diff --git a/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md b/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md index 10674687d0..47128697d5 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md +++ b/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md @@ -20,8 +20,11 @@ not jeopardize network security. You can also use Password Policy Enforcer to ensure that passwords are compatible with other systems, and to synchronize passwords with other networks and applications. -**NOTE:** The +:::note +The [Evaluation](/docs/passwordpolicyenforcer/10.2/evaluation/evaluation_overview.md) topic contains step-by-step instructions to help you quickly install, configure, and evaluate Password Policy Enforcer. Read the Evaluation topic if you are using Password Policy Enforcer for the first time. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/connecting.md b/docs/passwordpolicyenforcer/10.2/administration/connecting.md index 904a10b2ae..e15ee2eaa3 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/connecting.md +++ b/docs/passwordpolicyenforcer/10.2/administration/connecting.md @@ -29,8 +29,11 @@ Enforcer view. **Step 4 –** Enter the **name** or **IP address** of a domain controller, then click **OK**. -**NOTE:** You cannot make changes to the Password Policy Enforcer configuration while the management +:::note +You cannot make changes to the Password Policy Enforcer configuration while the management console is connected to a read-only domain controller. +::: + ## Connecting to a Local Configuration @@ -50,9 +53,18 @@ Enforcer view. **Step 3 –** Select the **Local** option, then click **OK**. -**NOTE:** Domain configurations are stored in the CN=Password Policy Enforcer 10.0,CN=System object. +:::note +Domain configurations are stored in the CN=Password Policy Enforcer 10.0,CN=System object. +::: + -**NOTE:** Local configurations are stored in the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0\ +:::note +Local configurations are stored in the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0\ registry key. +::: + + +:::note +Users with write permission to these objects can configure Password Policy Enforcer. -**NOTE:** Users with write permission to these objects can configure Password Policy Enforcer. +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/hibpupdater.md b/docs/passwordpolicyenforcer/10.2/administration/hibpupdater.md index 2d38658b4a..8d496edf6f 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/hibpupdater.md +++ b/docs/passwordpolicyenforcer/10.2/administration/hibpupdater.md @@ -32,11 +32,14 @@ location. The HIBP Updater is installed when you install the Password Policy Enforcer Management Server. -**_RECOMMENDED:_** Only run this from one server. +:::info +Only run this from one server. +::: + **Step 1 –** To access the HIBP Updater, navigate to the installation location: -...\Program Files (x86)\Password Policy Enforcer\HIBP\ +**...\Program Files (x86)\Password Policy Enforcer\HIBP\** ![hibpfolder](/img/product_docs/passwordpolicyenforcer/10.2/administration/hibpfolder.webp) @@ -48,18 +51,24 @@ Password Policy Enforcer utilizes the Passwords Hash database to check if users password (i.e. during a password reset) matches the hash of a compromised password from a data breach. -**NOTE:** First-time configuration of this window requires downloading the HIBP database from the +:::note +First-time configuration of this window requires downloading the HIBP database from the Netwrix website. +::: + ![passwordhashdatabase](/img/product_docs/passwordpolicyenforcer/10.2/administration/passwordhashdatabase.webp) -**CAUTION:** Ensure the initial update of the database occurs during non-office hours. Due to the +:::warning +Ensure the initial update of the database occurs during non-office hours. Due to the size of the hash file, this download takes up a significant amount of CPU and download time. +::: + - Passwords Hash Database Folder – Central location of the Pwned database on the application server. The default path is: - …\HIBP\DB +**…\HIBP\DB** - Update Type: @@ -68,10 +77,13 @@ size of the hash file, this download takes up a significant amount of CPU and do instead of downloading the full HIBP database. This option is enabled after a full download of the HIBP database has completed. - **NOTE:** Only the full HIBP database file obtained from the Netwrix website has version + :::note + Only the full HIBP database file obtained from the Netwrix website has version information. That full HIBP database file can be obtained using the Website option. Alternately, the HIBP database can be obtained outside of the application by downloading it directly from the Netwrix website using an FTP connection: + ::: + - [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip) - [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt) @@ -102,7 +114,7 @@ files. Copy the hash files into the Sysvol share on one domain controller, and t System will copy the files into the Sysvol share of all other domain controllers. Configure the Compromised rule to read the files from: -\\127.0.0.1\sysvol\your.domain\filename.db +**\\127.0.0.1\sysvol\your.domain\filename.db** See the [Compromised Rule](/docs/passwordpolicyenforcer/10.2/administration/rules/compromised_rule.md) @@ -114,8 +126,11 @@ local policies. If you are using Password Policy Enforcer for local policies and to receive hash file updates, then use the Sysvol share for file replication and a script or scheduled task to copy the file to a local folder. -**CAUTION:** %SystemRoot%. hash files should only be read from a local disk. Using shared hash files +:::warning +%SystemRoot%. hash files should only be read from a local disk. Using shared hash files degrades performance, and could jeopardize security. +::: + ## Scheduler diff --git a/docs/passwordpolicyenforcer/10.2/administration/installation/automated_installation.md b/docs/passwordpolicyenforcer/10.2/administration/installation/automated_installation.md index 45b971880d..21f44abbcc 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/installation/automated_installation.md +++ b/docs/passwordpolicyenforcer/10.2/administration/installation/automated_installation.md @@ -70,8 +70,11 @@ button. **Step 4 –** Enter the full **UNC path to PPE10.1.msi** in the Open dialog box. -**NOTE:** You must enter a UNC path so that other computers can access this file over the network. +:::note +You must enter a UNC path so that other computers can access this file over the network. For example: \\file server\distribution point share\PPE10.1.msi +::: + **Step 5 –** Click **Open**. diff --git a/docs/passwordpolicyenforcer/10.2/administration/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/10.2/administration/installation/disable_windows_rules.md index 2ae8c82bf5..a30aeb2108 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/10.2/administration/installation/disable_windows_rules.md @@ -44,7 +44,10 @@ Settings**, **Account Policies**, and **Password Policy** items. ![installing_ppe_3](/img/product_docs/passwordpolicyenforcer/10.2/evaluation/preparing_the_computer.webp) -**NOTE:** You do not have to disable all the Windows password policy rules to use Password Policy +:::note +You do not have to disable all the Windows password policy rules to use Password Policy Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you like. Just remember that a password is only accepted if it complies with the rules enforced by both Windows and Password Policy Enforcer. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/installation/installation.md b/docs/passwordpolicyenforcer/10.2/administration/installation/installation.md index d849d134ce..d012f841fe 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/installation/installation.md +++ b/docs/passwordpolicyenforcer/10.2/administration/installation/installation.md @@ -17,10 +17,13 @@ topic for additional information. - Fifteen megabytes free disk space - Eight megabytes free RAM (72 megabytes if using Argon2 hashes) -**NOTE:** Users do not have to change their password immediately after Password Policy Enforcer is +:::note +Users do not have to change their password immediately after Password Policy Enforcer is installed. They can continue using their current password until it expires, even if their current password does not comply with the password policy. Installing Password Policy Enforcer does not extend the Active Directory schema. +::: + ## Installation Types diff --git a/docs/passwordpolicyenforcer/10.2/administration/mailer/email_delivery_options.md b/docs/passwordpolicyenforcer/10.2/administration/mailer/email_delivery_options.md index 18b0ef463a..cead5eff20 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/mailer/email_delivery_options.md +++ b/docs/passwordpolicyenforcer/10.2/administration/mailer/email_delivery_options.md @@ -33,8 +33,11 @@ Select the **Save email to a pickup folder** option to have the Password Policy emails to a folder for later delivery by a mail server. Click the **Browse** button to select a folder. The mail server must monitor this folder for new email. -**NOTE:** Saving email to a pickup folder is the fastest and most reliable delivery method. Use this +:::note +Saving email to a pickup folder is the fastest and most reliable delivery method. Use this option if your mail server supports pickup folders. +::: + The Password Policy Enforcer Mailer sends emails at 2:00 AM every day. Check the Windows Application Event Log to monitor its progress. You can also run the Password Policy Enforcer Mailer from the diff --git a/docs/passwordpolicyenforcer/10.2/administration/mailer/mailer.md b/docs/passwordpolicyenforcer/10.2/administration/mailer/mailer.md index 7241f1893a..96debf9af0 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/mailer/mailer.md +++ b/docs/passwordpolicyenforcer/10.2/administration/mailer/mailer.md @@ -34,8 +34,11 @@ conditions. **Step 5 –** If you are prompted to Modify, Repair, or Remove the installation, select **Modify**, then click **Next**. Proceed to step 11. Do not disable the other features as described below. -**CAUTION:** If prompted to Modify, Repair, or Remove, do not modify any settings or disable any +:::warning +If prompted to Modify, Repair, or Remove, do not modify any settings or disable any features as described in steps 6 - 10. +::: + **Step 6 –** Click **Next** when the Password Policy Enforcer Installation Wizard opens. diff --git a/docs/passwordpolicyenforcer/10.2/administration/managementconsole/management_console.md b/docs/passwordpolicyenforcer/10.2/administration/managementconsole/management_console.md index 3c0f02b5c8..26b17ab9b5 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/managementconsole/management_console.md +++ b/docs/passwordpolicyenforcer/10.2/administration/managementconsole/management_console.md @@ -53,8 +53,14 @@ Password Policy Enforcer management console. ![configuring_ppe_1](/img/product_docs/passwordpolicyenforcer/10.2/administration/configuring_ppe_1.webp) -**NOTE:** If you are opening the management console for the first time, click **Yes** when asked if +:::note +If you are opening the management console for the first time, click **Yes** when asked if you would like to create a new Password Policy Enforcer configuration. +::: -**NOTE:** Press F1 while using the management console to display help information for the current + +:::note +Press F1 while using the management console to display help information for the current window. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/assigning_policies.md b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/assigning_policies.md index 0ae4c09435..0b93fefa2a 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/assigning_policies.md +++ b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/assigning_policies.md @@ -18,18 +18,24 @@ Info Tech group, then any policy assigned to the Info Tech group also applies to Helpdesk group. If this behavior is not desired, then you can assign a different policy to the Helpdesk group. -**NOTE:** When a policy is assigned to a container, Password Policy Enforcer enforces the policy for +:::note +When a policy is assigned to a container, Password Policy Enforcer enforces the policy for all users in the container as well as any child containers. For example, if the Helpdesk and Managers OUs are children of the Info Tech OU, then any policy assigned to the Info Tech OU also applies to the two child OUs. If this behavior is not desired, then you can assign a different policy to a child OU. +::: + ![managing_policies_3](/img/product_docs/passwordpolicyenforcer/10.2/administration/managing_policies_3.webp) -**NOTE:** When a domain policy is assigned to a user or group, Password Policy Enforcer stores the +:::note +When a domain policy is assigned to a user or group, Password Policy Enforcer stores the user or group SID in the configuration. The assignment remains valid even if the user or group is renamed. When a local policy is assigned to a user, Password Policy Enforcer stores the username in the configuration. The assignment is invalidated if the user is renamed. +::: + ![managing_policies_4](/img/product_docs/passwordpolicyenforcer/10.2/administration/managing_policies_4.webp) @@ -70,8 +76,11 @@ Follow the steps to remove a policy assignment. **Step 7 –** Click OK to close the Policy Properties page. -**NOTE:** Different assignment types can be used for a single policy. For example, you may assign +:::note +Different assignment types can be used for a single policy. For example, you may assign users to a policy by both OU and group at the same time. +::: + ## Policy Assignment Conflicts diff --git a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/passphrases.md b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/passphrases.md index d3abca5861..310b058629 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/passphrases.md +++ b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/passphrases.md @@ -40,6 +40,9 @@ will accept passphrases that comply with all enabled rules, irrespective of the This ensures that passphrases can be used, even if they do not meet the compliance level when Password Policy Enforcer is configured to disable one or more rules for passphrases. -**NOTE:** Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can +:::note +Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can be weaker than a well-chosen password. Do not disable too many rules under the assumption that length alone will make up for the reduced complexity as this is not always true. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/policy_properties.md b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/policy_properties.md index 8319cc0cbf..a96424b1ab 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/policy_properties.md +++ b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/policy_properties.md @@ -24,10 +24,13 @@ Password Policy Enforcer should enforce this policy, or deselect it to disable t policy's icon in the left pane of the management console changes to an X icon when a policy is disabled. -**NOTE:** A user's password history may be updated even when the policy assigned to the user is +:::note +A user's password history may be updated even when the policy assigned to the user is disabled. See the [Rules](/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md) topic for additional information. +::: + The **Default character set** drop-down list specifies which character set Password Policy Enforcer will use to enforce its rules. The default value (Netwrix Password Policy @@ -35,15 +38,21 @@ Enforcer) requires users to comply with rules that use the Password Policy Enfo Choose the alternate option (Windows) to have users comply with rules that use the Windows character set. -**NOTE:** Only Password Policy Enforcer 10.0 and higher will contain the Windows character set. +:::note +Only Password Policy Enforcer 10.0 and higher will contain the Windows character set. Password Policy Enforcer 9, Netwrix Password Reset and Password Policy Enforcer/Web 7 (and older for all products) will always use the Password Policy Enforcer character set. +::: + -**CAUTION:** This value should not be changed while using PPE9.x clients, APR 3.x and Password +:::warning +This value should not be changed while using PPE9.x clients, APR 3.x and Password Policy Enforcer/Web 7.x (and older for all above). These clients only support the Password Policy Enforcer character set. They will work if Password Policy Enforcer is configured to use the Windows character sets, but they will still continue to use the Password Policy Enforcer character set as that is all they know. +::: + - Some languages such as Japanese do not distinguish between uppercase and lowercase. These characters will be in the Windows Alpha set, but not in the Upper or Lower sets. @@ -79,17 +88,23 @@ The user logon name and new password are sent to the program as command-line par example, if you add the commands below to a batch file, Password Policy Enforcer will record each user's logon name and new password in a text file called passwords.txt: -echo Username: %1 >> c:\passwords.txt +**echo Username: %1 >> c:\passwords.txt** echo Password: %2 >> c:\passwords.txt -**CAUTION:** This script is shown as an example only. You should not store user passwords. +:::warning +This script is shown as an example only. You should not store user passwords. +::: + The command can now include the [USERNAME] and [PASSWORD] macros. If neither is specified, then the command is executed with both parameters to maintain compatibility with existing programs/scripts. -**_RECOMMENDED:_** Use the [USERNAME] parameter if the password is not needed by the program/script +:::info +Use the [USERNAME] parameter if the password is not needed by the program/script so that the password is not unnecessarily sent to the change notification command/script. +::: + Record any configuration notes about this policy in the Notes text box. diff --git a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/testing_policies.md b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/testing_policies.md index 986a42c53d..2a06128877 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/testing_policies.md +++ b/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/testing_policies.md @@ -26,8 +26,11 @@ New Password text boxes. **Step 5 –** Click **Test**, or wait a few seconds if Test passwords as I type is selected. -**NOTE:** Policy testing simulates a password change, but it does not change the password. As it is +:::note +Policy testing simulates a password change, but it does not change the password. As it is only a simulation, you do not have to enter the correct password in the Old Password text box. +::: + The Password Policy Enforcer management console displays a green check mark below the Test button if the new password complies with the Password Policy Enforcer password policy, or a red cross if it @@ -70,8 +73,11 @@ Follow the steps below to test your configuration. **Step 4 –** Select the location of the folder where you want to upload the result. -**NOTE:** It is recommended that the Password File and Result folder are not located on a shared +:::note +It is recommended that the Password File and Result folder are not located on a shared drive, so the processing can be done faster. +::: + **Step 5 –** Select a desired policy from the drop down list. diff --git a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/configuring_the_password_policy_client.md b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/configuring_the_password_policy_client.md index 9d56d731d1..40325c20d0 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/configuring_the_password_policy_client.md +++ b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/configuring_the_password_policy_client.md @@ -20,7 +20,7 @@ Client. You can use Active Directory GPOs to configure many computers, or the Lo Editor to configure one computer. The Password Policy Client configuration is stored in the HKLM\SOFTWARE\Policies\ANIXIS\Password Policy Client\ registry key. -Install the Password Policy Client Administrative Template +**Install the Password Policy Client Administrative Template** **Step 1 –** Connect to any Domain Controller where you have Password Policy Enforcer installed and have the group policy management console available. @@ -91,8 +91,11 @@ Windows 10 and 11. **Step 1 –** Use the **Group Policy Management Console** (gpmc.msc) to display the GPOs linked at the domain level. -**NOTE:** If you are not using Active Directory, then open the Local Group Policy Editor +:::note +If you are not using Active Directory, then open the Local Group Policy Editor (gpedit.msc) and skip step 2. +::: + **Step 2 –** Right-click the **Password Policy Client GPO**, then click the **Edit...** button. @@ -103,4 +106,7 @@ Templates**, **Classic Administrative Templates** (**ADM**), **Password Policy E **Step 4 –** Double-click the **Display settings (Windows 10)** setting in the right pane of the Group Policy Management Editor. -**NOTE:** Information about each option is shown in the Help box. +:::note +Information about each option is shown in the Help box. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_message_templates.md b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_message_templates.md index 26e49f485e..cbf4ae7470 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_message_templates.md +++ b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_message_templates.md @@ -70,7 +70,10 @@ the policy set by the organization. The image below illustrates an example of a ![livepolicymessageexample](/img/product_docs/passwordpolicyenforcer/10.2/administration/livepolicymessageexample.webp) -**NOTE:** The password client needs to be at version 10.2+ to support this capability. +:::note +The password client needs to be at version 10.2+ to support this capability. +::: + To support password live messages the password policy message must include the [Live_Policy] declaration in the Password Policy Message. diff --git a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_rule_inserts.md b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_rule_inserts.md index 07c9ffeda6..7a4f1d9ee3 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_rule_inserts.md +++ b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/customizing_rule_inserts.md @@ -37,9 +37,12 @@ it is a **Step 6 –** Edit the rule inserts in the Policy and Reason text boxes. -**NOTE:** Use the \n escape sequence to start a new line in a message template or rule insert +:::note +Use the \n escape sequence to start a new line in a message template or rule insert (Password Policy Client V5.1 and later). Inserts and lines starting with two or more spaces, a minus, and a space are shown with a bullet to the left (Password Policy Client V8.0 and later). +::: + ## Customizing Password Policy Client Messages diff --git a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/installing_password_policy_client.md b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/installing_password_policy_client.md index 3ec73128ce..53cf735207 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/installing_password_policy_client.md +++ b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/installing_password_policy_client.md @@ -10,8 +10,11 @@ The Password Policy Client is compatible with Windows 8, 8.1, 10, or 11. It is a Windows Server 2016, 2019, and 2022. The Password Policy Client can be used with Remote Desktop Services on these operating systems. -**NOTE:** The Password Policy Client is also compatible with Windows XP, Vista, and 7. However, +:::note +The Password Policy Client is also compatible with Windows XP, Vista, and 7. However, Netwrix no longer provides technical support for these versions. +::: + ## System Requirements @@ -59,7 +62,7 @@ and conditions. **Step 4 –** Right-click the **PPEClt10.2.msi** icon, click **Copy**, and then paste the file into the distribution point. -![the_password_policy_client](/img/product_docs/passwordpolicyenforcer/10.2/administration/the_password_policy_client.webp) +![the_password_policy_client](/img/product_docs/passwordpolicyenforcer/10.2/administration/installing_ppe.webp) **Step 5 –** Give the **Domain Computers** security group read access to the PPEClt10.2.msi file in the distribution point. @@ -79,7 +82,7 @@ this domain, and Link it here...**. **Step 4 –** Enter **Password Policy Client** in the provided field, then press **ENTER**. -![the_password_policy_client_1](/img/product_docs/passwordpolicyenforcer/10.2/administration/the_password_policy_client_1.webp) +![the_password_policy_client_1](/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe1.webp) ## Edit the Group Policy Object @@ -94,14 +97,17 @@ the left pane. **Step 4 –** Enter the full **UNC path to PPEClt10.2.msi** in the Open dialog box. -**NOTE:** You must enter a UNC path so that other computers can access this file over the network. +:::note +You must enter a UNC path so that other computers can access this file over the network. For example, `\\file server\distribution point share\PPEClt10.2.msi` +::: + **Step 5 –** Click **Open**. **Step 6 –** Select the **Assigned deployment method**, then click **OK**. -![the_password_policy_client_2](/img/product_docs/passwordpolicyenforcer/10.2/administration/the_password_policy_client_2.webp) +![the_password_policy_client_2](/img/product_docs/passwordpolicyenforcer/10.2/administration/installing_ppe_2.webp) **Step 7 –** Close the **Group Policy Management Editor**. @@ -117,9 +123,12 @@ and clicking the **Change a password** item. If you do not see the password poli because a Password Policy Enforcer policy has not been assigned to you, or because the firewall rules have not been created. -**NOTE:** The Password Policy Client does not store or send passwords or password hashes over the +:::note +The Password Policy Client does not store or send passwords or password hashes over the network. An attacker cannot determine user passwords by sniffing the communication protocol. The protocol is also encrypted by default for additional protection. +::: + ## Creating Firewall Rules for the Password Policy Client @@ -141,7 +150,10 @@ the Domain Controllers OU. **Step 2 –** Right-click the **Password Policy Enforcer GPO**, and then click **Edit...**. -**NOTE:** You need to create the GPO if you chose the Express Setup option. +:::note +You need to create the GPO if you chose the Express Setup option. +::: + **Step 3 –** Expand the **Computer Configuration**, **Policies**, **Administrative Templates**, **Network**, **Network Connections**, and **Windows Firewall** items. @@ -149,7 +161,7 @@ the Domain Controllers OU. **Step 4 –** Click **Domain Profile** in the left pane then double-click **Windows Firewall: Define inbound port exceptions** in the right pane. -![the_password_policy_client_3](/img/product_docs/passwordpolicyenforcer/10.2/administration/the_password_policy_client_3.webp) +![the_password_policy_client_3](/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe2.webp) **Step 5 –** Select the **Enabled** option, and then click **Show...**. @@ -190,5 +202,8 @@ Password Policy Client: | Destination address | Client Computer IP address | | Destination port | Any | -**NOTE:** If your firewall performs Stateful Packet Inspection, then only create a rule for the +:::note +If your firewall performs Stateful Packet Inspection, then only create a rule for the request datagram as the firewall will automatically recognize and allow the response datagram. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/multilingual_messages.md b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/multilingual_messages.md index 40dcebac91..26f1185295 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/multilingual_messages.md +++ b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/multilingual_messages.md @@ -23,5 +23,8 @@ above). The Password Policy Client uses the Windows client language settings to determine which language to display. -**NOTE:** You do not have to create a Password Policy Enforcer policy for each language. Each policy +:::note +You do not have to create a Password Policy Enforcer policy for each language. Each policy can have messages defined in multiple languages. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md index 493d8efa13..cb8e9f6c27 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md +++ b/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md @@ -24,5 +24,8 @@ The Password Policy Client displays the password policy during a password change see the policy while they choose their password. The Password Policy Client also displays a detailed rejection message to explain why a password was rejected. Both these messages are customizable. -**NOTE:** The Password Policy Client does not modify any Windows system files. It also does not send +:::note +The Password Policy Client does not modify any Windows system files. It also does not send passwords or password hashes over the network. