ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide
- Phyllis Fox
- 10 years ago
2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

Trademarks

Quest, Quest Software, the Quest Software logo, ScriptLogic, ScriptLogic Software, the ScriptLogic Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

DISCLAIMER

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.
EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
DOCUMENTATION CONVENTIONS

In order to help you get the most out of this guide, we have used specific formatting conventions, which apply to procedures, icons, keystrokes and cross-references.

Element: Convention
Bolded text: Interface elements that appear in ScriptLogic products, such as menus and commands.
Italic text: Used for comments.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.

CONTACTING SCRIPTLOGIC

Contact ScriptLogic about any questions, problems or concerns.

ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida
Sales and General Inquiries
Technical Support
Fax

SCRIPTLOGIC ON THE WEB

ScriptLogic can be found on the web at

Our web site offers customers a variety of information:
- Download product updates, patches and/or evaluation products.
- Locate product information and technical details.
- Find out about Product Pricing.
- Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.
- Search Frequently Asked Questions for the answers to the most common non-technical issues.
- Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives.
Contents

WELCOME TO SCRIPTLOGIC PASSWORD SELF-SERVICE
  SCRIPTLOGIC PASSWORD SELF-SERVICE OVERVIEW
  DIFFERENT SITES FOR DIFFERENT ROLES
ADMINISTRATION SITE
  CHECKLIST: CONFIGURING PASSWORD SELF-SERVICE
  SPECIFYING GLOBAL SETTINGS
    Enabling HTTPS
    Configuring Self-Service Site Settings
  CONFIGURING ACCESS TO SELF-SERVICE SITE FROM WINDOWS LOGON SCREEN
    Introducing Secure Password Extension
    Deploying and Configuring Secure Password Extension
    Uninstalling Secure Password Extension
    Troubleshooting Secure Password Extension
  MANAGING DOMAINS
    Configuring Permissions to Access a Managed Domain
    Adding a Managed Domain
    Managing Questions and Answers Profiles
    Configuring Password Policies
    Configuring Logon Security Options
    Configuring Registration Notification and Enforcement
    Delegating Help Desk and Administrative Tasks
    Configuring Access to Self-Service Site
  REPORTING
    Setting Up Reporting Environment
    Using Reports
  DIAGNOSTIC LOGGING
  BEST PRACTICES FOR CONFIGURING REPORTING SERVICES
    Reporting Services default configuration
    Reporting Services firewall issues
  THE PASSWORD SELF-SERVICE DATABASE IN SQL SERVER
  THE SCHEDULED TASKS IN PASSWORD SELF-SERVICE
GLOSSARY
Welcome to ScriptLogic Password Self-Service

SCRIPTLOGIC PASSWORD SELF-SERVICE OVERVIEW

ScriptLogic Password Self-Service is a Web-based application that provides an easy-to-implement and easy-to-use, yet highly secure, password management solution. Users can connect to Password Self-Service by using their favorite browser and perform password self-management tasks, thus eliminating the need for assistance from high-level administrators and reducing help desk workload. The solution offers a powerful and flexible password policy control mechanism that allows the Password Self-Service administrator to ensure that all passwords in the organization comply with the established policies. Password Self-Service works with Windows domains, including domains operating in mixed mode.

The key features and benefits of ScriptLogic Password Self-Service include:
- Global access. ScriptLogic Password Self-Service provides 24x7x365 access to the Self-Service site from intranet computers as well as via the Internet from the most common browsers. The solution supports flexible access modes and logon options.
- Strong data encryption and secure communication. The solution relies on industry-leading technologies for enhanced communication security and data encryption.
- Web interface for help desk service. Password Self-Service features a Help Desk site which allows administrators to delegate help desk tasks to dedicated operators. These tasks include resetting user passwords, managing users' Questions and Answers profiles, and assigning temporary passcodes to users.
- x64 version of Password Policy Manager. An x64 version of the Password Policy Manager module has been designed for use on domain controllers running an x64 Microsoft Windows Server operating system.
- E-mail event notifications. Administrators can configure event notifications which are sent by e-mail to designated personnel when specified events occur.
- Seamless OS integration. ScriptLogic Password Self-Service relies on intrinsic security databases only and is capable of managing domains across trust boundaries (no trust relationship required).
- Powerful password policies. ScriptLogic Password Self-Service ensures that only passwords that meet administrator-defined policies are accepted. Unsuccessful authentication attempts are logged and the corresponding accounts are locked if necessary.
- Granular policy enforcement. Password policies are applied on a per-group or per-OU basis.
- Questions and Answers authentication mechanism. To reset passwords or unlock accounts, users are prompted to answer a series of questions for which users provide their secret answers when registering with ScriptLogic Password Self-Service.
- Enhanced user name search options. Users can be allowed to view their account attributes, such as user logon name, first name, display name, and SMTP address, when searching for their forgotten user names. A more specific search query returns the most relevant search results.
- Fault tolerance and scalability. ScriptLogic Password Self-Service is designed to work with network load balancing clusters and in a Web farm environment.

DIFFERENT SITES FOR DIFFERENT ROLES

The Web Interface allows multiple Web sites to be installed with individual, customizable configurations. The following is a list of configuration templates that are available out of the box.
- Administration Site is for individuals who are responsible for implementing password self-management through performing administrative tasks, such as configuring site-specific settings and enforcing password policies, to suit the specific needs of their organization.
- Help Desk Site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles.
- Self-Service Site provides users with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators and reducing helpdesk workload.
Administration Site

CHECKLIST: CONFIGURING PASSWORD SELF-SERVICE

When you have installed Password Self-Service, follow this checklist to configure the solution to implement automated and secure password management in an Active Directory domain.

Step and Reference

1. It is strongly recommended that you enable HTTPS on the server where Password Self-Service is installed.
   Reference: See Enabling HTTPS
2. Prepare the account under which Password Self-Service will access the managed domain.
   Reference: See Configuring Permissions to Access a Managed Domain
3. Register the managed domain with Password Self-Service.
   Reference: See Adding a Managed Domain
4. Create language-specific question lists, and configure the Questions and Answers Policy if required.
   Reference: See Managing Questions and Answers Profiles
5. If you want to provide access to the Self-Service site from the Windows logon screen, install the Secure Password Extension.
   Reference: See Configuring Access to Self-Service Site
6. Configure settings that apply to all domains managed with Password Self-Service (such as site-specific defaults, notification settings, and profile update policy).
   Reference: See Specifying Global Settings
7. Grant the access permissions for the Help Desk site to help desk operators. You can also delegate access for the Administrative site to trusted Password Self-Service administrators.
   Reference: See Delegating Help Desk and Administrative Tasks
8. Ensure that the screen resolution on client-side computers used to access the Web sites of Password Self-Service is set to a minimum of 800x600 pixels. The recommended screen resolution is 1024x768 pixels.
9. Ensure that all Password Self-Service users have JavaScript enabled in Microsoft Internet Explorer settings.
10. Ensure that the users know the Self-Service site URL and can access the site to register and perform password self-management tasks.
    Reference: See Configuring Access to Self-Service Site
11. If required, configure options for user registration notification and enforcement by specifying a registration schedule and enabling registration notification.
    Reference: See Configuring Registration Notification and Enforcement
12. To allow users to access the Self-Service site, explicitly specify the groups which are granted access to the Self-Service site. By default, no managed domain user can access the Self-Service site.
13. If you want to use Password Self-Service to enforce password policies, first install Password Policy Manager (PPM) on all domain controllers in the domain. Then, create password policies and configure password policy rules.
    Reference: See Installing Password Policy Manager, See Creating and Configuring a Password Policy, See Configuring Password Policy Rules

SPECIFYING GLOBAL SETTINGS

This section outlines the procedures required to configure site-specific settings that affect users and helpdesk operators in all domains registered with Password Self-Service.

Enabling HTTPS

We strongly recommend that you use HTTPS with ScriptLogic Password Self-Service. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web.

To enable HTTPS for your Web server you may need to obtain a Server Certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at

Configuring Self-Service Site Settings

You can customize the behavior of the Self-Service site by specifying what password management tasks are allowed to users and configuring user notification.

Configuring Security Settings

By configuring the security settings, you define whether you want to let users do the following:
- Hide their security answers on the screen.
- See the domain name on the Self-Service site pages.
- See which of the personal questions users have answered incorrectly when authenticating.
To configure security settings for the Self-Service site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then click the Self-Service Site tab.
3. Under Security settings, configure the following options as required:

   Option: Description
   Hide users' answers by default: Select this check box to have Password Self-Service display users' security answers as asterisks while they are typing in their answers.
   Allow users to hide their answers: Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks.
   Prevent users from seeing whether questions are answered correctly: Select this check box to prevent users from seeing to which of their private questions they have provided incorrect answers when performing password self-management tasks using the Self-Service site.
   Hide tools not available for user: Select this check box to prevent users from seeing the tools which are not available for them.
   Use a security CAPTCHA image to prevent bot attacks: Select this check box to have the Self-Service site display a picture with characters and require the user to enter the characters on the picture. This feature provides enhanced protection against automated attacks.
   Domain display options: Use this section to specify whether the Self-Service site should show the managed domain name to the user. If you select the Show domain list option, the Self-Service site user will be able to see the list of the managed domains registered with Password Self-Service. Select the Hide domain list option to prevent users from seeing the list of domains.
   Users must agree that Password Self-Service will store their personal information: Depending on the legislation requirements, organizations may be required to explicitly obtain users' consent to store their personal information which is available in the Questions and Answers profile. Select this check box to have the Self-Service site ask users to agree that Password Self-Service will store their personal information.

4. Click Save.

Configuring Allowed Self-Service Site Tasks

You can granularly configure the set of tasks available to Password Self-Service end users on the Self-Service site.

To configure the tasks available for the Self-Service site users:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then click the Self-Service Site tab.
3. Click Allowed self-service tasks to expand this section, and then configure the following options as required:

   Option: Description
   Allow users to register with Password Self-Service: Select this check box to allow users to register with Password Self-Service by using the Self-Service site.
   Allow users to unlock their accounts: Select this check box to allow users to unlock their domain accounts by using the Self-Service site.
   Allow users to reset their passwords: Select this check box to allow users to reset passwords for their domain accounts by using the Self-Service site.
   Allow users to change their passwords: Select this check box to allow users to manage passwords for their accounts in managed domains, and in connected data sources, by using the Self-Service site.
   Allow users to change Q&A profile: Select this check box to allow users to manage Questions and Answers profiles for their accounts in managed domains by using the Self-Service site.
   Allow users to change their alert settings: Select this check box to allow users to specify events upon which they want to receive alerts.
   Allow users to use passcode: Select this check box to allow users to use a passcode for creating a Questions and Answers profile.

4. Click Save.

Configuring Account Search Options

To configure account search options:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then click the Self-Service Site tab.
3. Click Account search options to expand this section, and then configure the following options as required:

   Event: Description
   Allow users to locate their accounts: Select the check box to allow users to perform account search by using the Locate Account functionality of the Self-Service site. By selecting this option, you can specify the number of user accounts that are displayed in search results. To do this, specify the required number in the "Number of users to display in search results in the Locate Account page" field.
   User properties to display in search results: Select check boxes next to the user account attributes that you want users to view in search results. You can select any of the following attributes:
   - First name
   - Initials
   - Last name
   - Display name
   - Name
   - Full name
   - User logon name

4. Click Save.
Configuring User Notification

You can configure a list of events upon which you want all registered users to receive e-mail notifications. For each of the events below, you can specify whether users may decide for themselves if they want to receive a specific notification or not.
- User's Q&A profile is updated
- User's Alert settings are updated
- User's account is unlocked
- User's password is reset
- User's password is changed
- User's Q&A profile requires update
- User's Q&A profile is locked
- User's password is expired

To configure user notification

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. Ensure that you have configured the outgoing mail server settings. To specify the SMTP server settings, use the procedure outlined in Configuring Outgoing Mail Servers Settings.
3. On the menu bar, click Settings, and then click the Self-Service Site tab.
4. Click User notification settings to expand this area.
5. Specify events upon which you want users to receive notifications, and whether you want users to be able to change your settings for each of the events, by doing the following:
   a. Click the link next to a notification event, and then select one of the following options:

      Option: Description
      Disabled. Users can change this setting.: Select this option to disable user notification for the relevant event while allowing users to override this setting on a per-user basis.
      Enabled. Users can change this setting.: Select this option to have users notified about the relevant event, and allow users to override this setting on a per-user basis.
      Permanently disabled.: Select this option to disable user notification for the relevant event, and prevent users from changing this setting.
      Permanently enabled.: Select this option to enable user notification for the relevant event, and prevent users from changing this setting.
   b. Under Days to notify a user before their password expires, optionally set the number of days during which you want users to receive password expiration notifications before their passwords expire.
6. Click Save.

Note: If you enable the password expiration notification, then Password Self-Service will send password expiration notifications only to those users from all managed domains who have registered with Password Self-Service by creating their personal Questions and Answers profiles.

Configuring Help Desk Site Settings

You can define what password management tasks the help desk operators are allowed or required to perform. The settings described in this section are applied throughout all Active Directory domains managed by Password Self-Service.

To specify settings for the Help Desk site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then select the Help Desk Site tab.
3. In the Allow helpdesk operators to section, configure the following options as required:

   Option: Description
   verify user identity: Select this option to allow helpdesk operators to verify user identity by using the Help Desk site.
   assign passcodes: Select Yes to allow helpdesk operators to assign temporary passcodes for users who forgot their passwords while not being registered with Password Self-Service. Then, below this option you can specify the Passcode lifetime in minutes value, i.e. the period within which the passcode is valid.
   reset user passwords: Select this option to allow helpdesk operators to reset user passwords by using the Help Desk site. Select the only after user identity verification option to force helpdesk operators to check user identity before resetting a user's password.
   unlock user accounts: Select this option to allow helpdesk operators to unlock user accounts by using the Help Desk site. Select the only after user identity verification option to force helpdesk operators to check user identity before unlocking a user account.
   require users to update their Q&A profiles: Select this option to allow helpdesk operators to invalidate users' Questions and Answers profiles and to set a deadline for a user to update their Q&A profile.
   Passcode lifetime, in minutes: Specify how long a passcode issued by helpdesk operators to users is valid for users to create their Questions and Answers profile.
   unlock users' Q&A profiles: Select this option to allow helpdesk operators to unlock users' Questions and Answers profiles that are locked as a result of a sequence of failed attempts to provide the correct answers.
4. Configure the following options as required:

   Option: Description
   Helpdesk operators must verify user identity by: Defines that helpdesk operators must verify a user's identity before resetting the user's password, or unlocking their account. To configure this option, select how you want operators to authenticate users:
   - Answer to randomly selected mandatory question (user's answer is hidden). In this mode, the operator will ask a user for their complete answer to one of the mandatory questions specified in the user's Q&A profile.
   - Answer to authentication question (user's answer is hidden). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and enter the answers on the identity verification page.
   - Answer to authentication question (user's answer is visible). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and then compare them to the answers displayed on the identity verification page.
   - Random characters of an answer to authentication question. In this mode, the operator will ask a user to tell the specified number of characters in the user's answers to the Help Desk authentication questions, and then type in those characters in the appropriate positions on the identity verification page.
   Allow helpdesk operators to require users to change their passwords at next logon: Select this option to allow helpdesk operators to force users to change their passwords at next logon.

5. Click Save.

Configuring Outgoing Mail Servers Settings

You can configure one or more outgoing mail servers. If there are several servers, Password Self-Service will first attempt to use the top one in the list.

To add outgoing mail servers (SMTP)

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then click the Notifications tab.
3. Select the Enable notifications option.
4. In the Mail Servers area, click Add.
5. On the Add SMTP Server page, configure the following options:

   Option: Description
   Server name: Type the SMTP server name. If the SMTP server uses a port other than the default SMTP port 25, you may specify the port using the following format: <server name>:<port number>, where <server name> is the server name and <port number> is the port number used for SMTP communication.
   Sender address: Type the sender's user name.
   This server requires authentication: Select if the SMTP server requires authentication.
   User Name: Type the user name under which Password Self-Service will access the SMTP server.
   Password: Type the password for this account.
   Confirm password: Re-type the password.
   The server requires an encrypted connection (SSL): Select if the SMTP server requires an encrypted connection (SSL).

6. Click Add.
7. Follow steps 4-5 to add any additional SMTP servers.
8. Use the Move Up and Move Down buttons to change the order of the SMTP servers in the list. The order of the servers in the list specifies how Password Self-Service uses the servers to send notification mail messages. Password Self-Service will first attempt to use the servers at the top of the list.

To remove a server from the list of outgoing SMTP mail servers

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then click the Notifications tab.
3. In the Mail Servers area, select one or more SMTP servers to delete and click Remove.
Configuring Alerts and Recipients

You can configure Password Self-Service to send alert notifications to the specified administrators when the following actions are completed successfully or fail:
- Users change their Questions and Answers profiles
- Users unlock their accounts
- Users reset their passwords
- Users change their passwords
- Users' Questions and Answers profiles are locked
- Users change their personal alert settings
To specify alerts and recipients

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. Ensure that you have configured the outgoing mail (SMTP) server settings.
3. You can configure the SMTP server settings by using the procedure outlined in Configuring Outgoing Mail Servers Settings.
4. On the menu bar, click Settings, and then click the Notifications tab.
5. In the Recipients section, click Add and specify the e-mail address of the administrator you want to receive notifications.
6. Verify the changes you have made by selecting one or more recipients and sending a test message.
7. In the Events section, configure the following options:

   Option: Description
   Q&A Profile created: Select to notify when a user has created and/or failed to create their personal alert settings.
   Q&A Profile changed: Select to notify when a user has changed and/or failed to change their personal alert settings.
   Account unlocked: Select to send notifications when a user has unlocked and/or failed to unlock their account.
   Password reset: Select to send alerts when a user has reset and/or failed to reset their password.
   Password changed: Select to send alerts when a user has changed and/or failed to change their password.
   Q&A profile locked: Select to send alerts when a user's Questions and Answers profile has become locked and/or has failed to lock.
   Preferred language: Select and then choose your preferred language for notifications from the drop-down list below.

8. Click Save.

Customizing Templates for the Notifications Distributed by Password Self-Service

You can customize the notification messages distributed by Password Self-Service to meet specific requirements in your organization. The notifications are sent either in plain text or as HTML. If you select HTML, you can enhance the notifications by using HTML tags to add custom text formatting, hyperlinks, etc.

To modify the notifications:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the menu bar, click Settings, and then select the Templates tab.
3. In the Select language drop-down box, select the language for which you want to customize the notification templates.
4. In the Events column, click the event group you want to customize.
5. In the Template column, edit the subject and the body of notification templates as required. When editing the notification templates, you can use the following parameters:

   Parameter: Description
   %1: DNS domain name for managed domain.
   %2: User name (sAMAccountName).
   %3: Error message.
   %4: Error code (HResult).
   %5: Reserved for internal use.
   %6: User IP address.
   %7: Current date in a user readable form.
   %8: Number of days until the deadline.
   %9: User display name.
   %10: User name of the Help Desk operator in the following format: <domain name>\<user name>.

6. In the Message format box, select the format to use for the notifications. You can select from two options: either HTML or Plain Text. If you select HTML as the message format, you can add HTML markup tags to the templates to customize the notifications.
7. Click Save.

Selecting the Languages for Invitation Notification

You can specify one or more languages to use in the e-mail messages which invite users to register with Password Self-Service. If you select multiple languages, the invitation message will include several copies of the invitation, one copy for each of the selected languages.

To select the language(s) to use in invitation notification:

1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create the language list, and then click the General tab.
3. On the General tab, in the User registration schedule section, click Specify notification language(s).
4. On the List of Languages for Invitation Notification page, click Add.
5. In the Add Language(s) window, select one or more languages to use in the invitation notification message and click Add.
6. By clicking the Move Up and Move Down buttons, specify the order of the languages in the invitation message. The first language in the list will be used for the message subject.
7. Click Save.

Configuring Profile Update Policy

You can specify when users must update their Q&A profiles. For example, you can require users to update their Q&A profiles if the question list has been changed. The policy affects all users managed by the Password Self-Service instance.

To configure profile update policy

1. On the menu bar, click Settings, and then click the Profile Update Policy tab.
2. Configure the following options:

Question list or Q&A policy has changed since Q&A profile creation - Select to have users update their Q&A profiles if the question list or the Q&A policy was modified, provided that users had already created or updated their Questions and Answers profile.

The question user answered to register was modified or deleted - Select to have users update their Q&A profiles if one or more questions which users answered to register was modified or deleted.

User's Q&A profile contains fewer questions than required for registration - Select to have users update their Q&A profiles if you have added one or more questions required for registration, thus making the list of such questions longer than it was before users' profiles were last updated.

User's Q&A profile contains fewer questions than required for password reset - Select to have users update their Q&A profiles if you have added one or more questions required to reset password, thus making the list of such questions longer than it was before the users' profiles were last updated.

User's Q&A profile contains fewer questions than required for unlocking account - Select to have users update their Q&A profiles if you have added one or more questions required to unlock account, thus making the list of such questions longer than it was before users' profiles were last updated.

User's answers are shorter than required - Select to have users update their Q&A profiles if any of users' answers contain fewer characters than the current settings require.

User-defined questions are shorter than required - Select to have users update their Q&A profiles if any of the user-defined questions contain fewer characters than the current settings require.

User has specified the same answer for several questions - Select to have users update their Q&A profiles if they contain the same answer for different questions if the current settings specify the opposite.

User specified an answer which is a part of the corresponding question - Select to have users update their Q&A profiles if they contain answers that are parts of the corresponding question if the current settings specify the opposite. Enabling this option will affect only those users whose answers are stored using reversible encryption.

User's answers are stored using reversible encryption - Select to have users update their Q&A profiles if users' answers are stored without reversible encryption if the current settings specify the opposite.

Question list was made unavailable to users since Q&A profile creation - Select to have users update their Q&A profiles if a question list which they used when registering was made unavailable to users.

3. Click Save.

Users whose Q&A profiles were marked as noncompliant can still use their profiles to reset passwords and unlock accounts, but they will start receiving alerts saying that Q&A profiles must be updated according to the current password management settings.

CONFIGURING ACCESS TO SELF-SERVICE SITE FROM WINDOWS LOGON SCREEN

It is very common for business users to forget their password and be unable to log on to the system. Password Self-Service allows users to securely and conveniently reset their forgotten network passwords, or manage their passwords in multiple enterprise systems, before even logging on to the system. To enable users' access to the Self-Service site from the Windows logon screen, Password Self-Service implements Secure Password Extension.

Introducing Secure Password Extension

The ScriptLogic Secure Password Extension is an application that provides one-click access to the complete functionality of the Self-Service site from the Windows logon screen. The Secure Password Extension also displays dialog boxes on end-user computers; these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Self-Service.

The Secure Password Extension is included on the installation CD and is deployed through Group Policy. For information on how to deploy and configure the Secure Password Extension on end-user workstations in the managed domain, see Deploying and Configuring Secure Password Extension.
The Secure Password Extension supports the authentication model in Windows Vista and Windows 7, and has been tested for compatibility with GINAs (Graphical Identification and Authentication DLLs) of the following systems:

- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
- Novell Client 4.9 for Windows NT/2000/XP and Windows 95/98
- Identix BioLogon 3
- IBM ThinkVantage Access Connections 3.81
- Citrix MetaFrame Presentation Server 4.0
- HP ProtectTools
In pre-Windows Vista operating systems, such as Microsoft Windows 2000 or XP, the Secure Password Extension uses the GINA-based authentication model, and adds the Forgot My Password and the Manage My Password buttons on the Windows logon screen. On workstations running Microsoft Windows 7, the Secure Password Extension adds the Forgot My Password link to the Windows logon screen. By clicking these buttons and the link, users open the Self-Service site.

When running under Microsoft Windows Vista, the behavior of Secure Password Extension is considerably different as compared to pre-Windows Vista operating systems. The Secure Password Extension functionality is also subject to several limitations:

- You cannot enforce user registration by using the Secure Password Extension. For more information, see Configuring Registration Notification and Enforcement.
- You can access the Self-Service site only after you click the Switch User button on the Windows Vista Welcome screen.

When users connect to the Self-Service site from the Windows logon screen, anonymous access is enabled and the functionality of Microsoft Internet Explorer is restricted, thereby preventing the actions that may pose a security threat. Once users open the Self-Service site home page from the Windows logon screen, they cannot access any other Web site, or open a new browser window or a context menu.

Deploying and Configuring Secure Password Extension

This section describes the prerequisites and steps for deploying and configuring ScriptLogic Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. The Secure Password Extension also displays dialog boxes on end-user computers; these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Self-Service.

The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension for installing on the destination computers. The Secure Password Extension is then installed on computers to which the GPO applies.

Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:

ScriptLogic Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-Windows Vista, Windows Vista, and Windows 7 operating systems.
ScriptLogic Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.
You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy.

The prm_gina.adm administrative template file is located in the \Password Self-Service\Setup\Administrative Template\ folder of the installation CD. Before using the file, copy it from the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller.

Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.

To deploy and configure the Secure Password Extension

1. Copy the required installation package (Secure Password Extension x86.msi or Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The MSI packages are located in the \Password Self-Service\Setup\ folder of the installation CD.
2. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension.
3. Open the GPO in the Group Policy Object Editor, and then do the following:
   a. Expand Computer Configuration/Software Settings, right-click Software installation, and then select New Package.
   b. Browse for the MSI package you have copied in step 2, and then click Open.
   c. In the Deploy Software window, select a deployment method and click OK.
   d. Verify and configure the properties of the installation, if needed.
4. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group Policy.
Self-Service Site Location and Service Connection Points

To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password links on the Windows logon screen, you do not need to configure the URL path that points to a specific server where the Self-Service site is deployed, because Secure Password Extension automatically locates the nearest Self-Service site.

Secure Password Extension locates the Self-Service site using the service connection points mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Self-Service instances in Active Directory.
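Because the logon-screen client follows whatever location is published in these service connection points, it is worth reviewing them periodically. The following audit script is an added example, not part of the product or of the original guide: it lists every serviceConnectionPoint object under the domain's System container and flags bindings that are not HTTPS or not on an approved server list. The host names in $ApprovedHosts are constructed placeholders, and the script assumes the published serviceBindingInformation value is the Self-Service site URL, which the guide does not state; service connection points belonging to other software will appear in the report as well.

```powershell
# Added example (not vendor code): audit service connection points in the System container.
param(
    # Hypothetical allow-list: replace with the servers that host your Self-Service site.
    [string[]]$ApprovedHosts = @('pss01.example.com', 'pss02.example.com')
)

function Test-PublishedLocation {
    # Classifies one serviceBindingInformation string.
    param([string]$Binding, [string[]]$ApprovedHosts)
    $uri = $null
    if (-not [Uri]::TryCreate($Binding, [UriKind]::Absolute, [ref]$uri)) { return 'NotAUrl' }
    if ($uri.Scheme -ne 'https')               { return 'NotHttps' }
    if ($ApprovedHosts -notcontains $uri.Host) { return 'UnexpectedHost' }
    return 'OK'
}

# Resolve the current domain and search the whole System container subtree
# (this also covers the Group Policy containers below it).
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = "$($rootDse.defaultNamingContext)"

$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainDn"
$searcher.Filter     = '(objectClass=serviceConnectionPoint)'
$searcher.PageSize   = 500
foreach ($attr in 'distinguishedName', 'displayName', 'keywords',
                  'serviceBindingInformation', 'whenChanged') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$report = foreach ($entry in $searcher.FindAll()) {
    $p = $entry.Properties   # property names are lower-case in search results

    # An object may carry zero, one or several binding strings.
    $bindings = @($p['servicebindinginformation'] | Where-Object { $_ })
    if ($bindings.Count -eq 0) { $bindings = @('') }

    foreach ($binding in $bindings) {
        if ($binding) {
            $status = Test-PublishedLocation -Binding $binding -ApprovedHosts $ApprovedHosts
        }
        else {
            $status = 'NoBinding'
        }
        [pscustomobject]@{
            Status            = $status
            Binding           = $binding
            DisplayName       = "$($p['displayname'])"
            Keywords          = @($p['keywords']) -join ';'
            WhenChanged       = "$($p['whenchanged'])"
            DistinguishedName = "$($p['distinguishedname'])"
        }
    }
}

# Entries that need a second look come first in the output.
$report | Sort-Object @{ Expression = { $_.Status -eq 'OK' } }, DistinguishedName
```

A WhenChanged value that does not line up with the publisher task's regular updates, or a binding that resolves to a server outside the realm, is the kind of row to follow up on.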
When an instance of Password Self-Service is installed, Password Self-Service publishes its service connection points in Active Directory. Password Self-Service regularly updates its service connection points using the ScriptLogic Password Self-Service Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Self-Service instance.

Password Self-Service Realm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Self-Service instances when locating the Self-Service site. You can force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service realm. A Password Self-Service realm is one or more Password Self-Service instances sharing common configuration and the same encryption key. Normally, you add a member to a Password Self-Service realm by installing a new Password Self-Service instance using the A replica of an existing instance option.

To force Secure Password Extension to use only Password Self-Service from a specific realm, you must set the Secure Password Extension affinity for that realm.

To set Secure Password Extension affinity for a Password Self-Service realm:

1. Open the Administration site of the Password Self-Service instance that belongs to the target realm.
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain to which the computer running the Secure Password Extension instance you want to bind belongs.
3. On the General tab, select the contents of the Password Self-Service Realm Affinity ID box, right-click the selection and select Copy.
4. Open Administrative Tools (located at Start Menu > Settings > Control Panel).
5. Open Active Directory Users and Computers.
6. Right-click the managed domain name on the left pane and select Properties.
7. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.
8. Expand Default Domain Policy > Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add/Remove Templates.
9. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
10. Click Close to close the Add/Remove Templates dialog box.
11. Select the Administrative Templates node, and then double-click the ScriptLogic Password Self-Service template on the right pane.
12. Click Generic Settings in the left pane.
13. In the right pane, double-click Password Self-Service Realm Affinity.
14. Select the Enabled option on the Settings tab, and then right-click the Realm Affinity ID text box and select Paste.
15. Click OK.
16. Apply the updated policy to the computers in the managed domain.

Note: Application of the updated policy to the computers in the managed domain may take some time to complete.

Overriding Automatic Self-Service Site Location

In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Self-Service connection points published in Active Directory. If you need to override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must explicitly specify the URL path and override the default behavior of Secure Password Extension by following the steps below.

To override automatic Self-Service site location:

1. Open Administrative Tools (located at Start Menu > Settings > Control Panel).
2. Open Active Directory Users and Computers.
3. Right-click the managed domain name on the left pane and select Properties.
4. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.
5. Expand Default Domain Policy > Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add/Remove Templates.
6. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
7. Click Close to close the Add/Remove Templates dialog box.
8. Select the Administrative Templates node, then double-click the ScriptLogic Password Self-Service template on the right pane.
9. Double-click Generic Settings.
10. Double-click Specify URL to the Self-Service site.
11. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY_NAME is a virtual directory name that was configured during ScriptLogic Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don't use HTTPS.
Note: It is strongly recommended that you enable HTTPS on the Password Self-Service server.

12. Click OK.
13. Double-click Override URL path to Self-Service site.
14. Select the Enabled option on the Settings tab.
15. Click OK.
16. Apply the updated policy to the computers in the managed domain.

Note: Application of the updated policy to the computers in the managed domain may take some time to complete.

Customizing the Logo for Secure Password Extension

For pre-Windows Vista operating systems, you can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. The image must be a 417-by-58-pixel .bmp file.

To deploy a custom logo for Secure Password Extension on end-user computers

1. Create a startup script to deploy your logo image. See a sample script below this procedure.
2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.
3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
4. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Password Self-Service.
5. Under ScriptLogic Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers. The local path you specify in these policy settings must be the same as in the startup script specified later in this section.
6. Expand Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.
7. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.
8. Click OK.
The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder:

    @echo off
    rem "SPE startup script"
    rem *Check target directory existence (the same folder that md creates and copy targets)*
    if exist "c:\program Files\ScriptLogic Corporation\ScriptLogic Secure Password Extension" goto :COPY_FILE
    md "c:\program Files\ScriptLogic Corporation\ScriptLogic Secure Password Extension"
    rem *Copy BMP image - %1 is the image file name passed as the script parameter*
    :COPY_FILE
    copy [SharedDir]%1 "c:\program Files\ScriptLogic Corporation\ScriptLogic Secure Password Extension\*.*"
    rem pause
    :out
    Exit

Note: [SharedDir] is a shared domain directory that must be available during boot. The script lines containing target path should be typed as a single line. The lines are wrapped in this article only for readability purposes. You can modify the sample target path in the script as you need.

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of Secure Password Extension window on end-user computers

1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
2. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Password Self-Service.
3. Under ScriptLogic Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.
4. Click OK.
Managing Secure Password Extension Using Administrative Templates

The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.

The Administrative Template layout includes the following folders:

Generic Settings - includes policy settings that can be applied to computers running pre-Vista, Windows Vista, and Windows 7 Microsoft operating systems.
Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Vista operating systems.

Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension.

Generic Settings

Specify URL path to the Self-Service site - This policy lets you specify the link for access to the Self-Service site from the Windows logon screen. This link is opened when users click the Forgot My Password or Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Forgot My Password command link in Windows Vista and Windows 7 operating systems. Use the following URL path format: where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY is a virtual directory name that was configured during ScriptLogic Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don't use HTTPS.

Override URL path to Self-Service site - By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the Specify URL path to the Self-Service site setting.

Password Self-Service Realm Affinity - This policy setting lets you force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service realm.

Maximum number of attempts to connect to the Self-Service site - This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5.

Force HTTPS - This policy setting lets you enforce HTTPS for connections with the Self-Service site established using the Secure Password Extension.
Proxy Settings

Enable proxy server access - This policy setting determines whether connections to the Self-Service site from the Windows logon screen are established through the specified proxy server.

Configure required proxy settings - Specifies the settings required to enable proxy server access to the Self-Service site from the Windows logon screen.

Configure optional proxy settings - Specifies optional settings for the proxy server access.

Shortcut Policies

Restore desktop shortcuts for the Self-Service site - This policy setting lets you define whether the desktop shortcut to the Self-Service site on a user's computer should be re-created by the Secure Password Extension if the user deletes the desktop shortcut.

Do not create desktop shortcuts for the Self-Service site - This policy setting lets you define whether the desktop shortcuts to the Self-Service site on users' computers should not be created by the Secure Password Extension.

Do not create any shortcuts for the Self-Service site - This policy setting lets you define whether any shortcuts to the Self-Service site on users' computers (on the desktop and in the Start menu) should not be created by the Secure Password Extension.

Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title - This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Set custom name for the Secure Password Extension window title in <Language> - This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyph's width. The URL length must not exceed 256 characters.

Usage Policy Settings

Display the usage policy button (command link) - Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy button on pre-Windows Vista operating systems, and the usage policy command link on Windows Vista and Windows 7 operating systems, are displayed on the Windows logon screen, and are intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end-users.

Set default URL - This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file.
Set name and URL for the usage policy button (command link) in <Language> - This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyph's width. The URL length must not exceed 256 characters.

Forgot My Password Settings

Display custom names for the Forgot My Password button (command link) - This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button and command link with the names that you specify for the required logon languages. The Forgot My Password button (command link) is intended to open the Self-Service site from the Windows logon screen. On pre-Windows Vista operating systems, the Forgot My Password button is displayed if you are already logged on to the system. On Windows Vista and Windows 7 operating systems, the command link is displayed on the Windows logon screen, irrespective of whether the user is logged on to the system or not.

Set custom name for the Forgot My Password button (command link) in <Language> - This group of policy settings allows you to specify names of the Forgot My Password button (command link) individually for each of the required logon languages. Thirty-six language-specific policy settings are available.

Notifications Customization

Notification recurrence interval - If the registration notification is turned on, users will be notified of the necessity to register with Password Self-Service through a dialog box displayed on the desktop screen. This setting lets you specify how often you want registration notifications to be displayed on the desktop of user computers where the Secure Password Extension is running.

Set background image for registration notification dialog box - This policy setting allows you to change the default background by specifying an image that will be used as a new background.

Enable customization of registration notifications - This policy setting allows you to define whether you want to replace the default text on language-specific registration notification dialog boxes with your custom text.

Registration Notifications

Customize registration notification in <Language> - This group of policy settings allows you to customize texts in notification dialog boxes individually for each of the required logon languages. 36 language-specific policy settings are available.

Q&A profile update notifications

Customize Q&A profile update notification in <Language> - This group of policy settings allows you to customize notifications that request users to update their Q&A profiles individually for each of the required logon languages. 36 language-specific policy settings are available.
Pre-Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

Registration and Q&A profile update enforcement

Enforce registration and Q&A profile update - This policy setting allows you to specify whether to force users to register with Password Self-Service or update their invalid Q&A profiles before they log on to their computers. If you enable this policy and select the "Prevent users from logging on after deadline" check box in the Setting tab of the Properties window, users will be denied logging on to their computers after the deadline until they create or update their Q&A profiles as required.

Secure Password Extension Logo

Set dialog background image - This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen.

Secure Password Extension Window Settings

Set the Secure Password Extension Window Position - This policy setting lets you specify the position of the Secure Password window on the Windows logon screen of user computers.

Manage My Password Settings

Display custom names for the Manage My Password button - This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button with the names that you specify for the required logon languages. The Manage My Password button is intended to open the Self-Service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are logged on to the system.

Set custom name of the Manage My Password button in <Language> - This group of policy settings allows you to specify the name of the Manage My Password button individually for each of the required logon languages. Thirty-six language-specific policy settings are available.
Uninstalling Secure Password Extension

You uninstall the Secure Password Extension from end-user computers by removing the appropriate installation packages assigned through Group Policy. Uninstalling the Secure Password Extension makes the Self-Service site no longer available from the Windows logon screen.

To remove an assigned .msi package

1. Start the Group Policy Management snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, click the group policy object with which you deployed the package, and then click Edit.
3. Expand the Software Settings container that contains the Software installation item with which you deployed the package.
4. Click the Software installation container that contains the package.
5. In the right pane of the Group Policy window, right-click the package name, point to All Tasks, and then click Remove.
6. Click Immediately uninstall the software from users and computers, and then click OK.
7. Quit the Group Policy Object Editor snap-in, and then quit the Group Policy Management snap-in.

Troubleshooting Secure Password Extension

If the user logon interface DLL prm_gina.dll fails to load at system startup, users will encounter the following system message: "The logon user interface DLL 'prm_gina.dll' failed to load. Contact your system administrator to replace the DLL, or restore the original DLL."

This problem may occur when the prm_gina.dll file on the local computer is corrupt or missing. To resolve this behavior, follow these steps:

1. Run Windows in safe mode.
2. In the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, replace the GinaDLL value data with the Original value data from the HKEY_LOCAL_MACHINE\SOFTWARE\ScriptLogic Corporation\PRM key, if the latter exists.
   OR
   If the HKEY_LOCAL_MACHINE\SOFTWARE\ScriptLogic Corporation\PRM key does not exist, then delete the GinaDLL value from the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
3. Restart the computer in normal mode.
4. Uninstall Secure Password Extension, and then install it by running the appropriate .msi package on the local computer.
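Step 2 of the procedure above can be scripted so that the value loaded into the logon path is recorded before and after the change. The script below is an added example, not vendor code: it assumes Windows PowerShell 2.0 or later is available on the affected computer and that it is run from an elevated prompt in safe mode. Stopping when the PRM key exists but holds no Original value is a choice made for this example, because the guide does not cover that case.

```powershell
# Added example (not vendor code): restore the Winlogon GINA setting as in step 2 above.
# Use -WhatIf to preview the change without writing to the registry.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PrmKey      = 'HKLM:\SOFTWARE\ScriptLogic Corporation\PRM'

function Get-RegistryValue {
    # Returns the value data, or $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

$current = Get-RegistryValue -Path $WinlogonKey -Name 'GinaDLL'
if ($null -eq $current) {
    Write-Output 'GinaDLL is not set: Winlogon loads the default GINA. Nothing to restore.'
    return
}
Write-Output "GinaDLL currently points to: $current"

# Keep a copy of the Winlogon key before changing it. The file name is
# timestamped so that reg.exe never has to prompt about overwriting a file.
$backup = Join-Path $env:TEMP ('winlogon-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup of the Winlogon key failed; no changes were made.' }
Write-Output "Winlogon key exported to: $backup"

if (Test-Path -LiteralPath $PrmKey) {
    # First branch of step 2: put back the GINA that was registered before installation.
    $original = Get-RegistryValue -Path $PrmKey -Name 'Original'
    if ([string]::IsNullOrEmpty($original)) {
        # Not covered by the guide: stop rather than guess.
        Write-Warning "The PRM key exists but has no 'Original' value data. GinaDLL left unchanged."
        return
    }
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set GinaDLL to '$original'")) {
        Set-ItemProperty -LiteralPath $WinlogonKey -Name 'GinaDLL' -Value $original
    }
}
else {
    # Second branch of step 2: no PRM key, so remove the GinaDLL value.
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Delete the GinaDLL value')) {
        Remove-ItemProperty -LiteralPath $WinlogonKey -Name 'GinaDLL'
    }
}

$after = Get-RegistryValue -Path $WinlogonKey -Name 'GinaDLL'
if ($null -eq $after) { $after = '<not set>' }
Write-Output "GinaDLL after the change: $after"
```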
MANAGING DOMAINS

This section describes how to configure Password Self-Service managed domains. A managed domain is a domain managed by Password Self-Service. To start using Password Self-Service, you must add one or more managed domains.

Configuring Permissions to Access a Managed Domain

When adding a managed domain, you must specify an account under which Password Self-Service will access the domain. Before adding a managed domain, ensure that this account has the following minimum set of permissions required to successfully perform password management tasks in the domain:

- Membership in the Domain Users group
- The Read permission for all attributes of user objects
- The Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
- The right to reset user passwords
- The Write permission to create user accounts in the Users container
- The Read permission for attributes of the organizationalUnit object and domain objects
- The Write permission for the gPLink attribute of the organizationalUnit objects and domain objects
- The Read permission for attributes of the groupPolicyContainer objects
- The Write permission to create and delete the groupPolicyContainer objects in the System Policies container
- The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects
- The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
- The permission to create container objects in the System container
- The permission to create the serviceConnectionPoint objects in the System container
- The permission to delete the serviceConnectionPoint objects in the System container
- The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
Note: It is advisable to use the Password Self-Service account to add managed domains and manage domain-specific data.

When you add a managed domain by using the Administration site, Password Self-Service creates a Configuration Storage Account with the name '_DAPSS_svc_usr1' in the 'Users' container of the managed domain. Password Self-Service uses this account to store its configuration data. If you configure other Password Self-Service instances to manage the same domain, those instances will create Configuration Storage Accounts with names '_DAPSS_svc_usr2', '_DAPSS_svc_usr3', and so on, and use the corresponding accounts to store their configuration data.

Adding a Managed Domain

To manage a domain with Password Self-Service, you must add the domain to the managed domains. A managed domain is a domain managed by Password Self-Service. You can add one or more managed domains. After adding a managed domain, you can manage the domain's users by using Password Self-Service.

To add a managed domain

1. On the home page of the Administration site, click Managed Domains.
2. On the Configure Managed Domains page, click Add.
3. On the Domain Name and User Account Details page, configure access to the domain by doing the following:
   a. In the Domain name text box, type in the name of the domain that you want to register with Password Self-Service.
   b. In the Domain alias for the Self-Service Site text box, type in the alias for the domain which will be used to address the domain on the Self-Service Site.
   c. To have Password Self-Service access the managed domain using the Password Self-Service account, click Password Self-Service account. Otherwise, click Specific SQL Server account, and then enter user name and password of the SQL Server user account you want Password Self-Service to use when accessing the domain.
   Note: For information on how to prepare an account for accessing a managed domain, see Configuring Permissions to Access a Managed Domain.
4. Click OK.

After you have added a managed domain, you must create a question list for users' Q&A profiles, and configure password management settings for this domain, so that users can create their personal profiles by using the Self-Service site. For more information, see Managing Questions and Answers Profiles and Configuring Password Policies.
Managing Questions and Answers Profiles

Password Self-Service uses personal Questions and Answers profiles as an authentication method to allow users and helpdesk operators to manage user passwords in Active Directory domains and in multiple connected systems. A Questions and Answers profile, or personal profile, is a set of questions predesigned by the Password Self-Service administrator, to which users must provide their secret answers that later can be used to authenticate the users. You can also require users to specify their own questions in their personal profiles. Then, users can securely reset their passwords or unlock their accounts by answering a series of questions from their personal profiles.

Before users can register with Password Self-Service by creating their personal Questions and Answers profiles, you must configure a question list containing the questions that will be presented to users. You can create question lists in a specific language, so that users can select a preferred language of questions and answers.

You can set requirements for answers that users specify in their Questions and Answers profiles. For example, you can prevent users from specifying the same answer for different questions, or set a minimum answer length.

Password Self-Service allows you to specify criteria for recognizing users' Questions and Answers profiles as not compliant with the current password management settings. This is essential if you want users to update their profiles each time password management settings are changed. You can have noncompliant user Q&A profiles manually invalidated by help desk operators, thus preventing users with invalidated profiles from resetting passwords and unlocking accounts. Such users are then required to update their Questions and Answers profiles. For information on how to configure Q&A profile compliance rules, see Configuring Profile Update Policy.

Creating and Configuring Question Lists

A question list is a series of questions to which users provide their own answers, thus creating a personal Questions and Answers profile. Later, the user has to answer the specified number of questions from the question list to be allowed to perform password self-management tasks, such as resetting a password or unlocking an account. You can create question lists in different languages. Then, users can select a preferred language for questions and answers in their personal profile.

Every question list can contain the following types of questions:

- Mandatory: Questions of this type are an integral part of a user's Q&A profile. Users must provide an answer to each of these questions. You must specify at least one mandatory question if you want Help Desk operators to be able to unlock user accounts and reset user passwords. Thus, a user must answer a randomly selected mandatory question before a help desk operator can reset the user's password or unlock the user's account.
- Optional: Users can decide for themselves whether they want to use any questions of this type in their Q&A profile.
- User-defined: A question that must be composed by the user.
- Help Desk authentication: Security question used by Help Desk to verify a user's identity when resetting the user's password or unlocking the user's account. This question is not configurable, and is included in users' Q&A profiles if you select the Operators must verify user identity option on the Help Desk site settings page. For more information about this option, see Configuring Help Desk Site Settings. Users' answers to questions of this type are always stored using reversible encryption. For information about changing cryptographic and hashing algorithms for configuration data storage, see Quick Start Guide.

For users to be able to create their personal Questions and Answers profiles, you must specify at least one question in a question list.

To create and configure a question list

1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create a question list, and then click the Questions tab.
3. On the Questions tab, make the list of languages for which you want to create question lists by selecting one language at a time in the Add a language into the list and clicking Add.
4. On the Questions tab under Language, click the language for which you want to create a question list.
5. On the Configure Question List page, specify the following options as required:
   - Make questions in this language unavailable to users: Select this check box to temporarily prevent users from creating or updating their Q&A profiles using the question list language.
   - Mandatory questions: Click the Add button under the Mandatory questions list box, and then type a question and press ENTER.
   - Optional questions: Click the Add button under the Optional questions list box, and then type a question and press ENTER. To add more optional questions, repeat this step. Under Users must answer this number of optional questions to register, set the number of optional questions that a user must answer to register.
   - Users must answer this number of optional questions to register: Set the required number of optional questions that a user must answer to create his Questions and Answers profile.
   - Users must configure this number of user-defined questions: Set the required number of user-defined questions that a user must specify to create their Questions and Answers profile.
   - Number of questions that users must answer to register: Set the required number of optional questions that a user must answer to create their Questions and Answers profile.
   - Number of questions from user's Q&A profile that a user must answer to reset his password or unlock his account: Set the number of questions that are presented to users when they reset their password or unlock their account, by doing one of the following:
     - Click All questions from user's Q&A profile to have users answer all the questions from their profiles.
     - Click Specified number of randomly selected questions, and then set the number of questions required to reset password and to unlock account.
6. Click Save.
7. Repeat steps 4-6 for each language in the language list.

Note: Modifying a question list does not affect existing personal Questions and Answers profiles unless the users have to update their profiles as a result of the settings that require users to update Q&A profiles when the question list is modified.

Configuring Questions and Answers Policy

This policy allows you to define settings and requirements for users' questions and answers. For example, you can prevent users from using the same answer for multiple questions. Questions and answers that do not comply with the policy will not be accepted.

To configure Questions and Answers policy

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is
2. Click Manage Domains.
3. On the Managed Domains page, click a domain, and then click the Q&A Policy tab.
4. On the Q&A Policy tab, specify the following options:
   - Minimum length of answer: Set the least number of characters that users' answers can contain.
   - Minimum length of user-defined questions: Set the least number of characters that users' questions can contain.
   - Reject the same answers for different questions: Select to prevent users from specifying same answers for different questions.
   - Reject answers that are parts of the corresponding questions: Select to prevent users from specifying answers that are parts of the corresponding questions.
   - Store answers using reversible encryption: Select to store users' answers using reversible encryption.
5. Click Save.
Performing Bulk Profile Updates

Password Self-Service stores a user's Questions and Answers profile data in an attribute of the user's account. You can perform a bulk update of Questions and Answers profiles by updating the proper attribute of each of the registered user's accounts. Upon request, ScriptLogic Technical Support will provide you with the solutions that allow you to perform the following tasks:

- Change the attribute to store Questions and Answers profiles
- Bulk creation of Questions and Answers profiles

Changing the Attribute Used for Storing Questions and Answers Profiles

By default, ScriptLogic Password Self-Service stores Questions and Answers Profile data in the comment attribute of each user's account. You can configure ScriptLogic Password Self-Service to use another attribute instead. You can change the Active Directory attribute in which the Questions and Answers Profiles are stored and move existing profiles to the newly specified attribute. For more information on how to change the default attribute please contact ScriptLogic Technical Support.

Bulk Creation of Questions and Answers Profiles

ScriptLogic Password Self-Service stores users' Questions and Answers Profile data in an attribute of each user's account. You can pre-populate or create Questions and Answers profiles in bulk by writing new data to these attributes. Upon request, ScriptLogic Technical Support will provide you with a solution that performs the bulk updating and automatic enrollment of users from an external data source. For more information on how to pre-populate or create Questions and Answers profiles in bulk please contact ScriptLogic Technical Support.

Configuring Password Policies

About Password Policies

You can use ScriptLogic Password Self-Service to create password policies that define which passwords to reject or accept. Password policy settings are stored in Group Policy objects (GPOs). A GPO is applied by linking it to a target container defined in Active Directory, such as an organizational unit or a group. Group Policy objects from parent containers are inherited by default. When multiple Group Policy objects are applied, the policy settings are aggregated. For information on how to apply a password policy and change policy link order, see Managing Password Policy Links.
Password Policy Manager

Password Policy Manager is an independently deployed component of Password Self-Service. Password Policy Manager is necessary to enforce password policies configured in Password Self-Service, when users change their passwords using means other than Password Self-Service. To enforce password policies that you define with Password Self-Service, you must deploy the Password Policy Manager on all domain controllers in a managed domain. Depending on whether a domain controller is running an x86 or x64 version of Microsoft Windows Server operating system, the appropriate version of Password Policy Manager must be installed. The procedure for installing PPM is outlined in Installing Password Policy Manager.

Password Policy Rules

Password Self-Service uses a set of powerful and flexible rules to define requirements for domain passwords. Each password policy has rules that are configured independently of the rules in other policies. The following rules duplicate and extend system password policy rules: Password Age Rule, Length Rule, Complexity Rule, and User Properties rule. For information on how to create and configure a password policy, see Installing Password Policy Manager.

To display the properties of a password policy

1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the <DomainName> Domain page, click a policy whose properties you want to view or modify.

Installing Password Policy Manager

This section describes the steps for deploying Password Policy Manager in a managed domain. Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO), or use an existing one, to assign the installation package with Password Policy Manager to the destination computers. Password Policy Manager is then installed on computers on which the GPO applies.

Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:

- ScriptLogic Password Policy Manager x86.msi - Installs Password Policy Manager on domain controllers running an x86 Microsoft Windows Server operating system.
- ScriptLogic Password Policy Manager x64.msi - Installs Password Policy Manager on domain controllers running an x64 Microsoft Windows Server operating system.
The installation packages are located in the \Password Self-Service\Setup\Password Policy Manager\ folder on the installation CD.

Note: Depending on whether a domain controller is running an x86 or x64 version of Microsoft Windows Server operating system, the appropriate version of the Password Policy Manager must be installed.

To install Password Policy Manager on a single domain controller

1. Run the appropriate Password Policy Manager.MSI package located in the \Password Self-Service\Setup\Password Policy Manager\ folder on the installation CD.
2. Restart the computer once the installation completes.

To deploy Password Policy Manager on multiple domain controllers

1. Copy the appropriate Password Policy Manager.MSI package from the installation CD to a network share accessible from all domain controllers in a managed domain.
2. Create a GPO and link it to all domain controllers in a managed domain. You may also choose an existing GPO to deploy the Password Policy Manager.
3. Open the Computer Configuration folder under the selected GPO, and then open the Software Settings folder.
4. Right-click Software installation, and then select New Package.
5. Select the .msi package you have copied in step 1.
6. Click Open.
7. Select the deployment method and click OK.
8. Verify and configure the installation properties, if needed.

Creating and Configuring a Password Policy

When you have created a password policy, you can modify its default properties.

To create a domain password policy

1. On the home page of the Administration site, click the Managed Domains box.
2. Under Password Policies, click the link next to a domain for which you want to add a policy.
3. On the Password Policies for the <DomainName> Domain page, click Add.
4. On the Enter Policy Name page, type a name for the new policy.
5. Click Finish, and then do one of the following:
   - Click the policy link to modify the default policy settings, and then follow steps 2-4 of the procedure outlined later in this section.
   - Click Add to create a new password policy in the managed domain.
To configure settings for a password policy

1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the <DomainName> Domain page, click a policy whose properties you want to view or modify.
4. On the Policy settings tab of the Settings for Password Policy page, view or modify the following options, and then click Save:
   - Disable this policy: Select this check box to temporarily turn off the policy.
   - Domain: View the name of the managed domain to which this policy is linked.
   - Policy name: View or modify the name of the password policy.
5. Click the Policy Rules tab to configure the password policy rules by using the procedure outlined in Configuring Password Policy Rules, and then click Save.
6. Click the Policy Scope tab to manage the password policy links by using the procedure outlined in Managing Password Policy Links, and then click Save.

Note: The password policies do not override domain security settings; both the Password Self-Service password policies and the domain security settings are applied.

If you are running Microsoft Windows Server 2008, Password Self-Service allows configuring and using not only ScriptLogic password policies but Native Windows 2008 password policies as well. For Native Windows 2008 password policies, among other options, you can configure policy precedence that defines the order in which Native Windows 2008 password policies are applied.

Configuring Password Policy Rules

For each of the domain password policies, you can configure a set of policy rules that define what passwords to reject or accept in the domain to which a particular policy is applied. For each password policy, you can set up the following rules:

- Password Age Rule. Ensures that users cannot use expired passwords or change their passwords too frequently.
- Length Rule. Ensures that passwords contain the required number of characters.
- Complexity Rule. Ensures that passwords meet minimum complexity requirements.
- Required Characters Rule. Ensures that passwords contain certain character categories.
- Disallowed Characters Rule. Rejects passwords that contain certain character categories.
- Sequence Rule. Rejects passwords that contain more repeated characters than is allowed.
- User Properties Rule. Rejects passwords that contain part of a user account property value.
- Dictionary Rule. Rejects passwords that match dictionary words or their parts.
- Symmetry Rule. Ensures that a password or its part does not read the same in both directions.

The following is a general procedure for configuring the password policy rules:

To configure rules for a password policy

1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the Domain page, click a policy, and then click the Policy rules tab.
4. On the Policy Rules tab, click the rule that you want to configure, and, under the rule's name, modify the appropriate rule settings.
5. Repeat step 4 for each of the rules that you want to configure for this password policy, and then click Save.

For information about how to configure each of the policy rules, see the sections below.

Password Age Rule

The Password Age rule ensures that users cannot use expired passwords or change their passwords too frequently. Specify Minimum password age so that passwords cannot be changed until they are more than a certain number of days old. If a minimum password age is defined, users must wait the specified number of days to change their passwords.

To configure the Password Age rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Password Age Rule to expand the rule settings.
3. Under Password Age Rule, select the Specify password age check box, and then specify the following options as required:
   - Minimum password age: Specifies how many days users must keep new passwords before they can change them.
   - Maximum password age: Specifies how many days a password can be used before the user is required to change it.

Length Rule

The Length rule ensures that passwords contain the required number of characters. Define a minimum length so that passwords must consist of at least a specified number of characters. Long passwords - seven or more characters - are usually stronger than short ones. With this setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.

To configure the Length rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Length Rule to expand the rule settings.
3. Under Length Rule, select the Password must contain check box, and then specify the following options as required:
   - Minimum characters: Set the minimum number of characters that passwords must contain.
   - Maximum characters: Set the maximum number of characters allowed in a password.

Complexity Rule

The Complexity rule ensures that passwords meet the following minimum complexity requirements:

- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)

The Complexity rule imposes the same requirements as the standard Windows policy "Password must meet complexity requirements."
To configure the Complexity rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Complexity Rule to expand the rule settings.
3. Under Complexity Rule, select the Password must meet complexity requirements check box.

Required Characters Rule

The Required Characters rule ensures that passwords contain certain character categories. Required characters are necessary to make a password stronger. For example, if you set the minimum number of uppercase characters to 4, then the password "ElePHant" will be rejected.

To configure the Required Characters rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Required Characters Rule to expand the rule settings.
3. Under Required Characters Rule, select the Password must contain at least check box, and then specify the following options as required:
   - Alphabetic characters: Set the minimum number of alphabetic characters (A-z) that must appear in a password.
   - Lowercase characters: Set the minimum number of lowercase characters that must appear in a password.
   - Uppercase characters: Set the minimum number of uppercase characters that must appear in a password.
   - Unique characters: Set the number of characters that must be unique within a password. To require case sensitivity for this setting, select the Case sensitive check box.
   - Digits (0-9): Specify whether passwords must contain digits:
     - Set the minimum number of digits that must appear in a password by selecting the Minimum check box, and then typing the required number.
     - In the In positions text box, type the numbers of positions within a password where digits must appear. For example, 1,3,5-10.
     - Use Number of ending characters to specify how many digits must be in the end of a password.
   - Special characters: Specify whether passwords must contain special characters:
     - Set the minimum number of special characters that must appear in a password by selecting the Minimum check box, and then typing the required number.
     - In the In positions text box, type the numbers of positions within a password where special characters must appear. For example, 1,3,5-10.
     - Use Number of ending characters to specify how many special characters there must be in the end of a password.
     Special characters include the following characters: !"#$%&'()*+,-./:;<=>?@[\\]^_`{}~
Note: By default, the table of lowercase, uppercase, and special characters is taken from the locale settings of the domain controller where the Password Policy Manager is installed. To view the locale settings, select Start > Settings > Control Panel > Regional Options and click the General tab.

Disallowed Characters Rule

The Disallowed Characters rule rejects passwords that contain certain character categories. The categories include digits from 0-9 and special characters such as "#$%". If you specify that special characters must not appear in the beginning of a password, then the password "@work" will be rejected.

To configure the Disallowed Characters rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Disallowed Characters Rule to expand the rule settings.
3. Under Disallowed Characters Rule, select the Password must not contain check box, and then specify the following options as required:
   - Digits (0-9): Specify whether the rule will reject passwords containing digits. First, select this check box, and then do any of the following:
     - Select the In positions check box, and then type the numbers of positions within a password where digits must not appear. For example, 1,3,5-10.
     - Select the Number of ending characters check box, and then specify how many digits there must be in the end of a password.
   - Special characters: Specify whether the rule will reject passwords containing special characters. First, select this check box, and then do any of the following:
     - Select the In positions check box, and then type the numbers of positions within a password where special characters must not appear. For example, 1,3,5-10.
     - Select the Number of ending characters check box, and then specify how many special characters there must be in the end of a password.
     Special characters include the following characters: !"#$%&'()*+,-./:;<=>?@[\\]^_`{}~

Note: By default, the table of special characters is taken from the locale settings of the domain controller where the Password Policy Manager is installed. To view the locale settings, select Start > Settings > Control Panel > Regional Options and click the General tab.
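The "In positions" and "Number of ending characters" settings of the Required Characters and Disallowed Characters rules can be tried against sample passwords before a policy is saved. The following is an added sketch in Python, not ScriptLogic code; the function names, the 1-based position numbering, the reading of "Unique characters" as a count of distinct characters, and the choice to fail a required position that lies beyond the end of the password are assumptions.

```python
# Special characters as printed in the guide. The product takes the real table
# from the locale settings of the domain controller, so treat this as a sample.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{}~")
DIGITS = set("0123456789")


def parse_positions(spec):
    """Turn an 'In positions' value such as '1,3,5-10' into 1-based positions."""
    positions = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, dash, high = item.partition("-")
        start = int(low)
        end = int(high) if dash else start
        if start < 1 or end < start:
            raise ValueError(f"invalid position range: {item!r}")
        positions.update(range(start, end + 1))
    return sorted(positions)


def required_violations(pw, min_upper=0, min_lower=0, min_unique=0,
                        case_sensitive=True, min_digits=0,
                        digit_positions="", ending_digits=0):
    """Required Characters rule: the counters plus the three digit options."""
    found = []
    if sum(c.isupper() for c in pw) < min_upper:
        found.append(f"fewer than {min_upper} uppercase characters")
    if sum(c.islower() for c in pw) < min_lower:
        found.append(f"fewer than {min_lower} lowercase characters")
    # Assumption: "unique characters" means the number of distinct characters.
    if len(set(pw if case_sensitive else pw.casefold())) < min_unique:
        found.append(f"fewer than {min_unique} unique characters")
    if sum(c in DIGITS for c in pw) < min_digits:
        found.append(f"fewer than {min_digits} digits")
    for pos in parse_positions(digit_positions):
        # Assumption: a required position past the end of the password fails.
        if pos > len(pw) or pw[pos - 1] not in DIGITS:
            found.append(f"digit required at position {pos}")
    tail = pw[-ending_digits:] if ending_digits else ""
    if len(tail) < ending_digits or any(c not in DIGITS for c in tail):
        found.append(f"last {ending_digits} characters must be digits")
    return found


def disallowed_violations(pw, digit_positions="", special_positions=""):
    """Disallowed Characters rule for the 'In positions' option."""
    found = []
    for label, table, spec in (("digits", DIGITS, digit_positions),
                               ("special characters", SPECIAL, special_positions)):
        for pos in parse_positions(spec):
            # A forbidden position beyond the password's end cannot be violated.
            if pos <= len(pw) and pw[pos - 1] in table:
                found.append(f"{label} not allowed at position {pos}")
    return found


if __name__ == "__main__":
    # The two examples from the guide, followed by a constructed one.
    print(required_violations("ElePHant", min_upper=4))
    print(disallowed_violations("@work", special_positions="1"))
    print(required_violations("a1b2c", digit_positions="1,3,5-10"))
```

A position list that reaches past the minimum password length set in the Length rule makes every shorter password fail under the assumption above, so compare the two settings when reviewing a policy.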
Sequence Rule

The Sequence rule rejects passwords that contain more repeated characters than is allowed. Repeated characters can appear in succession or in different positions in a password. This policy also includes characters typed in direct or inverse numerical or alphabetical order. For example, if you set the maximum number of same characters that appear in succession to three, then the password "eeeegle" will be rejected.

To configure the Sequence rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Sequence Rule to expand the rule settings.
3. Under Sequence Rule, select the Password must not contain more than check box, and then specify the following options:
   - Number of characters repeated in succession (AAAB): Set the maximum number of same characters in a row that the policy will tolerate before rejecting a password.
   - Number of identical characters (ABCA): Set the maximum number of same characters typed in different positions of password that the policy will tolerate before rejecting a password.
   - Number of characters in direct or inverse numerical or alphabetical order (ABC_321): Set the maximum number of characters typed in direct or inverse numerical or alphabetical order that the policy will tolerate before rejecting a password.
   - Case sensitive: Select this check box to require case sensitivity for this rule.

User Properties Rule

The User Properties rule rejects passwords that contain part of a user account property value. This rule splits the user account property value by non-alphanumeric characters (for example, "_"), and then checks if any part of the value is available in the password. For example, if user's name is "Peter_US", Password Self-Service splits the property into: "Peter" and "US", and checks if any part can be found in the password. For example, the password "US_US" will be rejected.

To configure the User Properties rule

1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click User Properties Rule to expand the rule settings.
3. Under User Properties Rule, select the Prevent users from using account properties as part of passwords check box, and then specify the following options:
   - Beginning characters of a user property value: Set the maximum number of beginning characters from a user property value that users are allowed to use as part of their passwords. For example, if a user's full name is "Anna Fairweather", and the option value is set to 3, then the user is allowed to type the strings "Ann" and "Fai" as part of her password. The password will be rejected if it contains "Anna" or "Fair". You can select from the following user account properties:
     - displaynameprintable
     - mailnickname
     - userprincipalname
     - displayname
     - title
     - sn
     - samaccountname
     - personaltitle
     - middlename
     - mail
     - givenname
     - employeeid
     - cn
   - The entire value of a user property: Select to reject passwords containing the entire value of a user property. You can select any of the user account properties listed in the description of the Beginning characters of a user property value option above.
   - Case sensitive: Select this check box to require case sensitivity for this rule.
   - Enable bi-directional analysis: Select to reject passwords containing the entire value of a user property or its part (depending on which of the two previous options you have selected), if read backwards.

Dictionary Rule

The Dictionary rule rejects passwords that match dictionary words or their parts. The Dictionary rule compares user passwords against a list of words stored in the QPMDictionary.txt text file (in the Unicode format). Depending on how you configure the rule settings, user passwords that partially or fully match dictionary words are rejected by Password Self-Service.

The QPMDictionary.txt dictionary file is located on the Password Self-Service server, in the following folder: '<install location>\password Policy Manager\', and is automatically deployed together with Password Policy Manager (PPM). To ensure consistency of the dictionary, make sure that QPMDictionary.txt is up-to-date on all servers where it is deployed.
The dictionary file is never cached. During each password validity check, the dictionary file is read from the Password Self-Service server, or from the user's domain controller.

To modify the QPMDictionary.txt file, such as by adding new words to the word list, you can use Notepad (or any text editor). When modifying the dictionary file, ensure that you begin every new word on a new line. We recommend that you maintain alphabetical order.

The Dictionary rule is not case-sensitive. This means that you can use either uppercase or lowercase when adding or modifying dictionary entries, and that user input is checked regardless of whether users type capital or small letters in their passwords.

To configure the Dictionary rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Dictionary Rule to expand the rule settings.
3. Under Dictionary Rule, select the Enable dictionary lookup to reject passwords that contain check box, and then specify the following options:

Option: Description

Beginning characters of a dictionary word: Specify to reject passwords starting with this number of beginning characters of a dictionary word.

A complete word from the dictionary: Select this check box to reject passwords that represent an entire word from the dictionary.

Detect inclusion of non-alpha characters (pas7swo%rd): Select this check box to remove non-alphabetic characters during analysis.

Enable bi-directional analysis: Select to reject passwords containing an entire dictionary word or its part (depending on which of the other three options you have selected), if read backwards.

Symmetry Rule

The Symmetry rule ensures that a password or its part does not read the same in both directions. For example, if you enable the Reject passwords that read the same in both directions option, then the password "redivider" will be rejected.
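The User Properties and Dictionary rule options described above can be prototyped to see which candidate passwords a given configuration would reject before the policy is enabled. This is an added example, not code from Password Self-Service: the function names, the splitting of property values on whitespace and the substring matching are assumptions, and the sample user and word list are constructed.

```python
"""Prototype of the User Properties and Dictionary rule options.

Added illustration only, not Password Self-Service code. Splitting property
values on whitespace and matching by substring are assumptions.
"""


def _forms(fragment, bidirectional):
    """The fragment itself and, for bi-directional analysis, its reverse."""
    return (fragment, fragment[::-1]) if bidirectional else (fragment,)


def violates_user_properties(password, properties, max_prefix=None,
                             entire_value=False, case_sensitive=False,
                             bidirectional=False):
    """Return the property fragment that makes the password fail, or None.

    max_prefix is the largest number of beginning characters of a property
    word that a password may contain (3 allows "Ann", rejects "Anna").
    """
    fold = (lambda s: s) if case_sensitive else str.lower
    pw = fold(password)
    for value in properties.values():
        fragments = [value] if entire_value and value else []
        if max_prefix is not None:
            # One character beyond the allowed prefix is a violation.
            fragments += [word[:max_prefix + 1] for word in value.split()
                          if len(word) > max_prefix]
        for fragment in fragments:
            forms = _forms(fold(fragment), bidirectional)
            if any(form in pw for form in forms):
                return fragment
    return None


def violates_dictionary(password, words, prefix_len=None, complete_word=False,
                        strip_non_alpha=False, bidirectional=False):
    """Return the dictionary fragment found in the password, or None.

    The Dictionary rule is never case sensitive, so everything is lowered.
    """
    pw = password.lower()
    if strip_non_alpha:
        # "pas7swo%rd" is analysed as "password".
        pw = "".join(ch for ch in pw if ch.isalpha())
    for entry in words:
        word = entry.strip().lower()
        if not word:
            continue  # blank line in the word list
        fragments = [word] if complete_word else []
        if prefix_len and len(word) >= prefix_len:
            fragments.append(word[:prefix_len])
        for fragment in fragments:
            if any(form in pw for form in _forms(fragment, bidirectional)):
                return fragment
    return None


if __name__ == "__main__":
    # Constructed sample data: one user and a three-word dictionary.
    user = {"displayname": "Anna Fairweather"}
    dictionary = ["password", "welcome", "dragon"]
    for candidate in ["Ann2024!Fai", "xAnna99", "riaF#2024", "pas7swo%rd"]:
        prop_hit = violates_user_properties(candidate, user, max_prefix=3,
                                            bidirectional=True)
        dict_hit = violates_dictionary(candidate, dictionary,
                                       complete_word=True,
                                       strip_non_alpha=True,
                                       bidirectional=True)
        print(f"{candidate!r}: user property={prop_hit!r}, "
              f"dictionary={dict_hit!r}")
```

Running candidates through both functions with and without the bi-directional and non-alpha options shows how much each option widens the set of rejected passwords.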
To configure the Symmetry rule
1. Follow the steps outlined in Configuring Password Policy Rules.
2. On the Policy Rules tab, click Symmetry Rule to expand the rule settings.
3. Under Symmetry Rule, select the Password must comply with symmetry criteria check box, and then specify the following options:

Option: Description

Reject passwords that read the same in both directions (pass8ssap): Select to reject passwords that are palindromes.

Maximum number of beginning characters that match ending characters of password if read backwards (pas47sap): Specify the number of beginning characters matching the ending characters of password, if read backwards, which the policy will tolerate before rejecting a password.

Maximum number of consecutive characters within a password, that read the same in both directions (pass4554word): Specify the number of password characters in a row that read the same in both directions, which the policy will tolerate before rejecting a password.

Case sensitive: Select to define this rule as case sensitive.

Managing Password Policy Links

Applying Password Policies

A newly created password policy is linked to the managed domain for which it was created and applies to the Authenticated Users group by default. You can define granular password policies by linking them to certain Organizational Units and groups in a managed domain.

To link a Password Policy to Organizational Units and Groups
1. Display properties of a password policy by using the procedure outlined in About Password Policies.
2. Click the Policy Scope tab.
3. Click the Add button under The following domains and OUs are linked to this policy, and then browse for an organizational unit.
4. Click the Add button under The settings in this policy can only apply to the following groups, and then browse for a group in the organizational unit that you have specified in step 3.
5. Click Save.

Changing policy link order

When multiple password policies affect an OU or a group, they are processed sequentially in order of precedence. Policies with the highest precedence are processed first. A newly created password policy is disabled by default.

To change policy link order
1. On the home page of the Administration site, click the Managed Domains box.
2. Under Password policies, click the link next to a domain for which you want to change the policy link order.
3. On the Password Policies for the <DomainName> Domain page, click Policy Order.
4. In the table below Policy Order, move policies up or down in the list by selecting them and clicking the Move Up or Move Down buttons.

Note: To have a password policy affect only users of specific groups, remove the Authenticated Users group from the policy scope and specify the organizational units and the groups in those organizational units that you want the policy to affect.
Deleting a Password Policy

To delete a password policy from a domain
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Domain Password Policies page, select the check box next to the policy that you want to delete and click Remove.

Note: When you delete a password policy from a managed domain, the deleted policy is no longer valid for this domain. To restore a deleted password policy, create a new policy and manually configure its settings as required.

Configuring Logon Security Options

Using logon security options you can define logon conditions for end users. For example, you can allow Password Self-Service to treat users with disabled accounts as locked users, so that they can unlock their accounts and reset their passwords. You can also require users to change their password at next logon after they have reset it using Password Self-Service.

To configure logon security options
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain whose password management settings you want to configure.
3. Under Logon security options, specify the following options, and then click Save.

Option: Description

Allow users to re-enable their disabled accounts: If you select this check box, Password Self-Service will allow users whose accounts are disabled to unlock and re-enable their accounts, reset and manage passwords using their Q&A profiles.

Allow users that are required to change password at next logon to use Password Self-Service: Select this check box to provide access to the Self-Service Site to those users required to change their passwords at next logon. If you clear this check box, users will be denied any access to Password Self-Service functionality when their password is expired or required to be changed at the next logon.

Force users to change passwords: If you select this check box, Password Self-Service will require users to change their password.

Users must change password after it was reset by Password Self-Service: Defines that users are required to change their password at next logon after the password has been reset by using Password Self-Service.
Option: Description

Enforce password history: Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings. Before selecting this option, you should consider the following by-design behavior of Password Self-Service when the Enforce password history option is enabled: Password Self-Service uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Self-Service checks only the last five passwords. Therefore, it is advised that you double the password history value for all managed domains. Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.

Q&A profile lockout conditions: Select this check box to specify the following criteria for locking users' Question and Answer profiles:
Maximum number of failed attempts
Lockout period, in minutes
Time before failed attempts limit is reached, in minutes

Configuring Registration Notification and Enforcement

You can configure Password Self-Service to force users in the managed domain to register with Password Self-Service or to update their Questions and Answers profiles.

Password Self-Service provides the following methods to implement registration notification and enforcement:

Configure a notification schedule to send e-mail notifications to those users who have not yet registered with Password Self-Service. To configure a notification schedule, see the procedure outlined later in this section. You can configure the scope of users you want to be notified.

Configure a notification that will be displayed as a dialog box on users' desktop screens at specified time intervals. The dialog box will notify users who must register with Password Self-Service or update their Q&A profiles. This notification is customized through Group Policy by properly configuring Secure Password Extension. For more information see Managing Secure Password Extension Using Administrative Templates.

To enable registration enforcement, you must configure a notification schedule. Step-by-step instructions on how to configure a notification schedule are given later in this section.
By default, when you enable registration enforcement, no users in a managed domain will receive registration notifications through notification dialog boxes or e-mail messages. To define a list of users you want to be prompted to register with Password Self-Service, you must add a corresponding group of users to the Groups Allowed to Receive Registration Notifications list. To configure the list, see the procedure outlined later in this section.

Note: You can also specify whether users who have not registered with Password Self-Service, or have invalid Questions and Answers profiles, must create or update their Q&A profiles before they can log on to the network. If you enable this policy, users will be denied logging on to their computers after the deadline until they create or update their Q&A profiles as required. This type of registration enforcement can be configured only for pre-Windows Vista operating systems, and is enabled through Group Policy by properly configuring Secure Password Extension.

Password Self-Service provides two registration enforcement options: Apply immediately and Schedule enforcement.

If you select the Apply immediately option, all users in the managed domain who are not registered with Password Self-Service will be immediately notified through a dialog box displayed on their desktop screens. Use this option with caution when the number of users managed by Password Self-Service is large. Immediate enforcement of a large number of users may drastically decrease the performance of your production environment. Note that you must select the Notify users using notification dialog box check box to have users notified through a dialog box displayed on their desktop screens.

You can cancel immediate user notification at any time. To cancel the immediate notification, clear the Enforce creation and update of users' Questions and Answers profiles check box or select the Schedule enforcement option.

If you select the Schedule enforcement option, users will be required to register with Password Self-Service within the number of days that you specify. You can choose whether to notify users by e-mail or dialog box, or both. You can also specify the number of users you want to be scheduled to be notified a day. Use this option to reduce server load and enhance performance. Note that scheduled notification starts only after the ScriptLogic Password Self-Service task has run. For more information on the scheduled tasks in Password Self-Service, see The Scheduled Tasks in Password Self-Service.

Once the task has set the deadline for creating users' Questions and Answers profiles, you cannot remove the deadline, but you can change it by configuring the Once forced to create Questions and Answers profiles, users must create their profiles within <%> days option.

To force users to update their Questions and Answers profiles, configure the notification schedule using the options described in the Force users to update their Questions and Answers profiles section of the table below.
To configure notification schedule

Specify an outgoing mail server (SMTP). For more information, see Configuring Outgoing Mail Servers Settings.
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. Under User Enforcement tab, specify the following options, and then click Save.

Option: Description

Enforce creation and update of users' Questions and Answers profiles: Select this check box to configure user enforcement options.

Notify users using notification dialog box: If you select this check box, users who must create or update their Questions and Answers profiles will be notified through a dialog box displayed on their desktop screens.

Force users to create their Questions and Answers profiles

Apply immediately: Forces all users to immediately create their Questions and Answers profiles.

Schedule enforcement: Requires users to create their Questions and Answers profiles within a specific number of days after they are scheduled to register.

Once forced to create Questions and Answers profiles, users must create their profiles within <%> days: Specify the deadline within which users must create their Questions and Answers profiles with Password Self-Service after the first registration notification.

Start notifying users by notification dialog box and e-mail <%> days before registration term: Select this check box to remind those users who already received the first registration notification but have not created their Questions and Answers profiles of the necessity to complete the registration procedure. Such users will receive a notification every day during the specified number of days before the registration term.

Notify users by e-mail: Select this option if you want to have users notified using e-mail. By clicking the Specify notification language(s) link you can specify the language to be used for sending notifications.

Schedule to force to create their Questions and Answers profiles the following number of users: Set the daily number of new users who will be notified to create their Questions and Answers profiles.

Force users to update their Questions and Answers profiles

Once forced to update Questions and Answers profiles, users must update their profiles within <%> days: Specify the deadline within which users must update their Questions and Answers profiles with Password Self-Service after the first notification.

Start notifying users by notification dialog box and e-mail <%> days before update term: Select this check box to remind those users who already received the first notification but have not updated their Questions and Answers profiles of the necessity to update profiles. Such users will receive a notification every day during the specified number of days before the update term.

Notify users by e-mail: Select this option if you want to have users notified using e-mail. By clicking the Specify notification language(s) link you can specify the language to be used for sending notifications.

Schedule to force to update their Questions and Answers profiles the following number of users: Set the daily number of new users who will be notified to update their Questions and Answers profiles.

To specify an explicit list of groups to receive registration notifications
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Receive Registration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to receive registration notifications and click Save. Only members of the groups in this list will be prompted to register.

To exclude a group from registration notification recipients
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Receiving Registration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to never receive registration notifications and click Save. Members of the groups in this list will never be prompted to register with Password Self-Service.

If you add a group to both the Groups Allowed to Receive Registration Notifications and Groups Denied Receiving Registration Notifications lists, the members of this group will never be prompted to register with Password Self-Service.

Note: To specify criteria that define whether users must update their Questions and Answers profiles, you can configure profile update policies. For more information, see Configuring Profile Update Policy.
You can configure which groups will receive password expiration notifications and which will not.
To specify an explicit list of groups to receive password expiration notifications
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Receive Password Expiration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to receive password expiration notifications and click Save. Only members of the groups in this list will receive password expiration notifications.

To exclude a group from password expiration notification recipients
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Receiving Password Expiration Notification.
4. Click Add.
5. In the object selection window, select the groups whose members you want to never receive password expiration notifications and click Save. Members of the groups in this list will never receive password expiration notifications.

If you add a group to both the Groups Allowed to Receive Password Expiration Notifications and the Groups Denied Receiving Password Expiration Notification lists, the members of this group will never receive password expiration notifications.

Delegating Help Desk and Administrative Tasks

You can assign help desk tasks to dedicated help desk operators, and delegate Password Self-Service configuration management to lower-level administrators by simply adding the trusted individuals' accounts to precreated security groups.

Delegating Help Desk Tasks

The Help Desk site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles.
By default, only members of the local Administrators group on the Password Self-Service server can access the Help Desk site Web interface. To delegate help desk tasks to dedicated personnel, add the operators' accounts to the QPMHelpDesk group. This group is created during setup, on the computer where you install Password Self-Service, and has the Read and Execute permission on the \HelpDesk folder at the following default location: C:\Program Files\ScriptLogic Corporation\ScriptLogic Password Self-Service\web\DPSS\. Members of the QPMHelpDesk group have access to the complete functionality of the Help Desk site, and can perform help desk tasks.

Delegating Administrative Tasks

Delegation of access to the Administration site provides the ability to distribute Password Self-Service configuration management tasks among trusted persons. By default, access to the Administration site is granted to the local Administrators group and to the account under which you have installed Password Self-Service.

To provide access to the Administration site, add the delegated administrators' accounts to the pre-created QPMAdmin group, on the computer where Password Self-Service is installed. Members of the QPMAdmin group have access to the complete functionality of the Administration site.

Note: Make sure you add only the most highly trustworthy persons to the QPMAdmin group, since changing Password Self-Service configuration involves dealing with user-sensitive information.

Configuring Access to Self-Service Site

By default, no user in a managed domain can access the Self-Service site. To allow users to access the Self-Service site, you must explicitly specify the groups which can use the Self-Service site. You can also explicitly deny specific groups access to the Self-Service site.

To specify a list of groups which are explicitly allowed to access the Self-Service site
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Access the Password Self-Service Self-Service Site.
4. Click Add.
5. In the object selection window, select the groups whose members you want to be able to access the Self-Service site and click Save. Only members of the groups in this list will be granted access to the Self-Service site.

To specify a list of groups which are explicitly denied access to the Self-Service site
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Access to the Password Self-Service Self-Service Site.
4. Click Add.
5. In the object selection window, select the groups whose members you want to never be able to access the Self-Service site and click Save. Members of the groups in this list will be denied access to the Self-Service site.

If you add a group to both the Groups Allowed to Access the Password Self-Service Self-Service Site and the Groups Denied Access to the Password Self-Service Self-Service Site lists, the members of the group will be denied access to the Self-Service site.

Changing Account to Access a Managed Domain

To access a managed domain you can use either the Password Self-Service account or specify another account. The Password Self-Service account is the default account that was configured during Password Self-Service installation. If you want to use another account, specify the user name and password for the new account.

To modify credentials used to access a domain
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain whose password management settings you want to configure.
3. Click the General tab, and then click the Access credentials link.
4. On the Specify Access Credentials page, specify the following information, and then click OK.

Option: Description

Password Self-Service account: Select this option to have Password Self-Service access the domain with the user account supplied during Password Self-Service installation (default account).

Specified user name and password: Select this option to have Password Self-Service access the domain using a specific user logon name and password.

User name: Supply the user logon name that Password Self-Service will use to access the domain. For more information, see Configuring Permissions to Access a Managed Domain.

Password: Supply the user password that Password Self-Service will use to access the domain.
Note: You may need to modify the user name and password used to access a managed domain, for example if you receive the following error message: "The account used to access the domain is invalid. Please reset this account." This may occur if the password for this account has been changed or the account was locked and so on.

Deleting a Managed Domain

To delete a managed domain
1. On the home page of the Administration site, click Managed Domains.
2. Select one or more managed domains that you want to delete and click the Remove button.

Note: When you delete a managed domain from Password Self-Service, password policies, question lists, and users' Questions and Answers profiles are not deleted. Policy objects, which were created with Password Self-Service, can be deleted from all domain controllers manually.

REPORTING

ScriptLogic Password Self-Service provides a simple and convenient way to view, print, and save reports and charts allowing you to analyze information on how the application is being used. The reporting functionality within the solution is based on Microsoft SQL Server Reporting Services as a common reporting environment.

The Reports section of the Administrator site includes a number of predefined reports that help you perform the following tasks:
Track user registration activity
Analyze information about what actions are performed by users in Password Self-Service
Check users' registration status
View a list of users whose Questions and Answers profiles must be updated to comply with the current administrator-defined settings
Track Help Desk operators' activity

Setting Up Reporting Environment

To enable the reporting functionality of Password Self-Service, ensure that the following requirements are met:
A SQL Server is deployed in your environment and the Password Self-Service database is configured on that server.
A SQL Server Reporting Services report server is installed in your working environment.
You have configured a connection to the report server through the Administration site.

The interactive Web-based reports are built on data that the report server retrieves from the Password Self-Service SQL database, and can be either viewed online or exported into multiple file formats.

Using Reports

You can create and view reports interactively using the Administration site, and save them to multiple file formats. To use the reporting functionality, you have to specify the SQL Server to store the Password Self-Service database and connect to the Report Server that is capable of building reports using the data stored in the Password Self-Service database.

When specifying the SQL Server and the database to store the log data, ensure that the account under which Password Self-Service will access the server has the appropriate permissions to create and write to a database on the server.

When connecting to a report server for the first time, Password Self-Service publishes the reports included with the solution to the server, and populates the list of reports on the Administration site. Before connecting to a report server, ensure that the account under which Password Self-Service will access the server has the appropriate permissions to publish the Password Self-Service reports. The administrative rights on the report server will be sufficient for this account to publish reports.

To specify the SQL Server and the Password Self-Service database
1. On the home page of the Password Self-Service Administration site, click Settings.
2. Click the Reporting and Logging tab.
3. On the Reporting and Logging tab, expand the Reporting Settings section.
4. Click Connect to SQL Server.
5. In the Reporting Settings section, specify the following settings.

Setting: Description

SQL Server: Type in the name of the SQL Server to use for storing the Password Self-Service database.

Database name: Specify the name for the database where Password Self-Service will log information used for building reports. If the database you specified does not yet exist, you will be prompted to confirm creation of the database.

Delete log records older than: Select this check box to have SQL Server purge old records to prevent the logging database from growing indefinitely. Specify the age for the log records to be eligible for deletion.

To have Password Self-Service access the SQL Server under the Password Self-Service account, select Password Self-Service account. Otherwise, select Specific SQL Server account, and then enter the user name and password of the user account you want Password Self-Service to use when accessing the SQL Server.

To specify a report server
1. On the home page of the Password Self-Service Administration site, click Settings.
2. Click the Reporting and Logging tab.
3. On the Reporting and Logging tab, expand the Reporting Settings section.
4. Click Connect to Report Server.
5. In the Report Server section, specify the following settings.

Setting: Description

Report Server URL: Type in the URL address of the Report Server in the following format: where <server_name> is the name of the server where Report Server resides, <report_server> is the name of the report server instance

Report Manager URL: Type in the URL address of the Report Manager in the following format: where <server_name> is the name of the server where Report Server resides, <report_server> is the name of the Report Manager instance. This is an optional setting.

Password Self-Service account: If you select this option, Password Self-Service will use its Service account to access the Report server.

Specified user name and password: Select this option to specify the account which Password Self-Service will use to access the Report Server.

Override the reports on the Report Server: Select this option if you want Password Self-Service to overwrite any Password Self-Service reports which were previously installed on the Report Server. By default this option is not selected and Password Self-Service installs on the Report Server only the reports which are not available on the Report Server.

Disconnect the Report Server: Click this option to disconnect a previously connected Report Server.

6. Click Save.
To create and preview a report

1. On the home page of the Administration site, click Reports, and on the List of Reports page, click the report you want to preview. The following table lists the reports included with Password Self-Service.

   Report Name / Description

   Profile states (table)
      This is a table report displaying a list of users in the managed domains, and the states of the users' Questions and Answers profiles in Password Self-Service. You can see which users have registered with Password Self-Service and which have not, which users must re-create their profiles, and which are scheduled to update their profiles.

   Profile states distribution (chart)
      This is a pie chart report showing the percentage of the total number of users for each of the Q&A profile states.

   Actions by user (table)
      This is a table report showing what actions each of the users performed in Password Self-Service, and whether the result of a user action was successful or not. You can view this report for a specified period of time.

   Actions distribution (chart)
      This is a pie chart report displaying the percentage of the total number of user actions for all types of user actions such as registration with Password Self-Service or password reset. You can view this report for a specified period of time.

   Registrations by month (chart)
      This is a column chart showing the monthly numbers of users registered with Password Self-Service. You can view this report for a specified month range.

   Actions by month (chart)
      This is a line chart showing the monthly numbers of user actions performed in Password Self-Service. You can view this report for a specified month range.

   Actions by type (table)
      This is a table report showing a summary of user actions in Password Self-Service sorted by action type. You can view this report for a specified period of time.

   Help Desk usage by actions (table)
      This is a table report showing a summary of actions on the Help Desk site. You can view this report for a specified period of time.

   Actions by helpdesk operators (table)
      This is a table report showing what actions each of the helpdesk operators performed in Password Self-Service, and whether the result of an operator action was successful or not. You can view this report for a specified period of time.

   Help Desk activity by user (table)
      This table report shows what actions each helpdesk operator has performed for specific users. You can view this report for a specified period of time.

   notifications by user (table)
      This table report lists the notifications sent to specific users. You can view this report for a specified period of time.

   notifications by type (table)
      This is a table report showing a summary of notifications sent to users. The notifications are sorted by action type. You can view this report for a specified period of time.

2. Once the report is generated, it is displayed in the Report Viewer, in a new browser window.
3. Select the zoom ratio in the drop-down list on the toolbar.
4. To go to a particular page, type in a page number in the leftmost text box on the toolbar and press ENTER, or use the navigation arrows beside this text box.
5. To modify report parameters, set the new parameter values by using the group of controls in the upper area of the Report Viewer, and then click the View Report button.
6. To close the Report Viewer and return to the List of Reports page, simply close the Report Viewer window.

When previewing a report, you can easily locate specific records, or find certain values within the report. The Report Viewer finds each occurrence of the item you are looking for.

To search a report

1. Enter the text you are looking for in the Find Text text box on the menu bar.
2. Click Find.
3. Click Next to find the next occurrence.

In the Report Viewer, you can also save the report in a file, or print the report. To save a report, select the target file format from the Select a format drop-down list on the menu bar, and then click Export. The Report Viewer supports the following file formats:

- XML file (.XML)
- Microsoft Excel Comma Separated Values file (.CSV)
- TIFF file (.TIFF)
- Portable Document Format (.PDF)
- Web archive file (.MHTML)
- Microsoft Excel Worksheet (.XLS)

To print a report, click the printer icon on the menu bar, and in the Print window, click OK.

You can modify properties of any of the Password Self-Service reports by using the SQL Server Reporting Services Report Manager console. For example, you can edit the report name and description, or the report parameters.

To modify report properties

1. On the home page of the Administration site, click Reports, and on the List of Reports page, click the rightmost icon next to the report whose properties you want to modify.
2. In the Report Manager window, modify the report properties as needed, and click the Apply button.
3. For information about how to use the Report Manager, see the Report Manager Online Help.
4. To preview the report with modified properties, click the View tab.
5. To close the Report Manager, simply close the Report Manager window.

DIAGNOSTIC LOGGING

ScriptLogic Password Self-Service provides a simple and convenient way to collect diagnostic information about the activity of Password Self-Service. Diagnostic logging is mainly intended to be used by support personnel for troubleshooting purposes.

To enable diagnostic logging in Password Self-Service

1. On the home page of the Administration site, click Settings, and then click the Reporting and Logging tab.
2. Under Diagnostic Logging, configure the following options as required:

   Option / Description

   Log diagnostic information to a file
      Select this check box to have Password Self-Service collect the diagnostic information about Password Self-Service activity.

   Specify the path and file name of the log file:
      Type the name and path of the file to store the diagnostic information.

   Set log level
      The following log levels are available:
      - Log only errors - Select this option to log only errors.
      - Verbose logging - Select this option to log the most extended diagnostic information.
      Important: Do not enable verbose logging for long periods of time. Verbose logging creates log files that can accumulate quickly. Always monitor available disk space when verbose logging is enabled.

3. Click Save.

BEST PRACTICES FOR CONFIGURING REPORTING SERVICES

This section provides instructions on how to configure the Reporting Services component. The following topics are covered:

- Reporting Services default configuration.
- Reporting Services authorization issues.
- Reporting Services firewall issues.
Reporting Services default configuration

Note: The instructions in this section apply to Microsoft SQL Server

The SQL Server Reporting Services component and the Management Tools component must be installed in order to use the Password Self-Service Reporting functionality. Make sure you select the required features when running the Microsoft SQL Server Setup.

Use the Reporting Services Configuration tool to configure SQL Server Reporting Services. If you installed a report server using the Install but do not configure the server option, you must use this tool to configure the server prior to using it. If you installed a report server using the Install the default configuration option, you can use this tool to verify or modify the settings that were specified during setup.

It is recommended to select the Install the default configuration option during SQL Server and Reporting Services setup on the Report Server Installation Options page of the Setup Wizard. In most cases this will save you much time and effort as far as the Reporting Services default configuration is concerned.

The Reporting Services Configuration tool can be used to configure a local or a remote report server instance. You must have local system administrator permissions on the computer that hosts the report server you want to configure.

Note: Remote data sources are not supported by SQL Server Reporting Services included in Microsoft SQL Server Express Edition.

To configure the Reporting Services default configuration:

1. Start the Reporting Services Configuration tool.
2. Enter the SQL Server machine name and the Report Server Instance name and then click Connect.
   Note: Sequentially configure the Report Server options listed in the left pane of the Reporting Services Configuration tool. There must not be any Not configured options after the configuration is finished.
3. Open the Report Server Virtual Directory Settings section.
4. Click New to create a new virtual directory. This opens a dialog box with the default settings entered. To accept the default settings click OK.
5. Click Apply.
6. Select the Apply default settings check box and click Apply.
7. Open the Report Manager Virtual Directory Settings section.
8. Click New to create a new virtual directory. This opens a dialog box with the default settings entered. To accept the default settings click OK.
9. Click Apply.
10. Open the Web Service Identity section.
11. Click Apply to accept the default application pool names for the Report Server and the Report Manager, or click New to specify your own application pool names.
12. Click Apply.

The Reporting Services feature requires a SQL Server database (different from the Password Self-Service database) to store report server service data. You can create the report server database in the following ways:

- Automatically through Setup, if you choose the default configuration installation option in the SQL Server Installation Wizard, by selecting the Install the default configuration option in the Report Server Installation Options page.
- Manually through the Reporting Services Configuration tool.

To create a report server database:

1. Start the Reporting Services Configuration tool and connect to the report server instance you want to configure (the default instance name is MSSQLSERVER for SQL Server and SQLEXPRESS for SQL Server Express Edition).
2. In the Database Setup page, click Connect. This opens a SQL Server Connection dialog box.
3. Type the name of the SQL Server database engine you want to use.
4. Select the type of credentials used to connect to the SQL Server. You can specify a SQL Server login or use your credentials. The credentials you specify must have permission to log on to the server. Click OK.
5. In the Database Setup page, click New. This reopens the SQL Server Connection dialog box.
6. Type the name of the SQL Server database engine and select credentials. The credentials you specify must have permission to create a database.
7. Type the name of the report server database. A temporary database is created along with the primary database.
8. Choose the language to use, and then click OK.
9. In the Database Setup page, specify the credentials used by the report server to connect to the report server database.
   a. Select the Service credentials option to use the Windows service account and Web service account to connect through integrated security.
   b. Select the Windows credentials option to specify a domain user account. A domain user account must be specified as <domain>\<user>.
   c. Select the SQL Server credentials option to specify a SQL Server login.
10. Click Apply.
A report server database can be created on a local or on a remote SQL Server database engine instance.

When you finish the Report Server configuration, restart the Report Server instance for the changes to take effect. You can restart the Report Server by clicking the Stop button and then the Start button on the Server Status tab of the Reporting Services Configuration tool. If the configuration is performed correctly, the Initialization will be successfully passed for the Report Server instance.

Follow this checklist to verify Password Self-Service reporting functionality configuration and settings.

Step

1. Ensure that MS SQL Server with the Reporting Services component is installed and configured. Refer to MS SQL Server documentation and to the Quick Start Guide.
2. Install ScriptLogic Password Self-Service and its components. Refer to the Quick Start Guide.
3. Ensure that the DefaultAppPool, QPM, and ReportServer application pools are running in the IIS Manager on the QPM and the Report Services servers. If any of these pools are not running, start them manually.
4. Ensure that the Default Web Site is running in the IIS Manager on the QPM and the Report Services servers. If the web site is not running, start it manually.
5. Connect to the Reporting Services server through the Password Self-Service Administration site.

The interactive Web-based reports are built using the data that the report server retrieves from the Password Self-Service SQL database. For more information on Reporting Services setup and configuration, refer to SQL Server documentation.

Reporting Services firewall issues

If Password Self-Service fails to operate properly in a network environment protected by a firewall, configure the firewall to allow Password Self-Service to communicate with all the required applications and services.
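The IIS items of the checklist above (the application pools and the Default Web Site) can be checked from PowerShell instead of IIS Manager. The script below is an added example, not part of the product or of the original guide; it assumes IIS 7.5 or later with the WebAdministration module and an elevated session, and the function names Get-ChecklistItem and Test-ReportingChecklist are hypothetical.

```powershell
# Added example: verifies the IIS items from the reporting checklist on the local server.
# Assumption: IIS 7.5 or later with the WebAdministration module, elevated session.
Import-Module WebAdministration

# Names exactly as given in the checklist of this guide.
$RequiredPools = @('DefaultAppPool', 'QPM', 'ReportServer')
$RequiredSite  = 'Default Web Site'

function Get-ChecklistItem {
    # Hypothetical helper: reports the state of one application pool or web site
    # and, if requested, starts it when it is not running.
    param(
        [ValidateSet('AppPool', 'Site')][string]$Type,
        [string]$Name,
        [switch]$StartIfStopped
    )

    $path   = if ($Type -eq 'AppPool') { "IIS:\AppPools\$Name" } else { "IIS:\Sites\$Name" }
    $state  = 'Missing'      # stays 'Missing' when the object does not exist on this server
    $action = 'None'

    if (Test-Path $path) {
        if ($Type -eq 'AppPool') { $state = [string](Get-WebAppPoolState -Name $Name).Value }
        else                     { $state = [string](Get-WebsiteState -Name $Name).Value }

        if ($state -ne 'Started' -and $StartIfStopped) {
            # The checklist says to start a stopped pool or site manually.
            if ($Type -eq 'AppPool') { Start-WebAppPool -Name $Name }
            else                     { Start-Website -Name $Name }
            $action = 'StartRequested'

            # Read the state again so the report shows the result of the start request.
            if ($Type -eq 'AppPool') { $state = [string](Get-WebAppPoolState -Name $Name).Value }
            else                     { $state = [string](Get-WebsiteState -Name $Name).Value }
        }
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Type     = $Type
        Name     = $Name
        State    = $state
        Action   = $action
    } | Select-Object Computer, Type, Name, State, Action
}

function Test-ReportingChecklist {
    # Returns one row per checklist item (three application pools, one web site).
    param([switch]$StartIfStopped)

    $items = @()
    foreach ($pool in $RequiredPools) {
        $items += Get-ChecklistItem -Type AppPool -Name $pool -StartIfStopped:$StartIfStopped
    }
    $items += Get-ChecklistItem -Type Site -Name $RequiredSite -StartIfStopped:$StartIfStopped
    $items
}

# Report only; call Test-ReportingChecklist -StartIfStopped to start stopped items.
$report = Test-ReportingChecklist
$report | Format-Table -AutoSize

$notRunning = @($report | Where-Object { $_.State -ne 'Started' })
if ($notRunning.Count -gt 0) {
    Write-Warning ("Items not running on {0}: {1}" -f $env:COMPUTERNAME,
        (($notRunning | ForEach-Object { $_.Name }) -join ', '))
}
```

Run it on each server named in the checklist. An item reported as Missing does not exist on that server; the script cannot tell whether that component is simply hosted on the other server.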
THE PASSWORD SELF-SERVICE DATABASE IN SQL SERVER

This section provides instructions on how to perform administration and maintenance of the Password Self-Service SQL Server database. The following topics are covered:

- Database Size.
- Database Cleaning.
- Database Backup and Database Restore.
Database Size

The Password Self-Service SQL Server database is populated with the data from the following data sources:

- The Password Self-Service instance activity. The Password Self-Service instance populates the dbo.domainuseraction table of the Password Self-Service database. The table logs every action performed by users, therefore its size increases relatively quickly.
- The "ScriptLogic Password Self-Service" scheduled task. The "ScriptLogic Password Self-Service" scheduled task populates all the other tables of the Password Self-Service database with user statistic information. These tables grow relatively slowly.

Note: The only data stored in the Password Self-Service database is user action history and statistics; neither user profiles nor passwords are stored in this database.

Database Cleaning

In the previous versions of Password Self-Service, to prevent the Password Self-Service database from growing indefinitely, administrators had to regularly clean data from the database. Now, you can configure Password Self-Service to automatically delete the log records older than a specific date. For more details, see the "Using Reports" section in this document.

Database Backup and Restore

To back up and restore the database, which may be needed for database backup purposes or for moving the database to a different server, you can use the standard SQL Server management tools, for instance SQL Server Management Studio. For information on how to perform MS SQL database backup and restore operations, refer to MS SQL Server documentation.

THE SCHEDULED TASKS IN PASSWORD SELF-SERVICE

When installing Password Self-Service, Password Self-Service setup adds two scheduled tasks on the computer where Password Self-Service is installed: ScriptLogic Password Self-Service and ScriptLogic Password Self-Service Publisher.

By default, the ScriptLogic Password Self-Service task runs every day at 1:00 AM. Normally, it is not recommended to change the schedule, although if you have other heavy-duty tasks (for instance, an Active Directory backup task) running at that time, we recommend that you reschedule the ScriptLogic Password Self-Service task to run in off-peak hours.

The ScriptLogic Password Self-Service task is used to do the following:

- Enumerating users for licensing purposes
  Password Self-Service is licensed for a specific number of user accounts enabled for management by Password Self-Service in all managed domains. The ScriptLogic Password Self-Service task checks whether the managed user count is within the license limit.
- Sending notifications and setting deadlines for user registration
  If you configure a notification schedule, the task will enumerate all enabled users in the managed domains, set the registration deadlines if required, and send registration enforcement messages. Once you configure a notification schedule, the changes affect users only after the ScriptLogic Password Self-Service task runs. Thus, to immediately enforce registration or distribute notification messages, you can run the task manually.
  Note: Depending on the number of users in the managed domain, this operation may overload domain controllers and the server running Password Self-Service.
- Collecting statistic information about users, including the total user count, the number of users registered and the users not registered with Password Self-Service, the number of users required to register with Password Self-Service, and the number of users required to update their profile. This information is collected for all the domains managed by the specific Password Self-Service instance and displayed on the home page of the Administration site.

The ScriptLogic Password Self-Service Publisher task publishes the Password Self-Service connection points in all the domains managed by the underlying Password Self-Service instance. Secure Password Extension relies on these service connection points for locating the Password Self-Service instance that hosts the Self-Service site. For more information on Password Self-Service connection points, see Self-Service Site Location and Service Connection Points.
Glossary

A

account
   A record that consists of all the information that defines a user to Microsoft Active Directory. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources.

application log
   The log that lists all actions performed by ScriptLogic Password Self-Service.

attribute
   A piece of data that stores information that is specific to an object. A set of attributes stores the data that defines an object.

D

domain
   A logical collection of resources that consists of computers, printers, computer accounts, user accounts, and other related objects.

domain controller
   For a Windows Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

G

Group Policy
   An administrator's tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization.

Once a Questions and Answers Profile becomes invalid, its owner can use it only once to reset a password or unlock an account. Then they must recreate their Questions and Answers Profile.
L

locked Questions and Answers Profile
   A Questions and Answers Profile that temporarily cannot be used. A Questions and Answers Profile can become locked after a number of unsuccessful attempts to answer the questions.

M

mailbox
   The delivery location for all incoming mail messages addressed to a designated owner. Information in a user's mailbox is stored in the private information store on a Microsoft Exchange server computer. A mailbox can contain received messages, message attachments, folders, folder hierarchy, and more. Server applications for Microsoft Exchange server are often designed with a mailbox for communication.

mandatory question
   A question, the same for all users in a domain, that a person must answer in order to authenticate themselves using ScriptLogic Password Self-Service.

managed domain
   A domain registered with ScriptLogic Password Self-Service. You can manage multiple domains by using ScriptLogic Password Self-Service.

mixed mode
   The default mode setting for domains on Windows 2000/2003/2008 domain controllers. Mixed mode allows Windows 2000/2003/2008 domain controllers and Windows NT backup domain controllers to co-exist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000/2003/2008.

N

native mode
   A Windows 2000/2003/2008 Domain is in native mode when:
   - All domain controllers in the domain have been upgraded to Windows 2000/2003/2008.
   - An administrator has enabled the native mode operation using the domain property page in the Active Directory Users and Computers snap-in.

O

optional question
   A question from the pre-defined list that a person must answer in order to authenticate themselves using ScriptLogic Password Self-Service.

organizational unit
   An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain.

P

Password Self-Service Realm
   A set of Password Self-Service instances sharing common configuration to ensure enhanced availability and load balancing. A single domain may be managed by several different Password Self-Service realms.

Password Self-Service Realm Affinity
   An association between Secure Password Extension and a Password Self-Service. If you enforce an affinity to a specific Password Self-Service realm using Group Policy, all the clients running Secure Password Extension and affected by this policy will use only the Password Self-Service instances that belong to the specified realm.

Q

Questions and Answers Profile (Q&A Profile)
   A set of questions selected by a user from the Questions and Answers Profile template, and that user's answers to them. A Questions and Answers Profile is used to authenticate a person using ScriptLogic Password Self-Service.

Question list
   A set of questions used in creating users' Questions and Answers profiles. The list is defined by the administrator and contains a series of questions in a certain language that users from a specific domain must answer in order to create or update their personal Questions and Answers profiles. A question list defines the number of questions of each type and the wording of mandatory and optional questions.

S

Secure Password Extension
   A component of Password Self-Service that facilitates access to the Self-Service site from the Windows logon screen. This component is installed on end-user computers.

site
   One or more Microsoft Exchange servers that provide services to a set of users. Sites can be centrally managed and can span physical locations.

special character
   A character that is neither alphabetic nor numeric.

U

user-defined question
   A question that a person must provide along with the answer in order to authenticate themselves using ScriptLogic Password Self-Service.
ScriptLogic File System Auditor User Guide
ScriptLogic File System Auditor User Guide FILE SYSTEM AUDITOR I 2005 by ScriptLogic Corporation All rights reserved. This publication is protected by copyright and all rights are reserved by ScriptLogic
NETWRIX FILE SERVER CHANGE REPORTER
NETWRIX FILE SERVER CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 3.3 April/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute
Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide
Foglight Foglight for Virtualization, Free Edition 6.5.2 Installation and Configuration Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.
Sophos for Microsoft SharePoint startup guide
Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning
7.5 7.5. Spotlight on Messaging. Evaluator s Guide
7.5 Spotlight on Messaging 7.5 Evaluator s Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide
ActiveRoles 6.8. Web Interface User Guide
ActiveRoles 6.8 Web Interface User Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
Microsoft Dynamics GP. Workflow Installation Guide Release 10.0
Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of
Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server
2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.
Microsoft Dynamics GP. Engineering Data Management Integration Administrator s Guide
Microsoft Dynamics GP Engineering Data Management Integration Administrator s Guide Copyright Copyright 2007 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is
safend a w a v e s y s t e m s c o m p a n y
safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:
NETWRIX USER ACTIVITY VIDEO REPORTER
NETWRIX USER ACTIVITY VIDEO REPORTER ADMINISTRATOR S GUIDE Product Version: 1.0 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute
Deployment Guide 6.7
Deployment Guide 6.7 2007 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software
Contents 1. Introduction 2. Security Considerations 3. Installation 4. Configuration 5. Uninstallation 6. Automated Bulk Enrollment 7.
Contents 1. Introduction 2. Security Considerations 3. Installation 4. Configuration 5. Uninstallation 6. Automated Bulk Enrollment 7. Troubleshooting Introduction Adaxes Self-Service Client provides secure
formerly Help Desk Authority 9.1.3 HDAccess User Manual
formerly Help Desk Authority 9.1.3 HDAccess User Manual 2 Contacting Quest Software Email: Mail: Web site: [email protected] Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA
WhatsUp Gold v16.2 Installation and Configuration Guide
WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
Quick Connect Express for Active Directory
Quick Connect Express for Active Directory Version 5.2 Quick Start Guide 2012 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see
DriveLock Quick Start Guide
Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
Dell Spotlight on Active Directory 6.8.3. Server Health Wizard Configuration Guide
Dell Spotlight on Active Directory 6.8.3 Server Health Wizard Configuration Guide 2013 Dell Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software
Bitrix Site Manager ASP.NET. Installation Guide
Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary
NetWrix Password Manager. Quick Start Guide
NetWrix Password Manager Quick Start Guide Contents Overview... 3 Setup... 3 Deploying the Core Components... 3 System Requirements... 3 Installation... 4 Windows Server 2008 Notes... 4 Upgrade Path...
Installation Guide for Pulse on Windows Server 2008R2
MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
MGC WebCommander Web Server Manager
MGC WebCommander Web Server Manager Installation and Configuration Guide Version 8.0 Copyright 2006 Polycom, Inc. All Rights Reserved Catalog No. DOC2138B Version 8.0 Proprietary and Confidential The information
Spotlight Management Pack for SCOM
Spotlight Management Pack for SCOM User Guide January 2015 The is used to display data from alarms raised by Spotlight on SQL Server Enterprise in SCOM (System Center Operations Manager). About System
Foglight. Managing Hyper-V Systems User and Reference Guide
Foglight Managing Hyper-V Systems User and Reference Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this
Installation Guide for Pulse on Windows Server 2012
MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
Enterprise Single Sign-On 8.0.6. SSOWatch Administrator Guide
Enterprise Single Sign-On 8.0.6 SSOWatch Administrator Guide 2013 Quest Software, Inc. and/or its Licensors ALL RIGHTS RESERVED. This publication contains proprietary information protected by copyright.
Resource Online User Guide JUNE 2013
Resource Online User Guide JUNE 2013 CHASE PAYMENTECH SOLUTIONS MAKES NO WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
HDAccess Administrators User Manual. Help Desk Authority 9.0
HDAccess Administrators User Manual Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks
Dell InTrust 11.0. Real-Time Monitoring Guide
Dell InTrust 11.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure
Kaseya Server Instal ation User Guide June 6, 2008
Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's
Active Directory Manager Pro Quick start Guide
Active Directory Manager Pro Quick start Guide Software version 5.0.0.0 JUNE 2014 General Information: [email protected] Online Support: [email protected] Copyright 2014 CionSystems Inc., All
Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability
Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability May 2015 Cloning the database Cloning the STS host Cloning the proxy host This guide describes how to extend a typical
Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide
Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government
Quest ChangeAuditor 4.8
Quest ChangeAuditor 4.8 Migration Guide Copyright Quest Software, Inc. 2009. All rights reserved. This guide contains proprietary information protected by copyright. The software described in this guide
Dell Enterprise Reporter 2.5. Configuration Manager User Guide
Dell Enterprise Reporter 2.5 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license
Dell InTrust 11.0. Preparing for Auditing and Monitoring Microsoft IIS
Preparing for Auditing and Monitoring Microsoft IIS 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
Symantec AntiVirus Corporate Edition Patch Update
Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec
Secure and Efficient Log Management with Quest OnDemand
Secure and Efficient Log Management with Quest OnDemand TECHNICAL BRIEF 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of
Administrators Help Manual
Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service
About Recovery Manager for Active
Dell Recovery Manager for Active Directory 8.6.1 May 30, 2014 These release notes provide information about the Dell Recovery Manager for Active Directory release. About Resolved issues Known issues System
Policy Based Encryption E. Administrator Guide
Policy Based Encryption E Administrator Guide Policy Based Encryption E Administrator Guide Documentation version: 1.2 Legal Notice Legal Notice Copyright 2012 Symantec Corporation. All rights reserved.
Policy Based Encryption E. Administrator Guide
Policy Based Encryption E Administrator Guide Policy Based Encryption E Administrator Guide Documentation version: 1.2 Legal Notice Legal Notice Copyright 2012 Symantec Corporation. All rights reserved.
Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop
Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop TABLE OF CONTENTS 1 INTRODUCTION... 3 2 LANDSCAPE DETAILS... 3 2.1 Server Details... 3 2.2 Landscape
CA Spectrum and CA Service Desk
CA Spectrum and CA Service Desk Integration Guide CA Spectrum 9.4 / CA Service Desk r12 and later This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter
Dell One Identity Cloud Access Manager 7.0.2. Installation Guide
Dell One Identity Cloud Access Manager 7.0.2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under
