ArcWeb Admin Guide - Lieberman Software

Contents

1. Contents (continued): Change a Forgotten Password Logon; Setup My; Scheduling Reporting; Account Tasks; View Task Results; Manage; View Sync Results.

    Copyright 2003-2012 Lieberman Software Corporation. All rights reserved. The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development, this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Lieberman Software.
2. [Screenshot: task properties form with the schedule (days of the week, run at Noon or Midnight, Last Run: Never), Target Groups (DEMO\Domain Users), a Filter Users box for user names to ignore, the task details ("Find accounts whose password will expire in 14 day(s)"), the actions (Disable the user's account, Enable the user's account, Send the user an email), a sample email body ("%RealName%, your account will expire in %PwdDaysToExp%. Please change your password before it expires to avoid having your account disabled."), the user email keywords RealName (user's full name as stored in Active Directory) and PwdDaysToExp (days until the user's password expires), an Email Result To field, and the Save, Save and Run Now, and Return buttons.]

    Don't forget: leaving a task in the inactive reports area will cause the report to never run, despite any scheduling option configured within the task. To allow a task to run on a scheduled basis, provide the days for it to run and activate the question by clicking the Activate link next to the question.

    View Tasks Results is located in the Scheduling Reporting area. Any task which has been run can have its results in the View Reports section of the Scheduling Reporting area. There are two lists to choose the report from. The Most Recent Tasks list contains the 10 most recent reports. Th
3. THE FIRST LOGIN SCREEN

    Following the initial installation of Account Reset Console, nothing will be configured. This means that only users who are direct members of the super users group configured during installation will be able to perform an initial login and configuration. Being a direct member means that the user account is found in the "member of" tab of the specified group, as opposed to belonging to a group that belongs to that group.

    To perform the initial login, type the user name and password, choose the domain from the drop-down list, then click the Log In button.

    [Screenshot: Account Reset Console "Please log in" page with User Name, Password and Domain fields and the "Forgot your password? Locked out? Reset Password / Unlock" links.]

    If the login account is not a member of the super users group during the first login following the tool's configuration, the login account will be unable to log in. To fix this, use the ARC Admin Console (ArcAdminConsole), found in the ArcWeb folder on the host system's Start menu. Click the Add Super Users Group link and type the name of a group in which the login account is a direct member. Once logged into the website, further changes may be made to the delegation structure.

    [Screenshot: ARC Admin Console menu (User Reset Tools, Web Pane Controls).]
4. [Screenshot: password reset form with a Retype New Password field, an "unlock the account only" option, and the password requirement: "The password must contain at least one of the following three types: upper case, lower case, number, special character."]

    Any success or failure messages will appear on a subsequent dialog. If the reset/unlock was successful, the user may log on as normal.

    [Screenshot: Account Reset Console message: "Congratulations! Your account is unlocked and your password was changed successfully. To enroll your identity for self-service reset/unlock, go to Accounts > Setup My Identify."]

    This page is used to configure verification answers for self-service password reset/account unlock. The questions presented on this page are defined by the administrator of Account Reset Console. For more information on configuring questions, see the Verification section in the Configuration area.

    A user must supply answers to all questions posed. When the verification questions are not complete, there will be a notice that states "Your verification information is not complete". Once all of the questions are answered, the user will click the Save button. Answers provided on this page are not case sensitive, though constraints defined in the Self Reset Features section will determine what kind of answers are allowed.

    You are required to complete 2 out of the following 3 question(s): What is your first pet's name? What is you
5. It is recommended to set this to optional or never.

    - UNLOCK LOCKED ACCOUNTS: if an account has become locked out because of failed login attempts, ARC can unlock the account by resetting its password. It is recommended to set this to optional or always.
    - REQUIRE THAT RESET PASSWORDS BE CHANGED ON NEXT LOGIN: this will set the "password must be changed at next login" flag on the user's account, which will force the user to change the password on next login. For web applications or other interfaces that are incapable of resetting a user's password, this may pose a problem, as the user will be unable to change their password the next time they log in and may be unable to access resources until they have access to a Windows system. The downside of not setting this flag is that now the help desk user and the user both know the password. It is recommended to set this to optional or always.

    By default, these items are set to optional, which means that a help desk user will have the choice to perform or not perform these actions; by default the action will be performed. When the options are set to never, the tool will not show these options during a password reset and the tool will not perform these actions. When the options are set to always, the tool will not show these options and the tool will always perform these actions.

    "Prevent help desk from seeing the answer" is designed to mask the verification answers of users when a help desk user is typing in the
6. Match criteria: DEMO\user01. Send alert email: Failure, no email address available.

    To view synchronization tasks, go to Scheduling Reporting > Manage Synchronization.

    Settings Synchronization is used to save all of ARC's settings to its main database. The purpose of this is two-fold:

    - If there is need for a restoration of Account Reset Console to a new server.
    - Multiple ARC Web Servers are configured in an NLB scenario.

    In the latter scenario, changes made to one ARC server's configuration would be replicated to the other ARC servers.

    [Screenshot: "Configure Scheduled Synchronization Here" page with an Active Synchronization list (SaveToDB, Save Settings to Database, with Deactivate, Edit and Delete links), an Inactive Synchronization list, a Run Selected Synchronization Now button, and an Add New Synchronization form with Schedule Name and Type (Save Settings to Database / Load Settings from Database).]

    To write the settings to the database, supply a name for the Synchronization Schedule, then click Add. This will add the update task in a deactivated state. Such a job could be run at will by selecting the job and clicking Run Selected Synchronization Now.

    To read settings from the database, supply a name for the Synchronization Schedule and choose the option to Load Settings from Database, then click Add. This will add the update task in a deactivated state. Such a job could be run a
7. Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

    Lieberman Software Corporation, 1900 Avenue of the Stars, Suite 425, Los Angeles, CA 90067, 310 550 8575. Internet E-Mail: support@liebsoft.com. Website: http://www.liebsoft.com

    LICENSE AGREEMENT

    This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation, as well as all accompanying items, promptly for a refund.

    Section 1, Your Rights: Lieberman Software hereby grants you the right to use User Manager Pro to manage the licensed number of systems purchased. This software is licensed for use by a single client and its designated employees, contractors and authorized 3rd parties to manage the systems owned/used by a single client. The software license may not be shared with unrelated 3rd parties. The serial number provided by Lieberman Software is designed for installation on a specific machine. You may install an unlimited number of copies of User Manager Pro for your administrators that connect to the single licensed machine. All administrators
8. Reset Console, there are many settings. The settings pertaining to global program operation are controlled through the Configuration area. The Configuration area is used to configure the following items:

    - DATA SOURCES: data sources are used for logging databases for the actions that occur within ARC and are used for storage and retrieval of user verification questions. Configure the server and database that ARC will connect to, and the method for how ARC will connect to it, from this page; this area does not identify what the databases will be used for. The issue of how a given database will be used once configured for use is addressed in either the Log Config or Verification Q&A for Self Service areas.
    - LOG CONFIG: identify the database (previously configured under data sources) that you would like ARC to log its use information to.
    - VERIFICATION: define the questions that will be used for self-service reset. Self-service reset allows users to reset their own password when they have forgotten it, without involving your help desk. When defining a question, you may choose to use the default database, or you may identify other data sources (previously configured under data sources) to store and/or retrieve questions and answers from.
    - DOMAINS: identify the default domain that appears in the drop-down list during logon, password reset operations, and delegation changes. Also identify what domains may be managed if multiple trusting do
9. To configure Super Users, go to Configuration > Super Users.

    Groups defined here in the Super Users section have full control of the ARC application regardless of any other delegated rights or lack thereof, including changing delegations, manipulating data sources, changing security, etc. By default, this list contains only the group identified during installation of Account Reset Console.

    To add a new group to the list of super users, choose the correct domain and enter the group name in the group name field towards the top right of this screen, then click Add Super Users. If the add is successful, the group will appear in the list below as an Allowed Windows Group. To remove a group, simply click the Delete link next to the group name.

    [Screenshot: Global Program Access Rules table with the Global Access Category "Allow application config" granted to the Allowed Windows Group demo\domain admins (Delete link), and an "Add a New Application Superuser Group" form with a domain drop-down (DEMO), a group name field and an Add button.]

    MANAGEMENT

    The settings defined in Management are for delegations, resetting of other users' passwords, self-service reset abilities, appearance, and email settings. There are many settings which can be made here which change the user's experience when resetting another user's or their own password. Incorrect settings made here can block ARC from working. Please be sure to read about the settings when making changes.

    PROGRAM ACCESS

    To configur
10. [Screenshot: verification question prompt ("your first pet's name") with Submit Answer and Cancel buttons.]

    Based on the options defined in Management > Self Reset Options, the user may be able to select among up to three actions:

    - Unlock the account only
    - Reset the password only
    - Unlock and Reset the Password

    The user will enter the new password twice, then click Change.

    [Screenshot: Self Service Options form with the three actions above, the prompt "Please enter your new Password twice to reset", User Name DEMO\susan, New Password and Repeat New Password fields, and a Change button.]

    Once the user clicks Change, logging messages will appear indicating success or failure for each step ARC goes through during a reset/unlock/notify process.

    Results:

    3/22/2012 5:49:33 AM Password by DEMO\susan for account DEMO\susan Success Server 2K8R2 DC2

    3/22/2012 5:49:33 AM PwdExpired by DEMO\susan for account DEMO\susan Success Server 2K8R2 DC2

    3/22/2012 5:49:33 AM SetAccountFlags by DEMO\susan for account DEMO\susan Setting Flag Expired to FALSE

    Change a Forgotten Password is available from the Logon Provider when the feature is enabled. Account Reset Console allows for users to reset their own password in one of two scenarios:

    - If they know their current password.
    - If they have forgotten their current password but have enrolled for self-service reset.
11. Account Inactivity: find users whose accounts have not logged on in N days.

    [Screenshot: "Configure Scheduled Tasks Here" page with Active Tasks and Inactive Tasks lists, a Run Selected Tasks Now button, and an Add New Task form with Task Name and Task Type (Password Expiration, Self Reset Configuration, Account Inactivity).]

    When a task is first added, it will show under the Inactive Reports heading. The task must be edited before it is useful: identify the report parameters. Once those are done, activate the question or leave it inactive. Leaving a question inactive simply means it will not run on an automatic scheduled basis. Tasks may be run ad hoc at any time by selecting the report and clicking the Run Selected Reports Now button.

    [Screenshot: the same page with a "Password Expiry" task of type Password Expiration listed under Inactive Tasks, with Activate, Edit and Delete links.]

    To run the report on a scheduled basis (Active Task), choose the days for the report to run and whether the task should run at noon or at midnight. The task will run as a result of one of two scheduled tasks, probably called AT1 and AT2, in the scheduled tasks folder visible in Control Panel.

    Identify the target global group that Account Reset Console will report on. Once the name is typed, click the Add
12. ArcWeb Admin Guide, Lieberman Software Corporation

    CONTENTS

    - License Agreement
    - Limited Warranty
    - Pre-Usage Considerations
    - Initial Configurations
    - First Login Screen
    - Data Sources
    - Log Config
    - Adding or Updating Verification
    - Domain Details
    - Security
    - Program Access
    - Group Access
    - Help Desk Reset Features
    - Self Reset
    - Configure Email
    - How to Use Account Reset Console
    - Accounts
    - Lookup Reset
    - Change My
    - Change a Forgotten Password
14. [Screenshot: Group Access delegation form (DEMO\self service reset; permissions Reset Password and View User Answers; Add button).]

    To configure Help Desk Reset Features, go to Management > Help Desk Reset.

    Help Desk Reset Features are the settings that apply to users resetting other users' passwords using Account Reset Console. For settings that apply to users resetting their own passwords, see the section for Self Reset Features.

    The first setting, "Reset passwords through Account Reset Console", is the global setting to enable the functionality allowing users to reset other users' passwords. To allow users to reset other users' passwords, this setting must be enabled.

    The "Minimum number of questions help desk has to ask" setting is only valid if users have enrolled with the verification questions. If a user who is having their password reset has enrolled with verification questions and this setting is set to a number higher than 0, the help desk must ask the user that many verification questions. If the user has not answered that many questions, or there are not that many questions configured, then the help desk user will need to ask the user every question they have enrolled with.

    The next three options deal with specific user account flags and the preferred behavior of ARC in dealing with those flags when a user account is reset:

    - ENABLE DISABLED ACCOUNTS: if an account has been disabled by an administrator, ARC can re-enable the account by resetting its password.
15. Sample View Logs entries:

    3/22/2012 8:34:24 AM 192.168.20.183 logon success DEMO\SUSAN

    3/22/2012 8:35:13 AM 192.168.20.183 logoff DEMO\SUSAN

    3/22/2012 8:35:34 AM 192.168.20.183 logon success DEMO\SUSAN

    3/22/2012 8:35:46 AM 192.168.20.183 logoff DEMO\SUSAN

    (Record 1-10 of 13; the output can be saved as CSV.)

    To create account tasks, go to Scheduling Reporting > Account Tasks.

    Account Tasks reports are used to provide the administrator reports of users whose passwords will expire, users who have become inactive (have not logged on in a while), and users who have not enrolled for self-service reset. Account Tasks reports can also notify the specific user and take action against the user account, such as disabling accounts.

    By default, there are no account task reports configured. Create a task by choosing the task type, providing a name, and configuring the various options asked for within the task properties. The steps outlined below identify how to create a management report; the steps are the same no matter what report type. First, type in a report name, choose a report type, and click the Add button.

    - Password Expiration: find users whose passwords will expire in N number of days. A value of 0 days will look for accounts whose passwords are currently expired.
    - Self Reset Configuration: find users whose password verification information is not completely filled out.
16. ToDB 3/22/2012 9:09:13 AM: All actions were completed successfully.

    SyncTasks By Name: SaveToDB 3/22/2012 9:09:13 AM

    Below is a sample report.

    SyncTasks SaveToDB, run on 3/22/2012 9:09:13 AM. All actions were completed successfully.

    Configuration:

    - Task Description: Save settings to database
    - Task Computer Name: 2K332 UMPWEB
    - Task Action(s): email the user

    DEMO\Iscadmin: SyncToDB
17. [Screenshot: self-reset settings form listing: Allow users to unlock their own account via ID verification (Logon Provider); Allowed incorrect answers before account lockout: 3; Account lockout timeout (minutes): 3; Randomly choose verification questions from user's pool of questions; Number of verification questions user must answer: 3; Force user to change password on next login; Send verification failure to Administrator and Help Desk.]

    The Verification Answers Features subsection places constraints on the user's answers that may be provided for the verification questions during the ID verification enrollment process.

    - To help users properly fill out their verification answers the first time, enable "Display identity answer requirement". This option will display the elements to the user for a proper verification during the enrollment process.
    - To stop the user from entering repeated strings of characters, enable "Do not allow repeated character patterns such as AAAA".
    - Users will often input the text of the question as their answer; to stop this behavior, enable "Do not allow the answer to contain text from the question". However, if the user still includes additional text, they may work around this rule.
    - To stop users from re-using the same answer to all questions, enable "Do not allow questions to contain duplicate answers from other questions". As an example, the user would not be able to put in the answer "red" more than once.

    To stop the us
18. age of these features does not require the involvement of help desk. Enabling these features is not a requirement for users to reset their own password via ARC when the current password is NOT forgotten. To allow a user to reset their current password when the current password is not forgotten, use the Change My Password Features in the Accounts area.

    Account Reset Console provides two alternatives for users to reset their own password or unlock their own account when the current password is unknown. These available options are to perform these operations from the ARC website or from a Logon Provider. The Logon Provider is an additional component that would typically be installed on end users' workstations. Proper installation of the Logon Provider will create an additional element on the CTRL+ALT+DEL dialog of a Windows system. With this option, a user will not need to have access to a kiosk or a neighbor's computer.

    The options pertaining to website usage are labeled as "Website". The options pertaining to the Logon Provider are labeled as "Logon Provider". In either scenario, a user will have pre-enrolled with a series of admin-defined verification questions. These questions will be asked of the user when they begin the process, whether they are performing this from the website or from the Logon Provider.

    To allow a user to reset their own account via ID verification, enable the "Allow users to reset their own password via ID verification" option. To allo
19. authentication. This is only visible when the RSA client, supplied by RSA, is installed and functioning on the ARC host system.

    By default, the group identified as the super users group during setup is listed for each right.

    To add a group for user access, select the rights to assign from the top left of the page, then add the group name in the top right corner and click the Add button. The group name will appear in the Allowed Windows Groups column.

    [Screenshot: Global Program Access Rules table with the rights Allow Web Logon, View Console Logs and Task Reports, and Manage All Web Access Controls each granted to demo\domain admins (Delete link), and an "Add a New Global Program Access Rule" form with checkboxes for Allow Web Logon, View Console Logs and Task Reports, Manage All Web Access Controls, and Require Web Logon with RSA, a domain drop-down (DEMO) and an Add button.]

    Once a group has been allowed access, those rights may be removed at a later date. To remove an assigned right from a group, click the Delete link to the right of the group name.

    To configure Program Access, go to Management > Group Access.

    To allow users to reset their own passwords, no configurations need to be made to this page. However, certain options in the Self Reset Features section must be enabled.

    The Group Access section is used to delegate rights to reset passwords for specific groups of users. In order for a
20. button and the group name will appear in the Target Groups list.

    If there are users who are members of any of the groups being reported on who should not be included as part of the report, such as service or process accounts, type in their names in the format of domainName\userName in the Filter Users list. Multiple entries are separated by a semi-colon.

    Depending on the report type, a number may also be required, such as "Find accounts whose password will expire in N days". N is the inclusive number of days from today. For example, if you input a value of 60, the report will find any users whose passwords will expire any time within the next 60 days.

    Account Tasks provide additional functionality, such as the ability to disable or enable an account that meets the criteria of the report, or to notify that user that they were found by the report. If "Send the user an email" is selected, ARC will look up the user's email address attribute in Active Directory for this information.

    Optionally, provide an email address to email the report results to. If this value is not provided, the reports can still be viewed by examining the View Task Results section and choosing the report from the list.

    Once options are configured, click either Save or Save and Run Now, which would initiate the report right now. To exit without making any changes, click Return.
21. can share the pool of purchased managed node licenses. There are no limits to the number of web servers or clients that may access the data stored by your licensed copy of User Manager Pro. You may install and use the User Manager Pro Web Interface to Random Password Generator Password Recovery Console with your duly licensed copy of User Manager Pro Random Password Generator without any additional payment to Lieberman Software. The cost of Microsoft web servers, SSL certificates and other supporting equipment and technology are the sole responsibility of the user of this software, not Lieberman Software.

    Section 2, Copyright: The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g., a book or musical recording), except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk, provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also; you may not make copies of the manual for any purpose other than the use of the software.

    Section 3, Other Restrictions: You may not rent, lease or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an updat
22. [Screenshot: license page showing Managed User Count: 843 (Recalculate); Managed User Timestamp: 3/19/2012 12:01:21 PM; Version: 5.5.120314; Maximum Users: 5000; License Expiration Date: never; Support Expiration Date: 10/30/2012 11:53:53 AM.]

    If the key is accepted, the page will refresh and the text "License Key Updated" will appear in the above page.

    Following the initial installation, if licensing was configured using the website, the following steps need not be performed.

    To configure a new license using the ARC Admin Console, launch ArcAdminConsole from the ArcWeb folder found under the host system's Start menu. Click on the Set New License link in the ArcWeb Admin Tools section.

    [Screenshot: ARC Admin Console menu with User Reset Tools (Reset User Password), Web Pane Controls (Display the ARCWeb Docs Page (local), Go to Your Installation of ARCWeb) and ARCWeb Admin Tools (Add Super User Group Access, Remove Licensed Group, Add SQL Data Source, Change an Existing SQL Data Source, Manage Objects, Synchronize ARC Settings).]

    Enter the new updated license key and click OK.

    [Screenshot: Set ARCWeb License dialog prompting for the ARCWeb license sent to you by Lieberman Software.]

    If the key is accepted, the following dialog will appear. Click OK to continue.

    [Screenshot: ARCAdminConsole dialog: "Your ARCWeb license has been updated."]

    CONFIGURATION

    In Account
23. e, any transfer must include the update and all prior versions.

    Section 4, Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party.

    When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

    LIMITED WARRANTY

    The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30 days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual o
24. e Program Access, go to Management > Program Access.

    The Program Access section is the first part of delegating access to the console. This section provides global access to the ARCWeb console, but it does not grant the rights to reset other users' passwords. To control the rights of users who can reset other users' passwords, configure settings in the Group Access section as well.

    ARC does not perform recursive queries to determine group membership. Intended users must be direct members of the delegated groups.

    Rights are cumulative. If a user belongs to two or more groups granted access in this page, that user will be granted all of those rights.

    The rights defined on this page are:

    - ALLOW WEB LOGON: groups granted this right can log into the Account Reset Console. This right must be granted in order for any user to use this tool.
    - VIEW CONSOLE LOGS AND TASK REPORTS: this, in conjunction with the Allow Web Logon right, will allow users assigned this right the ability to log on and view the activity that takes place in this web application. These logs are available in the View Logs section of the Scheduling Reporting area.
    - MANAGE ALL WEB ACCESS CONTROLS: grants users the rights to change all delegations and options available in the Management area. This does not grant any configuration rights for any options or settings in the Configuration area.
    - REQUIRE WEB LOGON WITH RSA: will require the group of users to use RSA two-factor
25. e Tasks By Name list lists all reports by name that have been run. By clicking on links in that list, a list of all the run times for a particular report will be displayed and those reports can be viewed.

    Most Recent Tasks:

    - Password Expiry, 3/22/2012 8:59:38 AM: Some actions could not be completed
    - Password Expiry, 3/22/2012 8:59:02 AM: This task was run on no groups
    - Password Expiry, 3/22/2012 8:58:49 AM: This task was run on no groups

    Tasks By Name:

    - Password Expiry, 3/22/2012 8:59:38 AM

    Below is a sample report. The report will only contain entries that match the task criteria. If searching for users whose passwords will expire in N days, the report will only contain users matching that criteria. The task report will also contain information about any subsequent task it was supposed to perform, such as email users.

    Configuration:

    - Task Description: Find accounts that expire in 1000 days
    - Target Groups: DEMO\domain users
    - Task Action(s): email the user

    Report rows (page 1 of 2; columns: Domain\User, Action, Results):

    - Joe: Match criteria: DEMO\Joe. Send alert email: Failure, no email address available.
    - DEMO\dtest: Match criteria: DEMO\dtest. Send alert email: Failure, no email address available.
    - DEMO\jeff: Match criteria: DEMO\Jeff. Send alert email: OK.
    - DEMO\krbtgt: Match criteria: DEMO\krbtgt. Send alert email: Failure, no email address available.
    - DEMO\user01
26. e these settings are entered, click Save Data Source Settings. The connection will be verified at this time. If there are no problems, this page will refresh and the Status notification at the bottom of this page will display a green check mark next to your database with a status of OK.
[Screenshot: Edit Data Source form with fields Name (ARCDB), Type (SQL Server), Server Name, Database Name, Authentication (Windows Authentication or SQL Server Authentication), User Name, Password, and Status (Not Working)]
LOG CONFIG
To configure Logging database settings, go to Configuration, then Logging. The Log Config is used to identify the database, previously configured under data sources, that ARC should use to log its use information to. By default, ARC will use the Default Database configured during program installation. If additional data sources have been configured in the Data Sources area, it is possible to change the logging database to one of these data sources. If the required tables used to log the information are missing from the data source, ARC will attempt to automatically create the missing table.
Note: If the logging database is changed, information previously logged will not be copied or duplicated in any way to the new database.
Once the logging database has been changed by selecting it from the Logging Data Source drop-down menu, click the Update Logging Settings button. Once the update is compl
27. ect to and the method for how ARC will connect to it; this area does not identify what the databases will be used for. The issue of how a given database will be used, once configured for use, is addressed in either the Log Config or Verification areas. If a database will be used to store questions that will be used for verifying a user's identity to allow for self-service password reset or account unlock, then use the Verification link from the action menu. If this is the first time examining this page, notice there is already a data source that is configured with a name of Default Database. This is the database that was configured during the installation of Account Reset Console and is the default location for all logging and verification questions and answers. If any settings should change about that database, such as server name, database name or authentication method, select the Edit link inline with the named database. To add a new data source to use for logging or verification questions, supply the following information:
NAME: this is the friendly name as it will appear in drop-down lists within this tool.
TYPE: the type of database we are connecting to. Any ODBC/OLEDB data source can be used to retrieve or write information to. Choices are Microsoft SQL or Explicit ADO connection string, which is used for connecting to non-Microsoft databases.
Once this information is identified, click the Add button. Co
28. eir own passwords by logging into ARC. When users change their own passwords, ARC will default to using the authority and credentials of the COM object (see installation guide) that runs ARC. This has the same effect as performing an administrative password reset. This means that users have the potential to bypass domain password policies such as password history and minimum age. To ensure users adhere to defined domain policies, enable the option to Emulate the user account to comply with domain policies. When users change their own passwords, ARC also provides the option to expire them so that they must be changed on next login; generally this option should not be enabled. ARC can also display a useful message to users resetting their own password in this scenario. The message can be input in standard text or by using HTML formatting. To create a custom message to display to users when they are resetting their own password, enable Display the following HTML message to users resetting their own passwords.
[Screenshot: Change My Password Features options: Allow users to change their own passwords by logging into ARC; Emulate the user account to comply with domain policies; Display the following HTML message to users resetting their own passwords]
Use the Forgotten Password & Locked Out Features to allow users to reset their password or unlock their own account when the user's current password is unknown or their account is locked out. Us
29. er from supplying a blank answer to the question, enable Require a minimum character length for each answer and identify how many characters a user must input for their question's answers.
[Screenshot: Verification Answers Features options: Display identity answer requirement; Do not allow repeated character patterns such as AAAA; Do not allow the answer to contain word from the question; Do not allow questions to contain duplicate answers from other questions; Require a minimum character length for each answer (1)]
When a user attempts to reset their own password, ARC can notify the user that this process was even attempted. This is designed to keep the user aware of the goings-on of their own account. In order to notify the user, ARC will retrieve their primary e-mail address from Active Directory. If not using Active Directory, or this attribute is not configured, the user cannot be notified by ARC. The e-mail can be configured as plain text or HTML. Choosing to format the e-mail as HTML will require using HTML to write the e-mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
[Screenshot: When a User Resets Own Password options: Notify user of successful update status; Notify user of failed update status; message text "Dear RealName This is an automatic notification that an action to update your account has resulted in Result"; Plain Text or HTML Mail]
Help desk may be notified of successful or
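The four Verification Answers options described above (minimum length, no repeated character patterns, no word from the question, no duplicate answers across questions) can be expressed as a small validator for reviewing how strong a chosen configuration really is. This is an added example, not Lieberman Software's code; the function names, the exact definition of a "repeated pattern" and the three-letter word cutoff are assumptions.

```python
"""Added example: check enrollment answers against the four answer rules
the guide lists. ARC's real matching logic is not documented on this page,
so every threshold below is an assumption."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AnswerPolicy:
    forbid_repeated_patterns: bool = True
    forbid_question_words: bool = True
    forbid_duplicate_answers: bool = True
    min_length: int = 4  # assumption; the guide's screenshot shows a value of 1


# Assumption: one character repeated 4+ times ("AAAA"), or a 2-3 character
# unit repeated 3+ times ("ababab", "123123123"), counts as a repeated pattern.
_REPEAT = re.compile(r"(.)\1{3,}|(.{2,3})\2{2,}")
_WORD = re.compile(r"[a-z0-9]+")


def normalize(answer: str) -> str:
    """Answers are not case sensitive, so compare them case-folded and trimmed."""
    return " ".join(answer.casefold().split())


def validate_answers(answers, policy=AnswerPolicy()):
    """Return {question: [violations]} for a dict of {question: answer}."""
    normalized = {q: normalize(a) for q, a in answers.items()}
    # Count each non-empty answer so duplicates across questions are visible.
    counts = Counter(a for a in normalized.values() if a)
    report = {}
    for question, answer in normalized.items():
        problems = []
        # A blank answer is simply an answer of length zero.
        if len(answer) < policy.min_length:
            problems.append("too_short")
        if policy.forbid_repeated_patterns and _REPEAT.search(answer.replace(" ", "")):
            problems.append("repeated_pattern")
        if policy.forbid_question_words:
            # Ignore very short question words such as "is" (assumed cutoff: 3).
            q_words = {w for w in _WORD.findall(question.casefold()) if len(w) >= 3}
            if q_words & set(_WORD.findall(answer)):
                problems.append("question_word")
        if policy.forbid_duplicate_answers and counts[answer] > 1:
            problems.append("duplicate_answer")
        report[question] = problems
    return report


if __name__ == "__main__":
    # Constructed sample input using the question texts shown in the guide.
    sample = {
        "What is your first pet's name": "kitty",
        "What is your mother's maiden name": " KITTY ",
        "What is your favorite color": "AAAA",
    }
    for question, problems in validate_answers(sample).items():
        print(f"{question}: {problems or 'ok'}")
```

With every rule disabled and a minimum length of 1, the only answer rejected is a blank one, which is why the minimum length and the other three options are worth enabling together.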
30. ete, the status will change to OK.
[Screenshot: Current Settings table (Logging Data Source: Default Database, SQL Server, status OK) and Update Settings drop-down (Default Database) with Update button]
VERIFICATION
To configure verification questions, go to Configuration, then Verification. The Verification area is used to define the questions that will be used for user verification during self-service password reset or help-desk-initiated password reset of a user. Self-service password reset allows a user to reset their own password when they have forgotten it, without involving the help desk. When defining a question, possible data storage and retrieval locations are the Default Database or other configured data sources. Account Reset Console ships with three pre-existing questions that are configured as inactive. Before any user can take part in self-service password reset via ID verification, there must be at least one active question. Questions may be added to the active pool by selecting the Activate link next to the question. Questions may be added, edited or deleted entirely by using the respective Add Questions, Edit or Delete links. If any changes are made to the status of the questions, be sure to save the new settings using the Save Verification Options button at the bottom of the page. To add more verification questions, type in the text of the question in the Question Text field, then click Add Question. This wil
31. failed updates to the user's password. The e-mail addresses used for the help desk and ARC admin are defined in the Configure Email Settings area in the Management section. The e-mail can be configured as plain text or HTML. Choosing to format the e-mail as HTML will require using HTML to write the e-mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
[Screenshot: Notify help desk of successful update status; Notify help desk of failed update status; message text "The action by UserName RealName to update their user account with Action has resulted in Result. Action Performed: Action"; Plain Text or HTML Mail]
The admin may be notified of successful or failed updates to the user's password. The e-mail addresses used for the help desk and ARC admin are defined in the Configure Email Settings area in the Management section. The e-mail can be configured as plain text or HTML. Choosing to format the e-mail as HTML will require using HTML to write the e-mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
[Screenshot: Notify admin of successful update status; Notify admin of failed update status; message text "The action by UserName RealName to update their user account with Action has resulted in Result at Time from IPAddress. Action Performed: Action"; Plain Text or HTML Mail]
Email Keywords
RealName: User's full name as stored in Active Director
32. gured with Account Reset Console, the Accounts menu may display different options. For example, if a user can reset other user passwords, and ARC has been configured to allow resetting of one's own password both normally and via ID verification, a user will see three links on the Accounts menu:
1. Lookup Reset
2. Change My Password
3. Setup My Identity
These options are configured in the Help desk Reset Features and Self Reset Features sections of the Management area.
[Screenshot: Accounts menu with Lookup Reset, Change My Password and Set Up My Identity]
LOOKUP RESET
To begin a password reset for another user, go to Accounts, then Lookup Reset. Lookup Reset is the default page following a user logon. Here they will type in the user account name to be managed, choose the correct domain and then click Look Up Answers.
[Screenshot: "Enter a user name to look up" form with User Name, Domain (DEMO) and Look up Answers button]
Based on whether or not user verification is turned on and the help desk user has been granted the rights to look up this user's verification answers, the following screen will be displayed, wherein a user's verification answers can be validated. If the user has not enrolled yet, or enrollment is not required, ARC will go straight to the password reset screen. If the target account has enrolled with the verification questions, the help desk user must validate N user verification questions, where N is equal to the setting defined in the Help desk Rese
33. hat they need to enroll. This can be configured on the Account Tasks section under Scheduling Reporting. A user may reset their own forgotten password or locked out account by opening the Account Reset Console website, or optionally by clicking the link on their CTRL ALT DEL dialog prior to logging in, and selecting the Reset Password Unlock button at the bottom of the ARC logon page.
[Screenshot: Account Reset Console "Please log in" page with User Name, Password, Domain, and "Forgot your password? Locked out?" Reset Password Unlock button]
Enter the username, select the correct domain, then click Start.
[Screenshot: Password Reset "Please enter your user name to begin" form with User Name (susan), Domain (DEMO), Start and Cancel buttons]
Answer any verification questions that are prompted. Answers are not case sensitive. Click Submit Answer. If the answers are correct, the process will move forward. If any of the answers are incorrect, a brief error message will appear and the answers must be corrected. If incorrect answers are input N number of times, where N is defined in Management Self Reset options, the user will be locked out of the product for N minutes, and the user, help desk and ARC administrator may be notified.
To verify your identity the Account Reset Console will ask you a series of questions. Please enter the answers to these questions to confirm your login credentials. What is
34. inimum rights to reset passwords. If there are additional trusting domains to manage, and the COM account configured during installation has the required permissions to manage those domains, clicking the Show All link towards the top right corner and enabling the check box in the Manage column will permit ARC to manage users' passwords in those domains, delegations permitting. To see more information about a given domain, including the preferred domain controller for password changes, select the Details link. For more information on this, see the next section, Domain Details.
[Screenshot: Managed Domains and Domain Controllers table with Show All link and columns Default, Managed Domain, Primary Domain Controller, Manage, Status, Actions; rows include domain controller 2K8R2 DC, DEMO2 and local, each with a Details link; Save button]
The Default Domain defines what domain will be automatically displayed in domain selection drop-down lists. Following installation, this is defaulted to local. If any changes have been made which should be saved, click Save Domain Configuration. There will be no further confirmation of changes to these options. To discard any changes you have made, simply navigate away from this page without clicking Save Domain Configuration.
DOMAIN DETAILS
When viewing the details of a domain, the COM account will attempt an administrative connection to the preferred domain controller to gather the status of this domain. If the COM account is not an
35. l add the question, without any settings, to the Inactive Questions list. Once the question is configured, it may be added to the Active Questions list by selecting the Activate link found inline with any inactive questions. For further information on adding or editing verification questions, see the next section, Adding or Updating Verification Questions.
[Screenshot: Configure User Identity Verification Questions Here. Active Questions: "What is your first pet's name", "What is your mother's maiden name" (actions Deactivate, Delete, Edit); Number of questions user has to answer: 0. Inactive Questions: "This is question 1", "What is your favorite color" (actions Activate, Delete, Edit). Add New Questions: Question Text field and Add button]
The second portion of the Verification page allows defining if a notification will occur when a user attempts to update their verification question(s) and who those notifications will go to. The user may be notified of a successful or failed update. In order to notify the user, ARC will retrieve their primary e-mail address from Active Directory. If not using Active Directory, or this attribute is not configured, the user cannot be notified. The e-mail can be configured as plain text or HTML. Choosing to format the e-mail as HTML will require you to use HTML to write the e-mail. There is a list of variables which may be used within the e-mails a
36. mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
[Screenshot: Notify admin of successful update; Notify admin of failed update; message text "The action by HDUser to reset the password for UserName RealName has resulted in Result at Time from IPAddress"; Plain Text or HTML Mail]
Email Keywords
RealName: User's full name as stored in Active Directory
UserName: User's logon name
Email: User's email address as stored in Active Directory
Password: The user's new password
IPAddress: IP Address
Time: Current time
HDUser: Help Desk User Name
Result: Help Desk resets password result
Once changes are made to this page, click the Save Program Features button at the bottom of the page.
SELF RESET FEATURES
To configure Self Reset Features, go to Management, then Self Reset. The Self Reset Features section is for configuring all of the options surrounding a user resetting their own password or unlocking their own account, whether through the web interface question verification or through the credential providers, without help desk intervention. To guarantee that only help desk users could use this tool to change other users' passwords, every option on this page should be de-selected. To allow users to reset their own password when their current password is not forgotten, enable Allow users to change th
37. mains exist. This area is also used to identify preferred domain controllers and validate connectivity to target domains.
SECURITY: Configure session timeout and approved characters that can be used for self-service reset operations.
SUPER USERS: Groups defined here have complete control of the application, regardless of any other rights.
LICENSING: Input a new license for ARC to use and see how many user accounts are being managed by ARC.
Following a fresh installation of Account Reset Console, there is nothing else which must be configured, with the exception of delegation rules that allow groups of users to reset other groups of users' passwords. This is handled in the Management area. It is recommended to configure a default domain. For steps to do this, go to the Domains option found under Configuration. The following pages outline the Configuration options.
DATA SOURCES
To configure data sources for ARC to use for verification questions or logging, go to Configuration, then Data Sources. Data sources are databases that are defined within ARC and are used for:
LOGGING DATABASES: Actions that occur within ARC, such as logging in or resetting a user's password.
VERIFICATION QUESTIONS: Data sources define the databases that will be used to store and retrieve answers to a user's verification questions.
When configuring a data source, configure the server and database that ARC will conn
38. [Screenshot: existing data sources table (columns Name, Type, Working, LogDB, Actions; row Default Database, SQL Server, with Edit and Delete links) and Add New Data Source form (Name, Type: Microsoft SQL Server, Add button)]
When first adding a new data source, the Working column will be labeled with a red X. This indicates that the database is not configured. Select the Edit link in order to finish setting up the data source. In order to properly configure an ADO data source, the complete connection string, which includes the server, database and account information required to connect, will be required. In order to properly configure a Microsoft SQL data source, the following information must be supplied:
SERVER INSTALLATION: this is the name of the database server and any instance naming information. For example, a default instance of MS SQL will simply be addressed by the server name. An instance of MS SQL using a named instance will be addressed as ServerName\InstanceName, as noted in the screen shot below.
DATABASE NAME: this is the name of the pre-existing database to use on the specified server.
AUTHENTICATION TYPE: choices are Windows Authentication or SQL Server Authentication. It is recommended to use Windows Authentication, which will use the integrated authentication token of the COM object to authenticate to the database. This method does not require a password to be stored in the connection string used to connect to this database.
Onc
39. This section details how a user may reset their password using the Account Reset Console Logon Provider if they have forgotten their password and/or locked out their account. This option is useful in the scenario where a user has locked out their account, has forgotten their password, or both, and the user has enrolled their verification questions. In order for a user to be able to reset their own password using Account Reset Console when they have forgotten their password, the option to Allow users to reset their own passwords via ID verification (Login Provider) must be enabled in the Management Self Reset section. For more information on this and other options, please see Self Reset Features. Further, a user must have previously enrolled with user verification questions using the Setup My Identity feature of Account Reset Console. Account Reset Console provides for a nag feature to alert the user that they need to enroll. This can be configured on the Account Tasks section under Scheduling Reporting. Once the user hits CTRL ALT DEL to log in, a new area on the login dialog will appear below the username and password fields for the Logon Provider. Click the link to begin the self-reset process.
[Screenshot: Log On to Windows dialog with Username, Password, Log on to (DEMO), Log on using dial-up connection, and the link "Locked out? Forgot password? Click here to
40. on can be used to identify which database to use and who must answer the question. Presented for all users means all users who enroll must provide an answer to the question. Presented for the following selected groups means only users who belong to the identified groups will be required to answer the question. Enter the group name as DomainName\GroupName.
[Screenshot: Edit Verification Question form. Question Text: "What is your first pet's name". Target User: Presented for all users, or Presented for the following selected groups (DEMO, Enter Group Name Here, Add)]
Which database to use? The default database is the database that is configured during the installation of ARC. It is also the database that is used for logging by default. This is the best choice to use if the answers will not be pre-populated but rather supplied by users via an enrollment process. Use a custom verification database to read and/or write user answers from a non-Microsoft SQL database, or if retrieving answers from other data sources such as Lotus Notes, Active Directory or some other HR database. For example, to retrieve the last four of a user's social security number from an HR database, use the custom database.
[Screenshot: Data Storage options: Use current active database for verification; Use custom verification database (Data Source: Default Database); Queries: Retrieval]
If your retrieval query is not working please ensure that you have
41. ord twice and select options for the account to be reset.
[Screenshot: reset form for susan (DEMO) with options Reset the account password; Enable account if disabled; Unlock account if locked; Require that reset passwords be changed on next login; Reset Account button]
If the reset is successful, logging messages to that effect will be displayed above the user name. Similarly, if there are failures, the operation that failed will also indicate that there was a failure.
Results
3/20/2012 1:39:48 PM DateOfExpiration by DEMO fred for account DEMO susan Success Server 2K8R2 DC
3/20/2012 1:39:48 PM Password by DEMO fred for account DEMO susan Success Server 2K8R2 DC
3/20/2012 1:39:48 PM PwdExpired by DEMO fred for account DEMO susan Failure Server 2K8R2 DC Error 87 User's password never expires
3/20/2012 1:39:48 PM SetAccountFlags by DEMO fred for account DEMO susan Setting Flag Expired to FALSE
All actions from the time of user login, verification and password reset attempt will be logged. The logs are accessible at Scheduling Reporting, then View Logs.
CHANGE MY PASSWORD
For a user to reset their own password, go to Accounts, then Change My Password. Account Reset Console allows for users to reset their own password in one of two scenarios:
If the user knows their current password.
If the user has forgotten their current password but has enrolled for self-service reset.
This section details how a u
42. ors used throughout the website, use the Themes and Colors section. The default themes are Blue, Green and Red. When selecting these options, the User Theme color hex codes will not change. The User Theme color hex codes will become active when the User theme is selected. With this option, the admin can configure any and all color settings in the product.
[Screenshot: Themes and Colors form. Themes: Blue, Green, Red, User. User Theme fields: Company Tagline Color, Menu Bar Color, Menu Text Color, Active Menu Bar Color, Page Header Color, Page Header Text Color, Page Border Color, Inactive Content Color, Active Content Color, Alternative Table Row Color; Save and Restore buttons]
Once changes have been made, be sure to click the Save button at the bottom of the page. To revert Account Reset Console back to its default appearance settings, click the Restore button at the bottom of the page, then click the Save button.
HOW TO USE ACCOUNT RESET CONSOLE
The following pages describe the basic use of Account Reset Console, including resetting user passwords and one's own password, how to view these actions in the program's logs, and how to run reports on users.
ACCOUNTS
The Accounts area is used both by regular users and help desk. Depending on the various options and delegations confi
43. r it has been installed, please contact Lieberman's support department for assistance. Incorrect installation or poor security practices could allow the compromise of passwords. When used and installed properly, this program provides excellent performance, speed and security for password management. Call Lieberman Software if there are any questions about this product.
INITIAL CONFIGURATIONS
Following the initial installation of Account Reset Console, virtually nothing will be configured and no user will be able to use ARC to reset other users' passwords or their own. The following sections describe the processes required to enable password management functionality, options available with Account Reset Console, what it means to turn on a specific option, and recommended practices. The following sections are organized by navigation bar headings (those are the links found horizontally across the top of any page) and sub-organized by the navigation options found vertically under the left side of each navigation bar heading.
[Screenshot: Account Reset Console page showing the logged-in user, the Navigation Bar (Accounts, Scheduling Reporting, Management), the Location Bar, and the "Enter a user name to look up" form with User Name, Domain and Look up Answers]
IN THIS CHAPTER: The First Login Screen; Input The; Configurations; Management; Logout
44. r manipulate the look of Account Reset Console. Various visual elements such as banners, headers, footers and colors for each of the elements within Account Reset Console can be controlled on this page.
COMPANY TAG LINE: typical use is for the company name, utility name for ARC, or catch phrase. This can also be left blank.
SELECT BANNER IMAGE: These are images that have been uploaded via the Upload new banner image option or placed into the banners subdirectory in the arcweb www directory of the host system.
UPLOAD NEW BANNER IMAGE: allows you to upload images of up to 640x100 pixels for use as the primary banner image at the top of every page. Typical use is for company logos. In order for this option to work, the anonymous user account (typically iusr computername or just IUSR) must have list and write permissions on this arcweb www banners directory.
FOOTER DISPLAYS LOGO: allows you to show or hide the Lieberman Software logo in the lower left corner of every page.
FOOTER DISPLAYS VERSION: show or hide the Account Reset Console version information in the lower right corner of every page.
[Screenshot: Adjust Appearance Settings form with Company Tagline (Account Reset Console), Select Banner Image (lieberman horizontal gif), Upload New Banner Image (maximum size 640x100), Footer displays logo, Footer displays version]
To configure the col
45. r media. The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price, and does not include any other kinds of damages. Apart from the foregoing limited warranty, the software programs are provided AS IS, without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation, or for consequences of any such errors. This agreement is governed by the laws of the State of California. Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:
Lieberman Software Corporation, 1900 Avenue of the Stars, Suite 425, Los Angeles, CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or e-mail us at sales@liebsoft.com.
PRE USAGE CONSIDERATIONS
Please ensure completion of all steps as outlined in the Account Reset Console Installation Guide. The steps in that guide outline SQL configuration, IIS configuration and recommendations, as well as COM account configuration requirements. If there are any questions or concerns about this program's installation or operation before or afte
46. r mother's maiden name? What is your favorite color? Save. Your verification information is not complete. You must complete all required questions before the verification system will function.
If there are no problems with the answers supplied for the questions, the page will display a notice, Your verification information is complete, and the answers will have green check marks to the right of them.
[Screenshot: "You are required to complete 2 out of the following 3 question(s)": What is your first pet's name (kitty); What is your mother's maiden name (smith); What is your favorite color (red); Save; "Your verification information is complete"]
SCHEDULING REPORTING
The Scheduling Reporting area of Account Reset Console is used to view the logs that are kept for all password reset functions in Account Reset Console, as well as create various notification and management reports.
VIEW LOGS
To view activity logs, go to Scheduling Reporting, then View Logs. Account Reset Console keeps track of all successful and failed logon attempts, as well as all password reset actions and notifications. These are stored in the default logging database and can be accessed within ARC from the View Logs section under Scheduling Reporting. In order to view the logs, a group must have been granted access to View console Logs and Task Reports from Management Program Access. To see who has succes
47. records in the appropriate database for your test user.
[Screenshot: options Allow users to set their own answers to this question; Answer is in plain text; Setting; Insertion; Save and Return buttons]
Examples
Retrieval:
  select Answer from CustomerTable where UserName = USER and DomainName = DOMAIN and ID = GUID
Setting:
  update CustomerTable set Answer = ANSWER where UserName = USER and DomainName = DOMAIN and ID = GUID
Insertion:
  insert into CustomerTable (UserName, DomainName, ID, Answer) values (USER, DOMAIN, GUID, ANSWER)
To use a custom database, the data source must have been previously defined in the Data Sources section of the Configuration area. Also provide retrieval, setting and insertion queries. The following examples are the minimum queries for each of the three query strings:
Retrieval: used to retrieve user answers.
  select QuestionAnswer from ARC VerificationAnswers where UserName = USER and DomainName = DOMAIN and QuestionGUID = GUID
If a user should not be able to update the answer in the target data source, clear the check box next to Allow users to set their own answers to this question.
Setting: used to update user answers to the custom database via ARC. Leave this blank if users will not be allowed to edit their own answers.
  update VerificationAnswers set QuestionAnswer = ANSWER where UserName = USER and DomainName = DOMAIN and Que
48. Enter the username, select the correct domain, then click Next.
[Screenshot: Account Reset Console Identity, Password Reset dialog]
Answer any verification questions that are prompted. Answers are not case sensitive. Click Submit Answer. If the answers are correct, the process will move forward. If any of the answers are incorrect, a brief error message will appear and the answers must be corrected. If incorrect answers are input N number of times, where N is defined in Management Self Reset options, the user will be locked out of the product for N minutes, and the user, help desk and ARC administrator may be notified. Click Next to continue.
[Screenshot: Account Reset Console Verification, Password Reset dialog with the question "What is your first pet's name"]
Based on the options defined in Management Self Reset Options, the user may be able to select among up to two actions: Unlock and Reset the Password, or Unlock the account only.
If resetting the password, the user will enter the new password twice, then click Next.
[Screenshot: Account Reset Console Reset Password, Password Reset dialog with New Password field]
49. s 30 administrator on the domain controller this will fail and status information will not be retrieved. This error can be ignored. From this page, a preferred domain controller from which to perform password changes may be selected. By default, ARC will attempt to use any available domain controller, with a preference for the domain controller holding the PDC Emulator role. If that machine is unavailable, ARC will try another domain controller from the list of available domain controllers. To change this behavior and use a particular DC, click the link next to the preferred domain controller that says Set as Default DC. Later, to revert to the default behavior, choose the link that says Use any available DC next to the Default Domain Controller.
SECURITY
Security is located in the Configuration area. The Security section defines the session timeout (how long before ARC kills an idle session). The Security section also defines an allowed character set, which are the characters that are allowed for verifica
50. ser may reset their password using Account Reset Console if they know their current password. If a user needs to reset their forgotten password and/or unlock their locked out account, please see the next section, Change a Forgotten Password. This option is useful in the scenario where a user has access to a neighbor's computer, a secured kiosk, or a published web page. In order for a user to be able to reset their own password using Account Reset Console when the password is known, the option to Allow users to change their own passwords by logging into ARC must be enabled in the Management Self Reset section. For more information on this and other options, please see Self Reset Features. Once the aforementioned options are enabled, a user may log into the web console and select Change My Password from the Accounts menu. Once there, they must input a new password twice, then click the Change button.
CHANGE A FORGOTTEN PASSWORD WEB
Change a Forgotten Password is available from the ARC Web Login screen when the feature is enabled. Account Reset Console allows users to reset their own password in one of two scenarios: if they know their current password, or if they have forgotten their current password but have enrolled for self service reset. This section details how a user may reset their pas
51. sfully or unsuccessfully attempted logging into the Account Reset Console website, choose Access Log. To see the actions performed by various users against themselves or other users, select the Action Log radio button. Choose a date range, presented as MM/DD/YYYY, and optionally choose a user to filter for, then click the Display Log button. Clicking in the Date Time field will also display a date picker. You may additionally filter times with a 24 hour time filter, such as 12/09/2008 14:30:30. The logs will show the date the action occurred, the IP address it occurred from, the action, the user who performed the action, the account it was performed against, and the status of the action. Logs may be exported by choosing the output type as CSV or XML and then clicking the Save button. The user will be prompted for the directory on their machine to save the log to.
Date | IP Address | Action | User
3/21/2012 3:39:19 PM | 127.0.0.1 | logon success | DEMO LSCADMIN
3/21/2012 6:41:29 PM | 192.168.8.4 | logon success | DEMO LSCADMIN
3/21/2012 6:48:42 PM | 192.168.8.4 | logon success | DEMO LSCADMIN
3/21/2012 6:55:08 PM | 192.168.8.4 | logon success | DEMO LSCADMIN
3/22/2012 5:43:57 AM | 192.168.20.183 | multifactor logon success | DEMO SUSAN
3/22/2012 5:56:56 AM | 192.168.20.183 | logoff | DEM
52. stionGUID GUID
Insertion: used to add user answers to custom database via ARC. Leave this blank if users will not be allowed to add their answers. insert into ARC VerificationAnswers QuestionGUID UserName DomainName QuestionAnswer values HGUID HUSER HDOMAIN HANSWER
Once the questions are configured, click Save Settings at the bottom of the page. There is no visual indication that the question was saved. Then choose Return to Question List. Questions may then be activated for use. When a question is activated, it will be moved from the inactive questions list to the active questions list. Similarly, deactivate questions by clicking on the Deactivate link, which will move the question to the inactive questions list from the active questions list.
DOMAINS
To configure authentication domains, go to Configuration Domains. The Domains section is used to define three things: which domains to manage, which domain controller in each domain to prefer, and what should be the default domain. When this page is displayed, it will only show domains that have been selected for management by selecting the check box in the Manage column. By default this is the local system and the local domain. If the status is a green check mark then your COM account has at least the m
53. sword using Account Reset Console if they have forgotten their password and/or locked out their account. The previous section, Change My Password, details how a user may reset their password using Account Reset Console if they know their current password. This option is useful in the scenario where a user has locked out their account, has forgotten their password, or both. Note: Additionally, there is a Logon Provider to integrate into the CTRL ALT DEL logon screen of Windows to allow a user to perform the same actions if they are unable to use another computer or there is no secured kiosk. This item can be downloaded from the Lieberman Software website from the same page as Account Reset Console. Instructions for installation and use of these items are included with the download. In order for a user to be able to reset their own password using Account Reset Console when they have forgotten their password, the option to Allow users to reset their own passwords via ID verification Website or Allow users to reset their own passwords via ID verification Logon Provider must be enabled in the Management Self Reset section. For more information on this and other options, please see Self Reset Features. Further, a user must have previously enrolled with user verification questions using the Setup My Identity feature of Account Reset Console. Account Reset Console provides for a nag feature to alert the user t
54. t Features section of the Management area. The help desk user will select the check box next to the question they wish to ask, ask the user for the answer, and type the answer into the question's answer field. Based on the options defined in the Help Desk Reset Features section of the Management area, the help desk user may see the answer text or it may be obfuscated, as shown in the image below. Once the answer is input, the help desk user will click the Verify button. If the answer is incorrect there will be a notification as such; otherwise the help desk user will be brought to the final screen. Ensure the first option to Reset the user account password is selected, type in the new password twice, and examine the three options below the password input fields. These options are defined in the Help Desk Reset Features section of the Management area as to whether they will be mandatory, optional, default or disabled. If they are left as optional, they will all be enabled. Once the help desk user has set the password and configured the options, click the Reset Account button to reset the password.
55. t may occur when a user resets or has their password reset.
Source: what email address the email appears to come from. If the mail server does not perform reverse lookup, it is generally acceptable to use any source address desired. If the server does perform reverse lookup, a legitimate email address may be required. Generally it is always wise to use an e-mail address that appears to come from your company's domain.
Reply: if someone does hit the reply button on the notification email, this is the address it will go to. If not monitoring user replies to these e-mails, supply a junk address such as donotrespond@nevergonnacheckit.never.
Administrator: this is typically the administrator of ARC and is the email address referred to in ARC when reference is made to Administrator. If multiple people should receive a notification, put in the address of a distribution group.
Help Desk: this is typically the help desk users of ARC or your company's help desk. This is the email address referred to in ARC when reference is made to Help Desk. If multiple people should receive a notification, put in the address of a distribution group.
Once configuration changes have been made, click the Save Email Configuration button at the bottom of the page. To configure Appearance settings go to Management Email. The appearance page is used to skin o
56. t the bottom of this page.
When a User Updates Verification Answers: Notify user of successful update. Notify user of failed update.
Dear RealName This is an automatic notification that your account verification questions used for self service password reset have been recently modified or were attempted to be
Help desk and the ARC admin may also be notified of successful or failed updates to the user's verification answers. The e-mail addresses used for the help desk and ARC admin are defined with the Configure Email Settings action in the Management area. The e-mail can be configured as plain text or HTML. Choosing to format the e-mail as HTML will require the use of HTML to write the e-mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
Notify help desk of successful update. Notify help desk of failed update. Notify admin of successful update. Notify admin of failed update.
UserName RealName has just attempted to update their password verification questions and Result
Email Keywords:
RealName: User's full name as stored in Active Directory
UserNames: User's logon
IPAddress: IP Address
Time: Current time
Result: User resets password result
If any changes are made
57. t will be selecting the job and clicking Run Selected Synchronization Now. To allow the jobs to run automatically on a schedule, the jobs must be activated and edited to include a schedule. To edit a job, click the Edit link next to the job. Choose the day(s) for the synchronization to run and at what point, noon or midnight, the synchronization should occur. If details of the synchronization should be emailed, supply the email address for the notification in the Email results to field. Choose to Save when all desired changes have been made. To view ARC synchronization task results, go to Scheduling Reporting View Synchronization Results. View Sync Results provides logging information for all synchronizations that have occurred. There are two lists to choose the report from. The Most Recent Synchronization list contains the 10 most recent reports. The Synchronization By Name list lists all reports by name that have been run. By clicking on links in that list, a list of all the run times for a particular report will be displayed and those reports can be viewed.
58. tallation of ARCWeb Type in the group name as DomainName\GroupName, such as domain\domain admins. Click OK to continue. A confirmation that the group was added successfully will appear.
Add Super User Group to ARCWeb: Enter the name of the Windows Group to add to the Super User list. It must be specified in the form DOMAIN\GROUPNAME for domain groups. An ARCWeb Super User has the right to change anything in ARCWeb, including database and log configurations.
INPUT THE LICENSE
If this is a fresh installation of Account Reset Console, then following the successful installation of Account Reset Console the license will also need to be configured. If this is an evaluation of Account Reset Console, licensing may be skipped, as ARC ships with a fully functional 30 day license for 100 users. Licensing may be configured using the ARC Admin Console or the ARC web site. To configure licensing using the ARC Admin Console, skip to the next step. To configure a license for ARC using the website, log into ARC as a member of the super users group and go to Configuration Licensing. Input the license and click the Update License Key
59. tion answers not case sensitive. The default session timeout is 20 minutes. The default allowed character set is ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 without the quotes. Note that there is a blank space following the 0. If the space is removed, users will not be allowed to use spaces in their verification questions. Also note that no punctuation is allowed in the default character set. This is the preferred setting to avoid complications with various data sources that treat punctuation in different ways. It is recommended to not change the allowed character set. The Technical Support field allows a message to be specified in the event of a password change error. If changes are made to this page, click the Save button at the bottom of the page. There will be no further confirmation of changes to these options. If changes were made but the settings have not been saved and should be discarded, simply navigate away from this page without clicking the Save button.
Session timeout: 20. The session timeout controls how many minutes a web browser session will remain logged in without activity.
Allowed charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890. The allowed character set controls which characters (case insensitive) will be accepted as valid characters for verification answers. For safety reasons not recommended
Technical Support: Please notify your system administrator of this error
60. to this page, be sure to save the new settings using the Save Verification Options button at the bottom of the page.
ADDING OR UPDATING VERIFICATION QUESTIONS
Account Reset Console ships with three pre-existing questions that are configured as Active. This means a user will be required to answer these questions in order to participate with self service reset. A question may be removed from the active pool by selecting the Deactivate link next to the question, or deleted entirely. A question may be edited by selecting the Edit link. Editing a question will allow changing its text and database query strings. To add more verification questions, type in the text of the question in the Question Text field, then click the Add Question button. This will add the question, without any settings, to the Inactive Questions list. Before the question will be asked of a user, the question must first be edited and assigned to a data source, and then activated. Before a questi
61. u to use HTML to write the e-mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
When a Help Desk User Resets a User Password: Notify user of successful update. Notify user of failed update.
Dear RealName This is an automatic notification that your help desk's action to reset your user account's password has resulted in Result
The help desk may be notified of successful or failed updates to the user's password. The e-mail addresses used for the help desk and ARC admin are defined in the Configure Email Settings area in the Management section. The e-mail can be formatted as plain text or HTML. Choosing to format the e-mail as HTML will require you to use HTML to write the e-mail. There is a list of variables which may be used within the e-mails at the bottom of this page.
Notify help desk of successful update. Notify help desk of failed update.
The action by HDUser to reset the password for UserName RealName has resulted in Result
The ARC admin may be notified of successful or failed updates to the user's password. The e-mail addresses used for the help desk and ARC admin are defined in the Configure Email Settings area in the Management section. The e-mail can be formatted as plain text or HTML. Choosing to format the e-mail as HTML will require you to use HTML to write the e
62. user to reset another user's passwords, the people resetting passwords must be in the Administrative Group and the people having their passwords reset must be in the Managed Group. ARC does not perform recursive queries to determine group membership. Your intended users must be direct members of the delegated groups. Rights are cumulative. If a user belongs to two or more groups granted access in this page, that user will be granted all of those rights. To allow a group of users to reset passwords, enter their group name in the administrative group name field. Then identify which group of users they can reset by specifying that group name in the managed group name field. Finally, select the Reset Password right check box. Additionally, you may elect to allow administrative groups to view a particular managed group's verification answers. This is useful when help desk will be performing password resets for users and you wish for those help desk users to validate the identity of those users using the verification questions.
63. verification answer during reset of another user's password. If this option is not set, ARC will display the typed text in clear text, making it visible to the help desk user and anyone else who may be shoulder surfing or taking screen shots.
Help Desk Reset Features:
Reset passwords through Account Reset Console
Minimum number of questions help desk has to ask. Note: A value of 0 will allow the help desk to reset the user's password without verification.
Enable account if disabled: Always, Optional, Never
Unlock locked accounts: Always, Optional, Never
Require that reset passwords be changed on next login (ignored when user cannot change password): Always, Optional, Never
Prevent help desk from seeing the answer
Display the following HTML message creates a heading at the top of the Account's page that is visible to users resetting other user's passwords. Display the following HTML message to help desk personnel resetting accounts. When a help desk user attempts to reset a user's password setting will notify the user that their password has been reset by a help desk user. In order to notify the user, ARC will retrieve their primary e-mail address from Active Directory. If Active Directory is not being used or this attribute is not configured, the user cannot be notified. The e-mail can be formatted as plain text or HTML. Choosing to format the e-mail as HTML will require yo
64. w a user to unlock their own account via ID verification, enable the Allow users to unlock their own account via ID verification option. When a user is answering questions, it is possible that the user may have forgotten which answer they actually provided to a question. Allowed incorrect answers before account lockout is the number of times a user may answer a verification question incorrectly before ARC will lock the user out of the self reset process for the number of minutes defined in the Account lockout timeout minutes. When there are multiple verifications defined and answered, ARC can randomly choose some or all of those questions to ask the user during the ID verification process. To have ARC randomly select verifications, enable Randomly choose verification questions from user's pool of questions and then define the number of random questions to ask by putting a valid number in the Number of verification questions users must answer field. If a user fails the ID verification, ARC can notify the administrator and help desk email addresses defined in the email setting section by enabling Send verification failure to Administrator and Help Desk.
Forgotten Password & Locked Out Features:
Allow users to reset their own passwords via ID verification Website
Allow users to unlock their own account via ID verification Website
Allow users to reset their own passwords vi
65. y
UserName: User's logon name
Email: User's email address as stored in Active Directory
Password: The user's new password
IPAddress: Address
Action: Unlock Reset
Time: Current time
Result: user's password self reset result
Once changes have been made to this page, click the Save Program Features button at the bottom of the page. To configure Email settings, go to Management Email. The email server settings are only required to use any of the notification options for user password reset updates or for e-mailing scheduled report results. SMTP Express is a standalone mail relay that can be installed on the local system and is used when ARC will not be allowed to connect directly to a mail server. The preferred option is Use External Server, which allows connection to an SMTP mail server. At a minimum, provide the server name. Many mail systems require user authentication. If this is true for the preferred mail server, then supply the user name and password. Change the SMTP port number if it is appropriate for the preferred server. By default, and typically, SMTP operates over port 25. The e-mail addresses defined on this page are the email addresses that are used for the various notification tha