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/ppe_tool.md b/docs/passwordpolicyenforcer/10.2/administration/ppe_tool.md index c979ea253c..aa35a8a63f 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/ppe_tool.md +++ b/docs/passwordpolicyenforcer/10.2/administration/ppe_tool.md @@ -26,32 +26,40 @@ The PPE Tool installs with the default installation of Password Policy Enforcer allows users to perform a number of operations related to Password Policy Enforcer functionality which are described in the table below. -**NOTE:** All PPE Tool operations can be executed from the Command Prompt, if run with administrator +:::note +All PPE Tool operations can be executed from the Command Prompt, if run with administrator rights. +::: + ### PPE Tool Operations -**_RECOMMENDED:_** PPE Tool operations should only be executed one at a time. For example, you +:::info +PPE Tool operations should only be executed one at a time. For example, you should not execute the /e (Export) and /i (Import) operations simultaneously; you should not run /e (Export) and /r (Report) operations simultaneously. +::: + + +**Common PPE Tool Operations** -Common PPE Tool Operations +| Operation | Operation Name | Operation Description | +| --------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| /? | help | | +| /m | minimal | | +| /d | domain [in controller] | | +| /c | config [in file name] | | -| Operation | Operation Name | Operation Description | -| --------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| /? | help | - Displays Help and exits the application. All other options are ignored. | -| /m | minimal | - Configures the PPE Tool to operate in Minimal mode. - This operation strips away all extraneous information (e.g., policy messages, license information, etc.) while importing or exporting to the PPE Tool. - By default, the PPE Tool imports and exports all information available (e.g., policy messages, license information, etc.). | -| /d | domain [in controller] | - Configures the PPE Tool to operate in Domain mode. - The default controller is localhost. - This operation will make PPE Tool work with the LDAP Password Policy Enforcer instance. PPE Tool imports or exports configurations from the local registry. - To use this operation , you must run PPE Tool as a domain administrator user. However, this operation can be used on both the domain controller and on any member. If an invalid domain controller is provided as an argument, then the PPE Tool will fail at the import / export stage. - This operation is ignored when used to create reports from the file source (present with the /c (Config [in file name]) option). When the PPE Tool starts in a domain environment without the /d (Domain [in controller]) operation, a warning message will appear. However, this will not prevent the PPE Tool from operating on a local environment. | -| /c | config [in file name] | - Uses a config file instead of Password Policy Enforcer export when exporting reports (in the case of /i (Import), /h (Human [out file name]), and /r (Report [out file name]). - The default file is `config.xml`. - This operation defines the input file for the i/ (Import) operation, and thus is necessary for importing files to the PPE Tool. An error message will appear if the /c (Config [in file name]) option is omitted. - By default, the /h (Human [out file name]) and /r (Report [out file name]) operations use the Password Policy Enforcer instance as the reporting source. The /c (Config [in file name]) operation should provide the source configuration file as an argument to create reports. If an invalid file name is provided as an argument in this operation, the PPE Tool will display the appropriate error message and will fail. | Operations PPE Tool options are as follows: -| Task | Task Name | Task Description | -| ---- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| /e | export [out file name] | - Exports config data (default) from the Password Policy Enforcer instance to the file. - This operations is enabled by default. - This operation can not be used with /c (Config [in file name]) or i/ (Import) operations, but can be combined with /h (Human [out file name]). | -| /i | import | - Imports the config file. - Imports existing configuration using the input configuration file defined by the /d (Domain [in controller]) . If the /c (Config [in file name]) operation is omitted, the PPE Tool will display an error message and exit the application. - When i/ (Import) is used with the /h (Human [out file name]) or /r (Report [out file name]) operations, the latter will be ignored. - /d (Domain [in controller]) and /m (Minimal) operations my affect the result of the import. | -| /h | human [out file name] | - Converts the config file to a human-readable format and produces a human-readable report based on the current Password Policy Enforcer instance configuration or the configuration provided by the /d (Domain [in controller]). - If no custom file name is provided, the default file name will be `config_human_readable.xml`. | -| /r | report [out file name] | - Converts the config file to HTML and produces an HTML report file based on the current Password Policy Enforcer instance configuration or the configuration provided by the /d (Domain [in controller]). - Generates the HTML report into `C:\Program Files (x86)\Password Policy Enforcer\Report` alongside the .css file. - The default files name is `report.html`. | +| Task | Task Name | Task Description | +| ---- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| /e | export [out file name] | | +| /i | import | | +| /h | human [out file name] | | +| /r | report [out file name] | | + ### PPE Usage Samples @@ -66,12 +74,13 @@ C:\Windows/system32>cd.. Once this location has been accessed in the Command console, enter one of the following commands in the [operation] variable above to execute a PPE Tool operation in the Command console. -| Action | Operation | Message | -| -------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Simple Config export operation | - ppetool | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. | -| Simple Config export in domain environment with DC %Full computer name of Domain Controller% | - ppetool /d localhost - ppetool /d %Full computer name of Domain Controller% | Config successfully exported. | -| Export local config into local.xml and create it from the HR.xml and report.html reports | - ppetool /e local.xml /h HR.xml /r Report.html | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. Human readable config representation successfully exported. HTML config representation exported successfully. | -| Import Config from config.xml | - ppetool /c config.xml /i | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config import successful. | +| Action | Operation | Message | +| -------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Simple Config export operation | | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. | +| Simple Config export in domain environment with DC %Full computer name of Domain Controller% | | Config successfully exported. | +| Export local config into local.xml and create it from the HR.xml and report.html reports | | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config successfully exported. Human readable config representation successfully exported. HTML config representation exported successfully. | +| Import Config from config.xml | | Warning: PPETool started in domain environment without /d option. Using local source. Hope you know what are you doing. Config import successful. | + ### Generating Reports with Custom Descriptions @@ -96,13 +105,13 @@ The `` tag can also contain the child `` tag. This tag can have an o #### Example of 'value' mode -Original configuration +**Original configuration** ```xml 1 ``` -Transform configuration +**Transform configuration** ```xml @@ -114,7 +123,7 @@ Transform configuration ``` -Transformation result +**Transformation result** ```xml @@ -128,13 +137,13 @@ Transformation result #### Example of 'combined' mode -Original configuration +**Original configuration** ```xml 25 ``` -Transformation configuration +**Transformation configuration** ```xml @@ -150,7 +159,7 @@ Transformation configuration ``` -Result human-readable report +**Result human-readable report** ```xml diff --git a/docs/passwordpolicyenforcer/10.2/administration/properties/properties.md b/docs/passwordpolicyenforcer/10.2/administration/properties/properties.md index 074b4466ab..566b86294d 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/properties/properties.md +++ b/docs/passwordpolicyenforcer/10.2/administration/properties/properties.md @@ -60,8 +60,11 @@ The General tab provides options to enable or disable policy enforcement and log - Source (client or server) - The rules the password did not comply with. - **NOTE:** Password Policy Enforcer does not send passwords or password hashes over the + :::note + Password Policy Enforcer does not send passwords or password hashes over the network, even when logging rejections by the Password Policy Client. + ::: + Most Password Policy Enforcer rules are enforced by both the Password Policy Client and Password Policy Server. If the Password Policy Enforcer Client is installed, then it will often reject a @@ -107,7 +110,10 @@ The General tab provides options to enable or disable policy enforcement and log Password Reset V3.x, or PPE/Web V7.x (or earlier). Password Policy Enforcer accepts both encrypted and unencrypted requests if this option is not selected. - **NOTE:** For versions v9.x and above, this option will be selected by default. + :::note + For versions v9.x and above, this option will be selected by default. + ::: + Choose a password policy from the Default Policy drop-down list. Users must comply with the default policy if no other policy is assigned to them. See the @@ -135,8 +141,11 @@ for a particular user. See the [Managing Policies](/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/managing_policies.md) topic for additional information. -**CAUTION:** If Password Policy Enforcer has only one policy and that policy is also the default +:::warning +If Password Policy Enforcer has only one policy and that policy is also the default policy, then Password Policy Enforcer enforces the policy for all users. +::: + The Password Policy Client and Password Policy Server communicate over UDP port 1333 by default. If you need to change the default port, then type the new port number in the **Password Policy Server @@ -180,7 +189,8 @@ Follow the steps below to re-enable Password Policy Enforcer. **Step 4 –** Click **OK** to close the PPS Properties page. -**NOTE:** Password Policy Enforcer is disabled or enabled immediately, but if the management console +:::note +Password Policy Enforcer is disabled or enabled immediately, but if the management console is connected to a domain configuration, there will be some delay while Active Directory propagates the change to the other domain controllers. See the [Connect to a Configuration](/docs/passwordpolicyenforcer/10.2/administration/connecting.md) @@ -188,6 +198,8 @@ topic for additional information. A user's password history may be updated even Enforcer is disabled. See the [Rules](/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md) topic for additional information. +::: + ## Email Tab diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/character_rules.md b/docs/passwordpolicyenforcer/10.2/administration/rules/character_rules.md index abd4db977a..239c936cdd 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/character_rules.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/character_rules.md @@ -19,21 +19,25 @@ Password Policy Enforcer will select the Password Policy Enforcer character on t [Policy Priorities](/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/policy_priorities.md) page. -**NOTE:** Only Password Policy Enforcer 10.2 and higher will contain the Windows character set. +:::note +Only Password Policy Enforcer 10.2 and higher will contain the Windows character set. Password Policy Enforcer 9, Netwrix Password Reset3 and Password Policy Enforcer/Web 7 (and older for all products) will always use the Password Policy Enforcer character set. +::: + This default character set contains the following: -| Rule | Default character set | -| ----------- | -------------------------------------------------- | -| Alpha Lower | Lowercase alphabetic (a - z) | -| Alpha Upper | Uppercase alphabetic (A - Z) | -| Alpha | Uppercase and lowercase alphabetic (a - z & A - Z) | -| Numeric | Numerals (0 - 9) | -| Special | All characters not included above | -| High | All characters above ANSI 126 | -| Custom | No default characters | +| Rule | Default character set | +| ----------- | ------------------------------------------------------------------------ | +| Alpha Lower | Lowercase alphabetic (a-z) | +| Alpha Upper | Uppercase alphabetic (A-Z) | +| Alpha | Uppercase and lowercase alphabetic (a-z & A-Z) | +| Numeric | Numerals (0-9) | +| Special | All characters not included above | +| High | All characters above ANSI 126 | +| Custom | No default characters | + Select the **Enabled** check box to enable the Character rule. @@ -64,9 +68,12 @@ set to replace the default. For example, enter "AaEeIiOoUu" to create a vowel ch Click the **Messages** tab to customize the Password Policy Client rule inserts. -**NOTE:** The First Character, Last Character, and Complexity rules are easier to configure, and +:::note +The First Character, Last Character, and Complexity rules are easier to configure, and easier for users to understand. Use these rules instead of the Character rules if they can enforce your desired policy. +::: + ### Enforcing Complex Character Requirements diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/complexity_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/complexity_rule.md index 9d13f7a534..8bc2334d98 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/complexity_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/complexity_rule.md @@ -29,5 +29,8 @@ topic for additional information. Click the Messages tab to customize the Password Policy Client rule inserts. -**NOTE:** The Complexity rule uses custom character set definitions from the Character rules, even +:::note +The Complexity rule uses custom character set definitions from the Character rules, even if the Character rules are disabled. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/compromised_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/compromised_rule.md index 63a41a724b..b9368919de 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/compromised_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/compromised_rule.md @@ -16,8 +16,11 @@ Select the **Enabled** check box to enable the Compromised rule. Click the **...** (ellipsis) button beside each text box to select a hash file. You can also type a path into the text box. The path can contain environment variables like -**CAUTION:** %SystemRoot%. hash files should only be read from a local disk. Using shared hash files +:::warning +%SystemRoot%. hash files should only be read from a local disk. Using shared hash files degrades performance, and could jeopardize security. +::: + Click the **Messages** tab to customize the Password Policy Client rule inserts. diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/dictionary_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/dictionary_rule.md index 3c8da9dfc4..8aa04fdcf1 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/dictionary_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/dictionary_rule.md @@ -35,10 +35,55 @@ templates in the dictionary file. Wildcard templates are specially formatted dic Password Policy Enforcer uses to reject a range of passwords. The Dictionary rule supports two wildcard template formats: -| Format | Example | Description | -| ------ | --------- | -------------------------------------------------------------------------------- | --- | --- | --- | --------- | --- | ------- | --- | --- | --- | --- | --- | --- | --------------------------------------------------------------------------------- | --- | ---------------------------------------------------------------------------------------- | --- | -| Prefix | | | | --- | | !!BAN\*!! | | !!2\*!! | | | | | --- | | Rejects passwords that start with BAN. For example: band, banish, ban, bank, etc. | | Rejects passwords that start with the numeric character 2. For example: 2ABC, 2123, etc. | | -| Suffix | !!\*ING!! | Rejects passwords that end with ING. For example: pushing, howling, trying, etc. | + + + + + + + + + + + + + + + + + + + + +
FormatExampleDescription
Prefix + + + + + + + + + +
!!BAN*!!
!!2*!!
+ 		+ + + + + + + + + +
Rejects passwords that start with BAN. For example: band, banish, ban, bank, etc.
Rejects passwords that start with the numeric character 2. For example: 2ABC, 2123, etc.
+
+ Suffix + + !!*ING!! + + Rejects passwords that end with ING. For example: pushing, howling, trying, etc. +
Partial matching is performed even if Wildcard analysis is disabled. For example, the dictionary word "password" will reject the passwords "My**Password**$", "**Password**100", and @@ -62,9 +107,12 @@ can contain environment variables like %SystemRoot%. A sample dictionary is inst \Program Files (x86)\Password Policy Enforcer\ folder. The dictionary file should be read from a local disk. Using a shared dictionary degrades performance, and could jeopardize security. -**NOTE:** The `\Program Files (x86)\` folder does not exist on 32-bit Windows, so move the +:::note +The `\Program Files (x86)\` folder does not exist on 32-bit Windows, so move the dictionary into the `\Program Files\Password Policy Enforcer\` folder if you have 32-bit and 64-bit computers sharing a common Password Policy Enforcer configuration. +::: + Click the **Sort** button if the dictionary file is being used with Password Policy Enforcer for the first time, or if words have been added to the file since it was last sorted. The Password Policy @@ -94,8 +142,11 @@ The custom dictionary should meet the following requirements: 2. All words are capitalized. 3. The sort button is pressed after pointing to a file in the dictionary rule. -**NOTE:** If you are using a custom dictionary, please provide a different filename. The default +:::note +If you are using a custom dictionary, please provide a different filename. The default dictionary file (dict.txt) may be replaced during an upgrade. +::: + ## Dictionary File Replication diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/first_and_last.md b/docs/passwordpolicyenforcer/10.2/administration/rules/first_and_last.md index 0d0fc02605..e723b113c1 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/first_and_last.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/first_and_last.md @@ -23,6 +23,9 @@ want to specify the **unacceptable** character. Choose one or more character sets by selecting the check boxes beside the character set names. -**NOTE:** Click the Messages tab to customize the Password Policy Client rule inserts. The First and +:::note +Click the Messages tab to customize the Password Policy Client rule inserts. The First and Last Character rules use custom character set definitions from the Character rules, even if the Character rules are disabled. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/history_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/history_rule.md index c708ffb396..bd6375eae1 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/history_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/history_rule.md @@ -28,10 +28,13 @@ so a domain controller that can handle 1,000 password changes a minute with SHA- to handle 250 password changes a minute with Argon2. All numbers are approximate. Use Argon2 if your domain controllers can handle the load. -**NOTE:** Changing the **Hash function** does not modify existing history records. It sets the +:::note +Changing the **Hash function** does not modify existing history records. It sets the function to be used for new password history records. If a user has Argon2 and SHA-256 hashes in their password history, then Password Policy Enforcer calculates both the Argon2 and SHA-256 hashes during a password change to ensure the new password is not in the password history. +::: + The History rule is normally not enforced when a password is reset. Select the **Enforce this rule when a password is reset** check box to override the default behavior. You must also select the @@ -40,7 +43,10 @@ when a password is reset. Click the **Messages** tab to customize the Password Policy Client rule inserts. -**NOTE:** The History rule is not enforced when testing passwords from the Test Policies page. +:::note +The History rule is not enforced when testing passwords from the Test Policies page. +::: + Password Policy Enforcer updates a user's password history whenever their password changes. The password history is updated even if Password Policy Enforcer or the assigned policy is disabled. A @@ -54,11 +60,14 @@ password history, or configure Password Policy Enforcer to use an existing attri Disable Password Policy Enforcer's History rule if you do not want Password Policy Enforcer to store the password history. -**NOTE:** Password Policy Enforcer does not store passwords in the password history, it only stores +:::note +Password Policy Enforcer does not store passwords in the password history, it only stores the Argon2 or SHA-256 hashes. A salt protects the hashes from precomputed attacks, including rainbow tables. If you do not want Password Policy Enforcer to store a password history, then leave the History rule disabled. You can use the Windows History rule together with Password Policy Enforcer's other rules to enforce your password policy. +::: + Password Policy Enforcer can store up to 100 password hashes for each user, but it only stores the minimum needed to enforce the current password policy. For example, if Password Policy Enforcer is @@ -87,13 +96,16 @@ history in a new or existing attribute. A new attribute is recommended, but you attribute if you do not want to extend the AD schema. An AD attribute is only needed for domain user accounts because the password history for local user accounts is stored in the registry. -**CAUTION:** Password Policy Enforcer's password history attribute is confidential to stop +:::warning +Password Policy Enforcer's password history attribute is confidential to stop authenticated users from accessing the password history of other users. See the Microsoft Article [Mark an attribute as confidential in Windows Server 2003 Service Pack 1](http://support.microsoft.com/kb/922836) Microsoft article for additional information. Confidential attributes have additional protection in Active Directory, but they are not as well protected as the Windows password history attributes. There is a higher risk of unauthorized access to the password history if it is stored outside the Windows password history attributes. +::: + Follow the steps below to create a new Active Directory attribute for the password history. @@ -102,11 +114,11 @@ a member of the Schema Admins group. **Step 2 –** Open a Command Prompt window to the Password Policy Enforcer installation folder. -(\Program Files (x86)\Password Policy Enforcer\) +**(\Program Files (x86)\Password Policy Enforcer\)** **Step 3 –** Type the following command: -: ldifde -i -f History.ldf -c "DC=X" "DC=yourdomain,DC=yourdomain" +**: ldifde -i -f History.ldf -c "DC=X" "DC=yourdomain,DC=yourdomain"** Replacing the last parameter with your domain's DN. @@ -131,7 +143,8 @@ administrator accesses the password history they might be able to extract the ha but they cannot extract the passwords directly because the password history does not contain any passwords. -**CAUTION:** The password history of a local user account is not automatically deleted when the user +:::warning +The password history of a local user account is not automatically deleted when the user account is deleted. If a local user account is deleted, then another local user account is created on the same computer with the same username, the new user will inherit the deleted user's password history. The default registry permissions stop users from accessing their own password history, so @@ -142,3 +155,5 @@ user's current password is validated, and the Windows Minimum Age rule is enforc password history is checked, so every compliant and incorrect password guessed will overwrite one hash in the password history. This information applies only to local user accounts. The password history for domain user accounts is deleted when users are deleted. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/keyboard_pattern.md b/docs/passwordpolicyenforcer/10.2/administration/rules/keyboard_pattern.md index f497f2ec1c..07bd7bf927 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/keyboard_pattern.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/keyboard_pattern.md @@ -24,10 +24,13 @@ other keyboard layouts. keyboard patterns that contain direction changes. For example, "qwewq" and "4rfr4" are both recognized as five-character keyboard patterns if direction change detection is enabled. -**NOTE:** Password Policy Enforcer detects direction changes in both axes if the pattern detection +:::note +Password Policy Enforcer detects direction changes in both axes if the pattern detection mode is set to "Horizontal or vertical". For example, "qawsed", "qwedsa", "qwedcv", and "qwsazx" are all recognized as six-character keyboard patterns if direction change detection is enabled and the pattern detection mode is set to "Horizontal or vertical". +::: + - Select the **Detect key repeat** check box if Password Policy Enforcer should detect keyboard patterns that contain repeated keystrokes. For example, "qwwert" and "qwwwer" are both recognized @@ -48,7 +51,10 @@ pattern detection mode is set to "Horizontal or vertical". Click the **Messages** tab to customize the Password Policy Client rule inserts. -**NOTE:** Modifier keys such as Shift and AltGr will not evade pattern detection. Key positions can +:::note +Modifier keys such as Shift and AltGr will not evade pattern detection. Key positions can differ, even in keyboards with matching layouts. The Keyboard Pattern rule may not detect some patterns because of these differences. Please report any missed patterns to [Netwrix Support](https://www.netwrix.com/support.html). + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/maximum_age_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/maximum_age_rule.md index c751b07cb2..51c88bb6dc 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/maximum_age_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/maximum_age_rule.md @@ -29,7 +29,8 @@ required number of characters will not expire until the second (higher) days val values are identical, then passwords will expire after the specified number of days, irrespective of length. -**NOTE:** When the Maximum Age rule is configured to delay the expiry of longer passwords, it +:::note +When the Maximum Age rule is configured to delay the expiry of longer passwords, it creates an Active Directory security group called "PPE Extended Maximum Age Users". Password Policy Enforcer uses this group to identify which users are eligible for a delayed password expiry. Users are added and removed from the group automatically. You can move and rename this group, but do not @@ -38,6 +39,8 @@ name. Change a Password Policy Enforcer configuration setting (any setting) afte the group to trigger a cache update in Password Policy Enforcer. Password Policy Enforcer recreates this group if you delete it. To stop creating a group, make the two days values equal in all policies. +::: + Optionally, check the **Log Event...** box to have Password Policy Enforcer log an event each time a password expires. Password Policy Enforcer expires passwords 1:00 AM daily on the server holding the @@ -70,12 +73,15 @@ Users with expired passwords are always prompted to change their password, even and Warning modes. Users can ignore the prompt to change their password unless they are being forced to change it. -**NOTE:** The password expiry prompt is a Windows client feature, and is displayed even if the +:::note +The password expiry prompt is a Windows client feature, and is displayed even if the Password Policy Client is not installed. Windows clients display the prompt 5 days before passwords expire by default. You can alter this behavior in the Windows Group Policy security settings. See the [Interactive logon: Prompt user to change password before expiration](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration) Microsoft article for additional information. +::: + Password Policy Enforcer expires passwords at 1:00 AM every day on the domain controller holding the PDC emulator operations master role. It sets "User must change password at next logon" for users diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/minimum_age_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/minimum_age_rule.md index 45049ee81c..ccde3780b9 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/minimum_age_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/minimum_age_rule.md @@ -19,7 +19,8 @@ changing their password. Click the **Messages** tab to customize the Password Policy Client. Only the Reason insert is shown because minimum age requirements are not included in the Password Policy message. -**NOTE:** The Minimum Age rule is unique because users cannot comply with it by choosing a different +:::note +The Minimum Age rule is unique because users cannot comply with it by choosing a different password; they must wait until the required number of days has elapsed. The Password Policy Client consequently handles rejections by this rule differently to other rules. Rather than displaying the usual message components, the Password Policy Client only displays the Minimum Age rule's Reason @@ -27,6 +28,8 @@ insert. See [Password Policy Client](/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md) topic for additional information. The Rejection Reason template, macros, and inserts from other rules are not displayed when a password change is denied by the Minimum Age rule. +::: + The Minimum Age rule is not enforced during policy testing, but the test log does show the user's password age. A log entry is also added if the Minimum Age rule would have rejected the password diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md b/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md index 334fc755d4..1628b441ac 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md @@ -29,19 +29,170 @@ box is selected, Password Policy Enforcer tests passwords with, and without char This stops users from circumventing the rule by substituting some characters. Password Policy Enforcer detects these common character substitutions: -| Original | | Substituted | -| -------- | --- | ----------------- | -| A | a | ^ @ | -| B | b | 8 | -| C | c | ( or \{ or < or [ | -| D | d | ) or \} or > or ] | -| E | e | 3 | -| G | g | 6 or 9 | -| I | i | ! or \| or 1 | -| O | o | 0 or (zero) | -| S | s | $ or 5 | -| T | t | + or 7 | -| Z | z | 2 | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Original + + Substituted +
+ A + + a + + ^ @ +
+ B + + b + + 8 +
+ C + + c + + + + + + + + + +
+ ( or { + <[
+
+ D + + d + + + + + + + + + +
+ ) or } + >]
+
+ E + + e + + 3 +
+ G + + g + + 6 or 9 +
+ I + + i + + + + + + + + +
+ ! or | +   1
+
+ O + + o + + 0 or (zero) +
+ S + + s + +

