Secure password extension in multiple domains

Hello all,

Let's say that I have domain01, child domain02, and child domain03. My Password Manager server is in domain02, and I have users that I want to manage in all domains. Workstations belong to domain03.

What should I do in a situation like that for Secure Password Extension? Do I have to deploy the administrative template in every domain? Should I configure something like the "Overriding Automatic Self-Service Site Location" policy?

Thank you.

  • #1. IF a GPO can span the whole forest, THEN you can use a single GPO. I recommend putting in the PM SPE GPO the URL registered in DNS, i.e. URL = https://MyPasswordManager (easy to manage: control, intranet/internet, upgrades, etc.).
    Concern: you might interfere with local Domain and Site GPOs for ex-GINA clients. Therefore, in the end it depends on the concrete GPO architecture and delegation in your IT org.
    #2. OfflinePasswordReset might be more complex (the PM service will need to touch domain03\PC$ objects to write/read the secure secret for OfflinePasswordReset, in addition to the domain01,2,3\pcuser password resets).
  • In reply to Aidar.Karabalaev:

    So if I manage to target all the workstations on which I would like to have SPE, in all domains, through a single GPO in one of the domains, I should be fine.

    Thank you Aidar.
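The two options discussed in the thread (one GPO in domain02 linked to the domain03 workstation OU, or a copy of that GPO in each domain) and the permission concern from point #2, as an added PowerShell example. This is not code from the thread or from the Password Manager vendor. Assumed, because the thread does not state them: the FQDNs (domain01.local with children domain02.domain01.local and domain03.domain01.local), the workstation OU DN, the PM service account name, and above all the registry key and value name the SPE administrative template writes, which are placeholders to be taken from the vendor's .adm/.admx file. The DNS alias https://MyPasswordManager is the one Aidar recommends.

```powershell
# Added example, not from the thread or the vendor. Requires RSAT (GroupPolicy,
# ActiveDirectory, DnsClient modules) and rights to create/link GPOs in the domains.
# ASSUMPTIONS (not stated in the thread): FQDNs, OU DN, service account, and the
# policy registry key/value, which are PLACEHOLDERS for the real SPE template values.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoDomain        = 'domain02.domain01.local'                 # domain that owns the GPO (PM server lives here)
$WorkstationDomain= 'domain03.domain01.local'                 # workstations live here
$GpoName          = 'PM-SPE-SelfService-Site'                 # hypothetical GPO name
$SpeUrl           = 'https://MyPasswordManager'               # DNS alias from the thread
$TargetOu         = 'OU=Workstations,DC=domain03,DC=domain01,DC=local'  # assumed OU DN
$PolicyKey        = 'HKLM\SOFTWARE\Policies\VendorPlaceholder\SecurePasswordExtension'  # PLACEHOLDER
$PolicyValueName  = 'SelfServiceSiteUrl'                      # PLACEHOLDER
$PmServiceAccount = 'DOMAIN02\svc-pm'                         # assumed PM service account

function Test-SpeUrl {
    # Preflight: the single DNS name must resolve from where SPE runs, otherwise the
    # logon-screen extension cannot reach the self-service site. Throws on failure.
    param([string]$Url = $SpeUrl)
    $hostName = ([uri]$Url).Host
    $null = Resolve-DnsName -Name $hostName -ErrorAction Stop
    return $hostName
}

function Publish-SpeGpo {
    # Creates (or reuses) the SPE GPO in $GpoDomain, writes the URL policy value,
    # and links it to the domain03 workstation OU.
    # Default: single GPO kept in domain02 with a cross-domain link (Aidar's option #1).
    # -CopyPerDomain: copy the GPO into the workstation domain and link the copy
    # instead, which avoids cross-domain GPO processing at the cost of two objects to
    # keep in sync (the "deploy in every domain" approach from the question).
    param([switch]$CopyPerDomain)

    $null = Test-SpeUrl

    $gpo = Get-GPO -Name $GpoName -Domain $GpoDomain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Domain $GpoDomain `
                       -Comment 'Secure Password Extension self-service site URL'
    }
    Set-GPRegistryValue -Name $GpoName -Domain $GpoDomain -Key $PolicyKey `
        -ValueName $PolicyValueName -Type String -Value $SpeUrl | Out-Null

    $linkName   = $GpoName
    $linkDomain = $GpoDomain
    if ($CopyPerDomain) {
        # Copy-GPO supports cross-domain copies; the copy becomes a domain03 object.
        $linkDomain = $WorkstationDomain
        if (-not (Get-GPO -Name $GpoName -Domain $WorkstationDomain -ErrorAction SilentlyContinue)) {
            Copy-GPO -SourceName $GpoName -SourceDomain $GpoDomain `
                     -TargetName $GpoName -TargetDomain $WorkstationDomain | Out-Null
        }
    }

    # Link only if the OU does not already carry this GPO.
    $inheritance = Get-GPInheritance -Target $TargetOu -Domain $WorkstationDomain
    if (-not ($inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $linkName })) {
        # -Domain names the GPO's own domain; -Target is the OU DN in domain03.
        # Assumption: this is how a cross-domain link is expressed with New-GPLink;
        # if your environment rejects it, create the link in GPMC instead.
        New-GPLink -Name $linkName -Domain $linkDomain -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    return Get-GPInheritance -Target $TargetOu -Domain $WorkstationDomain
}

function Get-PmRightsOnComputer {
    # For point #2 (Offline Password Reset): shows which ACEs on a domain03 computer
    # object name the PM service account, so you can see whether it can read/write
    # the per-machine secret at all before enabling the feature.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Identity = $PmServiceAccount,
        [string]$Domain   = $WorkstationDomain
    )
    $dn = (Get-ADComputer -Identity $ComputerName -Server $Domain).DistinguishedName
    if (-not (Get-PSDrive -Name AD03 -ErrorAction SilentlyContinue)) {
        # Separate AD: drive rooted in domain03; the default AD: drive is the local domain.
        New-PSDrive -Name AD03 -PSProvider ActiveDirectory -Server $Domain -Root '' | Out-Null
    }
    (Get-Acl -Path "AD03:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

# Usage:
#   Publish-SpeGpo                       # one GPO in domain02, cross-domain link to domain03 OU
#   Publish-SpeGpo -CopyPerDomain        # copy into domain03 and link the copy
#   Get-PmRightsOnComputer -ComputerName 'WS001'
```

Whichever option is chosen, check the result on a domain03 workstation with `gpresult /r /scope computer` (the GPO must appear under applied computer policies) and by reading the registry value the template actually writes; a cross-domain-linked GPO additionally requires the workstation to read the GPO's SYSVOL in domain02, so a trust or replication problem shows up as the GPO being listed but not applied. The `Get-PmRightsOnComputer` output returning nothing for the service account means the rights Aidar mentions for Offline Password Reset still have to be delegated on the domain03 computer objects.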