NetWrix Password Manager. Quick Start Guide




Contents

Overview
Setup
Deploying the Core Components
System Requirements
Installation
Windows Server 2008 Notes
Upgrade Path
Deploying the Logon Prompt Extension
System Requirements
Manual Deployment
Deployment via Group Policy
Error 401: Unauthorized
Reinstallation and Upgrade through Group Policy
Sample Deployment and Configuration
Installing and Configuring Components
Enrolling a Test User
Testing Self-Service Portal Functionality
Testing Logon Prompt Extension Functionality
Testing Help Desk Portal Functionality
Further Information

Overview

Password management is the most common IT support issue and generates the most help desk workload in many organizations. Password complexity and expiration policy requirements lead to frequently forgotten passwords and account lockouts, increasing the overall administrative burden. NetWrix Password Manager is a simple and cost-effective solution that gives end users the ability to securely manage their passwords and resolve account lockout incidents in a self-service fashion without calling help desk personnel. With NetWrix Password Manager, you can increase your overall IT department efficiency by enabling user self-service password management.

Setup

After deployment of the product is complete, its components are typically distributed as follows:

- The core Password Manager service runs on a member server in an Active Directory domain. Installation of the service on domain controllers is possible but not recommended.
- The Web application that exposes the functionality of the core service is installed on the same computer as the service (though you may want to have it installed in a DMZ).
- The Logon Prompt Extension is installed on end users' computers (this component is optional).
- The administrative, help desk and self-service portals provided by the Web application are available through web browsers from anywhere in the domain and optionally from the Internet.

The Logon Prompt Extension and the self-service portal are functionally equivalent. Depending on your policies, you can deploy either of these components without the other and not sacrifice any functionality. Alternatively, you can deploy both of them to give end users more self-service access options.
Deploying the Core Components

System Requirements

Server and Web application:

- Platform: Intel x86, AMD 32 or 64 bit
- Operating system: Windows XP Service Pack 2 or later, Windows Server 2003 Service Pack 1 or later, Windows Vista, Windows Server 2008
- Memory: minimum 512 Mbytes
- Hard Disk Space: minimum 20 Mbytes
- Microsoft Internet Information Services 6.0 or later

Web client:

- Microsoft Internet Explorer 6.0 or later
- Mozilla Firefox 2.0 or later
- Apple Safari 2.0 or later

Logon Prompt Extension:

- Windows XP SP2 with Internet Explorer 6.0 or higher
- Windows Vista SP1

Installation

1. Run the product setup file (prm_setup.exe). It is recommended to install the product on a member server or workstation, not a domain controller. For installation on Windows Server 2008, please see Windows Server 2008 Notes below.
2. In a simple scenario, leave all settings in the default state and supply only the service account. Password Manager comes with an account lockout troubleshooting module, and in order to utilize it, the service account must have rights to access the Security event logs on domain controllers (by default, only members of the Domain Admins group have this right). If you do not require the account lockout troubleshooting module, simply use an account that does not have DC event log viewing privileges; the absence of these privileges will not prevent the essential Password Manager operation.
3. The administrative portal is started in the default web browser after installation is finished.

It is recommended that you enable the HTTPS protocol for the Web server on the computer that hosts the Password Manager core components. For details on enabling encryption for Internet Information Services, see the following links:

http://support.microsoft.com/kb/299875
http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-7/

For advanced installation scenarios, e.g. installing on an Internet-facing DMZ server, please refer to the Password Manager Administrator Guide.

Windows Server 2008 Notes

The Web Server role must be installed (disabled by default) with the following features enabled:

- IIS 6 Management Compatibility
- ASP extension
- ISAPI extensions
- Windows Integrated Authentication

Upgrade Path

1. Back up the three *.bin files in the product installation folder.

2. Install the new version (launch prm_setup.exe). All existing settings will be preserved; no reconfiguration is required.

Deploying the Logon Prompt Extension

The Logon Prompt Extension can be installed in several ways. This document describes manual installation and deployment through Group Policy. For more deployment options, see the Administrator Guide.

System Requirements

- Operating system: Microsoft Windows XP, Vista (with or without Service Packs), Windows Server 2003, or Windows Server 2008 (with or without Service Packs), or later
- Microsoft Internet Explorer 6.0 or later

Manual Deployment

To deploy the Logon Prompt Extension manually on the computers of your choice, run the prm_client.msi installation package on those computers. This file is located in the Password Manager installation folder.

Deployment via Group Policy

Prerequisites:

- NetWrix Password Manager must already be installed on a server machine.
- Group Policy Management Console is required. GPMC is a free download from the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=58541).

Take the following steps:

1. Start GPMC (Administrative Tools > Group Policy Management).
2. Right-click an OU (or the entire domain) containing your computers and select Create and Link a GPO Here.
3. Enter the name of the new GPO (e.g. NetWrix Password Manager).
4. Right-click the newly created GPO and select Edit to start the Group Policy Object Editor.
5. Navigate to the Computer Configuration > Administrative Templates node, right-click it and select Add/Remove Templates. Then click Add and browse for the netwrixpm.adm file (this file is installed into %ProgramFiles%\NetWrix Password Manager by default).
6. Navigate to the Computer Configuration > Administrative Templates > NetWrix Password Manager node, double-click Installation URL in the right pane, set Enabled and supply the URL of the already installed Password Manager (e.g. http://myserver/pm, or https://myserver/pm if HTTPS is configured on the Password Manager server).
7. Adjust advanced options (e.g. Suppress Enrollment Errors, Reset Local Credentials Cache) if required.

8. Place the prm_client.msi package in a network share, e.g. \\MYSERVER\Share (please make sure this share and its contents are available to all users).
9. Navigate to Computer Configuration > Software Settings > Software Installation, right-click it and select New > Package.
10. Select the package from the share chosen in the previous step.
11. In the Deploy Software dialog, select Assigned (this is the default value) and click OK.

Note: Automated deployment takes place during the next computer startup. The system is automatically restarted again after the installation.

Reconfiguration: Repeat steps 1, 4, 6-8 to update the URL of the Password Manager (for example, if you moved it to another server).

Error 401: Unauthorized

If an error like the following occurs on client computers when the Logon Prompt Extension tries to start:

Automatic user enrollment failed: Unauthorized (Error code: 401, URL: http://mywebserver/pm/gina_isprofilecreated.asp).

then ensure through Group Policy that the Password Manager Web site is present in the Intranet zone. To do so:

1. Use the Group Policy Object Editor snap-in to open the GPO that manages Logon Prompt Extension deployment.
2. Select the User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page node.
3. Open the properties of the Site to Zone Assignment List entry in the right pane.
4. Set this setting to Enabled and click Show.
5. In the Show Contents dialog box, click Add, add the Password Manager URL with the value set to 1 (Intranet Sites zone) and click OK.

The client computers need to be restarted for these settings to take effect.

The same configuration can be created using the registry (for example, if you want to create offline images for remote employees that don't process Group Policy):

1. Navigate to: HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
2. Create a key named as your domain name (e.g. example.com).
3. Under the newly created key, create a child key named as your server name (e.g. if the full name were myserver.example.com the value name would be myserver).
4. Create a DWORD value named https and set it to 1.
5. Repeat steps 2-4 for HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
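The registry procedure above as a PowerShell script that writes the zone mapping under both hives and reads it back (an added example, not part of the NetWrix guide). The domain, server and scheme defaults are the guide's sample values; the value name should match the scheme of your Password Manager URL, and the script must be run from an elevated prompt.

```powershell
# Added example, not from the NetWrix guide. Run from an elevated prompt.
# Defaults are the guide's sample names; replace them with your own values.
param(
    [string]$Domain = 'example.com',   # key created in step 2
    [string]$Server = 'myserver',      # child key created in step 3
    [ValidateSet('http', 'https')]
    [string]$Scheme = 'https'          # value name created in step 4
)

$ErrorActionPreference = 'Stop'

$zone    = 1   # 1 = Intranet Sites zone, the value the guide assigns
$hives   = 'HKEY_USERS\S-1-5-18', 'HKEY_USERS\.DEFAULT'   # steps 1 and 5
$zoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$results = foreach ($hive in $hives) {
    $key = "Registry::$hive\$zoneMap\$Domain\$Server"

    # Create the domain key and the server child key if they are missing.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Write the DWORD; -Force overwrites an older value, so reruns are safe.
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord `
        -Value $zone -Force | Out-Null

    # Read the value back so a failed write does not go unnoticed.
    $actual = (Get-ItemProperty -Path $key -Name $Scheme).$Scheme
    [pscustomobject]@{
        Key   = $key
        Value = $Scheme
        Zone  = $actual
        Ok    = ($actual -eq $zone)
    }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    throw 'Zone mapping was not written as expected.'
}
```
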

Reinstallation and Upgrade through Group Policy

Upload the new *.msi file to the network share specified in step 8 of the previous procedure. Then open the Group Policy Object Editor snap-in, and in the Software Installation section, right-click the NetWrix Password Manager Self-service Client package and select All Tasks > Redeploy application.

Sample Deployment and Configuration

This section describes the simplest deployment scenario and how you can verify that the configuration works. You can use this procedure for initial installation of the components, and later scale the deployment to your environment.

For this scenario, you need two computers: a member server where the core Password Manager service will run, and another member server or workstation to test the Web portals.

Installing and Configuring Components

1. Log on to the computer you have designated as the Password Manager server under an account with local administrative privileges (see the Deploying the Core Components section above for details).
2. Use prm_setup.exe to install the product on the computer.
3. Specify the service account with appropriate access rights to your domain accounts (to be able to reset passwords and unlock accounts).
4. IMPORTANT: After the installation is complete, please make sure that the service account has read/write rights to the *.bin files in the installation folder. This may not be true if the service account doesn't have local administrative rights on this server.
5. Open the Password Manager administrative portal from the Start menu.
6. Click Domains, and confirm that the current domain is set as the managed domain.
7. Copy the prm_client.msi file from the Password Manager installation folder to the computer where you are going to test the client applications, and launch the package on that computer to install the Logon Prompt Extension.

Enrolling a Test User

1. Create a test user account in the current domain, e.g. TestUser01.
2. On the client computer, log on as TestUser01.
3. The enrollment dialog should pop up automatically after logon. Complete the enrollment steps.

If instead of the enrollment dialog you get an error like the following:

Automatic user enrollment failed: Unauthorized (Error code: 401, URL: http://mywebserver/pm/gina_isprofilecreated.asp).

then add the Password Manager site to the list of trusted sites in the Internet Properties dialog box on the Security tab (Internet Options facility in the Control Panel).

As an alternative to the enrollment wizard, you can use the Enroll command in the self-service portal to enroll the test user.

Testing Self-Service Portal Functionality

1. On the client computer, open the URL of the self-service portal in Internet Explorer (http://<password_manager_server>/pm/ by default). If the Web page cannot be displayed due to authentication problems, add the Password Manager site to the list of trusted sites in the Internet Properties dialog box on the Security tab (Internet Options facility in the Control Panel).

2. In the self-service portal, click Reset Password, and specify the TestUser01 account.
3. Reset the password of the account.
4. Log off and log on as TestUser01 again.

Testing Logon Prompt Extension Functionality

1. On the client computer, induce the lockout of the TestUser01 account by deliberately making multiple failed logon attempts in a row.
2. Click the Logon Assistance button at the bottom of the logon prompt dialog.
3. In the Logon Assistance Wizard that starts, unlock the account.

If you get an error with error code 401 instead of the wizard window, this means that you are not authorized to access the Password Manager site. For details about correcting this error, see the Error 401: Unauthorized section above.

Testing Help Desk Portal Functionality

1. On the client computer, induce the lockout of the TestUser01 account by deliberately making multiple failed logon attempts in a row.
2. Log in at the client computer under the account you used for Password Manager installation.
3. Open the URL of the help desk portal in Internet Explorer (http://<password_manager_server>/pm/helpdesk by default). If the Web page cannot be displayed properly due to security zone restrictions, add the Password Manager site to the list of trusted sites in the Internet Properties dialog box.
4. In the help desk portal, find the locked TestUser01 account and unlock it.

When you unlock an account, an identity verification window pops up. This window shows you the user's secret questions and the first and last characters in the answers. In real-life scenarios, this information is used to confirm the identity of the user who is requesting the operation. You should ask the user two or more random questions from the list and check that the answers match.

If you can successfully perform all of the suggested operations, the configuration works and can be further adapted to your environment.

Further Information

For more information about Password Manager not found in this guide, see the following documents:

- Administrator Guide: provides details on the configuration and administration of the product
- Help Desk Portal Help (click the Help link in the portal): describes the use of the help desk portal
- User Guide (click the Help link in the portal): describes the use of the self-service portal

© 2009 NetWrix Corporation. All rights reserved. NetWrix and Password Manager are trademarks of NetWrix Corporation and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.