$ or 5

+
+ T + + t + + + or 7 +
+ Z + + z + + 2 +
## Tolerance diff --git a/docs/passwordpolicyenforcer/10.2/administration/rules/similarity_rule.md b/docs/passwordpolicyenforcer/10.2/administration/rules/similarity_rule.md index 47a3567251..8b511441a0 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/rules/similarity_rule.md +++ b/docs/passwordpolicyenforcer/10.2/administration/rules/similarity_rule.md @@ -28,6 +28,9 @@ Select the **Enabled** check box to enable the Similarity rule. tolerance is five (or lower), and accept it if the tolerance is six (or higher). Choose the **Auto** value to reject passwords that contain the user's entire current password. -**NOTE:** Click the Messages tab to customize the Password Policy Client rule inserts. This rule is +:::note +Click the Messages tab to customize the Password Policy Client rule inserts. This rule is only enforced if the Password Policy Client is installed. It does not store or transmit passwords or password hashes. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/administration/support_tools.md b/docs/passwordpolicyenforcer/10.2/administration/support_tools.md index 2af21b3763..f541a4e890 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/support_tools.md +++ b/docs/passwordpolicyenforcer/10.2/administration/support_tools.md @@ -63,7 +63,7 @@ Policy Enforcer 10.0,CN=System). **Step 8 –** Import configuration with the following command: -ldifde -i -f PPE10.1.txt +**ldifde -i -f PPE10.1.txt** Check **URL** and **wWWHomePage** attributes in ADSIEdit or AD Users and Computers before opening PPE Management Console to ensure that configuration has been maintained. @@ -73,8 +73,11 @@ PPE Management Console to ensure that configuration has been maintained. The Property Editor allows you to directly edit the Password Policy Enforcer configuration. You should only use the Property Editor if instructed to by Netwrix Support. -**CAUTION:** Only configure the settings on the Property Editor tab if instructed to do so by +:::warning +Only configure the settings on the Property Editor tab if instructed to do so by [Netwrix Support](https://www.netwrix.com/support.html). +::: + Follow the steps below to open and configure the Property Editor. diff --git a/docs/passwordpolicyenforcer/10.2/administration/uninstall.md b/docs/passwordpolicyenforcer/10.2/administration/uninstall.md index ae0e67cce9..ed178f90f3 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/uninstall.md +++ b/docs/passwordpolicyenforcer/10.2/administration/uninstall.md @@ -6,9 +6,12 @@ sidebar_position: 40 # Uninstall Netwrix Password Policy Enforcer -**NOTE:** Uninstalling the product does not remove system files as the PPE.DLL from the System32 +:::note +Uninstalling the product does not remove system files as the PPE.DLL from the System32 folder. Before rebooting the Domain Controller, Windows has a lock on the system files. You can delete system files after rebooting the Domain Controller. +::: + Follow the steps to uninstall Password Policy Enforcer. diff --git a/docs/passwordpolicyenforcer/10.2/administration/upgrading.md b/docs/passwordpolicyenforcer/10.2/administration/upgrading.md index 8932172e21..ca89b8381b 100644 --- a/docs/passwordpolicyenforcer/10.2/administration/upgrading.md +++ b/docs/passwordpolicyenforcer/10.2/administration/upgrading.md @@ -43,7 +43,7 @@ topic for additional information. The Password Policy Enforcer 10.2 Password Policy Server is backwards compatible with the V8.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the 10.2 Password Policy Client. -See the [What's New](/docs/passwordpolicyenforcer/10.2/overview/whatsnew.md) topic for additional information. +See the [What's New](/docs/passwordpolicyenforcer/10.2/whatsnew.md) topic for additional information. ### Upgrading the Password Policy Server @@ -71,11 +71,14 @@ You can run a combination of V8.x and 10.2 Password Policy Servers, but extended versions is not recommended as it adds administrative overhead. Maintain both versions only for a short time while you roll out Password Policy Enforcer V9.x. -**NOTE:** Any configuration changes made from the 10.2 management console will only affect 10.2 +:::note +Any configuration changes made from the 10.2 management console will only affect 10.2 domain controllers. Likewise, any changes made from the V8.x management console will only affect V8.x domain controllers. You must make configuration changes in both management consoles until all domain controllers are upgraded to 10.2. Failure to do so may lead to inconsistent enforcement of the password policy. +::: + Older versions of the Password Policy Enforcer Client (prior to V6.0) cannot detect passphrases. Users must comply with the policy's compliance level when these older clients are installed. See the @@ -102,11 +105,14 @@ topic for additional information. PPE/Web V3.x and Netwrix Password Reset V1.x use the Password Policy Enforcer V3.x communication protocol. These clients are not compatible with the 10.2 server. -**CAUTION:** Do not use the automatic tolerance option with Password Policy Enforcer V4.x clients. +:::warning +Do not use the automatic tolerance option with Password Policy Enforcer V4.x clients. These clients will enforce an extremely restrictive password policy if this option is enabled. They will reject any password that contains a character found in the comparison parameter. See the [Rules](/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md) topic for additional information. +::: + ### Upgrading the Password Policy Client @@ -127,7 +133,7 @@ topic for additional information. The Password Policy Enforcer 10.2 Password Policy Server is backwards compatible with the V7.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the 10.2 Password Policy Client. -See the [What's New](/docs/passwordpolicyenforcer/10.2/overview/whatsnew.md) topic for additional information. +See the [What's New](/docs/passwordpolicyenforcer/10.2/whatsnew.md) topic for additional information. ### Upgrading the Password Policy Server @@ -153,11 +159,14 @@ You can run a combination of V7.x and V9.x Password Policy Servers, but extended versions is not recommended as it adds administrative overhead. Maintain both versions only for a short time while you roll out PPE V9.x. -**NOTE:** Any configuration changes made from the V10.2 management console will only affect V10.x +:::note +Any configuration changes made from the V10.2 management console will only affect V10.x domain controllers. Likewise, any changes made from the V7.x management console will only affect V7.x domain controllers. You must make configuration changes in both management consoles until all domain controllers are upgraded to V10.x. Failure to do so may lead to inconsistent enforcement of the password policy. +::: + Older versions of the PPE Client (prior to V6.0) cannot detect passphrases. Users must comply with the policy's compliance level when these older clients are installed. @@ -178,9 +187,12 @@ Netwrix Password Reset V2.x may truncate messages with long inserts. Password Policy Enforcer Web V3.x and Netwrix Password Reset V1.x use the Password Policy Enforcer V3.x communication protocol. These clients are not compatible with the V10.x server. -**CAUTION:** Do not use the automatic tolerance option with Password Policy Enforcer V4.x clients. +:::warning +Do not use the automatic tolerance option with Password Policy Enforcer V4.x clients. These clients will enforce an extremely restrictive password policy if this option is enabled. They will reject any password that contains a character found in the comparison parameter. +::: + The PPE Client for Windows 8, 10, Server 2012, Server 2016, and Server 2019 displays messages in a smaller area than previous versions of Windows. Some of the default message components were @@ -214,7 +226,7 @@ topic for complete installation instructions. The Password Policy Enforcer 10.2 Password Policy Server is backwards compatible with the V6.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the 10.2 Password Policy Client. -See the [What's New](/docs/passwordpolicyenforcer/10.2/overview/whatsnew.md) topic for additional information. +See the [What's New](/docs/passwordpolicyenforcer/10.2/whatsnew.md) topic for additional information. ### Upgrading the Password Policy Server @@ -247,11 +259,14 @@ master role to Password Policy Enforcer V910x. See the [Rules](/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md) topic for additional information. -**NOTE:** Any configuration changes made from the 10.2 management console will only affect 10.2 +:::note +Any configuration changes made from the 10.2 management console will only affect 10.2 domain controllers. Likewise, any changes made from the V6.x management console will only affect V6.x domain controllers. You must make configuration changes in both management consoles until all domain controllers are upgraded to 10.2. Failure to do so may lead to inconsistent enforcement of the password policy. +::: + The **Do not check admin/helpdesk password resets** property in the PPS Properties page was renamed to **Enforce policy when password is reset**. The check box value changes after upgrading, but @@ -293,11 +308,14 @@ inserts. PPE/Web V3.x and Netwrix Password Reset V1.x use the Password Policy Enforcer V3.x communication protocol. These clients are not compatible with the 10.2 server. -**CAUTION:** Do not use the automatic tolerance option with Password Policy Enforcer V4.x clients. +:::warning +Do not use the automatic tolerance option with Password Policy Enforcer V4.x clients. These clients will enforce an extremely restrictive password policy if this option is enabled. They will reject any password that contains a character found in the comparison parameter. See the [Rules](/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md) topic for additional information. +::: + The Password Policy Enforcer Client for Windows 2016, 2019, and 2022 displays messages in a smaller area than previous versions of Windows. Some of the default message components were shortened to fit diff --git a/docs/passwordpolicyenforcer/10.2/evaluation/configuring_policy_rules.md b/docs/passwordpolicyenforcer/10.2/evaluation/configuring_policy_rules.md index c0284103ca..d72afdefe2 100644 --- a/docs/passwordpolicyenforcer/10.2/evaluation/configuring_policy_rules.md +++ b/docs/passwordpolicyenforcer/10.2/evaluation/configuring_policy_rules.md @@ -43,5 +43,8 @@ Enforcer** folder. **Step 12 –** Click **Open**, then click **OK**. -**NOTE:** Press F1 while using the management console to display help information for the current +:::note +Press F1 while using the management console to display help information for the current window. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/evaluation/enforcing_multiple_policies.md b/docs/passwordpolicyenforcer/10.2/evaluation/enforcing_multiple_policies.md index dae98ea326..a78b2918bd 100644 --- a/docs/passwordpolicyenforcer/10.2/evaluation/enforcing_multiple_policies.md +++ b/docs/passwordpolicyenforcer/10.2/evaluation/enforcing_multiple_policies.md @@ -62,7 +62,10 @@ Directory Users and Computers console, or the Local Users and Groups console to changes and resets for the PPETestUser and PPETestAdmin accounts. Password Policy Enforcer should enforce the Users policy for PPETestUser, and the Admins policy for PPETestAdmin. -**NOTE:** The +:::note +The [Administration](/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md) topic contains more information about policy assignments, and how Password Policy Enforcer resolves policy assignment conflicts that occur when more than one policy is assigned to a user. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/evaluation/evaluation_overview.md b/docs/passwordpolicyenforcer/10.2/evaluation/evaluation_overview.md index 69e409d856..ca5a40f7e2 100644 --- a/docs/passwordpolicyenforcer/10.2/evaluation/evaluation_overview.md +++ b/docs/passwordpolicyenforcer/10.2/evaluation/evaluation_overview.md @@ -18,8 +18,11 @@ Unlike password cracking products that check passwords after they are accepted b system, Password Policy Enforcer checks new passwords immediately to ensure that weak passwords do not jeopardize system security. -**NOTE:** You can also use Password Policy Enforcer to ensure that passwords are compatible with +:::note +You can also use Password Policy Enforcer to ensure that passwords are compatible with other systems, and to synchronize passwords with other systems and applications. +::: + The [Administration](/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md) diff --git a/docs/passwordpolicyenforcer/10.2/evaluation/installation.md b/docs/passwordpolicyenforcer/10.2/evaluation/installation.md index 3e3cfdc630..dbe4a58821 100644 --- a/docs/passwordpolicyenforcer/10.2/evaluation/installation.md +++ b/docs/passwordpolicyenforcer/10.2/evaluation/installation.md @@ -10,11 +10,14 @@ You can install Password Policy Enforcer manually, or you can automate the insta software distribution tool. Installing Password Policy Enforcer does not extend the Active Directory schema. -**NOTE:** Refer to the +:::note +Refer to the [Administration](/docs/passwordpolicyenforcer/10.2/administration/administration_overview.md) topic to learn how to install Password Policy Enforcer with Group Policy. You can also use other software distribution tools like Microsoft's System Center Configuration Manager to install Password Policy Enforcer. +::: + Follow the steps below to manually install Password Policy Enforcer. @@ -47,5 +50,8 @@ Password Policy Client on a domain with client computers. See the [Password Policy Client](/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md) topic for additional information. -**NOTE:** The Password Policy Client does not replace or modify any Windows system files. You can +:::note +The Password Policy Client does not replace or modify any Windows system files. You can install it with Group Policy, or some other software distribution tool in your production network. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/evaluation/testing_the_password_policy.md b/docs/passwordpolicyenforcer/10.2/evaluation/testing_the_password_policy.md index 07733dc12e..8b5a61e932 100644 --- a/docs/passwordpolicyenforcer/10.2/evaluation/testing_the_password_policy.md +++ b/docs/passwordpolicyenforcer/10.2/evaluation/testing_the_password_policy.md @@ -42,10 +42,13 @@ password complied with. Click the Log tab to view Password Policy Enforcer's internal event log. The information in the event log can help you to understand why Password Policy Enforcer accepted or rejected a password. -**NOTE:** Policy testing simulates a password change, but it may not always reflect what happens +:::note +Policy testing simulates a password change, but it may not always reflect what happens when a user changes their password. See the [Managing Policies](/docs/passwordpolicyenforcer/10.2/administration/managingpolicies/managing_policies.md) topic for more information. +::: + ## Windows Change Password Screen @@ -74,12 +77,7 @@ these messages are customizable. The Password Policy Client does not modify any Windows system files, and you do not have to install it to enforce a Password Policy Enforcer password policy. Web browser based versions of the Password -Policy Enforcer Client are also available. See the -[Administration](/docs/passwordpolicyenforcer/10.2/password_reset/administration/administration_overview.md) -and -[](http://www.anixis.com/products/ppeweb/)[Web](/docs/passwordpolicyenforcer/10.2/web/web_overview.md) -topics for more information. Password Reset and Password Policy Enforcer/Web are licensed -separately. +Policy Enforcer Client are also available. ## Active Directory Users / Computers Console and local Users and Groups Console @@ -108,9 +106,12 @@ Follow the steps below to test password policies from these consoles. **Step 4 –** Click **OK**. -**NOTE:** These consoles do not explain why a password was rejected. Use the Password Policy +:::note +These consoles do not explain why a password was rejected. Use the Password Policy Enforcer management console, or the Change Password screen with the Password Policy Enforcer Client installed to see this information. +::: + The table below contains some sample passwords and expected test results when the Users policy is enforced. Try to change the password for the PPETestUser account to confirm that Password Policy @@ -138,5 +139,8 @@ These three passwords are only marginally stronger than the rejected passwords. shows you how to improve the password policy so Password Policy Enforcer will reject these passwords. -**NOTE:** Contact Netwrix support[ ](mailto:support@anixis.com)if Password Policy Enforcer is not +:::note +Contact Netwrix support[ ](mailto:support@anixis.com)if Password Policy Enforcer is not working as expected, and we will help you to resolve the problem. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/index.md b/docs/passwordpolicyenforcer/10.2/index.md index 0df6468dc5..44e3aaddaa 100644 --- a/docs/passwordpolicyenforcer/10.2/index.md +++ b/docs/passwordpolicyenforcer/10.2/index.md @@ -1 +1,12 @@ -# Password Policy Enforcer 10.2 +--- +title: "Netwrix Password Policy Enforcer v10.2" +description: "Netwrix Password Policy Enforcer v10.2" +sidebar_position: 1 +--- + +# Netwrix Password Policy Enforcer v10.2 + +Netwrix Password Policy Enforcer helps you to secure your network by ensuring that users choose +strong passwords. When a user chooses a password that does not comply with the password policy, +Password Policy Enforcer immediately rejects the password and tells them why their password was +rejected. diff --git a/docs/passwordpolicyenforcer/10.2/overview/_category_.json b/docs/passwordpolicyenforcer/10.2/overview/_category_.json deleted file mode 100644 index b2756858b8..0000000000 --- a/docs/passwordpolicyenforcer/10.2/overview/_category_.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "label": "Netwrix Password Policy Enforcer v10.2", - "position": 10, - "collapsed": true, - "collapsible": true, - "link": { - "type": "doc", - "id": "overview" - } -} \ No newline at end of file diff --git a/docs/passwordpolicyenforcer/10.2/overview/overview.md b/docs/passwordpolicyenforcer/10.2/overview/overview.md deleted file mode 100644 index e366c2efa7..0000000000 --- a/docs/passwordpolicyenforcer/10.2/overview/overview.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: "Netwrix Password Policy Enforcer v10.2" -description: "Netwrix Password Policy Enforcer v10.2" -sidebar_position: 10 ---- - -# Netwrix Password Policy Enforcer v10.2 - -Netwrix Password Policy Enforcer helps you to secure your network by ensuring that users choose -strong passwords. When a user chooses a password that does not comply with the password policy, -Password Policy Enforcer immediately rejects the password and tells them why their password was -rejected. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/about_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/about_tab.md deleted file mode 100644 index 0c44110236..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/about_tab.md +++ /dev/null @@ -1,13 +0,0 @@ -# About Tab - -Use the **About** tab to check the version and license information, and to install a new license -key. - -![configuring_npr_10](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_10.webp) - -To install a new license key, copy the entire license e-mail to the clipboard, and then click Get -license from clipboard. - -**NOTE:** Password Reset includes a 30-day evaluation license for up to 50 users. Please -[contact Netwrix support](mailto:support@netwrix.com)[](mailto:support@anixis.com) if you would like -to evaluate Password Reset with more than 50 users. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/administration_overview.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/administration_overview.md deleted file mode 100644 index 982e30de77..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/administration_overview.md +++ /dev/null @@ -1,37 +0,0 @@ -# Administration - -Netwrix Password Reset is a self-service password management system that helps you to reduce the -number of password related help desk calls. Password Reset allows users to securely change their -password and unlock their account, even if they have forgotten their password. This section details -the different benefits of using Password Reset. - -## Reduced Costs - -Studies into the costs of password management show that between 20% and 40% of help desk calls are -password related. Password Reset helps you to reduce the number of these calls. - -## Increased Productivity - -Employee productivity plummets while they wait in the help desk queue to have their password reset. -With Password Reset, users can reset their own password in less than two minutes. Users can reset -their password from the Windows logon screen, or a mobile device. This frees the help desk to handle -more important issues. - -## Improved Security - -Identifying staff over the phone can be difficult, especially in large organizations. Password Reset -identifies users by asking them to answer some questions about themselves, and optionally by sending -a verification code to their mobile phone. Incorrect answers are logged, and you can configure -Password Reset to automatically lock out users who give too many incorrect answers. See the -[Configuring Password Reset](/docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_password_reset.md) -topic for additional information. - -## Higher Availability - -Password Reset is ready to respond to password management requests at any hour of the day and night. -It takes only minutes to install, and can handle thousands of requests every hour. - -The -[Evaluation](/docs/passwordpolicyenforcer/10.2/password_reset/evaluation/evaluation_overview.md) -topic contains step-by-step instructions to help you quickly install, configure, and evaluate -Password Reset. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_password_reset.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_password_reset.md deleted file mode 100644 index 6bece39785..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_password_reset.md +++ /dev/null @@ -1,18 +0,0 @@ -# Configuring Password Reset - -In the previous section, you used Password Reset with a default configuration. You can use the -Configuration Console to edit the configuration settings. Click **Start** > **Netwrix Password -Reset** > **NPR Configuration Console**on the Password Reset Server computer to open the -Configuration Console. - -![configuring_npr](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr.webp) - -Information about the configuration console tabs can be found in the following topics: - -- [General Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/general_tab.md) -- [Enroll Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/enroll_tab.md) -- [E-mail Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/email_tab.md) -- [Verification Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md) -- [Security Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/security_tab.md) -- [Permissions Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/permissions_tab.md) -- [About Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/about_tab.md) diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/editing_the_html_templates.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/editing_the_html_templates.md deleted file mode 100644 index c532fcfd78..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/editing_the_html_templates.md +++ /dev/null @@ -1,246 +0,0 @@ -# Editing the HTML Templates - -Password Reset's user interface is built with customizable templates. You can easily modify the user -interface by editing the templates. The templates are written in HTML5 and formatted with CSS3, so -they work with all modern web browsers. Older browsers such as Internet Explorer 8 may work, but the -pages may be badly formatted. Please [contact Netwrix support](mailto:support@netwrix.com) if you -need to use Password Reset with older web browsers. - -## User Interface Files - -Password Reset installs seven `.htm` files for every language. Each filename starts with a language -code. The files for the US English language are: - -| Filename | Content | -| ----------------- | ------------------------------------ | -| `en_default.htm` | Static HTML for the menu page | -| `en_enroll.htm` | Template for the Enroll page | -| `en_reset.htm` | Template for the Reset pages | -| `en_unlock.htm` | Template for the Unlock pages | -| `en_change.htm` | Template for the Change pages | -| `en_finished.htm` | Template for the Finished page | -| `en_error.htm` | Template for the Critical Error page | - -The formatting information is in `apr.css`, and the image files are in the images folder. These -files are installed into the `\Inetpub\wwwroot\pwreset\` folder by default. - -**NOTE:** Always backup the user interface files before and after editing them. Your changes may be -overwritten when Password Reset is upgraded, and some changes could stop Password Reset from working -correctly. Having a backup allows you to quickly revert to a working setup. -Web browsers display pages differently, so test your changes with several versions of the most -popular browsers to ensure compatibility. - -### Ranges and Fields - -`en_default.htm` contains static HTML, but the other .htm files contain special comment tags that -are used to prepare the pages. Some of these comments define ranges. A range looks like this: - -Some text or HTML - -The Web Interface deletes ranges (and the text inside them) when they are not needed. Some ranges -span only one word, while others span several lines. The other type of comment tag is called a -field. - - - -Fields are replaced by some other information. For example, the field above is replaced with a -username. - -### Resource Strings - -Each template ends with a resource string section. - - - -Resource strings are mostly validation error messages, but they can contain any text Password Reset -may need to build the page. Do not modify the identifiers on the left, only edit the text on the -right. Resource strings are always inside a range called RESOURCE_STRINGS. Password Reset deletes -this range before sending the page to the user's web browser. See the -[Error Messages](/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_password_reset.md#error-messages) topic -for additional information. - -### Responsive Content - -Password Reset's templates are responsive. The page layout and content changes to suit the user's -screen size. The layout is defined in the CSS file, and the content in the HTML files. The -text_short and text_long classes are used to display different content depending on the screen size. -text_short elements are shown on small screens (up to 420 pixels wide). text_long elements are shown -on larger screens. - -**CAUTION:** You may rebrand the Password Reset user interface, but it is a violation of the License -Agreement to modify, remove or obscure any copyright notice. - -## Examples - -This section contains examples of common customizations. Use these examples to gain a better -understanding of Password Reset's templates. You don't need to be an expert in HTML to follow these -examples, but a basic understanding of HTML will help. - -Work through them carefully, and backup files before you edit them. The examples in this section are -from the US English files, but the format is the same for all languages. - -### Replace the Netwrix Logo - -The Netwrix logo is shown at the top of the page. The logo is installed into the -`\Inetpub\wwwroot\pwreset\images\` folder by default, and it is called logo.svg. You can replace -this file with one containing your organization's logo. - -You will also need to edit the HTML files if your logo is not in SVG format, or if it has a -different aspect ratio to the Netwrix logo. Open every HTML file in a text editor such as Notepad, -and search for the line shown below. Change the filename (logo.svg), height (70 pixels) and width -(116 pixels) to suit your logo. - -`` - -### Edit Page Instructions - -Instructions appear at the top of each page. You can edit the instructions by opening the relevant -.htm file and searching for the text you wish to modify. - -Instructions are often inside a range called SECTION_A, SECTION_B, SECTION_C, or SECTION_D. Each -section contains instructions for the different pages in the template. Make sure you edit the -instructions in the correct section, or they may be displayed on the wrong page. The text_long and -text_short classes are used in page instructions to tailor content to the screen size. - -```html - -

