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of the Secure Password Extension window on end-user computers:

1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
2. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Desktop Authority Password Self-Service.
3. Under ScriptLogic Desktop Authority Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.
4. Click OK.
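The pre-Windows Vista logo requirement in the logo procedure above (a 417-by-58-pixel .bmp file) can be checked before the file is copied into the Secure Password Extension folder. The following PowerShell script is an added example, not part of the guide or the product: the function names and the sample file are constructed here, and it assumes PowerShell is available on the computer where it runs.

```powershell
# Added example (not part of the guide). Validates a pre-Windows Vista logo
# against the 417-by-58-pixel .bmp requirement, then copies it into place.
# Target folder taken from the guide's sample startup script.
$TargetDir = 'C:\Program Files\ScriptLogic\Desktop Authority Secure Password Extension'

function Get-BmpSize {
    # Reads the BMP header and returns an object with Width and Height,
    # or $null if the file is not a BMP with 32-bit dimension fields.
    param([Parameter(Mandatory = $true)][string]$Path)

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $stream = [System.IO.File]::OpenRead($fullPath)
    try {
        $header = New-Object byte[] 26
        $read = $stream.Read($header, 0, $header.Length)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 26) { return $null }                                  # truncated file
    if ($header[0] -ne 0x42 -or $header[1] -ne 0x4D) { return $null }   # magic bytes "BM"
    # Info header size is at offset 14; the legacy 12-byte core header
    # stores 16-bit dimensions and is rejected here.
    if ([BitConverter]::ToUInt32($header, 14) -lt 40) { return $null }
    $width  = [BitConverter]::ToInt32($header, 18)
    $height = [Math]::Abs([BitConverter]::ToInt32($header, 22))         # negative height = top-down rows
    New-Object psobject -Property @{ Width = $width; Height = $height }
}

function Copy-SpeLogo {
    # Copies the logo only when it is a BMP of the expected size.
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [string]$Destination = $TargetDir,
        [int]$Width  = 417,
        [int]$Height = 58
    )
    $size = Get-BmpSize -Path $Source
    if ($null -eq $size -or $size.Width -ne $Width -or $size.Height -ne $Height) {
        Write-Warning "Rejected '$Source': not a ${Width}x${Height} BMP."
        return $false
    }
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
    return $true
}

# Constructed sample: a 26-byte header describing a 417x58 bitmap (no pixel data),
# copied to a temporary folder instead of the real target folder.
$sample = Join-Path $env:TEMP 'spe-logo-sample.bmp'
$bytes = New-Object byte[] 26
$bytes[0] = 0x42; $bytes[1] = 0x4D
[BitConverter]::GetBytes([uint32]40).CopyTo($bytes, 14)
[BitConverter]::GetBytes([int]417).CopyTo($bytes, 18)
[BitConverter]::GetBytes([int]58).CopyTo($bytes, 22)
[System.IO.File]::WriteAllBytes($sample, $bytes)

Copy-SpeLogo -Source $sample -Destination (Join-Path $env:TEMP 'spe-logo-test')
```

The size check applies only to the pre-Windows Vista image; for Windows Vista and Windows 7 the guide allows other image types and sizes.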
Managing Secure Password Extension Using Administrative Templates

The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of the Secure Password Extension according to your requirements. The Administrative Template layout includes the following folders:

- Generic Settings - includes policy settings that can be applied to computers running both pre-Windows Vista and Windows Vista Microsoft operating systems.
- Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Windows Vista operating systems.
- Windows Vista Settings - includes policy settings that can be applied to computers running only Windows Vista operating systems and later.

Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension.

Policy Name: Specify URL path to the Self-service site
Description: This policy lets you specify the link for the access to the Self-service site from the Windows logon screen. This link is opened when users click the Forgot My Password or the Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Manage My Password command link in Windows Vista. Use the following URL path format: User/, where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY is a virtual directory name that was configured during Desktop Authority Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don't use HTTPS.

Policy Name: Override URL path to Self-Service site
Description: By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the Specify URL path to the Self-service site setting.

Policy Name: Maximum number of attempts to connect to the Self-Service site
Description: This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5.

Policy Name: Force HTTPS
Description: This policy setting lets you enforce HTTPS for connections with the Self-service site established using the Secure Password Extension.

Policy Name: Password Self-Service Farm Affinity
Description: This policy setting lets you force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service farm.

Policy Name: Enable proxy server access
Description: This policy setting determines whether connections to the Self-service site from the Windows logon screen are established through the specified proxy server.

Policy Name: Configure required proxy settings
Description: Specifies the settings required to enable proxy server access to the Self-service site from the Windows logon screen.

Policy Name: Configure optional proxy settings
Description: Specifies optional settings for the proxy server access.

Policy Name: Restore desktop shortcuts for the Self-service site
Description: This policy setting lets you define whether the desktop shortcut to the Self-service site on a user's computer should be re-created by the Secure Password Extension if the user deletes the desktop shortcut.

Policy Name: Do not create desktop shortcuts for the Self-service site
Description: This policy setting lets you define whether the desktop shortcuts to the Self-service site on users' computers should not be created by the Secure Password Extension.

Policy Name: Do not create any shortcuts for the Self-service site
Description: This policy setting lets you define whether any shortcuts to the Self-service site on users' computers (on the desktop and in the Start menu) should not be created by the Secure Password Extension.

Policy Name: Display custom names for the Secure Password Extension window title
Description: This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Policy Name: Set custom name for the Secure Password Extension window title in <Language>
Description: This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyphs' width. The URL length must not exceed 256 characters.

Policy Name: Display the usage policy button (command link)
Description: Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy button on pre-Windows Vista operating systems, and the usage policy command link on Windows Vista operating systems, are displayed on the Windows logon screen, and are intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end users.

Policy Name: Set default URL
Description: This policy lets you specify a URL to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file.

Policy Name: Set name and URL for the usage policy button (command link) in <Language>
Description: This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and a URL for each of the required logon languages. 36 language-specific policy settings are available. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyphs' width. The URL length must not exceed 256 characters.

Policy Name: Display custom names for the Manage My Password button (command link)
Description: This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button and command link with the names that you specify for the required logon languages. The Manage My Password button (command link) is intended to open the Self-service site from the Windows logon screen. On pre-Windows Vista operating systems, the Manage My Password button is displayed if you are already logged on to the system. On Windows Vista operating systems, the Manage My Password command link is displayed under the ScriptLogic Secure Password Extension tile on the Windows logon screen, irrespective of whether you are logged on to the system or not.

Policy Name: Set custom name for the Manage My Password button (command link) in <Language>
Description: This group of policy settings allows you to specify names of the Manage My Password button and command link individually for each of the required logon languages. 36 language-specific policy settings are available.

Policy Name: Balloon notification period
Description: If the registration notification is turned on, users will be notified of the necessity to register with Password Self-Service through a balloon briefly displayed in the notification area of the Windows taskbar. This setting lets you specify how often you want registration notifications to be displayed on the desktop of user computers where the Secure Password Extension is running.

Policy Name: Enable customization of notification texts
Description: This policy setting allows you to define whether you want to replace the default text on language-specific registration notifications and message boxes with your custom text.

Policy Name: Specify notification texts in <Language>
Description: This group of policy settings allows you to specify notification texts individually for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box.
Pre-Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

Policy Name: Set dialog background image
Description: This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen.

Policy Name: Set the Secure Password Extension Window Position
Description: This policy setting lets you specify the position of the Secure Password window on the Windows logon screen of user computers.

Policy Name: Display custom names of the Forgot My Password button
Description: This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button with the names that you specify for the required logon languages. The Forgot My Password button is intended to open the Self-service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are not logged on to the system.

Policy Name: Set custom name of the Forgot My Password button in <Language>
Description: This group of policy settings allows you to specify the name of the Forgot My Password button individually for each of the required logon languages. 36 language-specific policy settings are available.

Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in the Windows Vista operating system.

Policy Name: Set tile image
Description: This policy setting lets you choose a picture that will be associated with the ScriptLogic Secure Password Extension tile on the Windows Vista logon screen.

Policy Name: Display custom names of the tile
Description: This policy specifies whether the custom names of the Secure Password Extension tile will be displayed on the Windows logon screen.

Policy Name: Set custom tile name in <Language>
Description: This group of policy settings allows you to modify the name of the Manage My Password credential tile on the Windows Vista logon screen individually for each of the required logon languages. 36 language-specific policy settings are available.
ENABLING HTTPS

We strongly recommend that you use HTTPS with ScriptLogic Desktop Authority Password Self-Service Manager. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web. To enable HTTPS for your Web server you may need to obtain a Server Certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at
Upgrading Password Self-Service

This section provides instructions on how to upgrade Password Self-Service and its components. The following topics are covered:

- Upgrade recommendations and requirements.
- Single server upgrade from Password Self-Service version 3.x.
- Multiple server upgrade from Password Self-Service version 3.x.
- Password Self-Service components (PPM version 3.x and GINA Extension version 3.x [later on renamed to SPE]) upgrade.
- Single server upgrade from Password Self-Service version 4.x.
- Multiple server upgrade from Password Self-Service version 4.x.
- Password Self-Service components (PPM version 4.x and GINA Extension version 4.x [later on renamed to SPE]) upgrade.

UPGRADE RECOMMENDATIONS

It is recommended that you perform a preliminary test upgrade in a test environment before upgrading Password Self-Service in the production environment of your enterprise. The recommended Password Self-Service upgrade sequence is the following:

1. Upgrade of Password Self-Service.
2. Upgrade of Password Policy Manager (PPM).
3. Upgrade of GINA Extension to Secure Password Extension (SPE).

The detailed steps that implement the above sequence are provided later in this document.
UPGRADE REQUIREMENTS

Before you start the upgrade process, follow this checklist to ensure you have made the necessary preparations and met the essential upgrade requirements.

Step:

- Ensure that you installed or upgraded the third-party redistributable packages required for the latest version of Password Self-Service.
- Ensure that you know Password Self-Service application account credentials (user name and password) for each domain managed by Password Self-Service.
- Ensure that Password Self-Service application account is a member of the Administrators group on the Web server where Password Self-Service is installed.
- Ensure that Password Self-Service application account is a member of the IIS_WPG local group on the Web server.
- Ensure that you know SQL database account credentials (user name and password).
- Ensure that the account that is used to upgrade Password Self-Service is a member of the local Administrators group on the server where you upgrade the product.
- Ensure that the account that is used to upgrade Password Self-Service is a member of the database creators (db_creator) fixed role on the SQL server hosting the Password Self-Service configuration database.

Comment:

- For more information on what permissions are required for an account under which Password Self-Service will access the domain, refer to the User Guide.
- That is needed only if Password Self-Service is configured to use a special SQL account (different from the Password Self-Service application account) to work with the SQL database.

Depending on the Password Self-Service version you are upgrading from, refer to one of the sections below: Upgrade from Password Self-Service version 3.x or Upgrade from Password Self-Service version 4.x.
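The local-group items in the checklist above can be verified on the Web server before the upgrade starts. The following PowerShell script is an added example, not part of the guide or the product: the account name EXAMPLE\pss_app and the function names are placeholders chosen here, only direct group membership is examined (nested groups are not expanded), and the SQL server role is not checked.

```powershell
# Added example (not part of the guide): checks the local-group items of the
# upgrade checklist on the Web server where the script is run.
param(
    # Placeholder (assumption): the Password Self-Service application account.
    [string]$AppAccount = 'EXAMPLE\pss_app',
    # The account that will run the upgrade; defaults to the current user.
    [string]$UpgradeAccount = "$env:USERDOMAIN\$env:USERNAME"
)

function Get-DirectLocalGroupMember {
    # Returns the direct members of a local group as DOMAIN\name strings.
    # Returns $null when the group cannot be read (for example, it does not exist).
    param([Parameter(Mandatory = $true)][string]$Group)

    try {
        $entry   = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        $members = @($entry.psbase.Invoke('Members'))
    } catch {
        return $null
    }
    $names = New-Object 'System.Collections.Generic.List[string]'
    foreach ($m in $members) {
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $names.Add(('{0}\{1}' -f $parts[-2], $parts[-1]))
    }
    return ,$names.ToArray()
}

function Test-UpgradePrerequisite {
    # Evaluates each checklist item and returns one result object per item.
    param(
        [Parameter(Mandatory = $true)][string]$AppAccount,
        [Parameter(Mandatory = $true)][string]$UpgradeAccount
    )
    $checks = @(
        @{ Group = 'Administrators'; Account = $AppAccount;     Item = 'Application account in Administrators' },
        @{ Group = 'IIS_WPG';        Account = $AppAccount;     Item = 'Application account in IIS_WPG' },
        @{ Group = 'Administrators'; Account = $UpgradeAccount; Item = 'Upgrade account in Administrators' }
    )
    foreach ($c in $checks) {
        $members = Get-DirectLocalGroupMember -Group $c.Group
        if ($null -eq $members) {
            $status = 'GROUP NOT FOUND'
        } elseif ($members -contains $c.Account) {
            $status = 'OK'
        } else {
            $status = 'NOT A DIRECT MEMBER'
        }
        New-Object psobject -Property @{
            Item    = $c.Item
            Account = $c.Account
            Status  = $status
        } | Select-Object Item, Account, Status
    }
}

Test-UpgradePrerequisite -AppAccount $AppAccount -UpgradeAccount $UpgradeAccount |
    Format-Table -AutoSize
```

A status of NOT A DIRECT MEMBER means the account was not listed by name in the group; membership granted through a nested group has to be confirmed separately.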
UPGRADE FROM PASSWORD SELF-SERVICE VERSION 3.X

Please note that the Password Self-Service features and settings listed below are not transferred from Password Self-Service version 3.x to version 4.x.

Feature: Password Self-Service license file
Issue: Password Self-Service version 3.x license file is not compatible with Password Self-Service version 4.x. You will not be able to upgrade Password Self-Service without a valid license file that matches your product version.

Feature: Password Self-Service log
Issue: Starting from Desktop Authority Password Self-Service version 4.0.1, the application Log feature has been replaced with the Reports feature. Please note that Password Self-Service version supports neither the Log feature nor the Reports feature.

Feature: Domain password policies
Issue: The domain password policies created in Password Self-Service version 3.x are no longer available in version 4.x. You cannot transfer the password policies from version 3.x to version 4.x because of the incompatible policy format.

Single Server Upgrade

Single server upgrade is applied in the following environments:

- One Password Self-Service instance manages one domain.
- One Password Self-Service instance manages several domains.

Proceed to the Multiple Server Upgrade section below if you have several instances of Password Self-Service to manage for the same managed domain(s).

To upgrade from Password Self-Service version 3.x on a single server:

1. Write down the details of domain password policies assigned in Password Self-Service version 3.x for all managed domains.
2. Uninstall Password Self-Service version 3.x.
3. Install or upgrade the required third-party redistributables.
4. Install the new version of Password Self-Service with the A unique instance option selected.
5. Export the encryption keys to a .bin file when prompted.
6. Manually re-assign password policies settings for all managed domains.
7. Make a backup copy of the encryption keys file.

Important: After you have upgraded from Password Self-Service version 3.x with the A unique instance option selected, the encrypted data will no longer be available for use with Password Self-Service version 3.x.
Multiple Server Upgrade

Multiple server upgrade should be used in environments where several instances of Password Self-Service manage the same managed domain(s). Multiple server upgrade is applied in the following environments:

- Several Password Self-Service instances simultaneously manage one domain.
- Several Password Self-Service instances simultaneously manage several domains.

All the Password Self-Service 3.x instances for the specific domain become unusable once you upgrade the first server in that domain to the latest version of Password Self-Service. Do not use the previous version instances during the upgrade.

Upgrading multiple version 3.x instances breaks down into two distinctly different steps and upgrade procedures:

1. Upgrading the first Password Self-Service instance.
2. Upgrading each of the rest of the Password Self-Service instances.

The following steps should be performed to upgrade the first Password Self-Service instance.

To upgrade from Password Self-Service version 3.x on the first server:

1. Write down the details of domain password policies assigned in Password Self-Service version 3.x for all managed domains.
2. Stop the PRMAppPool Application Pool in the IIS Manager on all Password Self-Service version 3.x servers. This step makes the Password Self-Service service temporarily unavailable for users.
3. Uninstall Password Self-Service version 3.x from the first server.
4. Install or upgrade the required third-party redistributable packages on that server.
5. Install the new version of Password Self-Service on that server with the A unique instance option selected.
6. Export the encryption keys to a .bin file when prompted.
7. Ensure that the PRMAppPool Application Pool is running in the IIS Manager on the server you have upgraded. If it is not running, start it manually. This step makes the Password Self-Service service available.
8. Manually re-assign password policies settings for all managed domains.
9. Make a backup copy of the encryption keys file.

Important: After you have upgraded from Password Self-Service version 3.x with the A unique instance option selected, the encrypted data will no longer be available for use with Password Self-Service version 3.x.
The following steps should be performed to upgrade each of the rest of the Password Self-Service instances. The steps should be performed only after you have upgraded the first Password Self-Service instance as described above.

To upgrade from Password Self-Service version 3.x on the other servers:

1. Uninstall Password Self-Service version 3.x from a server.
2. Install or upgrade the required third-party redistributable packages on that server.
3. Install the new version of Password Self-Service on that server with the A replica of an existing instance option selected. When prompted, specify the path to the encryption keys .bin file saved during the first server upgrade.
4. Once the server is upgraded, ensure that the PRMAppPool Application Pool is running in the IIS Manager on that server. If it is not running, start it manually.
5. Repeat steps 1 through 4 for each Password Self-Service version 3.x.

Important: Do not select the A unique instance option when upgrading the other instances of Password Self-Service; otherwise the encrypted data will be lost.

Upgrading Password Policy Manager

Password Policy Manager ensures that all the passwords in the organization comply with the password policies established by the Password Self-Service administrator. Skip this section if you do not use domain password policies assigned in Password Self-Service.

Domain password policies assigned in Password Self-Service version 3.x are valid until Password Policy Manager (PPM) version 3.x is removed from the last domain controller (DC). During the upgrade period the previous and the new versions of PPM can run simultaneously on different DCs within the same domain. Therefore it is very important to have the password policies settings synchronized for both the previous and the new versions of PPM. To achieve this, ensure you have re-assigned password policies for all managed domains after the first single-server upgrade from Password Self-Service version 3.x, as described in the previous section.

Both removal and installation of Password Policy Manager require a computer restart. Upgrade PPM on all domain controllers in sequential order. Perform the upgrade during off-peak hours to cause minimal impact to your organization's operations.

To upgrade from Password Policy Manager version 3.x:

1. Make sure you have upgraded Password Self-Service and re-assigned password policies settings for all managed domains as described in the previous section.
2. Remove the previous version of Password Policy Manager from a domain controller and restart the computer when prompted.
3. Install the new version of Password Policy Manager on that domain controller and restart the computer when prompted.
4. Repeat steps 2 and 3 for each domain controller in the managed domain.

If the previous version of Password Policy Manager has been deployed through Group Policy, it should be uninstalled by removing the previously assigned .msi package from the Software installation list. After the previous version is removed from the domain controllers, the new version may be deployed to those DCs through Group Policy.

To guarantee that all the passwords in your organization comply with the defined policies, Password Policy Manager must be deployed on all domain controllers in the managed domain.

UPGRADING SECURE PASSWORD EXTENSION

Secure Password Extension (previously GINA Extension) is an application that provides access to the complete functionality of the Self-service site from the Windows logon screen.

Note: Starting from Desktop Authority Password Self-Service version GINA Extension was renamed to Secure Password Extension (SPE).

We do our best to provide compatibility between different versions of SPE and Password Self-Service. Nevertheless, it is strongly recommended that you use SPE and Password Self-Service of the same version.

SPE may be deployed on different workstations by applying different GPOs. This lets you upgrade GINA Extension to Secure Password Extension in several steps, depending on your needs and preferences, rather than on all the workstations at one time.

You can centrally upgrade workstations to the latest version of the Secure Password Extension by assigning the software for deployment using Group Policy. Depending on your environment, you can remove the existing .msi package from the Software installation list, and then assign the latest-version package, or you can add the latest-version package, and then specify it as an upgrade for the existing one.

To remove the existing and assign a latest-version package:

1. Remove the assigned package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi) from the list of software to be installed.
2. Add the latest-version .msi packages to the list of software to be installed.
3. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy.
To specify an upgrade for the Secure Password Extension package:

1. Add the required latest-version package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension, or both) to the list of software to be installed.
2. Open the installation properties and select the Upgrade tab.
3. Click Add.
4. Select the previously assigned package.
5. Click Uninstall the existing package, then install the upgrade package, and then click OK.
6. Click OK.
7. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy.

Starting with version 4.6.0, Secure Password Extension by default automatically discovers the Self-Service site. If you upgrade from earlier versions, this functionality may be overridden by a policy that explicitly specifies the URL for the Self-Service site. To enable Secure Password Extension to automatically discover the nearest Self-Service site, you must disable the Specify URL to the Self-Service site setting in Group Policy.

To enable Secure Password Extension to automatically discover the Self-Service site:

1. Open Active Directory Users and Computers.
2. Right-click the managed domain name on the left pane and select Properties.
3. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.
4. Expand Default Domain Policy > Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add / Remove Templates.
5. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
6. Click Close to close the Add / Remove Templates dialog box.
7. Select the Administrative Templates node, then double-click the Quest Password Manager template on the right pane.
8. Double-click Generic Settings.
9. Double-click Specify URL to the Self-Service site.
10. Select the Disabled option on the Settings tab, and then click OK.

When upgrading GINA Extension to Secure Password Extension, do not forget to upgrade the prm_gina.adm administrative template with the one located in the \ScriptLogic Desktop Authority Password Self-Service\Setup\ Administrative Template\ folder of the installation CD. During the upgrade of the prm_gina.adm administrative template, the previously made template settings are preserved and picked up by newer versions.

For more information on how to upgrade Secure Password Extension and the administrative template, please refer to the User Guide.
UPGRADE FROM PASSWORD SELF-SERVICE VERSION 4.X

This section describes how to upgrade Password Manager if you are using a 4.x version.

Password Manager 4.6 comes with a Reports feature which is incompatible with the Report feature in previous 4.x versions. The new Password Self-Service version creates a new reporting database and a new set of reports. The new reports are installed on SQL Server side by side with the old database and reports, which are neither deleted nor overwritten. When upgrading Password Self-Service, you cannot upgrade the reports or append the usage data to the existing database. You cannot see the old reports using Password Self-Service, although you can always access the reports using native Report Server tools.

When upgrading Password Self-Service 4.x, you can face either or both of the two scenarios: a single Password Self-Service manages one domain or a single Password Self-Service manages several domains. Depending on the scenario, the upgrade procedure differs. This also applies to Password Manager farms managing a single or multiple domains. If Password Self-Service manages only one domain in your environment, proceed to the next section. If you use several instances of Password Service to manage the same domain(s), proceed to Multiple Server Upgrade.

Single Server Upgrade

Single Server Upgrade may be used in the following environments:
- One Password Self-Service instance (or a farm) manages one domain.
- One Password Self-Service instance (or a farm) manages several domains.

Follow the instructions below to upgrade a single instance of Password Self-Service or a Password Self-Service farm.

Important: If you have previously changed the name of the default Password Self-Service service account (PRM_svc_user001), before adding managed domains to Password Self-Service, you must rename it back to PRM_svc_user001 as described below.

To upgrade Password Self-Service version 4.x on a single server:
1. Write down the list of the Managed Domains managed by the Password Self-Service instance you are going to upgrade.
   Important: When upgrading to the new version of Password Self-Service, all the existing settings are migrated except for the list of the Managed Domains. All the Managed Domains will be disconnected from Password Self-Service, though the configuration for the Managed Domains will be preserved.
2. Delete all Password Self-Service scheduled tasks from the server.
3. Uninstall the previous version of Password Self-Service.
4. Install or upgrade the required third-party redistributables.
5. Install the new version of Password Self-Service with the Upgrade the existing instance option selected.
   Important: Do not select the A unique instance option when upgrading from Password Self-Service version 4.x; otherwise new encryption keys will be generated, and that will cause loss of the existing encrypted data.
6. Ensure that the QPM Application Pool is running in the IIS Manager on the server. If it is not running, start it manually.
7. Stop the ScriptLogic Password Self-Service scheduled task on the server.
8. If you have previously changed the name of the default Password Self-Service account (PRM_svc_user001), using the Active Directory Users and Computers console, rename the Password Self-Service account back to PRM_svc_user001 in each domain managed by the Password Self-Service instance you are upgrading.
9. Add Managed Domains following the list you made in step 1.
10. When upgrading a Password Self-Service farm, complete the steps 1 through 9 for each member server of the farm.
11. Optionally, you can rename the Password Self-Service account back to any name that complies with the regulations in your environment.
12. Configure the user access to the Self-Service site. For more details on how to configure access to the Self-Service site, see the Administrator Guide.
    Note: Previously, all users of a Managed Domain were able to access the Self-Service site immediately after adding the Managed Domain. Starting with version 4.6, after installing Password Self-Service, no users are granted access to the Self-Service site; you must configure the user access to the Self-Service site manually.
13. Start the ScriptLogic Password Self-Service scheduled task on the server.

Multiple Server Upgrade

Multiple Server Upgrade is applied to the following environments:
- Several Password Self-Service instances simultaneously manage one domain.
- Several Password Self-Service instances simultaneously manage several domains.
The Password Self-Service 4.x instances for a specific domain stay available during the upgrade period and thus may be used simultaneously with the previous version instances.

Note: If you have previously changed the name of the default Password Self-Service account (PRM_svc_user001), before adding managed domains to Password Self-Service, you must rename it back to PRM_svc_user001 as described below.
To upgrade from Password Self-Service version 4.x:
1. Write down the list of the Managed Domains managed by the Password Self-Service instance you are going to upgrade.
   When upgrading to the new version of Password Self-Service, all the existing settings are migrated except for the list of the Managed Domains. All the Managed Domains will be disconnected from Password Self-Service, though the configuration for the Managed Domains will be preserved.
2. Stop the PRMAppPool Application Pool in the IIS Manager on the first Password Self-Service version 4.x server.
3. Delete all Password Self-Service scheduled tasks from that server.
4. Install or upgrade the required third-party redistributable packages on that server.
5. Install the new version of Password Self-Service on that server with the Upgrade the existing instance option selected.
   Important: Do not select the A unique instance option when upgrading from Password Manager version 4.x; otherwise new encryption keys will be generated, and that will cause loss of the existing encrypted data.
6. Ensure that the PRMAppPool Application Pool is running in the IIS Manager on that server. If it is not running, start it manually.
7. Stop the ScriptLogic Password Self-Service scheduled task on the server.
8. If you have previously changed the name of the default Password Self-Service account (PRM_svc_user001), using the Active Directory Users and Computers console, rename the Password Self-Service account back to PRM_svc_user001 in each domain managed by the Password Self-Service instance you are upgrading.
9. Add Managed Domains following the list you made in step 1.
10. When upgrading a Password Self-Service farm, complete the steps 1 through 9 for each member server of the farm.
11. Optionally, you can rename the Password Manager service account to any name that complies with the regulations in your environment.
12. Configure the user access to the Self-Service site. For more details on how to configure access to the Self-Service site, see the Administrator Guide.
    Previously, all users of a Managed Domain were able to access the Self-Service site immediately after adding the Managed Domain. Starting with version 4.6.0, after installing Password Self-Service, no users are granted access to the Self-Service site; you must configure the user access to the Self-Service site manually.
13. Repeat the steps 1 through 11 for each Password Self-Service version 4.x server with the Upgrade the existing instance option selected.
14. Start the ScriptLogic Password Self-Service scheduled task on each server in your environment.
UPGRADING PASSWORD POLICY MANAGER

Password Policy Manager ensures that all the passwords in the organization comply with the password policies established by the Password Self-Service administrator. Skip this section if you do not use domain password policies assigned in Password Self-Service.

Both removal and installation of Password Policy Manager (PPM) require a computer restart. Upgrade PPM on all domain controllers in sequential order. Perform the upgrade during off-peak hours to cause minimal impact to your organization's operations.

To upgrade from Password Policy Manager version 4.x:
1. Make sure you have upgraded Password Self-Service as described in the previous section.
2. Remove the previous version of Password Policy Manager from a domain controller and restart the computer when prompted.
3. Install the new version of Password Policy Manager on that domain controller and restart the computer when prompted.
4. Repeat the steps 2 and 3 for each domain controller in the managed domain.

If the previous version of Password Policy Manager has been deployed through Group Policy, it should be uninstalled by removing the previously assigned .msi package from the Software installation list. After the previous version is removed from the domain controllers, the new version may be deployed to those DCs through Group Policy.

Password policy settings are not deleted when you uninstall Password Policy Manager version 4.x and are picked up by newer versions of PPM. To guarantee that all the passwords in your organization comply with the established policies, Password Policy Manager must be deployed on all domain controllers in the managed domain. For more information on how to install and upgrade Password Policy Manager, refer to the Quick Start Guide.

UPGRADING GINA EXTENSION TO SECURE PASSWORD EXTENSION

Secure Password Extension (ex-GINA Extension) is an application that provides access to the complete functionality of the Self-Service site from the Windows logon screen.

Note: Starting from ScriptLogic Desktop Authority Password Self-Service version GINA Extension was renamed to Secure Password Extension (SPE).

We do our best to provide compatibility between different versions of SPE (ex-GINA Extension) and Password Self-Service. Nevertheless, it is strongly recommended to use SPE and Password Self-Service of the same version number.
SPE may be deployed on different workstations by applying different GPOs. This means you do not have to upgrade GINA Extension to Secure Password Extension on all the workstations simultaneously; you can do it in several steps, depending on your needs and preferences.

You can centrally upgrade workstations to the latest version of the Secure Password Extension by assigning the software installation in the Group Policy object settings. Depending on your preferences, you can remove the existing .msi package from the Software installation list and then assign the latest-version package, or you can add the latest-version package and then specify it as an upgrade for the existing one.

To remove the existing and assign a latest-version package:
1. Remove the assigned package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi) from the list of software to be installed.
2. Add the latest-version .msi packages to the list of software to be installed.

To specify an upgrade for the Secure Password Extension package:
1. Add the required latest-version package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension, or both) to the list of software to be installed.
2. Open the installation properties and select the Upgrade tab.
3. Click Add.
4. Select the previously assigned package.
5. Click Uninstall the existing package, then install the upgrade package, and then click OK.
6. Click OK.

When upgrading GINA Extension to Secure Password Extension, do not forget to upgrade the prm_gina.adm administrative template with the one located in the \ScriptLogic Desktop Authority Password Self-Service\Setup\Secure Password Extension\Administrative Template\ folder of the installation CD. During the upgrade of the prm_gina.adm administrative template, the previously made template settings are preserved and picked up by newer versions. For more information on how to upgrade Secure Password Extension and the administrative template, please refer to the Administrator Guide.
Managing Domains

This section describes how to configure Password Self-Service managed domains. A managed domain is a domain managed by Password Self-Service. To start using Password Service, you must add one or more managed domains.

CONFIGURING PERMISSIONS TO ACCESS A DOMAIN

When adding a managed domain, you must specify an account under which Password Self-Service will access the domain. Before adding a managed domain, ensure that this account has the following minimum set of permissions required to successfully perform password management tasks in the domain:
- Membership in the Domain Users group
- The Read permission for all attributes of user objects
- The Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
- The right to reset user passwords
- The Write permission to create user accounts in the Users container
- The Read permission for attributes of the organizationalUnit object and domain objects
- The Write permission for the gPLink attribute of the organizationalUnit objects and domain objects
- The Read permission for attributes of the groupPolicyContainer objects
- The Write permission to create and delete the groupPolicyContainer objects in the System Policies container
- The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects
- The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
- The permission to create container objects in the System container
- The permission to create the serviceConnectionPoint objects in the System container
- The permission to delete the serviceConnectionPoint objects in the System container
- The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

Note: It is advisable to use the Password Self-Service application account to add managed domains and manage domain-specific data.

When you add a managed domain by using the Administration site, Password Manager creates a user account with the name '_QPM_svc_usr1' in the 'Users' container of the managed domain. Password Self-Service uses this account to store its configuration data and to perform all its operations in the domain. If you configure other Password Self-Service instances to manage the same domain, those instances will create the user accounts with names '_QPM_svc_usr2', '_QPM_svc_usr3', and so on, and use the corresponding accounts to store their configuration data.

ADDING A MANAGED DOMAIN

To add a managed domain
1. On the home page of the Administration site, click Managed Domains.
2. On the Configure Managed Domains page, click Add.
3. On the Domain Name and User Account Details page, configure access to the domain by doing the following:
   - In the Domain name text box, type in the name of the domain that you want to register with Password Self-Service.
   - In the Domain alias for the Self-Service Site text box, type in the alias for the domain which will be used to address the domain on the Self-Service Site.
   - To have Password Self-Service access the managed domain using the Password Self-Service application account, click Password Self-Service Application account. Otherwise, click Specific SQL Server account, and then enter the user name and password of the SQL Server user account you want Password Self-Service to use when accessing the domain.
   For information on how to prepare an account for accessing a managed domain, see Configuring Permissions to Access a Domain.
4. Click OK.

Note: After you have added a managed domain, you must create a question list for users' Q&A profiles, and configure password management settings for this domain, so that users can create their personal profiles by using the Self-Service site. For more information, see the "Managing Questions and Answers Profiles" and "Configuring Password Policies" sections.
CONFIGURING PASSWORD POLICIES

About Password Policies

You can use Desktop Authority Password Self-Service to create password policies that define which passwords to reject or accept. Password policy settings are stored in Group Policy objects (GPOs). A GPO is applied by linking it to a target container defined in Active Directory, such as an organizational unit or a group. Group Policy objects from parent containers are inherited by default. When multiple Group Policy objects are applied, the policy settings are aggregated. For information on how to apply a password policy and change policy link order, see Managing Password Policy Links.

Password Policy Manager

The Password Policy Manager is an independently deployed component of Password Self-Service. To enforce password policies that you define with Password Self-Service, you must deploy the Password Policy Manager on all domain controllers in a managed domain. Depending on whether a domain controller is running an x86 or x64 version of the Microsoft Windows Server operating system, the appropriate version of the Password Policy Manager must be installed. The procedure for installing PPM is outlined in Installing Password Policy Manager.

Password Policy Rules

Password Self-Service uses a set of powerful and flexible rules to define requirements for domain passwords. Each password policy has rules that are configured independently of the rules in other policies. The following rules duplicate and extend system password policy rules: Password Age Rule, Length Rule, Complexity Rule, Explicitly Allowed Characters Rule, Mixed Case Rule, and User Properties Rule. For information on how to create and configure a password policy, see Installing Password Policy Manager.

To display the properties of a password policy
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the <DomainName> Domain page, click a policy whose properties you want to view or modify.
Installing Password Policy Manager

This section describes the steps for deploying the Password Policy Manager in a managed domain. The Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO), or use an existing one, to assign the installation package with the Password Policy Manager to the destination computers. The Password Policy Manager is then installed on computers to which the GPO applies.

Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:
- Desktop Authority Password Policy Manager x86.msi - Installs the Password Policy Manager on domain controllers running an x86 Microsoft Windows Server operating system.
- Desktop Authority Password Policy Manager x64.msi - Installs the Password Policy Manager on domain controllers running an x64 Microsoft Windows Server operating system.

The installation packages are located in the \Desktop Authority Password Self-Service\Setup\Password Policy Manager\ folder on the installation CD.

Note: Depending on whether a domain controller is running an x86 or x64 version of the Microsoft Windows Server operating system, the appropriate version of the Password Policy Manager must be installed.

To install Password Policy Manager on a single domain controller
1. Run the appropriate Password Policy Manager .MSI package located in the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\PPM\ folder on the installation CD.
2. Restart the computer once the installation completes.

To deploy Password Policy Manager on multiple domain controllers
1. Copy the appropriate Password Policy Manager .MSI package from the installation CD to a network share accessible from all domain controllers in a managed domain.
2. Create a GPO and link it to all domain controllers in a managed domain. You may also choose an existing GPO to deploy the Password Policy Manager.
3. Open the Computer Configuration folder under the selected GPO, and then open the Software Settings folder.
4. Right-click Software installation, and then select New Package.
5. Select the .msi package you have copied in step 1.
6. Click Open.
7. Select the deployment method and click OK.
8. Verify and configure the installation properties if needed.
Creating and Configuring a Password Policy

When you have created a password policy, you can modify its default properties.

To create a domain password policy
1. On the home page of the Administration site, click the Managed Domains box.
2. Under Password Policies, click the link next to a domain for which you want to add a policy.
3. On the Password Policies for the <DomainName> Domain page, click the New Policy button.
4. On the Enter Policy Name page, type a name for the new policy.
5. Click OK, and then do one of the following:
   - Click the Configure the password policy link to modify the default policy settings, and then follow steps 2-4 of the procedure outlined later in this topic.
   - Click the View the list of domain password policies link to display the list of password policies for the managed domain.
   - Click the Create a new password policy link to create a new password policy in the managed domain.

To configure settings for a password policy
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the <DomainName> Domain page, click a policy whose properties you want to view or modify.
4. On the General tab of the Settings for Password Policy page, view or modify the following options, and then click Save:
   Option - Description
   Disable this policy - Select this check box to temporarily turn off the policy.
   Policy name - View or modify the name of the password policy.
   Domain name - View the name of the managed domain to which this policy is linked.
5. Click the Policy Rules tab to configure the password policy rules by using the procedure outlined in Configuring Password Policy Rules, and then click Save.
6. Click the Policy Scope tab to manage the password policy links by using the procedure outlined in Managing Password Policy Links, and then click Save.

Note: The password policies do not override domain security settings; both the Password Self-Service password policies and the domain security settings are applied.
If you are running Microsoft Windows Server 2008, Password Self-Service allows configuring and using not only ScriptLogic password policies but Native Windows 2008 password policies as well. For Native Windows 2008 password policies, among other options, you can configure policy precedence, which defines the order in which Native Windows 2008 password policies are applied.

Configuring Password Policy Rules

For each of the domain password policies, you can configure a set of policy rules that define what passwords to reject or accept in the domain to which a particular policy is applied. For each password policy, you can set up the following rules:
- Password Age Rule. Ensures that users cannot use expired passwords or change their passwords too frequently.
- Length Rule. Ensures that passwords contain the required number of characters.
- Complexity Rule. Ensures that passwords meet minimum complexity requirements.
- Required Characters Rule. Ensures that passwords contain certain character categories.
- Disallowed Characters Rule. Rejects passwords that contain certain character categories.
- Sequence Rule. Rejects passwords that contain more repeated characters than allowed.
- User Properties Rule. Rejects passwords that contain part of a user account property value.
- Dictionary Rule. Rejects passwords that match dictionary words or their parts.
- Symmetry Rule. Ensures that a password or its part does not read the same in both directions.

The following is a general procedure for configuring the password policy rules:

To configure rules for a password policy
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the Domain page, click a policy, and then click the Policy rules tab.
4. On the Policy Rules tab, click the rule that you want to configure, and, under the rule's name, modify the appropriate rule settings.
5. Repeat step 4 for each of the rules that you want to configure for this password policy, and then click Save.
For information about how to configure each of the policy rules, see the following topics in this section.

Password Age Rule

The Password Age rule ensures that users cannot use expired passwords or change their passwords too frequently.

To configure the Password Age rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Password Age Rule to expand the rule settings.
3. Under Password Age Rule, select the Specify password age check box, and then specify the following options as required:
   Option - Description
   Minimum password age - Specifies how many days users must keep new passwords before they can change them.
   Maximum password age - Specifies how many days a password can be used before the user is required to change it.

Complexity Rule

The Complexity rule ensures that passwords meet the following minimum complexity requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)

The Complexity rule imposes the same requirements as the standard Windows policy "Password must meet complexity requirements."

To configure the Complexity rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Complexity Rule to expand the rule settings.
3. Under Complexity Rule, select the Password must meet complexity requirements check box, and then specify the options as required.

Length Rule

The Length rule ensures that passwords contain the required number of characters.
To configure the Length rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Length Rule to expand the rule settings.
3. Under Length Rule, select the Password must contain check box, and then specify the following options as required:
   Option - Description
   Minimum characters - Set the minimum number of characters that passwords must contain.
   Maximum characters - Set the maximum number of characters allowed in a password.

Required Characters Rule

The Required Characters rule ensures that passwords contain certain character categories.

To configure the Required Characters rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Required Characters Rule to expand the rule settings.
3. Under Required Characters Rule, select the Password must contain at least check box, and then specify the following options as required:
   Option - Description
   Alphabetic characters - Set the minimum number of alphabetic characters (Az) that must appear in a password.
   Lowercase characters - Set the minimum number of lowercase characters that must appear in a password.
   Uppercase characters - Set the minimum number of uppercase characters that must appear in a password.
   Unique characters - Set the number of characters that must be unique within a password. To require case sensitivity for this setting, select the Case sensitive check box.
   Digits (0-9) - Specify whether passwords must contain digits:
     - Set the minimum number of digits that must appear in a password by selecting the Minimum check box, and then typing the required number.
     - In the In positions text box, type the numbers of positions within a password where digits must appear. For example, 1,3,5-10.
     - Use Number of ending characters to specify how many digits there must be in the end of a password.
   Special characters - Specify whether passwords must contain special characters:
     - Set the minimum number of digits that must appear in a password by selecting the Minimum check box, and then typing the required number.
     - In the In positions text box, type the numbers of positions within a password where digits must appear. For example, 1,3,5-10.
     - Use Number of ending characters to specify how many digits there must be in the end of a password.
     Special characters include the following characters: !"#$%&'()*+,-./:;<=>?@[\\]^_`{}~

Note: By default, the table of lowercase, uppercase, and special characters is taken from the locale settings of the domain controller where the Password Policy Manager is installed. To view the locale settings, select Start > Settings > Control Panel > Regional Options and click the General tab.

Disallowed Characters Rule

The Disallowed Characters rule rejects passwords that contain certain character categories.

To configure the Disallowed Characters rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Disallowed Characters Rule to expand the rule settings.
3. Under Disallowed Characters Rule, select the Password must not contain check box, and then specify the following options as required:
   Option - Description
   Digits (0-9) - Specify whether the rule will reject passwords containing digits. First, select this check box, and then do any of the following:
     - Select the In positions text box, and then type the numbers of positions within a password where digits must not appear. For example, 1,3,5-10.
     - Select the Number of ending characters check box, and then specify how many digits there must be in the end of a password.
   Special characters - Specify whether the rule will reject passwords containing special characters. First, select this check box, and then do any of the following:
     - Select the In positions text box, and then type the numbers of positions within a password where special characters must not appear. For example, 1,3,5-10.
     - Select the Number of ending characters check box, and then specify how many special characters there must be in the end of a password.
     Special characters include the following characters: !"#$%&'()*+,-./:;<=>?@[\\]^_`{}~

Note: By default, the table of special characters is taken from the locale settings of the domain controller where the Password Policy Manager is installed. To view the locale settings, select Start > Settings > Control Panel > Regional Options and click the General tab.

Sequence Rule

The Sequence rule rejects passwords that contain more repeated characters than allowed.

To configure the Sequence rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Sequence Rule to expand the rule settings.
3. Under Sequence Rule, select the Password must not contain more than check box, and then specify the following options:
   Option - Description
   Number of characters repeated in succession (AAAB) - Set the maximum number of same characters in a row that the policy will tolerate before rejecting a password.
   Number of identical characters (ABCA) - Set the maximum number of same characters typed in different positions of a password that the policy will tolerate before rejecting a password.
   Number of characters in direct or inverse numerical or alphabetical order (ABC_321) - Set the maximum number of characters typed in direct or inverse numerical or alphabetical order that the policy will tolerate before rejecting a password.
   Case sensitive - Select this check box to require case sensitivity for this rule.
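The three Sequence rule counters described above can be made concrete with a small checker. This is an added example, not Password Policy Manager's code: the function and parameter names are hypothetical, and it assumes "direct or inverse order" means neighbouring ASCII letters or digits (abc, 321) and that clearing Case sensitive folds case before counting.

```python
from collections import Counter


def longest_repeat_run(s):
    """Longest run of one character repeated in succession ('AAAB' -> 3)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def max_identical(s):
    """Highest count of any single character anywhere ('ABCA' -> 2)."""
    return max(Counter(s).values(), default=0)


def _step(a, b):
    """+1 or -1 if b directly follows or precedes a among ASCII letters or digits, else 0."""
    if not (a.isascii() and b.isascii()):
        return 0
    same_kind = (a.isdigit() and b.isdigit()) or (a.isalpha() and b.isalpha())
    diff = ord(b) - ord(a)
    return diff if same_kind and diff in (1, -1) else 0


def longest_ordered_run(s):
    """Longest ascending or descending run ('ABC_321' -> 3)."""
    best = 1 if s else 0
    run, direction = 1, 0
    for a, b in zip(s, s[1:]):
        step = _step(a, b)
        if step == 0:
            run, direction = 1, 0          # run broken
        elif step == direction:
            run += 1                       # run continues in the same direction
        else:
            run, direction = 2, step       # new run starts with this pair
        best = max(best, run)
    return best


def sequence_rule_violations(password, max_in_succession=None,
                             max_identical_chars=None, max_ordered=None,
                             case_sensitive=False):
    """Return {counter: (measured, limit)} for every limit exceeded.

    A limit of None means that option is not configured (assumption).
    An empty dict means the password passes this rule.
    """
    s = password if case_sensitive else password.casefold()
    measured = {
        "in_succession": longest_repeat_run(s),
        "identical": max_identical(s),
        "ordered": longest_ordered_run(s),
    }
    limits = {
        "in_succession": max_in_succession,
        "identical": max_identical_chars,
        "ordered": max_ordered,
    }
    return {name: (measured[name], limit)
            for name, limit in limits.items()
            if limit is not None and measured[name] > limit}


if __name__ == "__main__":
    # Constructed sample passwords, checked with every limit set to 2.
    for candidate in ("AAAB", "ABCA", "ABC_321", "Tr7!kQ2#"):
        print(candidate, sequence_rule_violations(candidate, 2, 2, 2))
```

Running candidate passwords through such a checker before rolling out a policy shows which limit a given value trips, which helps when tuning the three numbers against real user complaints.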
User Properties Rule

The User Properties rule rejects passwords that contain part of a user account property value.

To configure the User Properties rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click User Properties Rule to expand the rule settings.
3. Under User Properties Rule, select the Prevent users from using account properties as part of passwords check box, and then specify the following options:

Option: Beginning characters of a user property value
Description: Set the maximum number of beginning characters from a user property value that users are allowed to use as part of their passwords. For example, if a user's full name is "Anna Fairweather", and the option value is set to 3, then the user is allowed to type the strings "Ann" and "Fai" as part of her password. The password will be rejected if it contains "Anna" or "Fair". You can select from the following user account properties: displaynameprintable, mailnickname, userprincipalname, displayname, title, sn, samaccountname, personaltitle, middlename, mail, givenname, employeeid, cn.

Option: The entire value of a user property
Description: Select to reject passwords containing the entire value of a user property. You can select any of the user account properties listed in the description for the Beginning characters of a user property value option above.

Option: Case sensitive
Description: Select this check box to require case sensitivity for this rule.

Option: Enable bi-directional analysis
Description: Select to reject passwords containing the entire value of a user property or its part (depending on which of the two previous options you have selected), if read backwards.
Dictionary Rule

The Dictionary rule rejects passwords that match dictionary words or their parts. The Dictionary rule compares user passwords against a list of words stored in the QPMDictionary.txt text file (in the Unicode format). Depending on how you configure the rule settings, user passwords that partially or fully match dictionary words are rejected by Password Self-Service.

The QPMDictionary.txt dictionary file is located on the Password Self-Service server, in the following folder: '<install location>\password Policy Manager\', and is automatically deployed together with Password Policy Manager (PPM). To ensure consistency of the dictionary, make sure that QPMDictionary.txt is up-to-date on all servers where it is deployed.

The dictionary file is never cached. During each password validity check, the dictionary file is read from the Password Self-Service server, or from the user's domain controller.

To modify the QPMDictionary.txt file, such as by adding new words to the word list, you can use Notepad (or any text editor). When modifying the dictionary file, ensure that you begin every new word on a new line. We recommend that you maintain alphabetical order.

The Dictionary rule is not case-sensitive. This means that you can use either uppercase or lowercase when adding or modifying dictionary entries, and that user input is checked regardless of whether users type capital or small letters in their passwords.

To configure the Dictionary rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Dictionary Rule to expand the rule settings.
3. Under Dictionary Rule, select the Enable dictionary lookup to reject passwords that contain check box, and then specify the following options:

Option: Beginning characters of a dictionary word
Description: Specify to reject passwords starting with this number of beginning characters of a dictionary word.

Option: A complete word from the dictionary
Description: Select this check box to reject passwords that represent an entire word from the dictionary.

Option: Detect inclusion of non-alpha characters (pas7swo%rd)
Description: Select this check box to remove non-alphabetic characters during analysis.

Option: Enable bi-directional analysis
Description: Select to reject passwords containing an entire dictionary word or its part (depending on which of the other three options you have selected), if read backwards.
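The Dictionary rule and the User Properties rule both come down to searching the candidate password for forbidden fragments, optionally after stripping non-alphabetic characters or reading the password backwards. The Python code below is an added example, not code from Password Self-Service or Password Policy Manager; the function names and sample data are hypothetical. It assumes that "Unicode format" means UTF-16 with a byte-order mark, that a fragment found anywhere in the password counts as a match, and that a property value is split into words on whitespace, as the "Anna Fairweather" example suggests.

```python
from typing import Dict, Iterable, List, Optional


def parse_dictionary(raw: bytes) -> List[str]:
    """Decode word-list bytes: one word per line, compared case-insensitively.

    Assumption: "Unicode format" means UTF-16 with a byte-order mark, which is
    what Windows Notepad writes when "Unicode" is chosen as the encoding.
    """
    return [w.strip().lower() for w in raw.decode("utf-16").splitlines() if w.strip()]


def _views(candidate: str, bidirectional: bool) -> List[str]:
    """The strings that are searched: the candidate and, optionally, its reverse."""
    return [candidate, candidate[::-1]] if bidirectional else [candidate]


def dictionary_hits(password: str, words: Iterable[str], *,
                    prefix_len: Optional[int] = None, whole_word: bool = True,
                    strip_non_alpha: bool = False,
                    bidirectional: bool = False) -> List[str]:
    """Return the dictionary words that make the password unacceptable."""
    candidate = password.lower()                      # the rule is not case-sensitive
    if strip_non_alpha:                               # "pas7swo%rd" -> "password"
        candidate = "".join(ch for ch in candidate if ch.isalpha())
    views = _views(candidate, bidirectional)
    hits = []
    for word in words:
        fragments = set()
        if whole_word:
            fragments.add(word)
        if prefix_len and len(word) >= prefix_len:
            fragments.add(word[:prefix_len])          # beginning characters of the word
        if any(f in v for f in fragments for v in views):
            hits.append(word)
    return hits


def user_property_hits(password: str, properties: Dict[str, str], *,
                       max_prefix: Optional[int] = None, whole_value: bool = False,
                       case_sensitive: bool = False,
                       bidirectional: bool = False) -> List[str]:
    """Return the names of the account properties the password borrows from."""
    fold = (lambda s: s) if case_sensitive else str.lower
    views = _views(fold(password), bidirectional)
    hits = []
    for name, value in properties.items():
        fragments = set()
        if whole_value and value:
            fragments.add(fold(value))
        if max_prefix is not None:
            # Guide example: with 3, "Ann" is allowed but "Anna" is rejected, so
            # the forbidden fragment is one character longer than the limit.
            for part in value.split():
                if len(part) > max_prefix:
                    fragments.add(fold(part[:max_prefix + 1]))
        if any(f in v for f in fragments for v in views):
            hits.append(name)
    return hits


# Constructed sample data (not taken from a real directory or dictionary file).
SAMPLE_DICTIONARY = "Password\r\nsecret\r\ndragon\r\n".encode("utf-16")
SAMPLE_USER = {"displayname": "Anna Fairweather", "samaccountname": "afairweather"}
```

Running candidate passwords through both functions with each option toggled shows how much the non-alpha and bi-directional options widen what is rejected.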
Symmetry Rule

The Symmetry rule ensures that a password or its part does not read the same in both directions.

To configure the Symmetry rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Symmetry Rule to expand the rule settings.
3. Under Symmetry Rule, select the Password must comply with symmetry criteria check box, and then specify the following options:

Option: Reject passwords that read the same in both directions (pass8ssap)
Description: Select to reject passwords that are palindromes.

Option: Maximum number of beginning characters that match ending characters of password if read backwards (pas47sap)
Description: Specify the number of beginning characters matching the ending characters of the password, if read backwards, which the policy will tolerate before rejecting a password.

Option: Maximum number of consecutive characters within a password, that read the same in both directions (pass4554word)
Description: Specify the number of password characters in a row that read the same in both directions, which the policy will tolerate before rejecting a password.

Option: Case sensitive
Description: Select to define this rule as case sensitive.

Managing Password Policy Links

Applying Password Policies

A newly created password policy is linked to the managed domain for which it was created and applies to the Authenticated Users group by default. You can define granular password policies by linking them to certain Organizational Units and groups in a managed domain.

To link a Password Policy to Organizational Units and Groups

1. Display properties of a password policy by using the procedure outlined in About Password Policies.
2. Click the Policy Scope tab.
3. Click the Add button under The following domains and OUs are linked to this policy, and then browse for an organizational unit.
4. Click the Add button under The settings in this policy can only apply to the following groups, and then browse for a group in the organizational unit that you have specified in step 3.
5. Click Save.
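Returning to the Symmetry rule options described before the policy-link procedure: the three checks can be measured directly on a candidate password. The Python code below is an added example, not code from Password Self-Service; all names are hypothetical, and it assumes that each limit is exceeded only when the measured count is strictly greater than the configured number.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SymmetryPolicy:
    """Hypothetical container for the Symmetry rule options; None = limit not set."""
    reject_palindromes: bool = False            # (pass8ssap)
    max_mirrored_ends: Optional[int] = None     # (pas47sap)
    max_inner_palindrome: Optional[int] = None  # (pass4554word)
    case_sensitive: bool = False


def mirrored_ends(s: str) -> int:
    """Count beginning characters that match the ending characters read backwards."""
    count = 0
    for i in range(len(s) // 2):
        if s[i] != s[-1 - i]:
            break
        count += 1
    return count


def longest_palindrome_len(s: str) -> int:
    """Length of the longest substring that reads the same in both directions."""
    best = 0
    for centre in range(len(s)):
        # Try an odd-length centre (one character) and an even-length centre
        # (the gap between two characters), growing outwards while it mirrors.
        for left, right in ((centre, centre), (centre, centre + 1)):
            while left >= 0 and right < len(s) and s[left] == s[right]:
                left -= 1
                right += 1
            best = max(best, right - left - 1)
    return best


def check_symmetry_rule(password: str, policy: SymmetryPolicy) -> List[str]:
    """Return the names of the symmetry checks the password fails."""
    s = password if policy.case_sensitive else password.lower()
    violations = []
    if policy.reject_palindromes and len(s) > 1 and s == s[::-1]:
        violations.append("palindrome")
    if (policy.max_mirrored_ends is not None
            and mirrored_ends(s) > policy.max_mirrored_ends):
        violations.append("mirrored_ends")
    if (policy.max_inner_palindrome is not None
            and longest_palindrome_len(s) > policy.max_inner_palindrome):
        violations.append("inner_palindrome")
    return violations
```

Any doubled character such as "ss" is already a two-character palindrome, so an inner-palindrome limit below 2 also rejects every password with a doubled letter.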
Changing policy link order

When multiple password policies affect an OU or a group, they are processed sequentially in order of precedence. Policies with the highest precedence are processed last. A newly created password policy is enabled by default, and applies to authenticated users in the managed domain for which it was created.

To change policy link order

1. On the home page of the Administration site, click the Managed Domains box.
2. Under Password policies, click the link next to a domain for which you want to change the policy link order.
3. On the Password Policies for the <DomainName> Domain page, click Link order.
4. In the table below Change link order, move policies up or down in the list by clicking the Up or Down arrows next to the policies.

Note: To have a password policy affect users from only certain groups, remove the Authenticated Users group from the policy scope and specify the organizational units and the groups in those organizational units that you want the policy to affect.

Deleting a Password Policy

To delete a password policy from a domain

1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Domain Password Policies page, click the Delete button next to the policy that you want to delete.

Note: When you delete a password policy from a managed domain, the deleted policy is no longer valid for this domain. To restore a deleted password policy, create a new policy and manually configure its settings as required.
MANAGING QUESTIONS AND ANSWERS PROFILES

Personal Questions and Answers profiles are an authentication mechanism used by Password Self-Service to allow users and helpdesk operators to manage their passwords in Active Directory domains and in different connected systems. A Questions and Answers profile is a set of questions, pre-designed by the Password Self-Service administrator, to which a user has provided secret answers, and thus has created a personal profile. You can also require users to specify their own questions in their personal profiles. Then, users can securely reset their passwords or unlock their accounts by answering a series of questions from their personal profiles.

Before users can register with Password Self-Service by creating their personal Questions and Answers profiles, you must configure a question list containing the questions that will be presented to users. You can create question lists in a specific language, so that users can select a preferred language of questions and answers.

You can set requirements for answers that users specify in their Questions and Answers profiles. For example, you can prevent users from specifying the same answer for different questions, or set a minimum answer length.

Password Self-Service allows you to specify criteria for recognizing users' Questions and Answers profiles as not compliant with the current password management settings. This is essential if you want users to update their profiles each time password management settings are changed. You can have noncompliant user Q&A profiles manually invalidated by help desk operators, thus preventing users with invalidated profiles from resetting passwords and unlocking accounts. Such users are then required to update their Questions and Answers profiles. For information on how to configure Q&A profile compliance rules, see Configuring Profile Update Policy.
Creating and Configuring Question Lists

A question list is a template containing a pre-defined series of questions to which a user provides their own answers, thus creating a personal Questions and Answers profile. Later, the user has to answer the specified number of questions from the question list to be allowed to perform password self-management tasks, such as resetting a password or unlocking an account. You can create question lists in different languages. Then, users can select a preferred language for questions and answers in their personal profile.

Every question list can contain the following types of questions:

Question Type: Mandatory
Description: Questions of this type are an integral part of a user's Q&A profile. Users must provide an answer to each of these questions. You must specify at least one mandatory question if you want Help Desk operators to be able to unlock user accounts and reset user passwords. Thus, a user must answer a randomly selected mandatory question before a help desk operator can reset the user's password or unlock the user's account.
Question Type: Optional
Description: Users can decide for themselves whether they want to use any questions of this type in their Q&A profile.

Question Type: User-defined
Description: A question that must be composed by the user.

Question Type: Help Desk authentication
Description: Security question used by Help Desk to verify a user's identity when resetting the user's password or unlocking the user's account. This question is not configurable, and is included in users' Q&A profiles if you select the Operators must verify user identity option on the Help Desk site settings page. For more information about this option, see Configuring Help Desk Site Settings. Users' answers to this type of question are always stored using reversible encryption. For information about changing cryptographic and hashing algorithms for configuration data storage, see Selecting Cryptographic and Hashing Algorithms.

For users to be able to create their personal Questions and Answers profiles, you must specify at least one question in a question list.

To create and configure a question list

1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create a question list, and then click the Questions tab.
3. On the Questions tab, make the list of languages for which you want to create question lists by selecting one language at a time in the Add a language into the list and clicking Add.
4. On the Questions tab under Language, click the language for which you want to create a question list.
5. On the Configure Question List page, specify the following options as required:

Option: Make questions in this language unavailable to users
Description: Select this check box to temporarily prevent users from creating or updating their Q&A profiles using the question list language.

Option: Mandatory questions
Description: Click the Add button under the Mandatory questions list box, and then type a question and press ENTER.

Option: Optional questions
Description: Click the Add button under the Optional questions list box, and then type a question and press ENTER. To add more optional questions, repeat this step. Under Users must answer this number of optional questions to register, set the number of optional questions that a user must answer to register.
Option: Users must answer this number of optional questions to register
Description: Set the required number of optional questions that a user must answer to create his Questions and Answers profile.

Option: Users must configure this number of user-defined questions
Description: Set the required number of user-defined questions that a user must specify to create their Questions and Answers profile.

Option: Number of questions that users must answer to register
Description: Set the required number of optional questions that a user must answer to create their Questions and Answers profile.

Option: Number of questions from user's Q&A profile that a user must answer to reset his password or unlock his account
Description: Set the number of questions that are presented to users when they reset their password or unlock their account, by doing one of the following: Click All questions from user's Q&A profile to have users answer all the questions from their profiles. Click Specified number of randomly selected questions, and then set the number of questions required to reset password and to unlock account.

Option: Questions required for user verification by Help Desk
Description: Set the number of Q&A profile questions that helpdesk operators must ask a user to verify a user's identity before resetting the user's password or unlocking the user's account. You can configure this setting for the following types of security questions: Mandatory questions, Optional questions, User-defined questions.

6. Click Save.
7. Repeat steps 4-6 for each language in the language list.

Note: Modifying a question list does not affect existing personal Questions and Answers profiles unless the users have to update their profiles as a result of the settings that require users to update Q&A profiles when the question list is modified.

Configuring Questions and Answers Policy

To configure Questions and Answers policy

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. Click Manage Domains.
3. On the Managed Domains page, click a domain, and then click the Q&A Policy tab.
4. On the Q&A Policy tab, specify the following options:

Option: Minimum length of answer
Description: Set the least number of characters that users' answers can contain.

Option: Minimum length of user-defined questions
Description: Set the maximum number of characters that users' answers can contain.

Option: Reject the same answers for different questions
Description: Select to prevent users from specifying same answers for different questions.

Option: Reject answers that are parts of the corresponding questions
Description: Select to prevent users from specifying answers that are parts of the corresponding questions.

Option: Store answers using reversible encryption
Description: Select to store users' answers using reversible encryption.

5. Click Save.

Performing Bulk Profile Updates

Password Self-Service stores a user's Questions and Answers profile data in an attribute of the user's account. You can perform a bulk update of Questions and Answers profiles by updating the proper attribute of each of the registered user's accounts. Upon request, ScriptLogic Software Support will provide you with solutions that allow you to perform the following tasks:

Change the attribute to store Questions and Answers profiles
Bulk creation of Questions and Answers profiles

Changing the Attribute Used for Storing Questions and Answers Profiles

By default, Desktop Authority Password Self-Service stores Questions and Answers Profile data in the comment attribute of each user's account. You can configure Desktop Authority Password Self-Service to use another attribute instead. You can change the Active Directory attribute in which the Questions and Answers Profiles are stored and move existing profiles to the newly specified attribute. For more information on how to change the default attribute please visit the ScriptLogic Knowledge Base and Solution Center at or contact ScriptLogic Technical support.
Bulk Creation of Questions and Answers Profiles

Desktop Authority Password Self-Service stores users' Questions and Answers Profile data in an attribute of each user's account. You can pre-populate or create Questions and Answers profiles in bulk by writing new data to these attributes. Upon request, ScriptLogic Technical Support will provide you with a solution that performs the bulk updating and automatic enrollment of users from an external data source.
For more information on how to pre-populate or create Questions and Answers profiles in bulk please visit the ScriptLogic Knowledge Base and Solution Center at or contact ScriptLogic Technical support.

CONFIGURING REGISTRATION NOTIFICATION AND ENFORCEMENT

You can configure Password Self-Service to notify users in the managed Active Directory domain that they must register with Password Self-Service or have to update their invalid Questions and Answers profiles. You can also specify whether unregistered users must complete the registration procedure before being able to log on to the network.

Password Self-Service provides the following mechanisms to implement registration notification and enforcement:

Registration Notification. Configure a notification schedule to send e-mail notifications to those users who have not yet registered with Password Self-Service. To configure a notification schedule, see the procedure outlined later in this section. Users also will be notified to register with Password Self-Service through a balloon briefly displayed from an icon in the notification area at specified intervals. You can configure the scope of users you want to be notified. This method also defines whether users may receive notifications, provided that registration notification is enabled.

Registration Enforcement. Define whether users who have not registered with Password Self-Service, or have invalid Questions and Answers profiles, must create or update their Q&A profiles before they can log on to the network.

Note: Registration enforcement can be configured only for pre-Windows Vista operating systems, and is enabled through Group Policy by properly configuring Secure Password Extension.

To enable registration notification, you must configure a notification schedule. The step-by-step instruction on how to configure a notification schedule is outlined later in this section.
Once you configure a notification schedule, all users in the managed domain start to receive notifications that require the users to register with Password Self-Service. You can also configure a notification message to be displayed on users' computers through a balloon briefly displayed from an icon in the notification area. This notification is turned on through Group Policy by properly configuring Secure Password Extension.

By default, when you enable registration notification, all users in a managed domain will receive registration notifications through notification balloons and messages. However, you can define a list of users you do not want to be prompted to register with Password Manager, or specify an explicit list of notification recipients.
To configure notification schedule

Specify an outgoing mail server (SMTP). For more information, see Configuring Outgoing Mail Server Settings.

1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the General tab, click User registration schedule.
4. Under User registration schedule, specify the following options, and then click Save:

Option: Force users to register with Password Self-Service
Description: Select this check box to configure the registration enforcement options.

Option: Apply immediately
Description: Forces all users to immediately register with Password Self-Service. Use this option with caution when the number of users managed by Password Self-Service is large. Immediate enforcement of a large number of users may drastically decrease the performance of your production environment.

Option: Schedule enforcement
Description: Requires users to register within a specific number of days after they are scheduled to register.

Option: Once forced to register, user must register within <%> days
Description: Specify the deadline within which a user must register with Password Self-Service after the first registration notification. If users do not register within the deadline, they cannot log on to the system.

Option: Start notifying users <%> days before registration term
Description: Select this check box to remind those users who already received the first registration notification but have not registered with Password Self-Service of the necessity to complete the registration procedure. Such users will receive a notification every day during the specified number of days before the registration term.

Option: Notify users by e-mail
Description: Select this option if you want to have users notified using e-mail. By clicking Specify notification language(s) you can specify the language to use for sending notifications.

Option: Schedule to force to register the following number of users:
Description: Set the daily number of new users who will be first notified to register. The total number of daily notified users will be incremented by the value that you set. Use this option to reduce server load and enhance performance.
Option: Notify users using Secure Password Extension
Description: If you select this check box, when attempting to log on to the system using the Windows logon screen, users will see a dialog box offering to register with Password Self-Service. After the registration deadline, users will not be able to log on, unless they complete the registration procedure.

Option: Prevent non-registered users from logging on after deadline (for Windows XP clients only)
Description: Select this option to prevent from logging on to the system the users who have not registered with Password Self-Service after the registration deadline specified in the Once forced to register, user must register within <%> days option or have invalid Questions and Answers profiles.

To specify an explicit list of groups to receive registration notifications

1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Receive Registration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to receive registration notifications and click OK.

Only members of the groups in this list will be prompted to register.

To exclude a group from registration notification recipients

1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Receiving Registration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to never receive registration notifications and click OK.

Members of the groups in this list will never be prompted to register with Password Self-Service.
If you add a group in both the Groups Allowed to Receive Registration Notifications and Groups Denied Receiving Registration Notifications lists, the members of this group will never be prompted to register with Password Self-Service.
Note: To specify criteria that define whether users must update their Questions and Answers profiles, you can configure profile update policies. For more information, see Configuring Profile Update Policy.

You can configure which groups will receive password expiration notifications and which will not.

To specify an explicit list of groups to receive password expiration notifications

1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Receive Password Expiration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to receive password expiration notifications and click OK.

Only members of the groups in this list will receive password expiration notifications.

To exclude a group from password expiration notification recipients

1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Receiving Password Expiration Notification.
4. Click Add.
5. In the object selection window, select the groups whose members you want to never receive password expiration registration notifications and click OK.

Members of the groups in this list will never receive password expiration notifications.

If you add a group in both the Groups Allowed to Receive Password Expiration Notifications and the Groups Denied Receiving Password Expiration Notification groups, the members of this group will never receive password expiration notifications.
DELEGATING HELP DESK AND ADMINISTRATIVE TASKS

You can assign help desk tasks to dedicated help desk operators, and delegate Password Self-Service configuration management to lower-level administrators by simply adding the trusted individuals' accounts to pre-created security groups.

Delegating Help Desk Tasks

The Help Desk site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles. By default, only members of the local Administrators group on the Password Self-Service server can access the Help Desk site Web interface.

To delegate help desk tasks to dedicated personnel, add the operators' accounts to the QPMHelpDesk group. This group is created during setup, on the computer where you install Password Self-Service, and has the Read and Execute permission on the \HelpDesk folder at the following default location: C:\Program Files\ScriptLogic\Desktop Authority Password Self-Service\web\QPM\. Members of the QPMHelpDesk group have access to the complete functionality of the Help Desk site, and can perform help desk tasks.

Delegating Administrative Tasks

Delegation of access to the Administration site provides the ability to distribute Password Self-Service configuration management tasks among trusted persons. By default, access to the Administration site is granted to the local Administrators group and to the account under which you have installed Password Self-Service.

To provide access to the Administration site, add the delegated administrators' accounts to the pre-created QPMAdmin group, on the computer where Password Self-Service is installed. Members of the QPMAdmin group have access to the complete functionality of the Administration site.

Note: Make sure you add only the most highly trustworthy persons to the QPMAdmin group, since changing Password Self-Service configuration involves dealing with user-sensitive information.
CONFIGURING ACCESS TO SELF-SERVICE SITE

By default, no Managed Domain user can access the Self-Service site. To allow users to access the Self-Service site, you must explicitly specify the groups which can use the Self-Service site. You can also explicitly deny specific groups access to the Self-Service site.

To specify a list of groups which are explicitly allowed to access the Self-Service site

1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Access to the Password Manager Self-Service Site.
4. Click Add.
5. In the object selection window, select the groups whose members you want to never be able to access the Self-Service site and click OK.

Members of the groups in this list will be denied access to the Self-Service site.

If you add a group in both the Groups Allowed to Access the Password Manager Self-Service Site and the Groups Denied Access to the Password Manager Self-Service Site lists, the members of the group will be denied access to the self-service site.
Glossary

A

account: A record that consists of all the information that defines a user to Microsoft Active Directory. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources.

application log: The log that lists all actions performed by Desktop Authority Password Self-Service.

attribute: A piece of data that stores information that is specific to an object. A set of attributes stores the data that defines an object.

C

credentials: Data used by a principal to establish the identity of the principal, such as a password or user name.

D

display name: The name of an object as it appears in the address book.

domain: A logical collection of resources that consists of computers, printers, computer accounts, user accounts, and other related objects.

domain controller: For a Windows Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

I

invalid Questions and Answers Profile: A Questions and Answers Profile can become invalid as a result of the following: The domain's Questions and Answers Profile Template changes, the domain's question policies change, or an administrator makes a Questions and Answers profile invalid manually. Once a Questions and Answers Profile becomes invalid, its owner can use it only once to reset a password or unlock an account. Then they must re-create their Questions and Answers Profile.
L

locked Questions and Answers Profile: A Questions and Answers Profile that temporarily cannot be used. A Questions and Answers Profile can become locked after a number of unsuccessful attempts to answer the questions.

M

mailbox: The delivery location for all incoming mail messages addressed to a designated owner. Information in a user's mailbox is stored in the private information store on a Microsoft Exchange server computer. A mailbox can contain received messages, message attachments, folders, folder hierarchy, and more. Server applications for Microsoft Exchange server are often designed with a mailbox for communication.

mandatory question: A question, the same for all users in a domain, that a person must answer in order to authenticate themselves using Desktop Authority Password Self-Service.

managed domain: A domain registered with Desktop Authority Password Self-Service. You can manage multiple domains by using Desktop Authority Password Self-Service.

mixed mode: The default mode setting for domains on Windows 2000/2003/2008 domain controllers. Mixed mode allows Windows 2000/2003/2008 domain controllers and Windows NT backup domain controllers to co-exist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000/2003/2008.

N

native mode: A Windows 2000/2003/2008 Domain is in native mode when: All domain controllers in the domain have been upgraded to Windows 2000/2003/2008. An administrator has enabled the native mode operation using the domain property page in the Active Directory Users and Computers snap-in.

O

optional question: A question from the pre-defined list that a person must answer in order to authenticate themselves using Desktop Authority Password Self-Service.

organizational unit: An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain.
64 Password Self-Service 4 59 Password Self-Service Farm A set of Password Self-Service instances sharing common configuration to ensure enhanced availability and load balancing. A single domain may be managed by several different Password Self-Service farms. Password Self-Service Farm Affinity An association between Secure Password Extension and Password Self-Service. If you enforce an affinity to specific Password Self-Service farm using Group Policy, all the clients running Secure Password Extension and affected by this policy will use only the Password Self-Service instances that belong to the specified farm. Q Questions and Answers Profile (Q&A Profile) A set of questions selected by a user from the Questions and Answers Profile template, and that user's answers to them. A Questions and Answers Profile is used to authenticate a person using Desktop Authority Password Self-Service. Question list S site A set of questions used in creating users' Questions and Answers profiles. The list is defined by the administrator and contains a series of questions in a certain language that users from a specific domain must answer in order to create or update their personal Questions and Answers profiles. A question list defines the number of questions of each type and the wording of mandatory and selectable questions. One or more Microsoft Exchange servers that provide services to a set of users. Sites can be centrally managed and can span physical locations. special character A character that is neither alphabetic nor numeric. U user-defined question A question that a person must provide along with the answer in order to authenticate themselves using Desktop Authority Password Self-Service. Updated 24 May
