• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 37 subscribers
  • Views 6215 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Secure password extension in multiple domains

Alexandros Marioleas
over 6 years ago

Hello all,

Let's say that i have domain01, child domain02, child domain03. My Password manager server is in domain02 and i have users that i want to manage in all domains. Workstations belong to domain03.

What should i do in a situation like that for secure password extension? Do i have to deploy the administrative template in every domain? Should i configure something like the "Overriding Automatic Self-Service Site Location"?

Thank you.

  • +1 over 6 years ago
    #1. IF GPO can span whole forest THEN you can use single GPO. I recommend put in PM SPE GPO the URL registered in DNS URL = https://MyPasswordManager (easy to manage control, intranet/internet, upgrade etc.)
    Concern: you might interfere with local Domain, Site GPOs for ex-gina clients. Therefore at the end it depends on concrete GPO architecture and delegation in your IT org.
    #2. OfflinePasswordReset - might be more complex (PM Service will need to touch domain03\PC$ objects write/read secure secret for OfflinePasswordReset, in addition to domain01,2,3\pcuser password reset)
  • 0 over 6 years ago
    So if i manage to target all the workstations that i would like to be able to have SPE in all domains through a single GPO in one of the domains i should be fine.

    Thank you Aidar.