Enter your username and domain, and then click Next to continue…

-

Use the reset feature if you have forgotten y…

- -``` - -```html - -

Answer the question below to confirm your identity. Your answer…

-

You may need to answer additional questions b…

- -``` - -### Edit Validation Error Messages - -Validation error messages are shown in a red box below the page instructions. Validation errors are -normally caused by invalid user input. - -![using_npr_12](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_12.webp) - -Validation error messages are defined in the relevant template (en_enroll.htm, en_reset.htm, -en_unlock.htm, or en_change.htm). The error messages are in the resource strings section near the -end of the file. Some messages are defined in more than one file, so you may need to edit several -files to change all instances of a message. See the [Resource Strings](#resource-strings) topic for -more information. - -You may see placeholders like %1 and %2 in some error messages. These are replaced with more -information about the error. You should keep these, but you can delete them if you do not want them. - -| String | Message | -| --------------------------- | ----------------------------------------------- | -| `@RES_EMPTY_FIELD_EMAIL` | `Enter your e-mail address in the E-mail box.` | -| `@RES_EMPTY_FIELD_QUESTION` | `Select a question from the Question %1 list.` | -| `@RES_IDENTICAL_QUESTIONS` | `Question %1 and %2 are the same. Select a di…` | - -### Edit Critical Error Messages - -All the critical error messages are defined in en_error.htm. The messages are in the resource -strings section near the end of the file. See the [Resource Strings](#resource-strings) topic for -more information. - -![using_npr_13](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_13.webp) - -You may see placeholders like %1 and %2 in some error messages. These are replaced with more -information about the error. You should keep these, but you can delete them if you do not want them. - -| String | Message | -| --------------------- | ----------------------------------------------------- | -| `@RES_LOCKED_OUT` | `This feature has been disabled because too many qu…` | -| `@RES_LOCKED_OUT_AD` | `Your account is locked because an incorrect passwo…` | -| `@RES_REQUEST_FAILED` | `The server %1 could not handle your request. Pleas…` | - -If you want to display some text for all error messages, then insert your text above or below the -`

{/*ERROR*/}

` line. For example: - -

{/*ERROR*/}

-

The help desk phone number is 555-555-5555.

- -### Edit Finished Messages - -Finished messages are shown after users successfully complete an enroll, reset, unlock, or change. -These messages are defined in the Resource Strings section near the end of `en_finished.htm`. See -the [Resource Strings](#resource-strings) topic for more information. - -![using_npr_9](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_9.webp) - -`en_finished.htm` has two resource strings for password changes (RES_FINISHED_CHANGE and -RES_FINISHED_CHANGE_INVITE). The first is shown when a user who has enrolled into NPR changes their -password. The second is shown when a user who has not enrolled changes their password. The second -message invites the user to enroll so they can also use the reset and unlock features in future. - -### Replace Enroll Question Lists with Text Boxes - -When users enroll into Password Reset, they choose their questions from the Question List. You can -replace some or all of the question lists with text boxes so users can enter their own questions. -See the -[Question List](/docs/passwordpolicyenforcer/10.2/password_reset/administration/enroll_tab.md#question-list) -topic for additional information. - -The lines you need to edit in en_enroll.htm look like this: - -```html - -``` - -There are ten of these lines in en_enroll.htm, each with their own question number (the number after -the q). You do not have to edit all ten lines. If users will be allowed to enter two questions, then -only edit the q1 and q2 lines. Replace these lines with a line like this: - -```html - -``` - -Change the three question numbers on each line so they match the original numbers, otherwise -Password Reset will not work correctly. You should also edit the validation error messages in -`en_enroll.htm` as some of them make reference to selecting questions from a list. - -**NOTE:** Users may not choose appropriate security questions, so it is advisable to leave the -question lists for some of the enrollment questions. - -### Change Font Sizes and Colors - -apr.css contains the user interface formatting information. You can change font sizes and colors by -editing this file. You can even reposition and resize items, but you will need some understanding of -CSS to do this. For example, this is the CSS for the validation error box: - -```css -.apr_form .error { - background-color: #ce482f; - border-radius: 5px; - color: #fff; - margin: 0 15px 15px; - padding: 10px 13px; -} -``` - -Edit these properties to change the appearance of the error box. You may need to clear your web -browser's cache to see the changes. - -### Change Icon Colors - -The Web Interface icons are in Scalable Vector Graphics (SVG) format. Vector graphics maintain their -sharpness when resized. You can easily change the colors of the icons with a text editor. Open the -SVG file with a text editor like Notepad, and edit this section of the file: - -fill="#FF7F00" - -Replace the hexadecimal color code with your desired color code. You can use a color picker like -this one to generate the color code: -[https://www.w3schools.com/colors/colors_picker.asp](https://www.w3schools.com/colors/colors_picker.asp) - -**NOTE:** Some old web browsers with basic HTML5 support cannot display SVG images. Password Reset -works with these browsers, but the SVG images are not shown. You can convert the icons to GIF or PNG -format if you want them shown on these older browsers. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/email_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/email_tab.md deleted file mode 100644 index e164ee955c..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/email_tab.md +++ /dev/null @@ -1,81 +0,0 @@ -# E-mail Tab - -Use the **E-mail** tab to configure how e-mail is sent to users, when it is sent, and also to edit -the e-mail templates. - -![configuring_npr_3_709x772](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_3_709x772.webp) - -### E-mail Delivery - -Password Reset can send e-mail alerts directly to an SMTP server, or save them to a pickup folder. -Select the **Send e-mail to an SMTP server** option if Password Reset should send e-mails directly -to an SMTP server. Type the name or IP address of an SMTP server in the **Server** text box, and the -SMTP port number in the **Port** text box. -Select the **Save e-mail to a pickup folder** option if NPR should save e-mails to a folder for -delivery by a mail server. Click **Browse...** to select a folder. The mail server must monitor this -folder for new e-mail. - -**NOTE:** Saving e-mail to a pickup folder is the fastest and most reliable delivery method. Use -this option if your mail server supports pickup folders. - -### Triggers - -Triggers define when e-mails are sent. If the trigger for an event is enabled, then Password Reset -sends an e-mail when the event occurs. Enabled triggers are underlined. - -Click the name of an enabled trigger to edit the trigger's e-mail template. - -![configuring_npr_4](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_4.webp) - -Type the name and e-mail address you wish to appear in the e-mail's From field in the **From** text -box. The correct format is `"Display Name" ` -Type the recipient's e-mail address in the **To** text box. The correct format is -`"Display Name" `. Separate multiple recipients with a semicolon. You can also -use these macros. - -| Macro | Replace with | -| ----------------- | --------------------------------------------------------------------------------------------- | -| [AD_EMAIL] | The e-mail address in Active Directory | -| [NPR_EMAIL] | The e-mail address in Password Reset's database | -| [AD_OR_NPR_EMAIL] | The e-mail address in AD, or the e-mail address in Password Resetif the AD address is blank | -| [NPR_OR_AD_EMAIL] | The e-mail address in NPR, or the e-mail address in AD if the Password Reset address is blank | - -**NOTE:** Use [NPR_OR_AD_EMAIL] with caution as Password Reset does not check the validity of e-mail -addresses. If the e-mail address in Password Reset's database is no longer valid, then the alert is -only sent to the invalid address. - -Type additional recipient e-mail addresses in the **Bcc** text box if you want to send any blind -carbon copies. Separate multiple recipients with a semicolon. - -Type the e-mail's subject in the **Subject** text box. - -Type the e-mail's body in the large text box. The e-mail is sent as plain text unless the body -contains the `` tag. Include the entire HTML document when sending e-mail as HTML. You can -also use these macros. - -| Macro | Replaced with | -| ----------- | --------------------------------------- | -| [AD_DOMAIN] | The user's Active Directory domain name | -| [AD_USER] | The user's Active Directory logon name | - -Password Reset stores the user's preferred language every time they successfully complete an Enroll, -Reset, Unlock, or Change. E-mail alerts are sent in the user's preferred language, or in the current -Web Interface language if the user's preferred language is not known. If an e-mail template is not -defined for the user's preferred language, then the alert is sent in English. - -Use the drop-down list at the bottom of the E-mail template editor to switch between template -languages. Changes are preserved as you switch between languages. The **From**, **To**, and **Bcc** -are the same for all languages. -A warning icon is shown beside the language drop-down list if an e-mail template is not defined for -every language. You should define an e-mail template for every language to ensure that users can -understand their e-mail alerts. - -![configuring_npr_5](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_5.webp) - -**CAUTION:** An attacker may choose a specific language to avoid detection. E-mail alerts are sent -in the Web Interface language chosen by the attacker if the target user has not enrolled or changed -their password with Password Reset. The target user will receive the e-mail alerts, but they may not -understand them. Use the Rest API to remind new users to enroll so their preferred language is known -to Password Reset. See the -[Enabling the API](/docs/passwordpolicyenforcer/10.2/password_reset/administration/persuading_users_to_enroll.md#enabling-the-api) -topic for additional information. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/enroll_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/enroll_tab.md deleted file mode 100644 index 9c2ddffc26..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/enroll_tab.md +++ /dev/null @@ -1,53 +0,0 @@ -# Enroll Tab - -Use the **Enroll** tab to maintain the list of enrollment questions and options. - -![configuring_npr_2](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_2.webp) - -### Question List - -Users must answer some questions about themselves when they manually enroll. They choose their -questions from the Question List. - -Add a question - -Follow the steps below to add a question to the list. - -**Step 1 –** Select a language from the drop-down list above the Question List. - -**Step 2 –** Click **Add...** - -**Step 3 –** Type the new question, including the question mark. - -**Step 4 –** Click **OK**, and then click **Apply**. - -Remove a question - -Follow the steps below to remove a question from the list. - -**Step 1 –** Select a language from the drop-down list above the Question List. - -**Step 2 –** Select the question in the Question List. - -**Step 3 –** Click **Remove**, and then click **Yes** when asked to confirm. - -**Step 4 –** Click **Apply**. - -**NOTE:** You can rearrange questions by dragging them. You can also replace question lists with -text boxes so users can enter their own questions. See the -[Editing the HTML Templates](/docs/passwordpolicyenforcer/10.2/password_reset/administration/editing_the_html_templates.md) -document for more information - -### Options - -Password Reset can send e-mail alerts to users when a request is submitted for their account. These -alerts can be sent to the user's Active Directory e-mail address and/or to an e-mail address in -Password Reset's database. Select the **Users must enter an e-mail address to enroll** check box if -users should enter an e-mail address during enrollment. - -The number of questions that users must answer to enroll is configurable, and is set to three by -default. Select the desired number of questions from the **Users must answer...** drop-down list. - -You can also set a minimum length for each answer. Only alphanumeric characters are counted because -Password Reset only checks alphanumeric characters. Select the minimum number of alphanumeric -characters in each answer from the **Answers must contain at least...** drop-down list. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/filter_editor.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/filter_editor.md deleted file mode 100644 index 49e2500822..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/filter_editor.md +++ /dev/null @@ -1,33 +0,0 @@ -# Filter Editor - -Use the Filter Editor to create complex filters, filters for hidden columns, or to save and open -regularly used filters. Press **CTRL** + **F** to open the Filter Editor, or click the **Filter -Editor** button in the lower right corner of the Data Console. - -![using_the_data_console_9](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_9.webp) - -A filter may contain several conditions. Conditions start with a column name, followed by an -operator, and sometimes a value. Column names are shown in green, operators in maroon, and values in -blue. - -A filter also contains a root node and optionally one or more groups. These are used to include -Boolean operators in the filter. Boolean operators are shown in red. Grouped conditions are -indented. - -The filter in the image above contains the root node, one group, and four conditions. It will show -all reset requests in the last fourteen days originating from IP addresses starting with 192.168.115 -or 192.168.119. - -Click the **Click here to add a new condition** button to add a new condition to the filter. Click -the ellipsis button on the left of each line to add or remove conditions and groups. Click column -names, operators, and values to edit them. Most can be selected from a list. Values can also contain -the ? and \* wildcard characters. - -Click **Save As...** to save a filter to a file, or **Open...** to use a saved filter. Click **OK** -to close the Filter Editor and apply the filter. - -Some columns are hidden in the Data Console. You can use the Filter Editor to create filters for -these columns. For example, the filter in the image below shows all users with an NPR v1 enrollment -record. - -![using_the_data_console_10](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_10.webp) diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/filtering_data.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/filtering_data.md deleted file mode 100644 index 19a948f35b..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/filtering_data.md +++ /dev/null @@ -1,132 +0,0 @@ -# Filtering Data - -The Data Console can show thousands of records, but only some of them will be of interest to you at -any time. Filters let you focus on the important information. - -You can create simple filters by typing values directly into the filter row, or by selecting values -from [Filtering by Column Values](#filtering-by-column-values). More complex filters are created -with the [Custom Filters](#custom-filters) and -[Filter Editor](/docs/passwordpolicyenforcer/10.2/password_reset/administration/filter_editor.md) -windows. - -### The Filter Row - -The top row in the **Audit Log** and **Users** tabs is called the Filter Row. You can type filter -values directly into this row. - -![using_the_data_console_3](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_3.webp) - -The Filter Row is empty when you first open the Data Console. To create a filter, click the **Filter -Row** in the column you wish to filter. A cursor will appear. Type a value, and then press **ENTER** -or **TAB**. - -Click the button to shown an editor or selector that helps you enter a value. Values can include -wildcard characters. Use a ? to match any single character, or a \* to match more than one -character. - -![using_the_data_console_4](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_4.webp) - -The image above shows a filter on the Date, Source, and Source IP columns. Only password reset -events on 2/5/2015 originating from IP addresses starting with 192.168.115 are shown. The small blue -icons in the column headers show which columns have active filters. - -**NOTE:** Rows are shown only if they match all filter values (logical AND). Use the custom filter -or the filter editor windows for a logical OR filter. - -### Filtering by Column Values - -You can also create a filter by selecting values from a list in the column headers. - -![using_the_data_console_5](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_5.webp) - -Hover the mouse pointer over a column header until a small button appears on the right side of the -header. - -![using_the_data_console_6](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_6.webp) - -Click the button to show a list of values in the column. - -Select one or more values from the list. Rows that do not match one of the selected values are -hidden. - -![using_the_data_console_7](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_7.webp) - -The list of values for date and date/time columns also includes date ranges such as **Last 7 days**, -**Today**, **Yesterday**, etc. - -Click **(All)** to clear the filter and display all values. Click **(Custom...)** to create a custom -filter. - -### Custom Filters - -Use custom filters to search for partial matches, find a range of values, or to create more complex -filters. Click **(Custom...)** in a column header's value list to create a custom filter. - -![using_the_data_console_8](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_8.webp) - -Custom filters can contain one or two conditions for each column. Select an operator for the first -condition from the drop-down list below the column name. Only relevant operators are shown for each -column. - -Type a value for the condition in the text box beside the operator. The text box may have a button -on the right. Click the button to shown an editor or selector that will help you enter a value. -Values can include wildcard characters. Use a ? to match any single character, or a \* to match more -than one character. - -Select the **AND** or **OR** operator if the filter will have two conditions. Select **AND** if the -filter should only show rows that meet both conditions. Select **OR** if the filter should show rows -that meet either condition. - -Select an operator and value for the second condition, or leave them blank if your filter only has -one condition. Click **OK** to close the Custom Filter window and apply the filter. - -**NOTE:** The Filter Editor is shown instead of the Custom Filter window if the current filter is -too complex for the Custom Filter window. - -### The Filter and Status Bars - -The Status Bar appears at the very bottom of the Data Console. It shows the number of visible -records and the total record count. The Filter Bar appears above the Status Bar, and it shows the -active filter. The button on the right side of the Filter Bar opens the Filter Editor. - -![using_the_data_console_11](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_11.webp) - -A button and a check box appear on the left side of the Filter Bar when a filter is active. Click -the button to clear the filter. Toggle the check box to disable or enable the filter. - -![using_the_data_console_12](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_12.webp) - -A drop-down button appears to the right of the filter. Click it to select a recently used filter. - -![using_the_data_console_13](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_13.webp) - -## Exporting Data - -You can export the visible rows to Microsoft Excel, HTML, text, and XML formats. - -Follow the steps below to export the visible rows in the current tab. - -**Step 1 –** Click the **Audit Log** or **Users** tab. - -**Step 2 –** Click the **File** menu, and then click one of the export menu items. - -**Step 3 –** Type a filename, and then click **Save**. - -**NOTE:** When exporting to Excel, you can choose the file type from the **Export to Excel** window. -The default file type is .xlsx. - -## Deleting Users - -Users are automatically deleted from Password Reset's database approximately one week after they are -deleted from Active Directory. You can also manually delete users from the Data Console. - -Follow the steps below to delete a user. - -**Step 1 –** Click the **Users** tab. - -**Step 2 –** Select the user(s) you wish to delete. - -**Step 3 –** Press the **DELETE** key, and then click **OK**. - -**NOTE:** You can still view a user's event history in the **Audit Log** tab after they are deleted -from the **Users** tab. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/general_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/general_tab.md deleted file mode 100644 index 0ba9e38b95..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/general_tab.md +++ /dev/null @@ -1,120 +0,0 @@ -# General Tab - -Use the General tab to maintain the list of managed domains, set the database options, and enable -the Password Policy Enforcer integration. See the -[Netwrix Password Policy Enforcer](#netwrix-password-policy-enforcer) topic for additional -information. - -![configuring_npr](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr.webp) - -### Domain List - -The Domain List is empty when Password Reset is first installed, and users must type their domain -name. You can configure Password Reset to display a list of domains instead of an empty text box. - -Add a Domain to the list - -Follow the steps below to add a domain to the list. - -**Step 1 –** Click **Add...** - -**Step 2 –** Type a NetBIOS (NT Compatible) or DNS domain name. - -**Step 3 –** Click **OK**, and then click **Apply**. - -**NOTE:** The most frequently used domain should be first in the list as it will be the default. You -can rearrange the domains by dragging them to another position. You can also click Sort to sort them -alphabetically. - -Remove a Domain from the list - -Follow the steps below to remove a domain from the list: - -**Step 1 –** Select the domain name in the Domain List. - -**Step 2 –** Click **Remove**, and then click **Yes** when asked to confirm. - -**Step 3 –** Click **Apply**. - -### Database - -Password Reset uses an SQL Server Compact database by default. It creates two database files -(apr.sdf and aprlog.sdf) in the Password Reset installation folder. - -Follow the steps below to move these files to another folder. - -**Step 1 –** Close the Data Console if it is open. - -**Step 2 –** Stop the Password Reset service. - -**Step 3 –** Move apr.sdf and aprlog.sdf to their new location. The database files should remain on -a local disk. - -**Step 4 –** Give the Password Reset service account read and write permissions to the database -files in their new location. - -**Step 5 –** Open the Password Reset Configuration Console, and click **Change...** in the -**General** tab. - -**Step 6 –** Click **Browse...** and select the new database path. - -**Step 7 –** Click **OK** twice, and then click **Apply**. - -**Step 8 –** Start the Password Reset service. - -**Step 9 –** Update the backup script to copy from the new folder. See the -[Working with the Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md) -topic for additional information. - -You can also move the database from SQL Server Compact to SQL Server. See the -[Working with the Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md) -topic for more information. - -### Netwrix Password Policy Enforcer - -Password Reset is a configurable password filter that enforces granular password policies with many -advanced features. Password Reset can integrate with Password Policy Enforcer to help users choose a -compliant password. - -![configuring_npr_1](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_1.webp) - -Password Reset displays the Password Policy Enforcer policy message when users are prompted for -their new password, and the Password Policy Enforcer rejection message if the new password does not -comply with the password policy. Select the **Password Policy Enforcer integration** check box if -you have installed and configured Password Policy Enforcer on your domain controllers. - -Password Reset locates and queries a domain controller in the user's domain when Password Policy -Enforcer integration is enabled. You can override this behavior and send all Password Policy -Enforcer queries to a specific IP address by setting the `PPEIPAddress` registry value to the IP -address of a Password Policy Server. The `PPEIPAddress` value is in -`HKEY_LOCAL_MACHINE\SOFTWARE\ANIXIS\ANIXIS Password Reset\3.0`. - -**NOTE:** Due to a protocol upgrade, Netwrix Password Reset v3.3 is not compatible with Netwrix -Password Policy Enforcer v8.x and earlier versions. If you are using Netwrix Password Reset with any -of those older Netwrix Password Policy Enforcer versions, please consider upgrading Netwrix Password -Policy Enforcer first to a current version, and only then upgrade Netwrix Password Reset to v3.3 (or -later). - -Users are more likely to see the Password Policy Enforcer Generic Rejection message rather than the -more detailed Rejection message when this registry value is set. Users may also have the wrong -policy, or no policy enforced if the queried server is not a domain controller in the user's -domain. -Queries to the Password Policy Server are sent to UDP port 1333 by default. You may need to create -firewall rules to open this port. See the -[Password Policy Client](/docs/passwordpolicyenforcer/10.2/administration/passwordpolicyclient/password_policy_client.md) -topic for more information. - -**NOTE:** Due to a protocol upgrade, it is now recommended to enable protocol encryption for -clients. To do so, please navigate to the PPS Properties in your Netwrix Password Policy Enforcer -server configuration, and enable "Only accept encrypted client request". - -![using_ppe_with_npr](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_ppe_with_npr.webp) - -Please do not enable this option if you are using Netwrix Password Reset v3.3 with Netwrix Password -Policy Enforcer v8.x or earlier versions, or with Netwrix Password Policy Enforcer/Web. If you are -using Netwrix Password Reset v3.3 with any of those older versions of Netwrix Password Policy -Enforcer, please consider upgrading first to a current and supported version. - -**NOTE:** Password Policy Enforcer is not included with Password Reset. Go to -[www.netwrix.com/password_policy_enforcer](https://www.netwrix.com/password_policy_enforcer.html) to -learn more about Password Policy Enforcer. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/installation.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/installation.md deleted file mode 100644 index df350b5ac8..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/installation.md +++ /dev/null @@ -1,364 +0,0 @@ -# Installation - -Netwrix Password Reset V3.30 is designed to run on Windows 2008 to 2019. Users access Password Reset -from a web browser, or from the Password Reset console. - -## System Requirements - -- Windows 2008\*, 2008 R2, 2012, 2012 R2, 2016, or 2019. - - \*x64 only for NPR Server and Web Interface. - -- 20 Megabytes free disk space. -- 20 Megabytes free RAM. - -## System Components - -Password Reset has two server components, and an optional client. Both server components can be -installed on one server, or they may be installed on separate servers if your web server is in a -DMZ. - -### The Web Interface - -The Web Interface is the component that users interact with. It accepts user requests, encrypts -them, and sends them to the Password Reset Server. The Web Interface must be installed on a server -running IIS 7 or later. - -### The Netwrix Password Reset Server - -The Password Reset Server is the component that performs requests on behalf of users. It receives -requests from the Web Interface, checks the user's credentials, and performs the requested task if -the credentials are valid. - -![installing_npr_624x193](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/installing_npr_624x193.webp) - -**NOTE:** Microsoft SQL Server Compact is installed with the Password Reset Server. SQL Server -Compact is free to use, and should only be removed if you move the database to SQL Server. SQL -Server Compact is an embedded database. Unlike SQL Server, you do not need to configure or manage -it. See the -[Working with the Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md) -topic for additional information. - -## Installation Types - -A single server installation is recommended where users will only access Password Reset from a -trusted network, including a VPN. In this installation type, the Web Interface and Password Reset -Server are both installed on the same server. The server must have access to a domain controller in -each managed domain. - -If Password Reset will be accessible from the Internet without a VPN, then it is likely that you -will want to run the Web Interface in a DMZ. A multiple server installation is recommended for this -scenario. In this installation type, the Web Interface is installed on an server in the DMZ and the -Password Reset Server is installed on another server in the internal network. A firewall rule allows -the two servers to communicate. - -You choose the installation type when installing Password Reset, but you can change it later. - -**NOTE:** An Password Reset Server can accept requests from more than one Web Interface. Having -multiple Web Interfaces allows for load balancing and failover, but you should only consider this -option if you already have redundant web servers. Most organizations only need one Web Interface. - -Password Reset can share server resources with other applications. It is normally not necessary to -dedicate a server exclusively to Password Reset. The Web Interface can be installed on an existing -web server as long as it is well secured and not overloaded. The Password Reset Server can run on an -existing member server or domain controller. - -### Single Server Installation - -Follow the steps below to install the Web Interface and Password Reset Server on a single server. - -**Step 1 –** Start the Password Reset Setup wizard (APR330.exe). - -**Step 2 –** The Setup wizard may ask you to backup some files if an older version of Password Reset -is detected. Backup the files, and then click **Next**. - -**Step 3 –** Click **Next**. - -**Step 4 –** Read the License Agreement. Click **I accept the terms of the license agreement**, and -then click **Next** if you accept all the terms. - -**Step 5 –** Select the **All Components** option, and then click **Next**. - -**Step 6 –** The Setup wizard may offer to install IIS. Click **OK** to install IIS. - -**Step 7 –** Enter a **User Name**, **Domain**, and **Password** for the Password Reset service -account. The account will be created and added to the Domain Admins group if it does not exist. - -**NOTE:** You can remove the account from the Domain Admins group later. If using an existing -account, make sure it has the required permissions. See the -[Securing Password Reset](/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md) -topic for additional information. - -**Step 8 –** Click **Next**. - -**Step 9 –** Select an **IIS Web Site** from the drop-down list, and optionally change the default -**Virtual Directory** for the Web Interface. - -**NOTE:** The Web Interface should be installed in its own virtual directory. - -**Step 10 –** Click **Next** twice. - -**Step 11 –** Wait for Password Reset to install, and then click **Finish**. - -**NOTE:** The Password Reset Setup wizard installs the Password Reset Server and associated files -into the `\Program Files\NetwrixPassword Reset\` folder by default. Use the SERVERDIR parameter to -install the Password Reset Server to a different folder. For example, APR330.exe -SERVERDIR="D:\Programs\NPR\" - -### Multiple Server Installation - -Create firewall rules to allow the Web Interface and Password Reset Server to communicate if there -is a DMZ firewall between them. The Web Interface initiates a request by sending a datagram with the -following properties: - -| Web Interface Datagram | | -| ---------------------- | ---------------------------------- | -| Protocol | UDP | -| Source Address | Web Interface server's IP address | -| Source Port | Any | -| Destination address | Password Reset Server's IP address | -| Destination Port | 5100 | - -The Password Reset Server responds with a datagram that has the following properties: - -| NPR Server Datagram | | -| ------------------- | ---------------------------------- | -| Protocol | UDP | -| Source Address | Password Reset Server's IP address | -| Source Port | 5100 | -| Destination address | Web Interface server's IP address | -| Destination Port | Any | - -Install Password Reset Server on an Internal Network - -Follow the steps below to install the Password Reset Server on a server in the internal network. - -**Step 1 –** Start the Password Reset Setup wizard (APR330.exe). - -**Step 2 –** The Setup wizard may ask you to backup some files if an older version of Password Reset -is detected. Backup the files, and then click **Next**. - -**Step 3 –** Click **Next**. - -**Step 4 –** Read the License Agreement. Click **I accept the terms of the license agreement**, and -then click **Next** if you accept all the terms. - -**Step 5 –** Select the Server **Only option**, and then click **Next**. - -**Step 6 –** Type a **User Name**, **Domain**, and **Password** for the Password Reset service -account. The account will be created and added to the Domain Admins group if it does not exist. - -**NOTE:** You can remove the account from the Domain Admins group later. If using an existing -account, make sure it has the required permissions. See the -[Securing Password Reset](/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md) -topic for additional information. - -**Step 7 –** Make sure the **Create Windows Firewall Exception for the NPR Server service** check -box is selected, and then click **Next** twice. - -**Step 8 –** Wait for the Password Reset Server to install, and then click **Finish**. - -**NOTE:** Open UDP port 5100 on the Password Reset Server computer if a host-based firewall other -than the Windows Firewall is installed. This is needed in addition to the DMZ firewall rules -above. -The Password Reset Setup wizard installs the Password Reset Server and associated files into the -`\Program Files\Netwrix Password Reset\` folder by default. Use the SERVERDIR parameter to install -the Password Reset Server to a different folder. For example, APR330.exe -SERVERDIR="D:\Programs\NPR\" - -Install Web Interface Server in DMZ - -Follow the steps below to install the Web Interface on a server in the DMZ. - -**Step 1 –** Start the Password Reset Setup wizard (APR330.exe). - -**Step 2 –** The Setup wizard may ask you to backup some files if an older version of Password Reset -is detected. Backup the files, and then click **Next**. - -**Step 3 –** Click **Next**. - -**Step 4 –** Read the License Agreement. Click **I accept the terms of the license agreement**, and -then click **Next** if you accept all the terms. - -**Step 5 –** Select the **Web Interface Only** option, and then click **Next**. - -**Step 6 –** The Setup wizard may offer to install IIS. Click **OK** to install IIS. - -**Step 7 –** Select an **IIS Web Site** from the drop-down list, and optionally change the default -**Virtual Directory** for the Web Interface. The Web Interface should be installed in its own -virtual directory. - -**Step 8 –** Click **Next** twice. - -**Step 9 –** Wait for the Web Interface to install, and then click **Finish**. - -**Step 10 –** Start the Registry Editor (regedit.exe). - -**Step 11 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, **ANIXIS**, **ANIXIS Password -Reset**, and **3.0** registry keys. - -**Step 12 –** Set the **ServerIP** registry value to the IP address of the computer that you -installed the Password Reset Server onto. - -![installing_npr_1](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/installing_npr_1.webp) - -The Password Reset Setup wizard only installs one Web Interface on each server, but you can copy the -files to another directory and publish several Web Interfaces from one server. This allows you to -present different user interfaces from each directory. The Web Interfaces all communicate with the -same NPR Server because there is only one ServerIP value. - -Follow the steps below to configure the Web Interfaces to communicate with different Password Reset -Servers. - -**Step 1 –** Start the Registry Editor (regedit.exe). - -**Step 2 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, **ANIXIS**, **ANIXIS Password Reset**, -and **3.0** registry keys. - -**Step 3 –** Clear the data in the **ServerIP** registry value. - -**Step 4 –** Create a REG_SZ value for each Web Interface called ServerIP_VDIR where VDIR is the -name of the virtual directory. - -For example, if the virtual directory is called Finance, then the registry value should be called -ServerIP_Finance. - -**Step 5 –** Set each ServerIP_VDIR value to the IP address of the Password Reset Server. - -## Upgrading From NPR V3.x - -Some planning is needed to ensure a smooth upgrade from NPR V3.x. A trial run on a lab network is -recommended if you have not installed NPR before. - -### Before You Begin - -The database files are not overwritten during an upgrade, but you should still create a backup -before upgrading. See the -[Backing up the Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md#backing-up-the-database) -topic for additional information. - -**The Web Interface files are overwritten during an upgrade. You must backup any customized Web -Interface files before upgrading**. The Web Interface files are installed in the -`\Inetpub\wwwroot\pwreset\` folder by default. - -**NOTE:** A full backup of the NPR server(s) is recommended. This allows you to roll back to the -previous version if the upgrade cannot be completed. -You may need to restart Windows after upgrading. - -If Password Reset was originally installed by someone else and you do not have their installation -notes, then read the installation instructions above before you begin. Also make sure you know the -password for the Password Reset Server service account as you will need it during the upgrade. - -### Upgrading to V3.3 - -Start the Password Reset Setup wizard (APR330.exe) and follow the prompts. The Setup wizard -uninstalls the previous version, so there is no need to manually uninstall it. - -If the Password Reset Server and Web Interface are installed on different servers, then upgrade all -servers before using the new version. The Password Reset Server and Web Interface are only tested -with matching versions. - -Restore any customized Web Interface files after upgrading. Do not restore APR.dll from the backup -as it belongs to the previous version. You should keep a copy of the original Web Interface files -and compare them with the files from the previous version using a file comparison tool. Any changes -between versions should be merged into your customized files. - -The Password Reset V3.30 data console does not read the VerificationCode or EnrollRecord columns -from the User table on SQL Server. Access to these columns can be denied for Data Console users -after upgrading all instances of the Data Console. See the -[Using the Data Console](/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console.md) -topic for additional information. - -## Upgrading From NPR V2.x - -As this is a major upgrade with many changes, some planning is needed to ensure a smooth upgrade. A -trial run on a lab network is recommended, especially if you are customizing the user interface. See -the -[Editing the HTML Templates](/docs/passwordpolicyenforcer/10.2/password_reset/administration/editing_the_html_templates.md) -topic for additional information. - -**CAUTION:** Due to a protocol upgrade, Netwrix Password Reset v3.3 is not compatible with Netwrix -Password Policy Enforcer v8.x and earlier versions. If you are using Netwrix Password Reset with any -of those older Netwrix Password Policy Enforcer versions, please consider upgrading Netwrix Password -Policy Enforcer first to a current version, and only then upgrade Netwrix Password Reset to v3.3 (or -later). - -### Before You Begin - -**Step 1 –** Backup the NPR V2.x server(s). - -**Step 2 –** Close the Data Console if it is open. - -**Step 3 –** Stop the Netwrix Password Reset service and backing up the database. See the -[Backing up the Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md#backing-up-the-database) -topic for additional information. - -### Upgrading to V3.23 - -**Step 1 –** Follow the steps for either [Single Server Installation](#single-server-installation) -or [Multiple Server Installation](#multiple-server-installation). If the Web Interface is on a -different server, then upgrade it as well. - -**Step 2 –** Open the Data Console, and check the Audit Log and User tabs to make sure the data was -imported. - -**Step 3 –** Open NPR in a web browser and test the Enroll, Reset, and Change features. - -**Step 4 –** Install your new license key if you have a perpetual license. - -**Step 5 –** Update the Client license key if you have a perpetual license. - -## Other Tasks - -Move Database files - -The database files are created in the installation folder when NPR is first installed. The default -installation folder for NPR V2.x was below the Program Files (x86) folder, but in NPR V3.3 it is -below the Program Files folder. The database files are not moved automatically during an upgrade, so -you should move them to the new installation folder (or a different folder) after upgrading. - -Follow the steps below to move the database files to the `\Program Files\Netwrix Password Reset\` -folder. - -**Step 1 –** Close the Data Console if it is open. - -**Step 2 –** Stop the Netwrix Password Reset service. - -**Step 3 –** Move apr.sdf and aprlog.sdf from the \Program Files (x86)\Netwrix Password Reset\ -folder to the \Program Files\Netwrix Password Reset\ folder. - -**Step 4 –** Open the Configuration Console. - -**Step 5 –** Click the **General** tab. - -**Step 6 –** Click **Change...** - -**Step 7 –** Click **Browse...** and then browse to the \Program Files\Netwrix Password Reset\ -folder. - -**Step 8 –** Click **OK** twice, and then click **Apply**. - -**Step 9 –** Start the Netwrix Password Reset service. - -**Step 10 –** Update the backup script to copy from the new folder. See the -[Backing up the Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md#backing-up-the-database) -topic for additional information. - -Configure Password Reset Client to use IE11 emulation mode - -Older versions of the Password Reset Client display pages in Internet Explorer 7 emulation mode. -This mode cannot display the new HTML templates correctly. You can upgrade the Password Reset Client -to the latest version, or configure existing installations to use IE 11 mode. This only works on -Windows Vista and later with IE 9 or later. - -Follow the steps below to configure the Password Reset Client to use IE 11 mode. - -**Step 1 –** Start the Registry Editor (regedit.exe). - -**Step 2 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, **Microsoft**, **Internet Explorer**, -**MAIN**, **FeatureControl**, and **FEATURE_BROWSER_EMULATION** registry keys. - -**Step 3 –** Create a new DWORD value called **LogonUI.exe**, and set it to 2AF8 (hex). - -Create this registry value on all the Password Reset Client computers. IE 11 mode can be requested -even if the computer is running an older version of IE. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/moving_to_sql_server.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/moving_to_sql_server.md deleted file mode 100644 index 045b21be32..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/moving_to_sql_server.md +++ /dev/null @@ -1,119 +0,0 @@ -# Moving to SQL Server - -Some planning is needed before moving the database to SQL Server. A trial run on a lab network is -recommended. You can run the Data Copy wizard more than once if you cannot complete the move on the -first attempt. A move back to SQL Server Compact is also possible. - -### Create the Database - -Your database administrator needs to set up the SQL Server database. The instructions below are an -overview of the procedure, they are not step-by-step instructions. NPR V3.30 has been tested with -SQL Server 2012 to 2019. - -Follow the instructions below for an overview of the procedure. - -**Step 1 –** Create an SQL Server database. - -**Step 2 –** Create an SQL Server login for the Password Reset service account, and configure it for -Windows authentication. To identify the service account, open services.msc, double-click the -Password Reset service, and then click the Log On tab. Password Reset logs on to SQL Server with -this account. - -![working_with_the_database](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.webp) - -**Step 3 –** Create an SQL Server user, and map it to the service account login. - -**Step 4 –** Add the SQL Server user to the db_datareader, db_datawriter, and db_ddladmin server -roles for the database. - -Your database administrator also needs to grant access to the users that will use the Data Console. -These users only need to be added to the db_datareader server role, and they can be denied access to -the VerificationCode and EnrollRecord columns in the User table. The user running the Data Copy -wizard also needs to be added to the db_datawriter and db_ddladmin server roles. - -Additional permissions can be set for users of the Data Console after the tables are created. Grant -the DELETE privilege on the User table to users who are allowed to delete user records. Deny all -privileges on the VerificationCode and EnrollRecord columns in the User table as they are not used -by the Data Console. - -### Create the Tables and Copy the Data - -The Data Copy wizard creates the database tables and copies the data to SQL Server. You must run the -wizard even if the SQL Server Compact database is empty. Data in the destination database is deleted -before it is copied from the source database. - -Follow the steps below to create the tables and copy the data. - -**Step 1 –** Open the Configuration Console. - -**Step 2 –** Click the **General** tab. - -**Step 3 –** Click **Copy Data...** to open the Data Copy wizard. - -**Step 4 –** Click **Copy from SQL Compact to SQL Server**. - -**Step 5 –** Check the path to the SQL Server Compact database files. If the default path is -incorrect, then click **Browse...**, choose a path, and then click **OK**. - -**Step 6 –** Click **Next**. - -**Step 7 –** Set the SQL Server connection settings for the Data Copy wizard. You can set different -connection settings for the service account later. The **Username** and **Password** are only needed -if **SQL Server Authentication** is selected. The user must be in the db_datareader, db_datawriter, -and db_ddladmin SQL Server roles. **Encrypt connection** should be selected to protect user -information, and **Trust server certificate** must be selected if SQL Server is using a self-signed -certificate. SQL Server uses a self-signed certificate if a trusted certificate is not installed. -The SQL Server Native Client must be installed if **Trust server certificate** is selected. - -![working_with_the_database_1](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database_1.webp) - -**Step 8 –** Click **Next**. - -**Step 9 –** Check the summary information, and then click **Start**. - -**Step 10 –** Wait for the wizard to finish, and then click **Close**. - -### Configure Netwrix Password Reset to Connect to SQL Server - -Configure Password Reset to connect to SQL Server immediately after copying the data. If the cutover -is delayed, then run the Data Copy wizard again to update the SQL Server database with the latest -data. To configure Password Reset to connect to SQL Server: - -**Step 1 –** Open the Configuration Console. - -**Step 2 –** Click the **General** tab. - -**Step 3 –** Click **Change...** - -**Step 4 –** Select the **SQL Server** option. - -**Step 5 –** Type the server name in the **Server** text box. Use `[server]\[instance]` to connect -to a named instance. - -**Step 6 –** Type the database name in the **Database** text box. - -**Step 7 –** Select the **Encrypt connection** option to encrypt the connection to SQL Server. This -option should be selected to protect user information. - -**Step 8 –** Select the **Trust server certificate** option if SQL Server is using a self-signed -certificate. SQL Server uses a self-signed certificate if a trusted certificate is not installed. -Password Reset cannot connect to SQL Server with a self-signed certificate if this option is not -selected. The SQL Server Native Client must be installed if **Trust server certificate** is -selected. - -**Step 9 –** Click **OK**, and then click **Apply**. - -**Step 10 –** Restart the Password Reset service. If the service does not start, then check the -database connection options and the SQL Server login, user, and server roles configured earlier. You -can change the database back to SQL Server Compact while you troubleshoot the issue. - -### Other Tasks - -Open the Data Console and set your SQL Server connection options. You will need to enter a password -every time you open the Data Console if **SQL Server Authentication** is selected. The Data Console -executable and help file (APRDC.exe and CHM_NPR.chm) can be copied to the computers of other users -who will use the Data Console. - -Delete the two SQL Server Compact database files (apr.sdf and aprlog.sdf) after cutting over to SQL -Server. These files will soon contain outdated information, and leaving them on the server is an -unnecessary security risk. Also ensure that the SQL Server database is backed up regularly. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/password_reset_client.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/password_reset_client.md deleted file mode 100644 index c618a17829..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/password_reset_client.md +++ /dev/null @@ -1,229 +0,0 @@ -# Password Reset Client - -The Password Reset Client allows users to securely reset their password or unlock their account from -the Windows Logon and Unlock Computer screens. Users click **Reset Password** to access the Password -Reset system. - -![the_password_reset_client_905x750](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/the_password_reset_client_905x750.webp) - -**NOTE:** The Password Reset Client does not modify any Windows system files. - -## Installing the PRC - -The Password Reset Client is designed to run on Windows XP to Windows 10, and Server 2003 to -Server 2019. The PRC is compatible with Remote Desktop Services on these operating systems. Support -for Windows XP and Server 2003 is depreciated because the PRC uses Internet Explorer for page -rendering, and Internet Explorer 8 has very limited support for HTML5. Send an e-mail to -[support@netwrix.com ](mailto:support@netwrix.com)if you need to use the Password Reset Client with -these older operating systems. - -### System Requirements - -- Windows Vista, 7, 8, 8.1, or 10. - Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, or 2019. - Windows XP, Server 2003, or 2003 R2 (depreciated). -- 1 Megabyte free disk space. -- 128 Kilobytes free RAM (per session if using Remote Desktop Services). - -You can install the PRC manually if you only have a few computers, but it is easier to perform an -automated installation if you have many computers. Follow the instructions below to perform an -automated installation with Group Policy. - -### Create a Distribution Point - -A distribution point can either be a UNC path to a server share, or a DFS (Distributed File System) -path. Organizations with large, multi-site networks should use DFS as it offers fault tolerance and -load sharing. To create a PRC distribution point: - -**Step 1 –** Log on to a server as an administrator. - -**Step 2 –** Create a shared network folder to distribute the files from. - -**Step 3 –** Give the Domain Computers security group read access to the share, and limit write -access to authorized personnel only. - -**Step 4 –** Copy NPRClt330.msi into the distribution point folder. - -**NOTE:** NPRClt330.msi is in the Client folder below the Netwrix Server's installation folder. -(`\Program Files\Netwrix Password Reset\` by default). - -**Step 5 –** Give the Domain Computers security group read access to the NPRClt330.msi file in the -distribution point. - -### Create a Group Policy Object - -**Step 1 –** Start the Group Policy Management Console (gpmc.msc). - -**Step 2 –** Expand the forest and domain items in the left pane. - -**Step 3 –** Right-click the domain root node in the left pane, and then click **Create a GPO in -this domain, and Link it here...** - -**Step 4 –** Enter **Password Reset Client**, then press **ENTER**. - -![the_password_reset_client_1_895x652](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/the_password_reset_client_1_895x652.webp) - -### Edit the Group Policy Object - -**Step 1 –** **Right-**Click the **Password Reset Client GPO**, then click the Edit**...** button. - -**Step 2 –** Expand the **Computer Configuration**, **Policies**, and **Software Settings** items in -the left pane. - -**Step 3 –** **Right-Click** the **Software installation** item, and then select **New** > -**Package**. - -**Step 4 –** Enter the full UNC path to NPRClt330.msi in the Open dialog box. - -**NOTE:** You must enter a UNC path so that other computers can access this file over the network. -For example, \\file server\distributionpointshare\NPRClt330.msi - -**Step 5 –** Click **Open**. - -**Step 6 –** Select the **Assigned deployment** method, then click **OK**. - -**Step 7 –** Close the Group Policy Management Editor. - -### Complete the Installation - -Restart each computer to complete the installation. Windows installs the Password Reset Client -during startup. The computer may restart itself automatically to complete the installation. - -**NOTE:** Computers with Fast Logon Optimization enabled may not install the Password Reset Client -during the first restart. These computers perform a background refresh of Group Policy, and will -install the client on the first restart after the refresh. Microsoft article -[305293](http://support.microsoft.com/kb/305293) has more information about the Fast Logon -Optimization feature. - -## Configuring the PRC - -You must install an Active Directory administrative template to configure the Password Reset Client. -The administrative template only has to be installed once. - -Install PRC Administrative Template - -Follow the steps below to install the PRC administrative template. - -**Step 1 –** Use the Group Policy Management Console (gpmc.msc) to display the GPOs linked at the -domain level. - -**Step 2 –** **Right-click** the **Password Reset Client** GPO, and then **click** the -**Edit...**button. - -**Step 3 –** Expand the **Computer Configuration** item. - -**Step 4 –** Expand the **Policies** item if it is visible. - -**Step 5 –** **Right-click** the **Administrative Templates** item, and then click **Add/Remove -Templates...** - -**Step 6 –** Click **Add...** and then browse to the Client folder below the Password Reset Server's -installation folder. (`\Program Files\Netwrix Password Reset\` by default). - -**Step 7 –** Select **NPRClt.adm**, and then click **Open**. - -![the_password_reset_client_2](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/the_password_reset_client_2.webp) - -**Step 8 –** Click **Close**. - -Configure the PRC - -Follow the steps below to configure the Password Reset Client. - -**Step 1 –** Use the Group Policy Management Console (gpmc.msc) to display the GPOs linked at the -domain level. - -**Step 2 –** **Right-click** the **Password Reset Client** GPO, then click the **Edit...** button. - -**Step 3 –** Expand the **Computer Configuration, Policies** (if it exists), **Administrative -Templates**, **Classic Administrative Templates (ADM)**, **Netwrix Password Reset**, and **Password -Reset Client** items. - -**Step 4 –** Double-click the **Browser settings** item in the right pane of the Group Policy -Management Editor. - -![the_password_reset_client_3](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/the_password_reset_client_3.webp) - -**Step 5 –** Select the **Enabled** option. - -![the_password_reset_client_4](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/the_password_reset_client_4.webp) - -**Step 6 –** Enter the desired **Width** and **Height** of the PRC browser window. - -**NOTE:** Set the Width and Height to 0 to have the PRC calculate an appropriate size. - -**Step 7 –** Enter the **Start address** (URL) of the Password Reset system. The URL should point to -the Password Reset menu or reset page. - -**NOTE:** See the **Help** box for more information. - -**Step 8 –** Enter a **Restricted path** (URL) to stop users from following links to other sites -from the Password Reset Client browser. - -**Step 9 –** Click **OK**. - -**Step 10 –** Close the Group Policy Management Editor. - -The new PRC configuration is applied to all computers in the domain. This does not happen -immediately, as Windows takes some time to apply the changes to Group Policy. You can force an -immediate refresh of Group Policy on the local computer with the following command: gpupdate -/target:computer - -The Password Reset Client only opens URLs with .dll, .htm, and .html extensions. URLs without a -filename are not opened. The PRC also blocks some page content, including audio and video files, -ActiveX controls and Java applets. Send an e-mail to -[support@netwrix.com ](mailto:support@netwrix.com)if you need to change the default filename and -content restrictions. - -**CAUTION:** Users may follow links to untrusted sites if the Password Reset user interface or -server error pages contain external links. This is a security risk because the Password Reset Client -runs under the context of the local system account. Specify a restricted path to stop users from -following links to other sites from the Password Reset Client. The start address and restricted path -should both begin with https:// - -**NOTE:** The **Enable Password Reset Client**, **Always show reset link**, and **Dialog attachment -delay** are automatically set by the Password Reset Client, and are normally left in their default -(Not configured) state. -The administrative template contains detailed information about all the PRC configuration settings. -This information is shown on the **Help** box. The **Help** box is shown after you double-click one -of the configuration settings in the right pane. - -## Licensing the PRC - -Follow the steps below to add a license key to the PRC configuration. - -**Step 1 –** Open the **Configuration Console** and install your license key. - -**Step 2 –** Start the **Registry Editor** (regedit.exe). - -**Step 3 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, **ANIXIS**, **ANIXIS Password Reset**, -and **3.0** registry keys. - -**Step 4 –** Double-click the **LicenseKey** value, and then copy the entire license key to the -clipboard. - -**Step 5 –** Use the Group Policy Management Console (gpmc.msc) to display the GPOs linked at the -domain level. - -**Step 6 –** Right-click the **Password Reset Client** GPO, then click the **Edit...** button. - -**Step 7 –** Expand the **Computer Configuration**, **Policies** (if it exists), **Administrative -Templates**, **Classic Administrative Templates (ADM)**, **Netwrix Password Reset**, and **Password -Reset Client** items. - -**Step 8 –** Double-click the **License key** item in the right pane of the Group Policy Management -Editor. - -**Step 9 –** Select the **Enabled** option. - -**Step 10 –** Click inside the **License key** text box, then paste the license key. - -![the_password_reset_client_5](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/the_password_reset_client_5.webp) - -**Step 11 –** Click **OK**. - -**Step 12 –** Close the Group Policy Management Editor. - -The license key is applied to all computers in the domain. This does not happen immediately, as -Windows takes some time to apply the changes to Group Policy. You can force an immediate refresh of -Group Policy on the local computer with the following command: `gpupdate /target:computer` diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/permissions_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/permissions_tab.md deleted file mode 100644 index a32acb6260..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/permissions_tab.md +++ /dev/null @@ -1,25 +0,0 @@ -# Permissions Tab - -Use the **Permissions** tab to control which users can use Password Reset. - -![configuring_npr_9](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_9.webp) - -### Enroll - -Select the **Allow all users to enroll** option if all users are permitted to enroll. Only enrolled -users can reset passwords and unlock accounts. - -Select the **Allow only members of these groups to enroll** option if users are permitted to enroll -only if they belong to a specified group. Click **Add...** to choose which groups are permitted to -enroll. - -Select the **Allow all users except members of these groups to enroll** option if users are -permitted to enroll unless they belong to a specified group. Click **Add...** to choose which groups -are not permitted to enroll. - -To remove a group from the list, select it and then click **Remove**. Enrolled users can continue to -reset their passwords and unlock their accounts even if they are no longer allowed to enroll. - -### Change - -These settings specify which users can change their password with Password Reset. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/persuading_users_to_enroll.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/persuading_users_to_enroll.md deleted file mode 100644 index 65a1ba3e8f..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/persuading_users_to_enroll.md +++ /dev/null @@ -1,76 +0,0 @@ -# Persuading Users to Enroll - -The Web Interface includes a REST API which your web sites and applications can query to determine -if a user is enrolled. Your web site or application can take appropriate action to encourage the -user to enroll. This could be anything from displaying a discreet message to denying access until -the user enrolls. - -## Enabling the API - -The API is disabled by default. If an attacker sends many queries to the API, they could try to -guess the domain and user names of enrolled users. They could get the same information by sending -many requests to the Web Interface.API is the more attractive target because API responds faster and -API queries are not logged to the Audit Log. - -If you do not want to enable the API because your Web Interface is accessible from the Internet, -then you could leave the API disabled on your Internet-facing Web Interface and set up an internal -Web Interface for API queries. Use the ServerIP registry value to point both Web Interfaces to the -same NPR Server, and enable the API only on the internal server. See the -[Multiple Server Installation](/docs/passwordpolicyenforcer/10.2/password_reset/administration/installation.md#multiple-server-installation) -topic for more information. - -Follow the steps below to enable the API. - -**Step 1 –** Start the Registry Editor (regedit.exe). - -**Step 2 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, **ANIXIS**, **ANIXIS Password Reset**, -and **3.0** registry keys. - -**Step 3 –** Create a new **DWORD** value called **WebAPIState**, and set it to 1. - -![persuading_users_to_enroll](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/persuading_users_to_enroll.webp) - -## Querying the API - -Send a GET request with the user's Active Directory domain and user name like: - -GET https://[server]/pwreset/apr.dll/api/enrollments/**[domain]**/**[user]** - -You can also use the User Principal Name (UPN): - -GET https://[server]/pwreset/apr.dll/api/enrollments/upn/**[user@domain]** - -## Interpreting the Response - -There are three possible responses: - -| Response | Meaning | -| ----------------------- | -------------------------------------- | -| `{"isEnrolled": true}` | User is enrolled | -| `{"isEnrolled": false}` | User is not enrolled or does not exist | -| `{}` | System maintenance is running | - -The API may also return one of these HTTP errors: - -| Error | Reason | -| ------------------------- | ------------------------------------------ | -| 400 Bad Request | Invalid request path | -| 403 Forbidden | API disabled, or cannot read configuration | -| 500 Internal Server Error | Other error | - -## Performance and Caching - -API performance is dependent on many factors. Synchronous queries will suffice in most cases, but -asynchronous queries are recommended to avoid delays. - -Avoid unnecessary calls to the API as they can overload the server. Try to call the API only once -after users logon. - -Caching improves performance and increases capacity. When the API sends a **user is enrolled** -response, it requests caching for up to two weeks. The web browser should cache the response and use -it for the next two weeks before querying the server again. No caching is requested for other -responses. - -**NOTE:** You may get a **user is enrolled** response after deleting an enrolled user when testing -the API. Clearing the browser cache may fix this, but not if other HTTP caches have cached the -response. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md deleted file mode 100644 index cb7a1fdecc..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md +++ /dev/null @@ -1,110 +0,0 @@ -# Securing Password Reset - -Password Reset has many inbuilt security features, but there are some things you should do to secure -Password Reset. The most important of these is to install an SSL certificate for the Web Interface. -You can also set up a standard user account with delegated permissions for the Password Reset -Server. - -## Installing and Using an SSL Certificate - -The Web Interface and Password Reset Server always communicate over a secure channel. You do not -have to configure the encryption for this connection, but you do need to set up SSL (Secure Sockets -Layer) encryption for the connection between the web browser (or Password Reset Client) and the web -server. See the -[Password Reset Client](/docs/passwordpolicyenforcer/10.2/password_reset/administration/password_reset_client.md) -topic for more information. - -**CAUTION:** Do not use Password Reset on a production network without SSL encryption. - -You can use a self-signed certificate with Password Reset, but most organizations purchase -certificates from a certificate authority. You can install the Web Interface on a server that -already has an SSL certificate if you would rather not purchase another one. - -Your certificate authority will have instructions to guide you through the certificate request and -installation process. You can also learn more about using SSL certificates with IIS on the pages -below. - -- [http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis](http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis) -- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx](http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx) - -**NOTE:** Ensure that users only access Password Reset over an encrypted connection after the SSL -certificate is installed. The Start address and Restricted path in the Password Reset Client -configuration should start with https://. Web browsers can be redirected to the secure URL. See the -[Configuring the PRC](/docs/passwordpolicyenforcer/10.2/password_reset/administration/password_reset_client.md#configuring-the-prc) -topic for more information. - -## Delegating Permissions to the Netwrix Password Reset Server Service - -When the Setup wizard creates a service account for the Password Reset Server, it adds the account -to the Domain Admins group. This allows Password Reset to start working without additional -configuration, but it also gives the service excessive permissions. You can improve security by -removing the service account from the Domain Admins group and granting only the required -permissions. - -You can grant Active Directory permissions from the command-line with dsacls.exe, or with the -graphical user interface. The examples below use the command-line, but you can use either method. -The commands you need to execute are: - -dsacls "[object]" /I:S /G "[account]:CA;Reset Password;user" - -dsacls "[object]" /I:S /G "[account]:RPWP;lockoutTime;user" - -dsacls "[object]" /I:S /G "[account]:RPWP;pwdLastSet;user" - -Where [object] is the distinguished name of the domain or OU containing the user accounts, and -[account] is the name of the service account in user@domain or domain\user format. - -The first two commands allow NPR to reset passwords and unlock accounts. Both commands are required -even if the Unlock item is hidden from the menu because Password Reset automatically unlocks an -account when its password is reset. The third command allows Password Reset to set **User must -change password at next logon** in Active Directory if the **Require users to change their password -after a reset** option is enabled in the Configuration Console's **Security** tab. - -For example, the following command grants the axs\apr account permission to reset passwords for -users in the axs.net domain: - -dsacls "dc=axs,dc=net" /I:S /G "axs\apr:CA;Reset Password;user" - -If Password Reset is configured to use an SQL Server Compact database, then give the service account -read and write permissions to the database files. See the -[Moving to SQL Server](/docs/passwordpolicyenforcer/10.2/password_reset/administration/moving_to_sql_server.md) -topic for more information. - -Remove the service account from the Domain Admins group and restart the Password Reset service after -executing these commands. Check the Windows Application event log if the service does not start. - -### Using Delegated Permissions with Protected Groups - -When you delegate permissions for the Password Reset service account, the delegated permissions are -initially applied to all users in the domain or OU. After some time, Windows restores the original -permissions for some important user accounts. The restored permissions do not allow Password Reset -to reset passwords or unlock accounts for these users. - -The accounts protected by this feature vary by Windows version, and include members of the Domain -Admins, Enterprise Admins, and Schema Admins groups. The list of protected groups is configurable, -so it may differ from the defaults in the Windows documentation. - -If you are using an Password Reset service account with delegated permissions and do not want these -privileged accounts to reset their password or unlock their account with Password Reset, then there -is no need to make any configuration changes. Windows automatically restores the original -permissions for these accounts. This is done every hour by default. - -If you want to allow these users to reset their password and unlock their account with Password -Reset, then you need to change the permissions for the AdminSDHolder container. The commands you -need to execute are: - -dsacls "[AdminSDHolder]" /G "[account]:CA;Reset Password" - -dsacls "[AdminSDHolder]" /G "[account]:RPWP;lockoutTime" - -dsacls "[AdminSDHolder]" /G "[account]:RPWP;pwdLastSet" - -Where [AdminSDHolder] is the distinguished name of the AdminSDHolder container, and [account] is the -name of the service account in user@domain or domain\user format. -The DN of the AdminSDHolder container for the netwrix.com domain is -CN=AdminSDHolder,CN=System,DC=netwrix,DC=com - -**NOTE:** Changes to the AdminSDHolder container are not applied to accounts immediately. You may -need to wait up to an hour for Windows to update the DACL for these accounts. You can also start the -process manually. Search for runProtectAdminGroupsTask or FixUpInheritance in Microsoft's -documentation or more information. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/security_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/security_tab.md deleted file mode 100644 index 60ae4c65e7..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/security_tab.md +++ /dev/null @@ -1,65 +0,0 @@ -# Security Tab - -Use the **Security** tab to configure the inactivity timeout, password reset policies, and the -lockout threshold. - -![configuring_npr_8](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_8.webp) - -### Inactivity Timeout - -Users should remain at their computer while resetting their password or unlocking their account. -Their account could be compromised if they leave their computer after answering the first question. -NPR protects user accounts by expiring sessions if users take too long to respond. Select the -inactivity timeout from the **Expire idle sessions after...** drop-down list. Set it to 0 seconds to -disable the inactivity timeout. - -### Reset Policies - -Select the **Enforce the AD password history and minimum age policies for resets** check box to -enforce these Active Directory password policies during a reset. Older Windows versions cannot -enforce these policies for password resets. This capability was added as a hotfix for Windows 2008 -and 2008 R2. See the [KB2386717](http://support.microsoft.com/kb/2386717) Microsoft knowledge base -article for additional information. The hotfix is included with SP1 for Windows 2008 R2, and is a -standard feature on later Windows versions. - -Users are more likely to forget a password shortly after changing it. Enforcing a minimum age for -password resets may increase the number of help desk calls because users won't be able to reset -recently changed passwords. One solution is to clear the check box above, and select the **Require -users to change their password after a reset** check box instead. The Active Directory password -history policy won't be enforced for the password reset, but it will be enforced for the password -change when the user logs on. This stops users from reusing a recent password, but it won't stop -them from resetting a recently changed password. - -Users whose passwords are set to never expire in Active Directory will not be forced to change their -password during logon, even if this check box is selected. - -**NOTE:** Password Policy Enforcer's History rule is enforced for password resets if the **Enforce -policy when password is reset** check box is selected in the PPS properties page, and if the -**Enforce this rule when a password is reset** check box is selected in the History rule's -properties page. Netwrix Password Policy Enforcer does not enforce the Minimum Age rule for password -resets. - -Users may try to evade the password history policy by resetting their password several times in -quick succession to push a password off the password history list. Select a value from the -**Passwords can only be reset if they are at least...** drop-down list to stop users from doing -this. Set it to 0 days to disable this feature. If the Active Directory minimum password age policy -is also enforced for password resets, then the effective minimum age is the greater of the AD and -NPR minimum ages. - -### Lockout - -Password Reset's lockout should not be confused with the Windows lockout policy. A Windows lockout -stops users from logging on, whereas an Password Reset lockout stops users from resetting their -password and unlocking their account. Windows locks out users when they enter too many incorrect -passwords. Password Reset locks out users when they enter too many incorrect answers or verification -codes. - -Select a value from the **Lockout user after...** drop-down list to specify how many incorrect -answers Password Reset accepts before locking out a user. Set it to 0 incorrect answers to disable -the lockout feature. Incorrect verification codes are counted as incorrect answers if the **Lockout -users if they enter too many incorrect verification codes** check box is selected on the -**Verification** tab. - -**NOTE:** Locked out users must re-enroll before they can use Password Reset to reset their password -or unlock their account. The incorrect answer count is reset when a user enrolls, or answers all -questions during a reset or unlock. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_password_reset.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_password_reset.md deleted file mode 100644 index e355e92d63..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_password_reset.md +++ /dev/null @@ -1,163 +0,0 @@ -# Using Password Reset - -Netwrix Password Policy Enforcer is a web application. Users can access it from a web browser, or -from the Password Reset Client. The default URL for the Web Interface -is:` http://[server]/pwreset/` -See the -[Password Reset Client](/docs/passwordpolicyenforcer/10.2/password_reset/administration/password_reset_client.md) -topic for more information. - -You can use URL parameters to open a specific page, and to set the user and domain names. For -example: `http://[server]/pwreset/apr.dll? cmd=enroll&username=johnsmith&domain=CORP` - -Where [server] is the name or IP address of the server hosting the Web Interface. - -![using_npr_866x634](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_866x634.webp) - -Users access the Enroll, Reset, Unlock, and Change features from the menu. These features are -explained on the following pages. - -**CAUTION:** The connection between the Web Interface and Password Reset Server is always encrypted. -Install an SSL certificate on the web server and use HTTPS to encrypt connections from the browser -to the web server. See the -[Installing and Using an SSL Certificate](/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md#installing-and-using-an-ssl-certificate) -topic for more information. - -## Enroll - -Only enrolled users can reset their password and unlock their account. Users can enroll manually by -answering some questions about themselves, or they can be enrolled automatically if automatic -enrollment is enabled. Users only need to enroll once, but they can enroll again if they are locked -out of Password Reset, or if they want to change their questions or answers. See the -[Verification Codes](/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md#verification-codes) -and -[Verification Tab](/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md) -topics for more information. - -Follow the steps below to manually enroll into Password Reset. - -**Step 1 –** Click the **Enroll** item in the menu. - -![using_npr_0_765x963](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_0_765x963.webp) - -**Step 2 –** Type a **Username**, **Domain**, and **Password**. - -**Step 3 –** Type an e-mail address if the **E-mail** text box is visible. See the -[Options](/docs/passwordpolicyenforcer/10.2/password_reset/administration/enroll_tab.md#options) -topic for more information. - -**Step 4 –** Select a question from each of the **Question** drop-down lists, and type an answer to -each question in the **Answer** text boxes. - -**Step 5 –** Click **Next**, and then click **OK** to return to the menu. - -**NOTE:** Windows increments the bad password count in Active Directory when a user tries to enroll -with an incorrect password. This may trigger a lockout if the Windows account lockout policy is -enabled. - -## Reset - -Users should use the Reset feature if they have forgotten their password. Resetting a password also -unlocks the account if it is locked. - -Follow the steps below to reset an account password. - -**Step 1 –** Click the **Reset** item in the menu. - -![using_npr_1_824x469](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_1_824x469.webp) - -**Step 2 –** Type a **Username** and **Domain**, and then click **Next**. - -![using_npr_2_809x640](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_2_809x640.webp) - -**Step 3 –** Type the **Answer** to the first question, and then click **Next**. Repeat until all -questions are answered correctly. - -![using_npr_3](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_3.webp) - -**Step 4 –** You may be asked to enter a verification code. The verification code is sent to your -phone by e-mail or SMS. Type the **Code**, and then click **Next**. - -![using_npr_5](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_5.webp) - -**Step 5 –** Type the new **Password** into both text boxes, and then click **Next**. - -![using_npr_6](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_6.webp) - -**Step 6 –** Click **OK** to return to the menu. - -## Unlock - -Users should use the Unlock feature if they know their password, but have entered it incorrectly too -many times and locked out their account. - -Follow the steps below to unlock an account. - -**Step 1 –** Click the **Unlock** item in the menu. - -![using_npr_7](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_7.webp) - -**Step 2 –** Type a **Username** and **Domain**, and then click **Next**. - -![using_npr_4_842x816](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_4_842x816.webp) - -**Step 3 –** Type the **Answer** to the first question, and then click **Next**. Repeat until all -questions are answered correctly. - -![using_npr_8](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_8.webp) - -**Step 4 –** You may be asked to enter a verification code. The verification code is sent to your -phone by e-mail or SMS. Type the **Code**, and then click **Next**. - -![using_npr_9_789x276](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_9_789x276.webp) - -**Step 5 –** Click **OK** to return to the menu. - -**NOTE:** The Unlock feature unlocks accounts in Active Directory. Users who are locked out of -Password Reset should re-enroll to gain access to Password Reset. See the -[Verification Codes](/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md#verification-codes) -topic for more information. - -## Change - -Users should use the Change feature if they know their password and would like to change it. - -Follow the steps below to change an account password. - -**Step 1 –** Click the **Change** item in the menu. - -![using_npr_10_771x440](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_10_771x440.webp) - -**Step 2 –** Type a **Username** and **Domain**, and then click **Next**. - -![using_npr_11_773x593](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_11_773x593.webp) - -**Step 3 –** Type the **Old Password**, **New Password**, and **Confirm Password**, and then click -**Next**. - -**Step 4 –** Click **OK** to return to the menu. - -**NOTE:** Windows increments the bad password count in Active Directory when a user tries to change -their password with an incorrect password. This may trigger a lockout if the Windows account lockout -policy is enabled. - -## Error Messages - -Validation errors are shown in a red box below the page instructions. Validation errors are normally -caused by invalid user input. They can often be overcome by changing the value of one or more input -fields and resubmitting the form. - -![using_npr_12](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_12.webp) - -Critical errors are shown on their own page. These errors are mostly a result of configuration or -system errors. An event may be written to the Windows Application event log on the Password Reset -Server computer when a critical error occurs. Users can sometimes overcome a critical error by -following the instructions in the error message, but most critical errors are beyond the user's -control. - -![using_npr_13](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_npr_13.webp) - -Validation and critical error messages are stored in the HTML templates. You can modify the default -messages by editing the templates. See the -[Resource Strings](/docs/passwordpolicyenforcer/10.2/password_reset/administration/editing_the_html_templates.md#resource-strings) -topic for more information. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console.md deleted file mode 100644 index 63902c8647..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console.md +++ /dev/null @@ -1,52 +0,0 @@ -# Using the Data Console - -The Data Console allows you to view and export data collected by Password Reset. Click **Start** > -**Netwrix Password Reset** > **NPR Data Console** to open the console. - -The Data Console has three tabs. The **Recent Activity** tab shows a chart of recent requests. The -chart is empty when Password Reset is first installed, but it will populate itself as the system is -used. - -![using_the_data_console](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console.webp) - -The bars in the chart show how many successful enrollments, resets, unlocks, and changes occurred -every day. You can click the bars to see a filtered view of the events for that day. For example, -you could click the blue bar on 2/19/2015 to see all the password resets for that day. - -![using_the_data_console_1_1393x772](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_1_1393x772.webp) - -The resulting view shows only the 15 successful password resets on 2/19/2015. These are shown in the -**Audit Log** tab. You can create your own filter to find events in this tab. See the -[Custom Filters](/docs/passwordpolicyenforcer/10.2/password_reset/administration/filtering_data.md#custom-filters) -topic for additional information. You can drag a column's header to rearrange the columns, or click -a column header to sort the records. - -The **Audit Log** tab has nine columns: - -- Type — Event type (Success or Failure) -- Date — Event date -- Time — Event time -- Source — Event source (Reset, Unlock, etc.) -- User — User's Active Directory user logon name -- Domain — User's Active Directory domain -- Event — A description of the event -- Source IP — The request's source IP address -- Source User — The request's source username (blank if anonymous access is enabled) - -The **Users** tab contains Information about each user. All users are shown by default, but you can -create filters to find specific users. - -![using_the_data_console_2_1317x725](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/using_the_data_console_2_1317x725.webp) - -The **Users** tab has seven columns: - -- User — User's Active Directory user logon name -- Domain — User's Active Directory domain -- E-mail — E-mail address entered during enrollment -- Last Enroll — Date and time of last successful enroll -- Last Reset — Date and time of last successful password reset -- Last Unlock — Date and time of last successful account unlock -- Last Change — Date and time of last successful password change - -**NOTE:** The Data Console does not automatically display new information as it is added to the -database. Press F5 to refresh the view. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md deleted file mode 100644 index 4b45cd0062..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/verification_tab.md +++ /dev/null @@ -1,113 +0,0 @@ -# Verification Tab - -Use the **Verification** tab to enable verification codes for resets and unlocks. Verification codes -are used for two-factor authentication, and to authenticate users that have not manually enrolled. A -verification code is sent to the user's mobile phone by e-mail and/or SMS, and the user enters the -verification code to continue. - -![configuring_npr_6](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_6.webp)7 - -#### Verification Codes - -Select the **Send verification codes for resets and unlocks** check box to enable verification -codes. - -Select the **Users can reset and unlock with only a verification code if they have not enrolled** -check box to enable automatic enrollment. Automatic enrollment allows users to reset their password -and unlock their account even if they have not previously enrolled. Password Reset enrolls the users -when they request a reset or unlock, and sends them a verification code for authentication. Users -that are automatically enrolled can also manually enroll with questions later. Users that are only -automatically enrolled cannot continue to reset their password and unlock their account if this -option is subsequently disabled. Automatic enrollment should only be used with secure devices -connected to a secure network, otherwise a stolen or lost device could be used to reset a user's -password. - -Automatically enrolled users: - -- Do not have an Password Reset e-mail address, so verification codes are only sent to the user's - Active Directory e-mail address and/or phone number. -- Must be authenticated with a verification code, so their reset or unlock request will be denied - even if the Users can reset and unlock without a verification code if a code cannot be sent check - box is selected. -- Need to manually enroll if the sending of verification codes, or automatic enrollments are - disabled after they are automatically enrolled. -- Can manually enroll at any time. Authenticating users with questions and verification codes is - more secure than using only verification codes. -- Are not sent the After Enroll e-mail alert. - -Select the **Users can reset and unlock without a verification code if a code cannot be sent** check -box if users should be allowed to continue when a verification code cannot be sent. Verification -codes can only be sent to users that have a mobile phone number or e-mail address in Active -Directory, or an e-mail address in Password Reset's database. Even if this information is present, -an error could stop the verification code from being sent. If this check box is not selected, then -users will need to contact the help desk if a verification code cannot be sent. - -Select the **Lockout users if they enter too many incorrect verification codes** check box if the -incorrect answer count should be incremented when users submit an incorrect verification code. A -user's Password Reset record can be locked out if they enter too many incorrect answers or -verification codes. The lockout threshold is set on the **Security** tab. - -Select the **Show incomplete e-mail addresses and phone numbers to users** check box if NPR should -hide parts of the e-mail address and phone number when requesting a verification code. This is -especially important if automatic enrollment is enabled, as it stops an attacker from discovering -information about the user. - -![configuring_npr_0](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_0.webp) - -Verification codes are of a specified length, and may contain both alpha and numeric characters. -Select the desired options from the **Create verification codes with...** drop-down lists. Longer, -more complex (alphanumeric) verification codes are harder to guess, but also harder to enter. -Verification codes do not need to be very long or complex if the verification code lockout and -expiry features are enabled. - -Select a value from the **Expire verification codes after...** drop-down list to limit how long -users have to enter their verification code. Set it to 0 minutes if the verification code should not -expire. A new verification code is sent for every reset and unlock. This setting limits how long a -user has to enter their verification code, it does not allow old verification codes to be reused. - -### E-mail - -Select the **Send verification codes by e-mail** check box to send verification codes to users via -e-mail. You must configure the E-mail delivery options in the **E-mail** tab to send verification -codes by e-mail. See the E-mail Tab configuration for additional information. - -Verification codes can be sent to the Active Directory e-mail address and/or the Password Reset -e-mail address. Select the desired option from the **Send to** drop-down list. - -Click **Edit...** to edit the e-mail template for verification codes. The [CODE] macro is replaced -with the verification code, so include the [CODE] macro in the e-mail subject or body. - -The user's Active Directory e-mail address is read from the **mail** attribute by default. Click -**AD Attribute** if you want to use an e-mail address from a different attribute. Type the name of -the attribute, and then click **OK**. - -#### SMS - -Select the **Send verification codes by SMS** check box to send verification codes to users via SMS. -Any SMS provider with a Windows command-line interface (CLI) can be used. - -Click **Browse...** to select the executable that sends the SMS. The executable is supplied by your -SMS provider. - -Type the command-line parameters in the Parameters text box. Refer to your SMS provider's -documentation for the expected parameters. You can also use the macros in the table below. Use -quotes around parameters and macros that may contain space characters. - -| Macro | Replaced with | -| ---------- | --------------------------------------- | -| [CODE] | Verification code | -| [PHONE] | User's Active Directory phone number | -| [USERNAME] | User's Active Directory user login name | -| [DOMAIN] | User's Active Directory domain name | -| [LANG] | Current Web Interface language code | - -The user's Active Directory mobile phone number is read from the mobile attribute by default. Click -**AD Attribute** if you want to use a phone number from a different attribute. Type the name of the -attribute, and then click **OK**. - -**NOTE:** Use a script to perform additional processing before sending the SMS. For example, a -script could read the user's phone number from a database, or send a language-specific SMS based on -the value of the [LANG] macro. Put the path of the scripting engine executable in the **Command** -text box, and the path to the script file and other parameters in the **Parameters** text box. - -![configuring_npr_7](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/administration/configuring_npr_7.webp) diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md deleted file mode 100644 index a97cb80ad8..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/working_with_the_database.md +++ /dev/null @@ -1,75 +0,0 @@ -# Working with the Database - -The NPR Server stores user and event information in a database. The default database is Microsoft -SQL Server Compact, an embedded version of SQL Server. The benefits of using SQL Server Compact -include: - -- No manual installation or configuration required. -- No maintenance apart from database. See the [Backing up the Database](#backing-up-the-database) - topic for additional information. -- Fast and lightweight. -- Free to use. - -Despite these benefits, there are some disadvantages to using an embedded database. The benefits of -using SQL Server include: - -- Remote access to the database from the Data Console and other applications. -- Improved availability if SQL Server is configured for high availability. -- Increased security. - -See solutions to these disadvantages in the -[Moving to SQL Server](/docs/passwordpolicyenforcer/10.2/password_reset/administration/moving_to_sql_server.md) -topic. - -## Backing up the Database - -The database should be backed up regularly. The instructions below are for a SQL Server Compact -database. If using SQL Server, then use your backup software to backup the database. - -Follow the steps below for the recommended backup procedure. - -**Step 1 –** Close the **Data Console** if it is open. - -**Step 2 –** Stop - -**Step 3 –** Copy the database files to a local or network disk. - -**Step 4 –** Start the **Netwrix Password Reset** service. - -**Step 5 –** Copy the database files to another device. - -The database files (apr.sdf and aprlog.sdf) are in the Password Reset Server's installation folder -by default, but the location is configurable. The following commands create copies of the files with -a .bak extension. Copy the .bak files to another device, and run the backup script daily. - -net stop "Netwrix Password Reset" - -copy /Y "c:\program files\netwrix password reset\apr.sdf" "c:\program files\netwrix password -reset\apr.bak" - -copy /Y "c:\program files\netwrix password reset\aprlog.sdf" "c:\program files\netwrix password -reset\aprlog.bak" - -net start "Netwrix Password Reset" - -**NOTE:** Change the paths above if the database files are in a different folder. See the -[Database](/docs/passwordpolicyenforcer/10.2/password_reset/administration/general_tab.md#database) -topic for more information. - -**Restoring database from backup** - -Follow the steps below to restore the database files from a backup. - -**Step 1 –** Restore apr.bak and aprlog.bak from the backup device. - -**Step 2 –** Close the Data Console if it is open. - -**Step 3 –** Stop . - -**Step 4 –** Copy apr.bak over apr.sdf, and aprlog.bak over aprlog.sdf. - -**Step 5 –** Start . - -**CAUTION:** apr.sdf contains hashes of the user answers. The hashes are salted and encrypted to -protect them from attack, but you should still ensure that this file and all backup copies are -stored securely. diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/evaluation/evaluation_overview.md b/docs/passwordpolicyenforcer/10.2/password_reset/evaluation/evaluation_overview.md deleted file mode 100644 index 253f012fdd..0000000000 --- a/docs/passwordpolicyenforcer/10.2/password_reset/evaluation/evaluation_overview.md +++ /dev/null @@ -1,18 +0,0 @@ -# Evaluation - -Password Reset is a self-service password management system that helps organizations to reduce the -number of password related help desk calls. Password Reset allows users to securely change their -password and unlock their account, even if they have forgotten their password. - -This Evaluator's Guide shows you how to quickly install, configure, and test Password Reset. You -should read this guide if you are evaluating Password Reset, or if you are using Password Reset for -the first time. - -Please [contact Netwrix support](mailto:support@netwrix.com) if you have any questions, or if you -encounter any problems during your evaluation. - -![introduction_1_1](/img/product_docs/passwordpolicyenforcer/10.2/password_reset/evaluation/introduction_1_1.webp) - -The Password Reset Administrator's Guide contains additional installation and configuration -information. Refer to the Administrator's Guide for more detailed coverage of the topics discussed -in this guide. diff --git a/docs/passwordpolicyenforcer/10.2/web/configuration.md b/docs/passwordpolicyenforcer/10.2/web/configuration.md index 34a6550fd9..b7528d7bbf 100644 --- a/docs/passwordpolicyenforcer/10.2/web/configuration.md +++ b/docs/passwordpolicyenforcer/10.2/web/configuration.md @@ -23,7 +23,7 @@ When Password Policy Enforcer/Web is first installed, the Domain List is empty a their domain name. You can configure Password Policy Enforcer/Web to display a list of domains instead of an empty text box. -Add Domain +**Add Domain** Follow the steps below to add a domain to the list. @@ -33,11 +33,14 @@ Follow the steps below to add a domain to the list. **Step 3 –** Click **OK**, the click **Apply**. -**NOTE:** The most frequently used domain should be first in the list as it will be the default. You +:::note +The most frequently used domain should be first in the list as it will be the default. You can rearrange the domains by dragging them to another position. You can also click **Sort** to sort them alphabetically. +::: -Remove Domain + +**Remove Domain** Follow the steps below to remove a domain from the list. @@ -64,10 +67,13 @@ controllers. You can also set the Port, Timeout, and number of Retries for the Password Policy Protocol if the defaults are not suitable. -**NOTE:** A Password Policy Enforcer/Web license does not include a Password Policy Enforcer +:::note +A Password Policy Enforcer/Web license does not include a Password Policy Enforcer license. Go to [netwrix.com/password_policy_enforcer](https://www.netwrix.com/password_policy_enforcer.html) to learn more about Password Policy Enforcer. +::: + ## About Tab diff --git a/docs/passwordpolicyenforcer/10.2/web/editing_html_templates.md b/docs/passwordpolicyenforcer/10.2/web/editing_html_templates.md index 16a10f36e3..5264963b81 100644 --- a/docs/passwordpolicyenforcer/10.2/web/editing_html_templates.md +++ b/docs/passwordpolicyenforcer/10.2/web/editing_html_templates.md @@ -25,10 +25,13 @@ The other user interface files are language independent. Most of the formatting and some additional CSS for Internet Explorer is in ppeweb_ie.css. The image files are in the images folder. These files are installed into the `\Inetpub\wwwroot\ppeweb\` folder by default. -**NOTE:** Always backup the user interface files before and after editing them. Your changes may be +:::note +Always backup the user interface files before and after editing them. Your changes may be overwritten when Password Policy Enforcer/Web is upgraded, and some changes could stop Password Policy Enforcer/Web from working correctly. Web browsers display pages differently, so test your changes with several versions of the most popular browsers to ensure compatibility. +::: + The en_default.htm contains static HTML, but the other .htm files contain special comment tags that are used to prepare the pages. Some of these comments define ranges. A range looks like this: @@ -39,7 +42,7 @@ Password Policy Enforcer/Web deletes ranges (and the text inside them) when they Some ranges span only one word, while others span several lines. The other type of comment tag is called a field. - +**** Fields are replaced by some other information. For example, the field above is replaced with a username. @@ -54,7 +57,7 @@ Templates end with a resource string section. @RES_EMPTY_FIELD_DOMAIN:    Enter your domain name in the Domain box. ---> +**-->** Resource strings are mostly validation error messages, but they can contain any text Password Policy Enforcer/Web may need to build the page. See the @@ -63,10 +66,11 @@ topic for additional information. Do not modify the identifiers on the left, onl the right. Resource strings are always inside a range called RESOURCE_STRINGS. Password Policy Enforcer/Web deletes this range before sending the page to the user's web browser. -**CAUTION:** You may rebrand the Password Policy Enforcer/Web user interface, but it is a violation -of the License Agreement to modify, remove or obscure any copyright notice. See the -[License Agreement](/docs/passwordpolicyenforcer/10.2/web/license_agreement.md) -topic for additional information. +:::warning +You may rebrand the Password Policy Enforcer/Web user interface, but it is a violation +of the License Agreement to modify, remove or obscure any copyright notice. +::: + ## Examples @@ -104,11 +108,11 @@ or they may be displayed on the wrong page. ``` - +****

Enter your old and new passwords in the text boxes below.

- +**** ### Edit Validation Error Messages @@ -148,7 +152,7 @@ error, but you can delete them if you do not want them. If you want to display some text for all error messages, then insert your text above or below the `

{/*ERROR*/}

` line. For example: -

{/*ERROR*/}

+**

{/*ERROR*/}

**

The help desk phone number is 555-555-5555.

@@ -187,8 +191,11 @@ some understanding of CSS to do this. For example, this is the CSS for the valid Edit these properties to change the appearance of the error box. You may need to clear your web browser's cache to see the changes. -**NOTE:** Web browsers display pages differently, so test your changes with several versions of the +:::note +Web browsers display pages differently, so test your changes with several versions of the most popular browsers to ensure compatibility. +::: + ### Replace URLs to the Welcome Page @@ -199,4 +206,4 @@ To display a different page when users click OK or Cancel, search for `en_defaul `en_ppeweb.htm`, `en_finished.htm`, and `en_error.htm` and replace `en_default.htm` with an alternative URL. For example: -https://myserver/accounts/login.htm +**https://myserver/accounts/login.htm** diff --git a/docs/passwordpolicyenforcer/10.2/web/installation.md b/docs/passwordpolicyenforcer/10.2/web/installation.md index 9d0a862414..0122b03c96 100644 --- a/docs/passwordpolicyenforcer/10.2/web/installation.md +++ b/docs/passwordpolicyenforcer/10.2/web/installation.md @@ -15,8 +15,11 @@ Password Policy Enforcer/Web from their web browser. - 5 megabytes of free disk space. - 5 megabytes free RAM. -**NOTE:** Password Policy Enforcer/Web can share server resources with other applications. It can be +:::note +Password Policy Enforcer/Web can share server resources with other applications. It can be installed on an existing, well secured web server. +::: + ## Preparing IIS @@ -159,7 +162,10 @@ Enforcer/Web documentation and tools, then click **Next**. **Step 6 –** Select an **IIS Web Site** from the dropdown. Change the default Virtual Directory, if needed. -**NOTE:** Password Policy Enforcer/Web should be installed in its own virtual directory. +:::note +Password Policy Enforcer/Web should be installed in its own virtual directory. +::: + **Step 7 –** Click **Next** twice. @@ -176,13 +182,19 @@ The HTML templates and associated images are overwritten during an upgrade. You customized HTML templates and images before upgrading. The HTML templates and images are installed in the `\Inetpub\wwwroot\ppeweb\` folder by default. -**NOTE:** A full backup of the PPE/Web server is recommended. This allows you to roll back to the +:::note +A full backup of the PPE/Web server is recommended. This allows you to roll back to the previous version if the upgrade cannot be completed. You may need to restart Windows after upgrading. +::: -**CAUTION:** PPE/Web V7.11 is only compatible with Password Policy Enforcer V7.0 and later. Upgrade + +:::warning +PPE/Web V7.11 is only compatible with Password Policy Enforcer V7.0 and later. Upgrade Password Policy Enforcer to a compatible version if you have enabled Password Policy Enforcer integration. +::: + #### Upgrading to V7.11 @@ -203,13 +215,19 @@ The HTML templates and associated images are overwritten during an upgrade. You customized HTML templates and iages before upgrading The HTML templates and images are installed in the `\Inetpub\wwwroot\ppeweb\` folder by default. -**NOTE:** A full backup of the PPE/Web server is recommended. This allows you to roll back to the +:::note +A full backup of the PPE/Web server is recommended. This allows you to roll back to the previous version if the upgrade cannot be completed. You may need to restart Windows after upgrading. +::: -**CAUTION:** PPE/Web V7.11 is only compatible with Password Policy Enforcer V7.0 and later. Upgrade + +:::warning +PPE/Web V7.11 is only compatible with Password Policy Enforcer V7.0 and later. Upgrade Password Policy Enforcer to a compatible version if you have enabled Password Policy Enforcer integration. +::: + #### Upgrading to V7.11Upgrading to V7.11 @@ -245,7 +263,10 @@ Right-click the PPE/Web item in the right pane, then click Delete. Click Yes to **Step 4 –** Back up the PPE/Web V3.x files. -**NOTE:** the PPE/Web V3.x files are most likely located in the `\Inetpub\wwwroot\ppeweb\` folder. +:::note +the PPE/Web V3.x files are most likely located in the `\Inetpub\wwwroot\ppeweb\` folder. +::: + **Step 5 –** Delete the folder containing the PPE/Web V3.x files. @@ -257,7 +278,10 @@ Follow the steps below to upgrade to PPE/Web V7.x. **Step 2 –** Open the Configuration console to configure PPE/Web and install your new license key. -**NOTE:** Any customizations to the PPE/Web V3.x user interface will need to be recreated after +:::note +Any customizations to the PPE/Web V3.x user interface will need to be recreated after upgrading to PPE/Web V7.11. See the [Editing HTML Templates](/docs/passwordpolicyenforcer/10.2/web/editing_html_templates.md) topic for additional information. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/web/license_agreement.md b/docs/passwordpolicyenforcer/10.2/web/license_agreement.md deleted file mode 100644 index 851f8c2b67..0000000000 --- a/docs/passwordpolicyenforcer/10.2/web/license_agreement.md +++ /dev/null @@ -1,144 +0,0 @@ -# License Agreement - -NETWRIX PTY LTD ("NETWRIX") IS WILLING TO LICENSE THIS SOFTWARE ONLY UPON THE CONDITION THAT YOU -ACCEPT ALL OF THE TERMS CONTAINED IN THIS SOFTWARE LICENSE AGREEMENT. PLEASE READ THE TERMS -CAREFULLY. IF YOU DO NOT AGREE WITH THESE TERMS, THEN NETWRIX IS UNWILLING TO LICENSE THE SOFTWARE -TO YOU. - -NETWRIX SOFTWARE LICENSE AGREEMENT AND WARRANTY STATEMENT - -(End-User Trial Use License With Option For Extended Use/Redistribution Prohibited) - -1. The Software. - - The Software licensed under this Agreement consists of computer programs, data compilation(s), - and documentation referred to as PPE/Web V7.x (the "Software"). - -2. Trial Use. - - You are authorized to use the Software for evaluation purposes during a trial use term of thirty - (30) days, unless prior to the expiration of the trial use term this license is terminated by - You for convenience or terminated by either party for material breach. You have the option to - register for full use of the Software at any time by paying the required license fee. - Registration will authorize You to use an unlocking key which will convert the Software to full - use, subject to the terms and conditions of this agreement. Your use of the Software under this - trial use license for any purpose after the expiration of the initial trial use term is not - authorized without the prior written consent of Netwrix. Upon expiration of the limited trial - use term, the Software may automatically disable itself. Immediately upon expiration of the - limited trial use term, You shall either register for full use of the Software, or destroy all - copies of the Software and documentation. - -3. Perpetual Term. - - If You purchase a perpetual license, then the term of the license granted herein shall be - perpetual unless terminated by You for convenience or terminated by either party for material - breach. - - Immediately upon termination of this license for any reason, You shall destroy all copies of the - Software and documentation. - -4. Subscription Term(s). - - If You purchase a subscription license, then the term of this license is on a subscription basis - with an initial term of one (1) year, and optional renewal terms of one (1) year each, unless - prior to renewal this license is terminated by You for convenience or terminated by either party - for material breach. Renewal procedures are available from Netwrix, and unless such procedures - are strictly satisfied, including the payment of any required license fee, Your use of the - Software for any purpose after the expiration of the subscription term is not authorized. Upon - expiration of the subscription term, the Software may automatically disable itself. Immediately - upon expiration or termination of this license for any reason, You shall destroy all copies of - the Software and documentation. - -5. License Grant. - - You are granted non-exclusive rights to install and use the Software on any computer and/or - transmit the Software over a computer network, provided that You acquire and dedicate a licensed - copy of the Software for each user who may access the Software. A license for the Software may - not be shared or used concurrently by different users. You may purchase additional licenses for - the Software from time to time. This Agreement shall take precedence over any purchase order for - additional licenses, and any conflicting, inconsistent, or additional terms in such purchase - orders shall be null and void. You may copy the Software for archival purposes, provided that - all copies must contain the original Software's proprietary notices in unaltered form. - -6. Restrictions. - - You may not: (i) permit others to use the Software, except as expressly provided above for - authorized network use; (ii) modify or translate the Software, except the HTML, CSS, and image - files; (iii) reverse engineer, decompile, or disassemble the Software, except to the extent this - restriction is expressly prohibited by applicable law; (iv) create derivative works based on the - Software; (v) merge the Software with another product; (vi) copy the Software, except as - expressly provided above; or (vii) modify, remove or obscure any copyright, trademark or other - proprietary rights notices or labels on the Software. - -7. Transfers. - - You may not transfer the Software or any rights under this Agreement without the prior written - consent of Netwrix, which consent shall not be unreasonably withheld. A condition to any - transfer or assignment shall be that the recipient agrees to the terms of this Agreement. Any - attempted transfer or assignment in violation of this provision shall be null and void. - -8. Ownership. - - Netwrix and its suppliers own the Software and all intellectual property rights embodied - therein, including copyrights and valuable trade secrets embodied in the Software's design and - coding methodology. The Software is protected by Australian copyright laws and international - treaty provisions. This Agreement provides You only a limited use license, and no ownership of - any intellectual property. - -LIMITED WARRANTY STATEMENT; LIMITATION OF LIABILITY. Netwrix warrants only to You that the Software -shall, in unmodified form, perform substantially in accordance with accompanying documentation under -normal use for a period of thirty (30) days from the purchase date. The entire and exclusive -liability and remedy for breach of this Limited Warranty shall be, at Netwrix option, either (i) -return of the amount received by Netwrix for the Software, or (ii) replacement of defective Software -and/or documentation. NETWRIX AND ITS SUPPLIERS AND RESELLERS SPECIFICALLY DISCLAIM THE IMPLIED -WARRANTIES OF TITLE, NON- INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SYSTEM -INTEGRATION, AND DATA ACCURACY. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION OF THE SOFTWARE -WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT THE SOFTWARE WILL MEET ANY PARTICULAR CRITERIA OF -PERFORMANCE, QUALITY, ACCURACY, PURPOSE, OR NEED, EXCEPT AS EXPRESSLY PROVIDED IN THE LIMITED -WARRANTY. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT. NO USE OF THE -SOFTWARE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. No action for the above Limited -Warranty may be commenced after one (1) year following the expiration date of the warranty. To the -extent that this Warranty Statement is inconsistent with the jurisdiction where You use the -Software, the Warranty Statement shall be deemed to be modified consistent with such local law. -Under such local law, certain limitations may not apply, and You may have additional rights which -vary from jurisdiction to jurisdiction. For example, some states in the United States and some -jurisdictions outside the United States may: (i) preclude the disclaimers and limitations of this -Warranty Statement from limiting the rights of a consumer; (ii) otherwise restrict the ability of a -manufacturer to make such disclaimers or to impose such limitations; or (iii) grant the consumer -additional legal rights, specify the duration of implied warranties which the manufacturer cannot -disclaim, or prohibit limitations on how long an implied warranty lasts. - -INDEPENDENT OF THE FORGOING PROVISIONS, IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT -LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL NETWRIX OR ANY OF ITS SUPPLIERS BE -LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF -ANY KIND, INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER -MALFUNCTION, OR ANY OTHER KIND OF COMMERCIAL DAMAGE, EVEN IF NETWRIX HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL -INJURY TO THE EXTENT PROHIBITED BY APPLICABLE LAW. - -IN NO EVENT SHALL NETWRIX'S LIABILITY FOR ACTUAL DAMAGES FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF -THE FORM OF ACTION, EXCEED THE AMOUNT OF THE PURCHASE PRICE PAID, IF ANY, FOR THE SOFTWARE LICENSE. - -EXPORT CONTROLS. You agree to comply with all local laws in Your jurisdiction which might impact -Your right to import, export or use the Software, and You represent that You have complied with any -regulations or registration procedures required by applicable law to make this license enforceable. - -MISCELLANEOUS. This Agreement constitutes the entire understanding of the parties with respect to -the subject matter of this Agreement and merges all prior communications, representations, and -agreements. This Agreement may be modified only by a written agreement signed by the parties. If any -provision of this Agreement is held to be unenforceable for any reason, such provision shall be -reformed only to the extent necessary to make it enforceable. This Agreement shall be construed -under the laws of the State of New South Wales, Australia, excluding rules regarding conflicts of -law. This Agreement will not be governed by the United Nations Convention on Contracts for the -International Sale of Goods, the application of which is expressly excluded. The parties have -requested that this Agreement and all documents contemplated hereby be drawn up in English. Les -parties aux presentes ont exige que cette entente et tous autres documents envisages par les -presentes soient rediges en anglais. - -U.S. GOVERNMENT END USERS: If the Software and documentation is acquired by or for the United States -Government then it is provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the United -States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of The Rights -in Technical Data and Computer Software clause at DFARS 252.227-7013, or subparagraphs (c)(1) and -(2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19 or clause -18-52.227-86(d) of the NASA supplement to the FAR, as applicable. Manufacturer is NETWRIX PTY LTD, 9 -Monteray Terrace, Glenmore Park, NSW 2745 Australia. diff --git a/docs/passwordpolicyenforcer/10.2/web/securing_web.md b/docs/passwordpolicyenforcer/10.2/web/securing_web.md index 2d0ef05702..af4134567e 100644 --- a/docs/passwordpolicyenforcer/10.2/web/securing_web.md +++ b/docs/passwordpolicyenforcer/10.2/web/securing_web.md @@ -17,7 +17,10 @@ Password Policy Enforcer/Web sends passwords to the domain controllers over a se you need to set up SSL (Secure Sockets Layer) encryption for the connection between the web browser and the web server. -**CAUTION:** Do not use Password Policy Enforcer/Web on a production network without SSL encryption. +:::warning +Do not use Password Policy Enforcer/Web on a production network without SSL encryption. +::: + You can use a self-signed certificate, but most organizations purchase certificates from a certificate authority. This is a recurring cost, and you will need to complete forms for the diff --git a/docs/passwordpolicyenforcer/10.2/web/using_web.md b/docs/passwordpolicyenforcer/10.2/web/using_web.md index 590bb0a7c0..b380514675 100644 --- a/docs/passwordpolicyenforcer/10.2/web/using_web.md +++ b/docs/passwordpolicyenforcer/10.2/web/using_web.md @@ -22,14 +22,20 @@ You can also include the username and/or domain in the URL: `http://[server]/ppeweb/ppeweb.dll?username=maryjones&domain=ANIXIS` -**_RECOMMENDED:_** Install the SSL Certificate the web server and use the HTTPS protocol if Password +:::info +Install the SSL Certificate the web server and use the HTTPS protocol if Password Policy Enforcer/Web will be used on an unencrypted network. See the -[Installing and Using an SSL Certificate](/docs/passwordpolicyenforcer/10.2/web/securing_web.md#installing-and-using-an-sslcertificate) +[Installing and Using an SSL Certificate](/docs/passwordpolicyenforcer/10.2/web/securing_web.md) topic for additional information. +::: -**NOTE:** A license reminder message is shown occasionally when Password Policy Enforcer/Web is used + +:::note +A license reminder message is shown occasionally when Password Policy Enforcer/Web is used without a license key. Contact Netwrix support if you would like to evaluate Password Policy Enforcer/Web without the reminder message. +::: + ## Changing a Password @@ -46,9 +52,12 @@ Follow the steps below to change a password with Password Policy Enforcer/Web. **Step 3 –** Enter the **Old Password**, **New Password**, and **Confirm Password**, then click **Next**. -**NOTE:** Windows increments the bad password count in Active Directory every time a user enters +:::note +Windows increments the bad password count in Active Directory every time a user enters their old password incorrectly. This may trigger a lockout if the Windows account lockout policy is enabled. +::: + ## Error Messages diff --git a/docs/passwordpolicyenforcer/10.2/web/what_new.md b/docs/passwordpolicyenforcer/10.2/web/what_new.md index 0553dc1cbc..d529e90082 100644 --- a/docs/passwordpolicyenforcer/10.2/web/what_new.md +++ b/docs/passwordpolicyenforcer/10.2/web/what_new.md @@ -6,20 +6,20 @@ sidebar_position: 10 # What's New -User Interface +**User Interface** - Displays a diagnostic message if the Password Policy Enforcer does not respond to a request. This is likely to happen if a domain controller is not running Password Policy Enforcer, or if a firewall is blocking access to the PPS port. -Compatibility +**Compatibility** - Compatible with Windows Server 2012 and 2012 R2 (as well as Windows Server 2003, 2003 R2, 2008, and 2008 R2). - Improved Setup Wizard to ensure that PPEWeb.dll is always added to the list of Web Service Extensions on Windows 2003 and 2003 R2 64-bit editions. -Other +**Other** - Uses the Password Policy Enforcer V7.x libraries for improved compatibility with new features in recent version of Password Policy Enforcer. @@ -29,13 +29,16 @@ Other [Upgrading from PPW/Web V6.x](/docs/passwordpolicyenforcer/10.2/web/installation.md#upgrading-from-ppwweb-v6x) topic for additional information. -**NOTE:** PPE/Web V7.11 integrates with Password Policy Enforcer V7.0 or later. Disable Password +:::note +PPE/Web V7.11 integrates with Password Policy Enforcer V7.0 or later. Disable Password Policy Enforcer integration in the PPE/Web Configuration console if you need to use PPE/Web with an older version of Password Policy Enforcer. +::: + #### New in PPE/Web V6.x (Previous Version) -User Interface +**User Interface** - Updated HTML Templates allow customization of all user interface elements including error messages. @@ -45,12 +48,12 @@ User Interface - The Setup Wizard installs and configures PPE/Web without the manual setup steps from earlier versions. -Compatibility +**Compatibility** - Compatible with Windows Server 2008 and 2008 R2 (as well as Windows Server 2003 and 2003 R2). - Compatible with 64-bit and 32-bit Windows editions. -Other +**Other** - Additional validation of all user input to improve security. - Can get user and domain names from URL parameters. @@ -59,4 +62,7 @@ Other - Can be used without Password Policy Enforcer if Password Policy Enforcer's additional password policy controls are not needed. -**NOTE:** PPE/Web V6.0 integrates with Password Policy Enforcer V6.0 or later. +:::note +PPE/Web V6.0 integrates with Password Policy Enforcer V6.0 or later. + +::: diff --git a/docs/passwordpolicyenforcer/10.2/overview/whatsnew.md b/docs/passwordpolicyenforcer/10.2/whatsnew.md similarity index 83% rename from docs/passwordpolicyenforcer/10.2/overview/whatsnew.md rename to docs/passwordpolicyenforcer/10.2/whatsnew.md index b26b5a2214..c9908514a7 100644 --- a/docs/passwordpolicyenforcer/10.2/overview/whatsnew.md +++ b/docs/passwordpolicyenforcer/10.2/whatsnew.md @@ -1,7 +1,7 @@ --- title: "What's New" description: "What's New" -sidebar_position: 10 +sidebar_position: 2 --- # What's New @@ -18,12 +18,12 @@ Password Policy Enforcer version. ### Password Policy Enforcer v10.2 -NEW: Bulk Password Testing +**NEW: Bulk Password Testing** Check a large number of passwords against a selected policy and a get a report of the accepted and rejected passwords. -NEW: HIPB Updater +**NEW: HIPB Updater** Downloads the most recent Have I Been Pwnd (HIBP) hash list and incremental updates directly from Netwrix Labs . Offers options to apply scheduling and triggers. This feature replaces the Pwnd @@ -33,34 +33,34 @@ See the [HIBP Updater](/docs/passwordpolicyenforcer/10.2/administration/hibpupdater.md) topic for additional information. -NEW: Password Quality Feedback +**NEW: Password Quality Feedback** End users get real-time feedback when typing a new password on the Windows Change Password screen, indicating whether the new password meets the applied policies. -Enhancement: Updated Password Checker User Interface +**Enhancement: Updated Password Checker User Interface** Added a three-tab user layout for better separation of settings and improved usability. Password Checker can now be accessed from the PPS Properties page. -Enhancement: Event Logging in Password Checker +**Enhancement: Event Logging in Password Checker** Password Checker now has an option to log an event when it finds a compromised password. -Enhancement: Force Password Expiration in Password Checker +**Enhancement: Force Password Expiration in Password Checker** Password Checker now has an option to force password expiration for accounts where compromised passwords are found. -Enhancement: License Usage Count +**Enhancement: License Usage Count** The License tab on PPS Properties page now displays the number of connected active AD accounts and the number of AD accounts where policies are applied. -Enhancement: Security Update +**Enhancement: Security Update** Added option to utilize RPC Kerberos Sign/Seal protocol for client-server communication. -Enhancement: Rule Name Properties +**Enhancement: Rule Name Properties** Added the names of the rules to their properties’ windows for better identification. diff --git a/static/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe1.webp b/static/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe1.webp new file mode 100644 index 0000000000..85d6d660ef Binary files /dev/null and b/static/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe1.webp differ diff --git a/static/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe2.webp b/static/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe2.webp new file mode 100644 index 0000000000..068bc37273 Binary files /dev/null and b/static/img/product_docs/passwordpolicyenforcer/10.2/administration/ppe2.webp differ