Microsoft 4.5.X User's Manual
Contents
1. Select this report type to search for users who have not completed enrollment in the self-service verification questions. (Page 39 of 94, Administration Manual, Copyright 2007 Lieberman Software Corporation. All Rights Reserved.) Account inactivity: Select this report type to search for accounts which have been inactive (have not logged in) for the specified number of days. Any time a login is recorded on any domain controller that ARC is able to contact, the timestamp will be reset. However, if a domain controller goes offline, this information may be inaccurate, as the timestamps stored on that domain controller will no longer be available. The date used for calculating the time until expiration in the task is drawn from the clock on the machine running ARCWeb, NOT the domain controller. Thus, any inconsistencies in the system clocks between the primary domain controller and the machine running ARCWeb could cause inaccuracies in detecting the appropriate users. Running Reports Immediately: The Account Reset Console will allow you to run reports immediately through the web interface by checking the report's checkbox and clicking the Run Selected Tasks Now button. This allows you to run reports without waiting for them to run at their scheduled time, or allows you to keep on-demand reports in the Inactive section and run them whenever required. Editing Report Settings: Clicking the Edit link next to a report
2. [Screenshot: Schedule Account Tasks, Edit Scheduled Task page for the task "Find Expiring Users". Fields shown: task name, days and time the task runs, last run, target groups, filter users (ignore usernames which contain given substrings), task details (find accounts whose password will expire within a number of days; disable or enable the user's account; send the user an email as plain text, HTML or RTF), user email keywords (RealName: user's full name as stored in Active Directory; PwdDaysToExp: days until the user's password expires), and an address to email results to.] In the edit screen you can change th
3. [Screenshot: Password Change Features page, with options to emulate the user account when users change their own passwords (to comply with domain policies), expire self-changed passwords so that they must be changed on next login (ignored when the user cannot change password), allow self-service unlock and password reset through ARC via ID verification, allow self-service unlock and password reset through Credential Provider/GINA via ID verification, verification allowed wrong answers (3), and verification wrong answers timeout in minutes (3).] The Password Change Features page allows you to configure the behavior of ARCWeb when users reset their own passwords. Note that the checkbox entitled Allow lost password recovery through ARC may be enabled, but will only function properly once you have configured your verification questions and answers in the advanced features. The default settings should be sufficient for initial evaluation of the product. For more information on this page, see the Set Password Change Features section later in this document. Configuring email: If you want the Account Reset Console to be able to notify users via email of account or password resets, or to be able to email administrators and managers of scheduled task completion or
4. [Screenshot: Reset User Account page, with password fields and options to enable the account if disabled, unlock the account if locked, and force the user to change password on next login.] The top-level menus represent different parts of the ARCWeb product. Accounts: this menu contains the direct account manipulation pages. Ordinary users use these pages to reset their own passwords and configure their answers for identity verification. Help desk users use these pages to reset other users' accounts. Scheduling Reporting: this menu contains pages for viewing the access and reset logs, and for scheduling tasks and viewing the reports generated by these tasks. These pages are generally for help desk managers. Management: this menu contains pages for setting group permissions, program features, and application appearance (skinning). This is also where email will be configured. Configuration: this menu contains pages for domain and data source management, verification questions, log database location, and application licensing. Index: this menu links to the index page to the entire application, allowing you to immediately jump to any page you have rights to access. Once you have logged onto the Account Reset Console, you should begin by configu
5. When licensed by us to you for commercial use, the software can be used to manage the number of user account passwords and settings granted in the license. The serial number provided to you is designed for a specific named machine. If you need to move the license to another system, we will provide you with new serial numbers for those systems owned/controlled by you at no cost, as long as you maintain a current support agreement with us (included for free in your first year). Each server running our web server software requires you to purchase a separate server license as well as an appropriate number of managed user licenses. If the same user account is managed by two or more web servers, the multiple instances of the user account shall be treated as only a single user. For example, if you have three web servers managing the same domain of 4500 users, then you would need to buy three server licenses and buy 4500 user licenses. 2. Copyright: The SOFTWARE is owned by Lieberman Software Corporation and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g., a book or musical recording), except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes or (b) transfer the SOFTWARE to a single hard disk, provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also; you m
6. [Screenshot: Manage Appearance page, with settings for the company tagline and tagline color, banner image (upload maximum size 640x100), main menu bar colors, side menu bar colors, and other colors (page header, page header text, page border, login box border, login box).] All colors should be in hexadecimal RGB format. Thus red would be FF0000 and green 00FF00. All O characters should be zeros, not o's. For more information on changing the application's appearance, see Appearance later in this document.
7. Begin by logging into the Account Reset Console. You will need to use an account that is a member of the initial administrator's group you specified in the installation process. If your account is not a member of this initial group, you will receive an error message explaining why you are not permitted to log in. [Screenshot: Account Reset Console login page, with username, password and domain fields and a link to reset a forgotten password or unlock a locked-out account.] Once you log into the Account Reset Console, you should see a series of top-level menu options which look similar to the ones below. If you do not see all the menus, you have logged in with an account that is not a member of the initial administrative group, and the Account Reset Console is restricting your access to certain parts of the interface. [Screenshot: Reset User Account page, showing the top-level menus Accounts, Scheduling Reporting, Management, Configuration and Index.]
8. [Screenshot: list of existing group access rules.] If an Administrative Group is granted Access to a Managed Group, members of the Administrative Group will be able to use the Account Reset Console to reset the accounts of users that are members of the Managed Group. For example, in the screenshot above, members of the "can reset" group are permitted to reset accounts of users in the "can be reset" group. It is important to note that there are two different types of Group Access Rights. Reset Password: Granting an Administrative Group Reset Password rights allows the members of the Administrative Group to reset the accounts and passwords of users that are members of the Managed Group. View User Answers: Granting an Administrative Group View User Answers rights allows the members of the Administrative Group to view the user identity information (i.e., identification answers) of users that are members of the Managed Group. Adding Access Rights: To grant group access rights to a Windows group, enter the appropriate Administrative Group and Managed Group, select the appropriate checkboxes, and click Add Group Access Rule. This will grant access rights to the specified group. You will see the list(s) of existing access rights change to include the new rights. Viewing or Deleting Existing Access Ri
9. [Screenshot: IIS application settings (execute permissions: Scripts only; application pool: DefaultAppPool).] Q: When attempting to load the web site, you receive the following error: "The page cannot be displayed", followed by a 403.2 error. A: This is caused when the Home Directory permissions are missing the Read permission. Set the checkbox for Read permission. [Screenshot: Home Directory permissions, including the Read checkbox.] Q: I see the ASP source code when I try to do a report, or get an error 404 when accessing the report (caused by 404.dll being mapped to ASP extensions). [Screenshot: browser window displaying the raw ASP/HTML source of a report page instead of the rendered report.]
10. Setting up the mobile site (Advanced): The Account Reset Console's Mobile site allows you to access any feature of the application from your mobile device with an optimized download size and screen layout. You can change the ARCWeb mobile behavior under the Management main menu and the Mobile Settings side menu tab. [Screenshot: Configure Mobile Settings page, with a Display tagline option, Screen width (px) set to 320, and a Save Mobile Settings button.] You will need to determine your selected mobile device's width in pixels to view the application. By default ARCWeb ships with a 320 pixel screen width, which may be too wide for most phone screens. For more information on setting up the mobile site, see the Configure Mobile Settings section later in this document. Scheduling tasks (Advanced): Users who have View Console Logs and Task Reports access privileges can schedule and view management reports, and users who have Manage All Web Access
11. [Screenshot: Manage Appearance page (banner image, main menu bar colors, side menu bar colors, other colors).] Nearly all colors of the Account Reset Console can be altered at any time, as well as the banner and tagline at the top of the page. To change the appearance of the Account Reset Console, change the values in the page and click Save Appearance Settings. Colors: All colors in the Account Reset Console are saved using standard RGB hexadecimal format. This is a six-figure string in the format RRGGBB, where RR is the hexadecimal representation of the red component of the color. A few examples: Pure black is 000000. Pure white is FFFFFF. Pure red is FF0000. Pure green is 00FF00. Pure blue is 0000FF. Altering the Page Header: The top of each page of the Account Reset Console contains an image and a company tagline. By default these are the Lieberman S
12. [Screenshot: View Account Reset Console Logs page, with a choice of Access Log or Action Log, a date range, a username field and a Display Log button.] Use this screen to report on usage of the Account Reset Console. Select Access Log or Action Log and specify a date range. Then click Display Log to see what users have been doing on the system. You can select to view access logs (logs of who has logged on or off the Account Reset Console) or action logs (logs of which user accounts have been reset or viewed by which users). Both successful actions and failed requests are logged. For more information, see the Log Viewing section of this document. Configuring Verification Questions and Answers (Advanced): Before users can use the Account Reset Console to reset their lost passwords via question and answer identity verification, you will need to configure the verification questions and answers. To do this, you will need to use the Data Sources, Verification, and Password Change Features pages. The Data Sources and Verification pages can be accessed through the Configuration main menu link; the Password Change Features page can be accessed through the Management main menu link. You will begin configuring the verification system at the Veri
13. the target of the action and the result. If the user requesting the account action does not have permissions to reset the account, the log will read "Error Not Allowed". If the account action fails, the failure cause will be entered into the reset log. Clicking on the headers of each column will sort the table by that column. Scheduling Management Reports. Overview: The Account Reset Console includes an automatic report scheduling system which allows you to automatically generate reports on accounts matching specified criteria. Task scheduling is located under the Scheduling Reporting menu item in the Management Reports tab. Management reports can be scheduled or run by users with View Console Logs and Task Reports privileges. Creating and Viewing Management Reports: The scheduled reports that are currently saved are displayed in a table on the main scheduled tasks screen, as shown below. [Screenshot: Create Management Reports page, listing active and inactive tasks, with Run Selected Tasks Now and Add New Task controls and the task types Password Expiration, Self Reset Configuration and Account Inactivity.] Management reports are divide
14. [Screenshot: Reset User Account page, with username, domain and password fields and options to enable the account if disabled, unlock the account if locked, and force the user to change password on next login.] For more information on configuring user identity information, see Identity Configuration later in this document. Reviewing Data Security (Advanced): The Account Reset Console is designed to protect the security of your data sources and network by (a) limiting the amount of time a user automatically stays logged in and (b) protecting against escape characters in SQL strings before they are sent to your databases. You can modify these settings under the Configuration main menu and the Security side menu tab. [Screenshot: Manage Application Security page.]
15. Configuring Mobile Settings. Overview: The Account Reset Console has a mobile site available at the Mobile subdirectory, which can be configured to match nearly any mobile device's screen available. Mobile appearance settings are located under the Management menu item in the Mobile Settings tab. Mobile settings can be managed by users with Manage All Web Access Controls privileges. Managing the Mobile Settings: [Screenshot: Configure Mobile Settings page, with a Display tagline option, Screen width (px) set to 320, and a Save Mobile Settings button.] The mobile settings allow you to customize the appearance of the Account Reset Console in the mobile device of your choosing. Different mobile devices have different screen resolutions, so you may want to reconfigure the Account Reset Console for your organization's selected mobile platform. Display tagline: You can preserve vertical screen space on your mobile device by choosing to not display the tagline on the mobile s
16. have selected. If the test logging is successful, the Account Reset Console will begin logging to the new data source; if not, no change will be made. Log Requirements: The Account Reset Console logs to any SQL Server database. This can be a full installation of SQL Server 2000 or 2005, or MSDE or SQL Express. User Verification Configuration. Overview: The Account Reset Console can be configured to allow users to reset their own passwords if they have forgotten them. Users answer a series of preconfigured questions correctly to verify their identity, and then are permitted to change their own password. Each question draws from a defined data source to User verification configuration is located under the Configuration main menu item in the Verification tab. The verification configuration can be managed by users with super user account privileges. Adding and Removing Questions: The questions currently being used for verification purposes are listed at the top of the Verification page. [Screenshot: User Identity Verification Configuration page, listing the active questions.]
17. the application's day-to-day functions. Users with this access right can set program and group access rights for other Windows groups. Users with this access right can configure the program features for account reset and password change. Users with this access right can view the system logs. Users with this access right can configure the Account Reset Console's appearance. Adding Access Rights: To grant program access rights to a Windows group, check the desired access rights, select the domain or local machine as appropriate, enter the name of the group in the edit box, and click Add Rule. This will grant the selected program access rights to the specified group. You will see the list of existing access rights change to include the new rights. Viewing or Deleting Existing Access Rights: The existing group program access rights are listed at the bottom of the page. Any group can be deleted from a given rights list by clicking the del link next to its name. Deleting a group from any particular rights list removes those rights from the group. Permission Stacking: Each permission level bestows a specific set of capabilities upon the group. It is important to note that these are not inclusive. For example, a group with Allow Reset of Other Users Accounts but not Allow Web Login will not be able to log into the Account Reset Console.
18. user resets their own password using the Account Reset Console. You can enter the text of the email and the Help Desk email address below the checkbox. You can use wildcards to specify fields to automatically fill in: RealName (the real name of the user as stored in Active Directory), UserName (the user's username), and Email (the email address of the user as stored in Active Directory). Save Program Features: click this button to save the changes you have made. Note that the values are not saved until you have clicked the Save Program Features button. [Screenshot: Manage Password Change Features page, with options to allow users to change their own passwords using the web interface, emulate the user account to comply with domain policies, and expire self-changed passwords so that they must be changed on next login.]
19. you will need to make one final change to the password change features, under Management on the main menu and Password Change Features on the side menu. You need to allow users to reset their forgotten password through ARC via ID verification. Select the Allow self service unlock and password reset through ARC via ID verification checkbox, and enter a number of allowable wrong answers (we suggest 3), then click Save Program Features. You may also elect to allow self-service unlock via ARC Credential Provider, which is a separate download and installation for each client. This option allows users to reset/unlock their accounts without requiring access to a browser or help desk personnel. For further information or to download, please visit the Lieberman Software web site at http://www.liebsoft.com and visit the Account Reset Console pages. [Screenshot: Manage Password Change Features page.]
20. Table of contents (fragment; legible entries only): Viewing or Deleting Existing Access Rights; Set Group Access; Adding Access Rights; Viewing or Deleting Existing Access Rights; Set Account Reset Features; Set Password Change Features; Password Change Options; Configuring Email Settings; Managing the Account Reset Console Appearance; Altering the Page Header; Customizing the Main Menu; Customizing the Side Menu; Customizing the Page; Configuring Mobile Settings; Managing the Mobile Settings; Viewing Available Data Sources; Adding a Data Source; Editing a Data Source; Editing a Microsoft Jet Data Source; Editing a Microsoft SQL Server Data Source; Editing a General ADO Compatible Data Source; Viewing the Log Configuration; Ch
21. [Screenshot: IIS Application Configuration dialog, Mappings tab, listing extension mappings with their executables and verbs.] Confirm that the entry in the Extension column for .asp points to the asp.dll executable for the verbs GET, HEAD, POST, TRACE, or the single entry of ALL. If the ASP entry is missing or incorrect, remove the bad entry, click on the Add button, and add the entry as follows. [Screenshot: Add/Edit Application Extension Mapping dialog, with Executable, Extension and Verbs fields (limit to GET, HEAD, POST, TRACE), and the Script engine and Verify that file exists checkboxes.] Please note that the path will be unique for your installation. Q: When attempting to load the web site, you receive the following error: "Directory Listing Denied", or you see the contents of the ArcWeb\www directory. A: The correct default document has not been defined on the documents tab of your website or virtual directory. Go to the documents tab of the virtual directory or website you setup for ArcWeb and add select Enable default content page an
22. [Screenshot: browser window displaying the raw ASP/HTML source of a report page.] A: The Application Configuration page mapping is missing an entry for ASP.DLL, or is pointed to the 404.dll file. If you are running on a Windows 2003 server, you will need to go to Add/Remove Programs and reconfigure IIS to support ASP pages (disabled by default in Server 2003). Start the IIS Configuration applet. Right-click on the web site and select Properties. Click on the Home Directory tab. [Screenshot: Home Directory tab, application settings for the application ArcWeb (execute permissions: Scripts only; application pool: DefaultAppPool).] Click on the Configuration button located in the lower right area of the page. You will then see a dialog similar to the following. [Screenshot: Application Configuration dialog, Mappings tab, listing extension mappings with their executables and verbs.]
23. Controls privileges can schedule account tasks as well. You can find task scheduling and report viewing in the Scheduling Reporting main menu section. Management Reports allow users to report on account statuses, but prevent them from taking any actions on the accounts found. Account Tasks allow users to identify accounts and automate account actions. [Screenshot: Schedule Account Tasks page, listing the active tasks "Find Expiring Users", "Find inactive accounts" and "Users who have not yet enrolled", each with Deactivate, Del and Edit links, plus Run Selected Tasks Now and Add New Task controls.] The list of active and inactive tasks is visible. Adding a new task to the inactive list is as simple as entering the task name and type and clicking Add Task. You can activate/deactivate tasks by clicking the Activate and Deactivate links next to the task name. To configure the task, click the Edit link next to the task name.
24. [Screenshot: end of the Account Reset Features page, with the Save Program Features button.] Reset Password through Account Reset Console: check this box to allow user passwords to be reset during account reset. If this box is not checked, help desk users will not be given the option to reset the password during account reset. Allow Help Desk to view user identity information: check this box to allow access to the Look Up User Data menu item. This allows members of Administrative Groups to view the identity verification answers for members of Managed Groups. Enabled disabled accounts: allows the admin to configure whether or not the disabled flag is reset when the account is reset. If set to Always, the account is always re-enabled. If set to Never, the account is never re-enabled; it stays in whatever state it was in before being reset. If set to Optional, the help desk user is given the option to either re-enable it or leave it in the state it was in before being reset. Unlock locked accounts: allows the admin to configure whether or not the locked flag is reset when the account is reset. If set to Always, the account is always unlocked. If set to Never, the account is never unlocked; it stays in whatever state it was in before being reset. If set to Optional, the help desk u
25. Domain and clicking the Save Domain Configuration button.
Application Security
Overview
The Account Reset Console is a password management application and as such must be security aware. ARCWeb is capable of protecting you against SQL injection attacks and unauthorized web access by allowing you to control your own timeout parameters and permissible character sets. Security configuration is located under the Configuration menu item in the Security tab. The security configuration can be managed by users with super user account privileges.
Managing Application Security
[Screenshot: Manage Application Security page.] On-page text: These settings allow you to configure the Account Reset Console's security. Change these settings to control how tightly secured ARCWeb is against unauthorized usage. The session timeout controls how long a web browser session will remain logged in without activity. Session timeout: 20. The allowed character set controls which characters (case insensitive) will be accepted as valid characters for verification answers. Allowed charset: ABCDEFGHIJKLMNOPQRS TUV
26. LIEBERMAN SOFTWARE
Account Reset Console Administration Guide
Revision: May 31, 2007. For Software Version 4.5.x
Lieberman Software Corporation, 1900 Ave of the Stars, Suite 425, Los Angeles, CA 90067
Voice: 800 829 6263 (USA/Canada). Voice: 01 310 550 8575 (Worldwide). Fax: 01 310 550 1152 (Worldwide)
Web: www.liebsoft.com. Email: support@liebsoft.com
Microsoft GOLD CERTIFIED Partner
Table of Contents
License Agreement
Country of Origin
Limited Warranty
Welcome to the Account Reset Console
Thanks for using the Account Reset Console
The Account Reset Console Web Interface
Getting Started
Configuring the Account Reset Console
Granting super user access rights
Configuring managed domains
Setting up data sources and logging
Configuring Verification Questions and Answers [Advanced]
Reviewing Data Security [Advanced]
Updating the application's appearance [Advanced]
Setting up the mobile site [Advanced]
Scheduling tasks [Advanced]
Confi
27. [Screenshot: Reset User Account page with numbered callouts. Fields shown: Username, Reset the account password, Password, Password again, Enable account if disabled, Unlock account if locked, Force user to change password on next login, and the Reset Account button.]
(1) Corporate Logo: your corporate logo can be put here instead of the Lieberman Software logo.
(2) Tagline: your own tagline can be used here. In addition, nearly all colors in the Account Reset Console can be changed to match your own corporate identity.
(3) Logged in User: the user currently logged into the system at this web browser.
(4) Logout link: logs the user out of the system.
(5) Main menu: each link on the main menu represents a separate area of activity. Users with lower privilege levels will see only a few main menu items, such as Accounts for normal users or Accounts and Scheduling Reporting for Help Desk Managers.
(6) Side Menu: each main menu section is subdivided into several pages which can be accessed through the side menu.
Getting Started
Once you have completely installed the Account Reset Console, you will begin by logging into the web interface and configuring the product. You will also need to set the group privileges to allow help desk and admin personnel to utilize the appropriate parts of the application.
28. [Screenshot: Manage Super User Groups page, with the Add a new application superuser group form (domain selector, group name box, Add SuperUsers button) and the Global Program Access Rules table listing the Windows groups allowed application configuration access.]
Use this screen to grant complete application control access to members of Windows Groups. To add a Super User group, select the domain or local machine as appropriate, enter the name of the group in the edit box, and click Set Group as SuperUsers. This will add the Windows group to the list of groups allowed super user access to the Account Reset Console.
Viewing or deleting existing Super User Groups
At the bottom of the page are the existing Super User groups. Any group can be deleted from the list by clicking the del link next to its name. Deleting a group from the list removes its super user status.
Super User Permissions
Users with Super User permissions are able to access any page of the Account Reset Console. They have no limitations on the changes they can make to the application's configuration or installation settings. However, Super User permissions do not automatically confer upon a user the rights to reset or change another user's account. This
29. Reset Console does not currently support DSN connections.
Editing a Microsoft Jet Data Source
[Screenshot: Edit Data Source form. Name: Test data source. Type: MS Jet. Fields: Server Installation, Database Name. Status: Not Working.]
Microsoft Jet data sources are characterized by the server installation and database name.
Editing a Microsoft SQL Server Data Source
[Screenshot: Edit Data Source form. Name: Default Database. Type: SQL Server. Server Installation: dbServerName InstanceName. Database Name: arc. Username: SQLAccount. Password: masked. Status: Working.]
A Microsoft SQL Server 2000 data source is characterized by a SQL Server installation, a database name, a username, and a password. The Account Reset Console will attempt to connect to the named database on the named database server, using the username/password pair to authenticate.
Editing a General ADO Compatible Data Source
[Screenshot: Edit Data Source form. Data source name: Alternate Log. Type: ConnectionStr. Field: Connection String. Status: Not Working.]
General ADO Compatible data sources are characterized by an explicit connection string. You can enter your own connection
30. [Screenshot: Data Sources page, listing the Default Database data source (Type: SQL Server) with a working check mark and Edit and del actions, and the New Data Source form with Name, Type (Microsoft Jet) and the Add New Data Source button.]
For evaluation purposes, the default installed database should suffice. If you need to configure more databases later, the section titled Data Sources later in this document fully documents the process of adding a new data source or editing existing data sources. For initial evaluation, it should be sufficient to note that the default data source, Default Log, should be functional (have a green check, as shown above). If you have installed the product and the data source does not have the green check, you will need to return to the installation checklist and double check the database configuration steps.
Once you have functioning data sources, you will need to examine the logging configuration. This page is the next one down on the side menu bar, still in the Configuration main menu section, under the Log Config side menu tab. The Status line of the page should have a green checkmark next to it, indicating that the default database is functioning.
31. Text Color: 606060. Selected Text Color: 000000.
The background color of the inactive menu elements can be changed by entering a new value into the Menu Color box. Text Color refers to the inactive menu options. Selected Text Color refers to the active menu options. The active menu option will always have a white background. All colors are saved using standard RGB hexadecimal format.
Customizing the Page Content
Other colors in the Account Reset Console can be customized as well. The border, header, and header text colors of the primary content box can be changed, as well as the color and border color of the initial login box.
[Screenshot: Other Colors form. Page Header Color: e1e1e1. Page Header Text Color: 000000. Page Border Color: c0c0c0. Login Box Border Color: c0c0c0. Login Box Color: e2e2e2.]
Page Header Color and Page Header Text Color refer to the color of the page title bar and its text, respectively. In the full page screenshot above, the page title bar is the grey bar titled Manage Appearance. Page Border Color refers to the color of the border around the page title bar, the side menu, and the page contents. Login Box Border Color and Login Box Color refer to the color of the border and the background of the initial login box. All colors are saved using standard RGB hexadecimal format.
32. The Account Reset Console records the time that the access was attempted, the IP address from which the user attempted to log onto the system, the action (logon success, failure, or logoff), and the user attempting to take the action logon. Clicking on the headers of each column will sort the table by that column.
Viewing the Action Log
To view the Action Log, select Action Log, enter the desired range of dates and user account, and click Display Log.
[Screenshot: View Account Reset Console Logs page showing the Action Log for 5/31/2007. Sample entries include Transfer to new logging database, Configuring Log DB, Lookup User Answers, Password, and SetAccountFlags (Setting Flag LockedOut to FALSE), each with a timestamp, address, requesting user, target user, and result.]
The Account Reset Console records the time that the access was attempted, the IP address from which the user attempted to log onto the system, the action requested, the user requesting the action
33. WXYZ1234567890 Save security settings
The Account Reset Console allows you to specify your own settings for application security without having to modify your web server installation.
• Session timeout: This is the number of minutes before the web server will expire the session object which it uses to track a user's login session. When the session expires, the application will automatically log the user out when they next click on a link or button. The default timeout period is 20 minutes, but if you have a need to make your environment more secure, you can set this as low as 1 minute.
• Allowed charset: This is the set of characters (case insensitive) which are acceptable in user defined answers. Both the answer configuration and identity verification login will use this set to filter the answers before performing any queries to the database. This prevents SQL injection attacks and use of SQL escape characters in the answer strings. By default, this includes the letters A-Z, the numbers 0-9, and the space character.
The Account Reset Console also protects you from other malicious attacks in the following automatic ways:
• Sessions, not cookies: ARCWeb uses only server side sessions to store login information, not client side cookies. Names and passwords are not transmitted repeatedly over the network.
• Entire
34. [Screenshot: self service program features form. Options shown: Allow self service unlock and password reset through ARC via ID verification; Allow self service unlock and password reset through Credential Provider/Gina via ID verification; Verification allowed wrong answers: 3; Verification wrong answers timeout (minutes): 3; Display the following HTML message to users resetting their own passwords; Email users notifications that their passwords have been reset (Plain Text, HTML Mail, Rich Text); Email the help desk a notification when a user resets their own password (Plain Text, HTML Mail, Rich Text); Help Desk Address; Save Program Features button.]
Email keywords:
• RealName: User's full name as stored in Active Directory
• UserName: User's logon name
• Email: User's email address as stored in Active Directory
• Password: The user's new password
Configuring Email Settings
Overview
The Account Reset Console can send emails to users notifying them that their accounts have been reset. It can also notify administrators of scheduled task completion, and can send emails to users as part of a scheduled task. Email settings are located under the Management menu item in the Configure Email Settings tab. Email settings can be managed by users with Manage All Web Access Contro
35. anging the Log Databases
Log Requirements
User Verification Configuration
Adding and Removing Questions
Editing Question Configurations
Viewing Domain Details
Application Security
Managing Application Security
Adding new Super User Groups
Viewing or deleting existing Super User Groups
Changing or Viewing License Information
Copyright Notice
Copyright © 2005-2007 Lieberman Software Corporation. All rights reserved. The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change wi
36. [Screenshot: verification questions page, listing questions such as "What is your mothers maiden name" and "What is your first pets name" with Remove and Edit links, the Inactive Questions list, the Set test user information form (Username: bob, Domain: local, Update Test User button), and the Add New Question form (Question Text, Add Question button).]
Questions are divided into asked and unasked groups: asked questions must be answered by users to verify their identity, while unasked questions are not utilized for verification. You can use the add and remove links to move questions from unasked to asked status, or vice versa. New questions can be added to the unasked list by entering the question text in the Add New Question box and clicking Add Question. Newly added questions will not be configured. See Editing Question Configurations for details. Once you have configured a question, you can add it to the asked list.
Setting the Test User
A test user account is necessary to determine whether or not the questions have been correctly configured. Setting the test user allows the Account Reset Console to set and retrieve answers from your chosen data source for each question, thus confirming that each question is ready to
37. ay not make copies of the manual for any purpose other than the use of the software.
3. Other Restrictions. You may not rent or lease the SOFTWARE. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions. Some of the software provided to you is in source code form. You may not use this or any other part of this product to create derivative products for sale or use without our express written permission.
4. Notice. This software contains functionality designed to periodically notify Lieberman Software Corporation of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software Corporation under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for the use of any or all of the information by Lieberman Software Corporation or any third party.
Country of Origin
This software was developed entirely in the United States of America.
Limited Warranty
The media (optional) and manual that make up this software are warranted by Lieberma
38. be used for verification. You set the test user by entering the username and the appropriate domain and clicking Save Test User Settings. The Account Reset Console will use this domain and username to test each question's setting and retrieval syntax (for details, see Editing Question Configurations below).
[Screenshot: Set test user information form. Username: bob. Domain: local. Save Test User Settings button.]
Editing Question Configurations
Before any question can be used to verify a user's identity, it must be configured to set and retrieve the appropriate answer for that user from a valid data source. The Account Reset Console ships with a default verification database, which requires users to enroll by entering their own answers into the application; however, advanced users can configure the tool to use custom verification databases, which may or may not be pre-populated with user answers (i.e. HR databases). When using custom databases, the Account Reset Console supports any ADO compatible data source which can be accessed via SQL for purposes of verification. It is up to the site administrator to properly create the verification query strings while configuring each question.
[Screenshot: User Identity Verification Configuration, Edit Verification Question form.]
39. ccount: check this box to have the scheduled task disable the account. DO NOT select both Disable account and Enable account on the same task.
  o Enable the user's account: check this box to have the scheduled task enable the account. DO NOT select both Disable account and Enable account on the same task.
  o Save the task results to the reports database: check this box to save the detected accounts and the actions taken to the reports database. Note that account reset actions are always saved to the log; the reports database is stored separately and is sorted by task and date, not by user account.
  o Send the user an email: check this box to send an email to the user at his or her Active Directory email address. You may enter the text of the email message in the textarea below this checkbox. You can use wildcards to specify fields to automatically fill in: RealName, the real name of the user as stored in Active Directory; PwdDaysToExpi, the days before the user's password will expire; InactiveDays, the number of days the user's account has been inactive.
• Email Results to: entering an email address in this box will cause the scheduled task system to send a summary email to this email address when the task has been completed.
• Save Task Settings: click this to save the task settings.
• Save Task and Run Now: click this to save the task settings and run the task immediatel
40. ccount Reset Console interface. For more information on super users, see the dedicated Super User Configuration section later in this document.
Configuring managed domains
Once you have entered your selected super user groups, it is time to configure the specific domains that the Account Reset Console will be able to manage. Domain configurations can be found under the Configuration main menu item in the Domains side menu tab.
[Screenshot: Managed Domains and Domain Controllers page, listing the managed domains (SECURUS, local system) with their domain controllers and details links, the Default Domain selector (SECURUS), and the Save Domain Configuration button. On-page text: Use this screen to set the domains controlled by the Account Management Console.]
The Account Reset Console will allow you to select/enable any domain for which your COM account has administrator privileges.
WARNING: The COM account for the ARCWeb COM components does not have administrator privileges on this domain. ARCWeb will not be able to make changes on this domain.
You can see any status/error messages by clicking the details link for a g
41. ccuracies in detecting the appropriate users.
Running Tasks Immediately
The Account Reset Console will allow you to run tasks immediately through the web interface by checking the task's checkbox and clicking the Run Selected Tasks Now button. This allows you to run tasks without waiting for them to run at their scheduled time, or allows you to keep on demand tasks in the Inactive section and run them whenever required.
Editing Task Intervals and Actions
Clicking the Edit link next to a task name will allow you to set the task's name, interval, criteria, and actions.
[Screenshot: Edit Scheduled Task page for the Find Expiring Users Task, showing the days and time the task runs on, Last Run, Target Groups, Filter Users, and Task Details (find accounts whose password will expire within a number of days; disable or enable the user's account; send the user an email).]
42. chosen groups. ARCWeb uses two types of account permission: Program Access and Group Access. Program Access allows you to delegate login rights and interface level privileges to groups. Group Access allows you to delegate the authority to reset specific other users' accounts to groups. Group permissions are the first two side menu tabs under the Management main menu tab.
Program Access
You will need to begin by assigning different user groups appropriate web interface access permissions. This is available under Program Access. To grant permissions to a group, select the appropriate permissions and click Add Rule.
[Screenshot: Manage Program Access Permissions page, with the Add a New Global Program Access Rule form (Allow Web Logon, Allow Reset of Other Users Accounts, View Console Logs and Task Reports, Manage All Web Access Controls, domain selector, group name box, Add Rule button) and the Global Program Access Rules table listing the Windows groups allowed in each access category.]
43. configuration permissions do not allow table creation or destruction, this series of commands will fail and the data source will be tagged as nonfunctional.
Adding a Data Source
The Account Reset Console allows you to add a new data source by simply entering a name for the new source and clicking Add New Data Source.
[Screenshot: New Data Source form with Name, Type (Microsoft Jet) and the Add New Data Source button.]
When you click Add New Data Source, a new unconfigured data source will be added to the Account Reset Console. You will see that the new data source is not functional. To make the data source functional, you will need to configure it by clicking the Edit link next to it. Once you add a new data source, you cannot change the name of that data source.
Editing a Data Source
Clicking on the Edit link next to any data source will allow you to modify the data source's name and characteristics. Each type of data source has its own characteristics to change. When you have finished updating the data source's configuration, click Save Data Source Settings to save the data source. This will update the data source and allow you to see whether or not the new settings are working. When you have finished working with a data source, click Return to Data Sources to return to the main Data Sources page.
The Account
44. count, Look up User Data, Change My Password, Set Up My Identity
Scheduling Reporting: View Logs, Management Reports, View Reports, Account Tasks, View Task Results
Management: Program Access, Group Access, Account Reset Features, Password Change Features, Configure Email Settings, Appearance, Mobile Settings
Configuration: Data Sources, Log Config, Verification, Domains, Security, Super Users, Licensing, Add Ons
Users will see index entries appropriate for their access level. Thus, only super users and admins will see the Management entries, and only super users will see the Configuration part of the table.
Appendix A: Troubleshooting
Q: When you attempt to access the web page, you receive the error Object Disabled.
A: This error is caused by ASP processing being disabled. This can be corrected by bringing up the properties of the ArcWeb site, clicking on the Home Directory tab, clicking on the Configuration button, and enabling the use of the asp.dll file for asp processing.
[Screenshot: Application Configuration dialog, App Mappings tab, listing the Application Mappings by Extension, Executable Path, and Verbs.]
45. d add default.asp as the default document. Then click OK.
[Screenshot: ArcWeb Properties dialog, Documents tab, with Add, Remove, Move Up, and Move Down buttons.]
46. d into two classes: Active and Inactive reports. Active reports are in the queue to be run when the task process runs. Inactive reports will never be run unless they are transferred into the Active list. You can switch a task from Inactive to Active status by clicking the Activate link next to its name. Similarly, you can switch a task from Active to Inactive status by clicking on the Deactivate link next to its name. Each scheduled task has an interval at which it runs, a set of criteria it scans for, and a set of user groups to scan. All task settings can be found by clicking the task's Edit link.
Adding Reports
Adding a report is as easy as entering the new report name, selecting the report type, and clicking the Add Task button. The report type will determine how the report selects users from its target groups.
• Password expiration: Select this report type to search for accounts with passwords due to expire in the specified number of days. This scan searches for accounts whose passwords will be expired by the primary domain controller's password policy. The date used for calculating the time until expiration in the task is drawn from the clock on the machine running ARCWeb, NOT the domain controller. Thus, any inconsistencies in the system clocks between the primary domain controller and the machine running ARCWeb could cause inaccuracies in detecting the appropriate users.
• Self Reset Configuration
47.
• The ability to control which users or members of the Help Desk have access to the application
• The ability to regulate which group(s) or users each Help Desk person is allowed to manage
• The ability to reset, or delegate the authority to reset, disabled and locked accounts
• The ability to allow authorized users to change or reset their own passwords, eliminating Help Desk calls for password resets
• The ability to allow users to reset their own forgotten passwords based on user identity validation against any relational database
• The ability to schedule tasks and reports on all managed users
• And more
The Account Reset Console Web Interface
The Account Reset Console is an entirely web based application which can be completely re-skinned to match your corporate colors and logos. It can be accessed through any web browser. The Account Reset Console's user interface is designed to be simple to understand and to put all features of the tool no more than a few clicks away for quick and easy administration. Here is a quick introduction to the interface:
[Screenshot: Reset User Account page with numbered callouts. On-page text: Enter Username and a new Password (twice) for the account to be reset.]
48. e interval, which groups and users it scans for, and what actions to take. You can find more information on scheduling tasks in the Scheduling Tasks and Reports section later in this document. Once your scheduled tasks begin to run, you will be able to view the reports they generate by clicking the View Task Results side menu tab under the Scheduling Reporting main menu section.
Configuring licensing Advanced
The final step in getting started is to purchase and enter a valid serial number from Lieberman Software Corporation. Licensing and serial number information is available in the Configuration main menu section under the Licensing tab.
[Screenshot: ARCWeb Licensing page showing Current License Details (ComputerID, License, ManagedUserCount with an update link, ManagedUserTimestamp, ARCWebBuild, MaximumUsers, ExpDate, SupportExpDate) and the Update License Key form.]
On this page you can enter new serial numbers as well as see the total number of managed users and the version of the product you currently have installed. The Account Reset Console is licensed based on the number of users you are managing. Any u
49. e restricted.
Account Reset Options
Not all options will necessarily be available, depending on how your system administrators have configured the Account Reset Console. However, the available options will allow you to reset specific components of user accounts.
• Reset the account password: check this box to reset the account password. Once you check this box, the Password and Password again fields will be enabled. You must enter the new password twice to ensure that you have made no typographical errors. If the new passwords do not match, no changes will be made to the account.
• Enable account if disabled: check this box to reset the disabled flag on the account.
• Unlock account if locked: check this box to reset the locked flag on the account.
• Force user to change password on next login: check this box to force the user to change their password the next time they log onto Windows.
Looking Up User Data
Overview
The Account Reset Console can allow users to view the identity information for another user preparatory to resetting their account. User information lookup is located under the Accounts menu item in the Look up User Data tab. Users with Allow Reset of Other Users Accounts privileges can look up other users' information, provided that they have permissio
50.
• Allow Web Logon: Allows users to log onto the Account Reset Console to reset their own passwords or configure verification answers.
• Allow Reset of Other Users Accounts: Allows users to reset other accounts if they have been granted permissions for the specific target user in the Group Access page. See the next section for more information.
• View Console Logs and Task Reports: Allows users to view the Account Reset Console's activity logs and schedule and view tasks and reports.
• Manage All Web Access Controls: Allows users to specify program features and group permissions.

For more information on how to use this page, please see Set Program Access Rights later in this document.

Group Access

Each group which has been granted the Allow Reset of Other Users Accounts access right will have access to the Reset User Account page in ARCWeb. However, their requests to reset accounts will be rejected unless you also grant them the rights to reset other users' accounts. The Group Access page allows you to specify which target groups can be reset.
51. ensing is updated twice a day, at 12:01 AM and 12:01 PM. It is also updated when you click the UPDATE link or input a new license.

The Account Reset Console is licensed according to the number of users the system is being used to manage. A user is being managed if:
• They have the rights to log into the Account Reset Console and change their own password, or
• Another user can log into the Account Reset Console and reset their account.

If you make changes to group membership that result in too many users being managed, the Account Reset Console may stop working or give you an alert message. If this occurs, you can contact Lieberman Software Corporation for a license upgrade, or you can remove users. To force the Account Reset Console to refresh its user count, click the upgrade link next to the ManagedUserCount entry.

The ARCWeb Site Index

Overview

The Account Reset Console has an index page on the far right of the main menu, which shows you every page in the application. This is for your convenience in navigating the application.

[Screenshot: Index page]
52. ers will only be prompted to enter answers to questions which have this checkbox checked. This allows you to use a mixture of pre-answered and user-configurable questions to verify user identities.

Domain Configuration

Overview

The Account Reset Console can manage multiple domains simultaneously. Domain configuration is located under the Configuration menu item in the Domains tab. The domain configuration can be managed by users with super user account privileges.

Managing Domains

The list of domains that can be accessed from the local computer is displayed in the Domains tab.

[Screenshot: Manage Domains page listing Managed Domains and Domain Controllers, with the Default Domain selection and the Save Domain Configuration button]

Use this screen to set the domains controlled by the Account Management Console. To manage a domain, the user account being used to r
53. failure, you will need to configure the email system. You can find the email configuration page under the Management main menu item and the Configure Email Settings side menu tab.

[Screenshot: Configure Email Settings page. This page allows you to configure the email settings for ARCWeb. These settings are used by both the web interface and the scheduled task and reporting system. Fields: Server Name, This email server requires authentication, Username, Password, Source Email Address, Reply Email Address, Admin Email Address; Save Email Configuration button]

You will need to use appropriate settings for your network and mail server configuration. For more information on configuring email settings, see Configuring Email Settings later in this document.

Setting up group permissions

The final step before you begin using the basic features of the Account Reset Console is to delegate login and account reset permissions to your
54. fication side menu tab in the Configuration main menu section.

[Screenshot: User Identity Verification Configuration page, with Active Questions (What is your favorite color, What is your mother's maiden name, What is your first pet's name), Inactive Questions, Set test user information and Add New Question sections]

The Account Reset Console will configure three initial questions for you by default. You can add or remove these questions to/from the list of required questions by clicking the Add and Remove links. By default, on installation, all three questions are required. You can add more questions by entering the question text at the bottom of the screen and clicking Add Question.

You should also take this opportunity to select your test user. This test user account will be used to check the entries in the database to confirm that the system is functioning. It should properly be a member of one of the domains you are managing, so that you can test the domain name values stored in your verification databases. O
55. [Screenshot: Manage Group Access Permissions page, with the Add a New Group Access Rule form (Administrative Group, Managed Group, Permissions: Reset Password, View User Answers) and the Group Access Rules lists for Account Reset Privileges and View User Answers Privileges]

Only by setting BOTH the Allow Reset of Other Users Accounts program access level AND the appropriate group access rule will a help desk user be able to reset another user's account. For more information, please see the Set Group Access Rights section later in this document.

Viewing logs

You can view the logs generated by the Account Reset Console in the Scheduling Reporting main menu section under the View Logs side menu tab.
56. ghts
The existing group access rights are listed at the bottom of the page. Any group can be deleted from a given rights list by clicking the del link next to its name. Deleting a group from any particular rights list removes those rights from the group.

Group Access Permissions

Even though a particular group has been granted access to manage another group, that does not mean that it will be allowed to reset accounts. The administrative group must be granted Web Logon and Allow Reset rights under Program Access Rights, or it won't be able to log onto the Account Reset Console at all.

Set Account Reset Features

Overview

The Account Reset Console can be configured to automatically change account flags during account reset, or to allow the resetting user to select which flags to change. It can also be configured to email users account password change notifications. Account reset settings are located under the Management menu item in the Account Reset Features tab. Account reset settings can be managed by users with Manage All Web Access Controls privileges.

Account Reset Options

You can change account reset options by selecting the appropriate values and clicking the Save Program Features button. Note that the values are not saved until you have clicked the Save Program Features button at the b
57. guring licensing (Advanced)
Changing Your Own [illegible]
Changing Your Password
Resetting User Accounts
Account Reset Options
Looking Up User Data
Setting Up Identity Information
Log Viewing Options
Viewing the Access Log
Viewing the Action Log
Scheduling Management Reports
Creating and Viewing Management Reports
Adding Reports
Running Reports Immediately
Editing Report Settings
Viewing Management Reports
Report Viewing Options
Scheduling Account Tasks
Creating and Viewing Account Tasks
Adding Tasks
Running Tasks Immediately
Editing Task Intervals and Actions
Viewing Account Task Reports
Report Viewing Options
Set Program Access [illegible]
Program Access Levels
Adding Access Rights
58. hese settings to control how tightly secured ARCWeb is against unauthorized usage. The session timeout controls how long a web browser session will remain logged in without activity. The allowed character set controls which characters (case insensitive) will be accepted as valid characters for verification answers.

Session timeout: 20
Allowed charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

When initially evaluating the product, the defaults should suffice. The default character set is designed to protect MS Access and SQL Server databases. For more information on data security, see the Manage Application Security section later in this document.

Note that, after the last character in the allowed character set on the screen, there is a space. This is by design, and is there to allow users to have spaces in their verification question answers.

Updating the application's appearance (Advanced)

Updating the appearance of the Account Reset Console allows you to incorporate your organization's colors and logos into the product, thus conveying a unified image to your users. You can change the appearance of the ARCWeb interface under the Management main menu and the Appearance side menu tab.
59. hey will be items 3 and 4, Account Reset Features and Password Change Features.

Account Reset Features

[Screenshot: Manage Account Reset Features page. These features are for IT personnel resetting arbitrary user accounts. Change these settings to allow the IT personnel to reset user accounts. Options: Reset passwords through Account Reset Console; Allow Help Desk to view user identity information; Enable disabled accounts (Always / Optional / Never); Unlock locked accounts (Always / Optional / Never); Require that reset passwords be changed on next login, ignored when user cannot change password (Always / Optional / Never); Display the following HTML message to Help Desk personnel resetting accounts; Email users notifications that the Help Desk has reset their passwords (Plain Text / HTML Mail / Rich Text)]

Email keywords:
RealName: User's full name as stored in Act
60. [Screenshot: Edit Scheduled Task page. User email keywords: RealName, the user's full name as stored in Active Directory; PwdDaysToExp, days until the user's password expires]

• Task Name: the name you use to refer to the task. This name will be stored in the reports database so you can find the task output.
• Task runs on: select the days of the week on which the task will run.
• Last Run: the last time that the task was run, and the status of the run (success or failure).
• Target Groups: the list of groups that the task will scan when run. You can add a new group by entering a group name into the box and clicking Add Group. You can delete a target group by clicking on the del link next to the group name.
• Filter Users: allows you to create a list of users to ignore when running the reports.
• Task Details: the task will operate on users who meet these criteria. The task will search for users who meet the criteria selected.
• Actions: Once the scheduled task has detected users, it will take the specified actions.
  o Disable the user's a
61. Resetting User Accounts

Overview

The Account Reset Console can allow users to reset other user accounts. User account reset is located under the Accounts menu item in the Reset User Account tab. Users with Allow Reset of Other Users Accounts privileges can reset other users' accounts, provided that they have permission to reset the appropriate user groups. ARCWeb administrators can grant help desk users the appropriate permissions to reset other users' accounts.

Resetting Accounts

[Screenshot: Reset User Account page, with Username, Domain, Reset the account password, Password, Password again, Enable account if disabled, Unlock account if locked and Force user to change password on next login fields, and the Reset Account button]

To reset an account, enter the user's username and domain, select the appropriate options, and click Reset Account. Not all the options you see above will be available, depending on how your system administrators have configured the Account Reset Console. The user accounts you are permitted to reset may also b
62. ite
• Screen width (px): You can configure the horizontal width of the mobile ARC application in pixels here. This width will dictate the maximum width of the screen for most (not all) of the ARC application's pages. Some pages, such as reports, will not display properly at very narrow resolutions and thus require scrolling.
• Save Mobile Settings: Click this to save your changes.

Data Sources

Overview

The Account Reset Console can utilize any ADO-compatible data source as an information source for user identity verification or logging. New data sources can be created at any time, and data source settings can be altered to reflect changes in the network configuration. Data sources are located under the Configuration menu item in the Data Sources tab. Data sources can be managed by users with super user account privileges.

Viewing Available Data Sources

Available data sources are displayed in a table at the top of the page. Each data source has a unique name, a type, and a status.

[Screenshot: Manage Data Sources page, listing each data source's Name, Type, Working status and Actions]
63. ive Directory
UserName: User's logon name
Email: User's email address as stored in Active Directory
Password: The user's new password

The Account Reset features allow you to configure what operations Help Desk personnel can perform on accounts they are resetting. By default, the options should allow all actions on the account. The settings on this page directly affect the available controls on the Reset User Account page seen by Help Desk personnel.

For evaluating the product, the default options should suffice. However, you may find it valuable to switch between this page and the Reset User Account page to see exactly what occurs as you change the settings. For more information on these features, see the Set Account Reset Features and Resetting User Accounts sections later in this document.

Password Change Features

[Screenshot: Manage Password Change Features page. These features are for general users resetting their own passwords. Change these settings to allow users to update their own account information. First option shown: Allow users to change their own passwords using the web interface]
64. iven domain. If you cannot enable the domain you wish to manage, you may re-run the installer and use a different account with the appropriate permissions for the COM portion of the application, or grant that account required permissions on the target domain. You can also choose to allow ARCWeb to manage the local system by choosing the local system option. For more information on domain configuration, see the section titled Domain Configuration later in this document.

Setting up data sources and logging

Account Reset Console 4.X requires Microsoft MSDE, SQL Express, or SQL Server 2000/2005 or later for logging and user verification purposes. Lieberman Software Corporation recommends Microsoft SQL Server 2000 or 2005 as the optimal solution for these purposes.

The Account Reset Console is designed to use a variety of databases for logging and verification purposes. The Data Sources page is the single management point for configuring these databases. Once a database is configured here, it can be used by other parts of the system. You can find this page under the Configuration main menu item in the Data Sources side menu tab.

[Screenshot: Manage Data Sources page]
65. liebsoft.com, or email us at sales@liebsoft.com.

Pre-Usage Considerations

Please ensure that you have completed all steps in the appropriate installation checklist before you begin attempting to manage the Account Reset Console. Installation checklists can be found in the accompanying document, ArcWeb Install Guide. If you have any questions or concerns about this program's installation or operation before or after it has been installed, please contact our support department for assistance.

Incorrect installation or poor security practices could allow the compromise of your passwords. When used and installed properly, this program provides excellent performance, speed, and security for your password management. Call us if you have any questions about this product.

Welcome to the Account Reset Console

Thanks for using the Account Reset Console

Thank you for using Lieberman Software's Account Reset Console. The Account Reset Console, or ARCWeb for short, provides your Help Desk with the ability to reset domain account passwords and account flags, and allows users to reset their own forgotten or expiring passwords in a fully audited and delegated manner via any web browser. Features of the Account Reset Console include
66. lly take them to the Account Reset screen and automatically fill in the user's domain and username.

Identity Configuration

Overview

The Account Reset Console can allow users to verify their identity and reset forgotten passwords by answering a series of questions. Identity configuration is located under the Accounts menu item in the Set Up My Identity tab. Identity data can be configured by users with Allow Web Logon privileges.

Setting Up Identity Information

[Screenshot: Set Up My Identity page, with answer fields for the verification questions (What is your favorite color, What is your mother's maiden name, What is your first pet's name) and the Save Verification Info button]

This page allows you to save your identity verification data. Once you have saved this information, you will be able to reset your password if you forget it by providing the answers to these questions. If the Account Reset Console is configured to allow users to verify their identity, and there are questions that the users can supply answers for, use
67. ls privileges.

Configuring Email

[Screenshot: Configure Email Settings page. This page allows you to configure the email settings for ARCWeb. These settings are used by both the web interface and the scheduled task and reporting system. Fields: Server Name, This email server requires authentication, Username, Password, Source Email Address, Reply Email Address, Admin Email Address; Save Email Configuration button]

• Server Name: Enter the name of your email server here. The Account Reset Console will use this email (SMTP) server to send emails to users.
• This email server requires authentication: Check this box if your email server will require authentication to send email.
• Username and Password: If your email server requires authentication, enter the username and password here.
• Source Email Address: This is the email address from which emails will appear to come. If your email server requires that the source address be in a particular domain, this is the email address that will need
68. ly SSL capable: ARCWeb can be run on a secure HTTP (HTTPS) web server. This will protect all network communications from interception.
• Server-side answer verification: All user-provided answer strings are checked in the application logic, not transmitted to the database. Thus, your source databases are protected against SQL injection attacks.

Super User Configuration

Overview

Super Users, or users who can access the Configuration menu in the Account Reset Console, are not set by normal administrators. These users must be set through the Super User configuration screen. Super Users have all access rights to the console, although they do not necessarily have any reset rights for other groups (see Managing Group Access Rights above). Super User configuration is located under the Configuration menu item in the Super Users tab. The Super User configuration can be managed by users with super user account privileges.

Adding new Super User Groups

Super Users are designated at the domain or local group level, not by individual user account name. Any domain or local group may be designated as a super user group. The group(s) which are granted super user access will be able to configure the properties of ARC, such as database logging and verification question information.
69. [Screenshot, continued: New Data Source form with Name and Type fields and the Add New Data Source button]

• The name of the data source is the identifier by which other Account Reset Console components will refer to the data source.
• The type of the data source refers to what sort of provider is being accessed. Currently, the Account Reset Console supports three types of data source:
  o Microsoft Jet: Refers to a Microsoft Jet data source.
  o SQLServer: Refers to a Microsoft SQL Server database (SQL Server 2000 and above).
  o ConnectionStr: Refers to any other ADO-compatible database. Users must explicitly construct their own ADO connection string for this sort of data source connection (see Editing a Data Source below).
• The status of the data source reflects whether or not the Account Reset Console can currently communicate with the data source. The Account Reset Console will not allow you to configure a critical component with a data source that is not functioning. Working data sources are tagged with a green check, nonfunctional data sources with a red X.

How the Account Reset Console tests data sources

The Account Reset Console tests data source access by attempting to use a series of SQL statements to drop, create, write to, and read from a table named test_table. If the data source
70. must still be set manually using the Group Access tab under Manage Application

Licensing

Overview

The Account Reset Console requires a valid license from Lieberman Software Corporation to run. The Licensing page allows you to view the current license details, as well as reset the license in the event of an upgrade or new license purchase. Licensing is located under the Configuration menu item in the Licensing tab. Licensing can be managed by users with super user account privileges.

Changing or Viewing License Information

Any super user can view the current license information or enter a new license.

[Screenshot: ARCWeb Licensing page showing Current License Details (ComputerID, License, ManagedUserCount, ManagedUserTimestamp, ARCWebBuild, MaximumUsers, ExpDate, SupportExpDate) and the Update License Key button]

To enter a new license, simply copy and paste it into the entry blank, replacing the existing license if any, and click Update License Key. Lic
71. n Software Corporation to be free of defects in materials and workmanship for a period of 30 days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media. The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price, and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided AS IS, without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software Corporation does not warrant that the operation will be uninterrupted or error free. Lieberman Software Corporation assumes no responsibility or liability of any kind for errors in the programs or documentation, or for consequences of any such errors. Lieberman Software Corporation will not be responsible for any incidental or consequential damages that result directly or indirectly from the operation of this product.

This agreement is governed by the laws of the State of California. Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software Corporation, please write:

Lieberman Software Corporation
1900 Ave of the Stars, Suite 425
Los Angeles, CA 90067

You can also keep up to date on the latest upgrades via our website at http://www.
72. n to view the appropriate user groups. ARCWeb administrators can grant help desk users the appropriate permissions to look up other users' information.

Resetting Accounts

[Screenshot: Look up User Data page, with Username and Domain fields and the Look Up Answers button]

To look up user information, enter the user's username and domain, and click Look Up Answers. The user accounts you are permitted to view may be restricted.

[Screenshot: Look up User Data page showing the identity information (verification questions and answers) for the looked-up user, and the Reset User Account Now button]

The user's identity information will be displayed so that the help desk user can confirm their identity by having the user answer each question. Once the help desk user is done, they can click Reset User Account Now to automatica
73. name will allow you to set the report's interval, target groups, and criteria.

[Screenshot: Edit Scheduled Task page for a management report, with Task Name, Task runs on, Last Run, Target Groups, Filter Users, Task Details and Email results to fields, and the Save Task Settings, Save Task and Run Now and Return to Task List buttons]

• Task Name: the name you use to refer to the report task. This name will be stored in the reports database so you can find the task output.
• Task runs on: select the days of the week on which the task will run.
• Last Run: the last time that the task was run, and the status of the run (success or failure).
• Target Groups: the list of groups that the task will scan when run. You can add a new group by entering a group name into the box and clicking Add Group. You can delete a target group by clicking on the del link next to the group name.
• Filter Users: allows you to create a list of users
74. nce you have a list of questions you are happy with, it will be time to edit each question so that it retrieves its answer from the appropriate location. You can access this by clicking the Edit link.

[Screenshot: Edit Verification Question page, with the Question Text, the choice between the default database and a custom verification database, the Data Source selector, the Retrieval, Setting, Insertion and User Deletion query fields, and the checkbox "Allow users to set their own answers to this question". The page notes: "If your retrieval query is not working, please ensure that you have records in the appropriate database for your test user."]

The Account Reset Console allows you to design and use your own SQL queries and thus configure your verification system to access any database you may already be using for data storage. This offers you unparalleled flexibility in verification options. Once you have finished configuring your questions
75. [Screenshot: Configure ARCWeb Logging page, with Logging Data Source set to Default Database, Type SQL Server, Status Working, and an Update logging settings button.]

You can select any data source as your log destination using the dropdown box on this page. The Account Reset Console will reject your choice if you select a non-SQL Server data source. If you select a SQL Server data source without extant tables, ARCWeb will be able to create the appropriate database tables for you. You can find information on the database table requirements and setting alternate databases in the Logging Configuration section later in this document. For evaluation purposes, the default database should be all you need.

Selecting program features

The core features of the Account Reset Console can be configured by administrators and super users. They are divided into two sections: Account Reset Features and Password Change Features. Account Reset Features apply to usage of the Account Reset Console by Help Desk users who are resetting other users' accounts. Password Change Features apply to usage of the Account Reset Console by users who are resetting their own passwords. You can find both sets of features under the Management top level menu item. On the side menu t
76. oftware logo and the tagline Account Reset Console.

[Screenshot: appearance settings, with Company tagline "Account Reset Console", Company Tagline Color C13738, the Select banner image dropdown and the Upload new banner image field.]

The tagline and tagline color can be changed using the Company tagline and Company Tagline Color boxes. All colors are saved using standard RGB hexadecimal format. New banner images can be uploaded by using the Browse button to select the image file on your hard drive and then clicking Save Appearance Settings. Once you have uploaded the file, its name will appear in the dropdown box labeled Select banner image.

Customizing the Main Menu

The main menu bar of the Account Reset Console can be completely customized as well.

[Screenshot: Main Menu Bar Colors, with Menu Bar Color C13738, Text Color d0d0d0 and Selected Text Color FFFFFF.]

The background color of the menu bar can be changed by entering a new value into the Menu Bar Color box. Text Color refers to the inactive menu options. Selected Text Color refers to the active menu options. All colors are saved using standard RGB hexadecimal format.

Customizing the Side Menu

The side menu bar of the Account Reset Console can be completely customized.

[Screenshot: Side Menu Bar Colors, with Menu Color F0F0F0.]
77. Set Program Access Rights

Overview

User groups can be allowed to log in as normal users, allowed to reset other user accounts, and/or allowed to manage the Account Reset Console. Program access rights are located under the Management menu item in the Program Access tab. Program access rights can be managed by users with Manage All Web Access Controls privileges.

Program Access Levels

Program access rights are designated at the domain or local group level, not by individual user account name. Any domain or local group may be granted program access rights.

[Screenshot: Manage Program Access Permissions page, with the Add a New Global Program Access Rule form (Allow Web Logon, Allow Reset of Other Users Accounts, View Console Logs and Task Reports, Manage All Web Access Controls) and the Global Program Access Rules table listing the allowed Windows groups for each access category.]
78. other users. Logs can be displayed for a range of dates and can be limited to a single user if desired.

Viewing the Access Log

To view the Access Log, select Access Log, enter the desired range of dates and user account, and click Display Log.

[Screenshot: Access Log for 5/31/2007, listing timestamped logon success, logon failure, multifactor logon success and logoff events for SECURUS\serviceaccount and SECURUS\bucky.]
79. ottom of the page.

[Screenshot: Manage Account Reset Features page. The page states that these features are for IT personnel resetting arbitrary user accounts. Options shown: Reset passwords through Account Reset Console; Allow Help Desk to view user identity information; Enable disabled accounts (Always, Optional, Never); Unlock locked accounts (Always, Optional, Never); Require that reset passwords be changed on next login, ignored when user cannot change password (Always, Optional, Never); Display the following HTML message to Help Desk personnel resetting accounts; Email users notifications that the Help Desk has reset their passwords, with the email keywords RealName, UserName and Email.]
80. per User access allows the users of the identified group to be able to perform any actions in the tool, including changing verification questions, database settings and licensing. You can update these permissions at any time, but if you have certain administration accounts or groups that you would like to have unfettered access to the tool, now is a good time to configure them for your convenience. You can find super user configuration under the Configuration main menu item, under the Super Users side menu tab.

[Screenshot: Manage Super User Groups page, with the Add a new application superuser group form and a rule allowing application config for securus\domain admins.]

Use this screen to grant complete application control access to members of Windows Groups. Add your groups by entering their group name and domain (if appropriate) into the entry fields and clicking Add SuperUsers for each one. Granting super user permissions to a group allows them to access any component of the A
81. [Screenshot: application extension mappings dialog.]

Q: After installation and web site configuration, the logon screen is displayed successfully. When a logon is attempted, the following message appears: "Error: Database Not Available. The Account Reset Console could not access the log database. Please notify your system administrator of this error."

A: This error is caused by the application not being able to access the SQL Server database where the log is being kept. You may need to double check your SQL Server credentials in the Admin Console to ensure that they are correct.

Q: When attempting to load the web site, you receive the following error: "The page cannot be displayed", followed by a 403.1 error.

A: Script processing has been disabled. Set Execute Permission to Scripts only.

[Screenshot: Application settings, with Application name ArcWeb.]
82. recent runs of any scheduled task at the top of the page and a list of all scheduled task reports at the bottom of the page. You can click on the recent run name to view the report of that run.

[Screenshot: View Account Task Results for the task Find Expiring Users, run on 05/31/2007 14:33:55, all actions completed successfully. Task description: find accounts that expire in 0 days. Target group: SECURUS\domain users. Task action: build report. Result: SECURUS\bucky matched the criteria because the user's password has already expired.]

The report shows the name of the task and the date of the run, a description of the task, a summary, and then a list of the users found, the actions taken and the result of the action. You can also click on the name of a scheduled task at the bottom of the report listing to see a list of all runs of that task in the database.

[Screenshot: list of report dates for Find Expiring Users, with one run on 05/31/2007 14:33:55 whose status is "All actions were completed successfully".]

From this listing you can select a single run and view the results as above.
83. • Allow Web Logon: This access right allows members of the specified group to log onto the Account Reset Console through the web interface.
  o If the Account Reset Console is configured to allow them to change their own passwords, users will have this option once they log in.
  o If the Account Reset Console is configured to allow users to recover passwords through an ID verification process, and there are questions that users need to specify answers for, users will be allowed to set or change their answers once they log in.
• Allow Reset of Other Users Accounts: This access right allows members of the specified group to reset other users' accounts once they log in. Examples of groups who should have this access right might be help desk users or network administrators.
  o Groups with this access right must still be granted group access rights to manage specific groups. For more information, see Set Group Access Rights below.
• View Console Logs and Task Reports: This access right allows members of the specified group to schedule tasks, view the Account Reset Console logs, and view the reports generated by scheduled tasks.
• Manage All Web Access Controls: This access right allows members of the specified group to manage
84. ring the application to fit your network and your particular needs.

Configuring the Account Reset Console

Overview

Once you have installed and logged into the Account Reset Console, there are a few steps you will need to take to configure the tool to function properly with your network. You can use the tool at any point, but properly configuring it will unlock the full functionality of the product and allow you to explore every feature it offers. We recommend that you begin working with the Account Reset Console by:

1. Granting Super User access rights
2. Configuring managed domains
3. Setting up data sources and logging
4. Selecting program features
5. Configuring email
6. Setting up group permissions
7. Viewing logs

Once you have finished these, the core functionality of the Account Reset Console will be completely accessible to yourself and those you delegate authority to. You can then proceed to configure the advanced features of ARCWeb:

• Configuring verification questions and answers
• Reviewing data security
• Updating the application's appearance
• Setting up the mobile site, if applicable
• Scheduling tasks
• Configuring licensing

Granting super user access rights

When you first installed Account Reset Console, you were asked for a group that would be granted initial access. This group is also granted Super User access. Su
85. Set Group Access Rights

Overview

User groups that are allowed to reset other user accounts are strictly limited to resetting only accounts which they are permitted to affect. Group access rights are located under the Management menu item in the Group Access tab. Group access rights can be managed by users with Manage All Web Access Controls privileges.

Group Access Rights

Group access rights are designated at the domain or local group level, not by individual user account name. Any domain or local group may be granted group access rights.

[Screenshot: Manage Group Access Permissions page, with the Add a New Group Access Rule form (Administrative Group, Managed Group, and the Reset Password and View User Answers permissions) and the Group Access Rules tables for Account Reset Privileges and View User Answers Privileges, each pairing an administrative group with its managed groups.]
86. Password expiration: Select this task type to search for accounts with passwords due to expire in the specified number of days. This scan searches for accounts whose passwords will be expired by the primary domain controller's password policy. The date used for calculating the time until expiration in the task is drawn from the clock on the machine running ARCWeb, NOT the domain controller. Thus, any inconsistencies in the system clocks between the primary domain controller and the machine running ARCWeb could cause inaccuracies in detecting the appropriate users.

Self Reset Configuration: Select this report type to search for users who have not completed enrollment in the self service verification questions.

Account inactivity: Select this task type to search for accounts which have been inactive (have not logged in) for the specified number of days. Any time a login is recorded on any domain controller that ARC is able to contact, the timestamp will be reset. However, if a domain controller goes offline, this information may be inaccurate, as the timestamps stored on that domain controller will no longer be available. The date used for calculating the time until expiration in the task is drawn from the clock on the machine running ARCWeb, NOT the domain controller. Thus, any inconsistencies in the system clocks between the primary domain controller and the machine running ARCWeb could cause ina
87. rs will be given the opportunity to answer these questions on this page. Each user configurable question will be listed. To change your answers, simply enter the new value into the Answer box below the appropriate question and click Save Verification Info. The Account Reset Console will save the new answer to the database provided by your system administrators. If you have not supplied answers for all of the verification questions, a red message will tell you "Your verification information is not complete". This indicates that you will not be able to use the ID verification system to recover your password until you have supplied answers to ALL of the questions.

The Account Reset Console protects the data sources accessed by the verification system against intrusion by limiting the characters you can enter into the answer fields. In this scenario, you may see a message such as the one below. You will have to use a different answer to proceed.

[Screenshot: Set Up My Identity page showing the message "One or more of your answers contained illegal characters. These answers have not been modified."]

Log Viewing

Overview

The Account Reset Console logs all access attempts and account actions, recording the user name, domain and action taken, including success or failure. These logs can be retrieved by
88. ser is given the option to either unlock it or leave it in the state it was in before being reset.
• Require that reset passwords be changed on next login: allows the admin to configure whether or not the expired flag is reset when the account is reset. If set to Always, the account password is always expired when reset, so that the user has to change the password when they next log in. If set to Never, the account is un-expired, so that the user does not have to reset their password when they next log in. If set to Optional, the help desk user is given the option to either expire or un-expire the account.
• Display the following HTML message to Help Desk personnel resetting accounts: check this box to display an HTML message to Help Desk personnel using the Reset User Account page to reset a user account. This message might include warnings, procedural notes or company policy.
• Email users notifications that their passwords have been reset: check this box to send an email to users when their accounts have been reset. You may enter the text of the email message in the textarea below this checkbox. You can use wildcards to specify fields to automatically fill in:
  o RealName: the real name of the user as stored in Active Directory
  o UserName: the user's username
  o Email: the email address of the user as stored in Active Directory
• Save Program Features: saves the selections you have made.

Se
89. ser which is a member of a group that can reset its own passwords, or which can be reset by ARCWeb help desk users, counts as a managed user.

Changing Your Own Password

Overview

The Account Reset Console can allow users to reset their own passwords. Self service password change is located under the Accounts menu item in the Change My Password tab. Users with Allow Web Logon privileges can reset their own passwords if the Account Reset Console is configured to allow them to do so.

Changing Your Password

[Screenshot: Change My Password page for SECURUS\serviceaccount, with New Password and Repeat New Password fields and a Change Password button.]

To change your own password, you will need to enter the new password twice. If you enter passwords that do not match, you will be prompted to re-enter them so that they match. If you enter a password that does not conform to the password rules set by your system administrators, the Account Reset Console will not change your password. Please ensure that your new password conforms to the rules set by your system administrators.
90. string, allowing you to connect to any general ADO-compatible database.

Logging Configuration

Overview

The Account Reset Console can utilize any ADO-compatible data source as a log location. Logging configuration is located under the Configuration menu item in the Log Config tab. The logging configuration can be managed by users with super user account privileges.

Viewing the Log Configuration

The logging database and its current status are shown on the tab.

[Screenshot: Configure ARCWeb Logging page, with Logging Data Source set to Default Database, Type SQL Server, Status Working, and an Update logging settings button.]

Changing the Log Database

You can select any working data source to set as the logging database. The Account Reset Console will not allow you to select a data source that it cannot confirm as functional. Once you select a logging data source in the drop down box, click Update logging settings to save it. The Account Reset Console will attempt to log test messages to the data source you
91. t Console to obtain the user's verification answer from the database so that ARCWeb can compare it to the entered answer.

Setting queries are only required for verification questions whose answers can be set by the user. If the "Allow users to set their own answers to this question" checkbox is not checked, you do not need to enter a setting query. If this checkbox is checked, you will need to enter a setting query. The Account Reset Console uses this query to set the answer in the database when the user configures his identity verification answers.

Insertion queries are only required for verification questions whose answers can be set by the user. If the "Allow users to set their own answers to this question" checkbox is not checked, you do not need to enter an insertion query. If this checkbox is checked, you will need to enter an insertion query. The Account Reset Console uses this query to add a user to the database when an appropriate entry for that user does not exist.

User deletion queries are only required for verification questions accessing databases which should be cleaned up periodically, that is, have inactive or nonexistent accounts removed. The Account Reset Console currently does not utilize this query.

Designing Queries

Queries should be in SQL. Before the Account Reset Console sends the query language to
92. t Password Change Features

Overview

The Account Reset Console can be configured to allow users to change their own passwords, reset their passwords by verifying their identity through a question and answer system, and even to alert users via email when their passwords are due to expire. User password change settings are located under the Management menu item in the Password Change Features tab. User password change settings can be managed by users with Manage All Web Access Controls privileges.

Password Change Options

You can change password change options by selecting the appropriate values and clicking the Save Program Features button.

Allow users to change their own passwords using the web interface: Check this box to allow users to log into the Account Reset Console and change their own passwords. Users will still need to be a member of a group with login permissions to the Account Reset Console. If you do not select this checkbox, users clicking Change My Password will receive a message that the option has been disabled by their system administrators.

When users change their own passwords, expire them so that they must be changed on next login: By default, if a user changes their own password, the Account Reset Console resets the password expiration date. Checking this box will force the
93. [Screenshot: View Scheduled Task Reports page. Most Recent Reports lists "Accounts that will expire in 14 days", report date 05/31/2007 14:21:17, status "All actions were completed successfully". Task Reports By Name lists "Passwords that will expire in 14 days" and "Accounts that will expire in 14 days".]

Use this screen to view the scheduled task reports. Select one of the most recent reports at the top of the screen, or select a task name at the bottom to view all runs of that report. Scheduled task reports are saved in the current Account Reset Console log database. Any reports saved to a previous log database will not be available.

The Account Reset Console will display the most recent runs of any management report at the top of the page and a list of all scheduled management reports at the bottom of the page. You can click on the recent run name to view the report of that run.

[Screenshot: management report "Accounts that will expire in 14 days", run on 05/31/2007 14:26:05, all actions completed successfully. Task description: find accounts that expire in 14 days. Target group: SECURUS\domain users. Task action: build report. The result table lists SECURUS\bucky as matching the criteria.]
94. [Screenshot: scheduled task list. Active Tasks: Find Expiring Users, Find inactive accounts, and Users who have not yet enrolled, each with Deactivate, Del and Edit links. Below are the Inactive Tasks list, the Run Selected Tasks Now button, and the Add New Task form with Task Name and Task Type (Password Expiration, Self Reset Configuration, Account Inactivity).]

Scheduled tasks are divided into two classes: Active and Inactive tasks. Active tasks are in the queue to be run when the task process runs. Inactive tasks will never be run unless they are transferred into the Active list. You can switch a task from Inactive to Active status by clicking the Activate link next to its name. Similarly, you can switch a task from Active to Inactive status by clicking on the Deactivate link next to its name.

Each scheduled task has an interval at which it runs, a set of criteria it scans for, a set of actions to take on the user accounts it finds, and a set of user groups to scan. All task settings can be found by clicking the task's Edit link.

Adding Tasks

Adding a task is as easy as entering the new task name, selecting the task type, and clicking the Add Task button. The task type will determine how the task selects users from its target groups.
95. the data source, it will perform the following substitutions in the query string:

String: user. Replaced with: the username without domain. Example: bob
String: domain. Replaced with: the user's domain. Example: SALESDMN
String: question. Replaced with: the GUID of the question. Example: 3C1D8B25-D423-419B-AD6E-E78169B89374
String: answer. Replaced with: the text of the answer. Example: Blue

When the Account Reset Console performs this replacement, it does not insert or remove quotation marks or other tokenizers. Thus, if you have a character-valued column and you want to look up the user name in that column, you will probably have to enclose the user in quotes: WHERE user_name_column = 'user'

When retrieving the answer from the data source using the retrieval query, it will take the value in the first column of the first row of the retrieved recordset as the answer to the question. You may return any number of rows or columns, but only the first cell will be utilized by the Account Reset Console.

When you click Save Question Settings, the Account Reset Console will attempt to retrieve the answer for the specified test user from the data source you have selected, using the retrieval query you have entered. It will also attempt to set that user's answer using a predefined test value.

If you have selected the checkbox "Allow users to set their own answers to this question", users will be allowed to enter an answer to the question in the Set Up My Identity tab described earlier in the document. Us
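The substitution and first-cell rules described above, together with the character restriction the manual mentions for answer fields, shown as an added Python example that is not Lieberman Software's code. Assumptions: SQLite stands in for the ADO data source, and the `{user}`-style tokens, the table layout and the allow-list are constructed for the example, because the manual's own token delimiters and character rules are not preserved on this page.

```python
import re
import sqlite3

# Constructed stand-ins (assumptions, not the product's syntax or rules).
TOKENS = ("user", "domain", "question", "answer")
LEGAL = re.compile(r"[A-Za-z0-9 ._-]{1,64}")
QUESTION_ID = "3C1D8B25-D423-419B-AD6E-E78169B89374"

# Retrieval query with the tokens quoted by the query author, as the manual advises.
QUOTED = ("SELECT answer, domain FROM answers WHERE user_name = '{user}' "
          "AND domain = '{domain}' AND question = '{question}'")
# The same lookup with the quotes forgotten on a character-valued column.
UNQUOTED = "SELECT answer FROM answers WHERE user_name = {user}"
# Setting query built by text substitution.
SET_TEXTUAL = ("UPDATE answers SET answer = '{answer}' WHERE user_name = '{user}' "
               "AND domain = '{domain}' AND question = '{question}'")


def substitute(template, values):
    """Plain text replacement: no quotation marks are inserted or removed."""
    for name in TOKENS:
        template = template.replace("{" + name + "}", values.get(name, ""))
    return template


def illegal_fields(values):
    """Names of the values an allow-list filter refuses before any query runs."""
    return [name for name, value in values.items() if not LEGAL.fullmatch(value)]


def make_db():
    """In-memory table standing in for the verification data source."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE answers "
               "(user_name TEXT, domain TEXT, question TEXT, answer TEXT)")
    db.execute("INSERT INTO answers VALUES ('bob', 'SALESDMN', ?, 'Blue')",
               (QUESTION_ID,))
    return db


def first_cell(cursor):
    """Only the first column of the first row counts as the answer."""
    row = cursor.fetchone()
    return None if row is None else row[0]


def run_textual(db, template, values):
    """Run a substituted query; report a SQL error by class name instead of raising."""
    try:
        return first_cell(db.execute(substitute(template, values)))
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__


def set_answer_bound(db, values):
    """Setting query with bound parameters: the answer never becomes SQL text."""
    db.execute("UPDATE answers SET answer = :answer WHERE user_name = :user "
               "AND domain = :domain AND question = :question", values)
    return first_cell(db.execute(
        "SELECT answer FROM answers WHERE user_name = :user "
        "AND question = :question", values))


def demo():
    """Walk the cases: quoted, unquoted, apostrophe in an answer, bound parameters."""
    values = {"user": "bob", "domain": "SALESDMN",
              "question": QUESTION_ID, "answer": "Blue"}
    apostrophe = dict(values, answer="O'Brien")  # constructed sample answer
    return {
        "quoted retrieval": run_textual(make_db(), QUOTED, values),
        "unquoted retrieval": run_textual(make_db(), UNQUOTED, values),
        "fields refused by allow-list": illegal_fields(apostrophe),
        "textual set with apostrophe": run_textual(make_db(), SET_TEXTUAL, apostrophe),
        "bound set with apostrophe": set_answer_bound(make_db(), apostrophe),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With text substitution, a single apostrophe in an answer changes the statement's structure, which is why the character filter has to run before the query is built; binding the value as a parameter stores the same answer without relying on the filter.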
96. thout notice. The information and intellectual property contained herein is confidential between Lieberman Software Corporation and the client and remains the exclusive property of Lieberman Software Corporation. If you find any problems in the documentation, please report them to us in writing. Lieberman Software Corporation does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Lieberman Software Corporation. Microsoft, Windows, Windows 95, Windows 98, Windows NT, Windows 2000, Windows Server 2003 and IIS are trademarks of the Microsoft Corporation.

License Agreement

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation, as well as all accompanying items, promptly for a refund.

1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of this product to evaluate the product on an unlimited number of user accounts and systems for up to 30 days in a non-production environment
97. to be in said domain(s).
• Reply Email Address: This is the email address which will be set as the reply-to address for outgoing emails.
• Admin Email Address: This is the email address of the system administrator. The Account Reset Console will send update and report emails to the system administrator at this address.

Appearance

Overview

The Account Reset Console can be fully skinned to integrate with your existing network portal infrastructure. You can select colors and company banners to match your own themes. Console appearance settings are located under the Management menu item in the Appearance tab. Appearance settings can be managed by users with Manage All Web Access Controls privileges.

Managing the Account Reset Console Appearance

[Screenshot: Manage Appearance page. The page states that it allows you to adjust the appearance of the console to reflect your own organization's brand identity. Fields shown: Company tagline "Account Reset Console" and Company Tagline Color C13738.]
98. to ignore when running the reports.
• Task Details: the task will operate on users who meet these criteria. The task will search for users who meet the criteria selected.
• Email Results to: entering an email address in this box will cause the scheduled task system to send a summary email to this email address when the task has been completed.
• Save Task Settings: click this to save the task settings.
• Save Task and Run Now: click this to save the task settings and run the task immediately.
• Return to Task List: click this to return to the list of tasks.

Viewing Management Reports

Overview

The Account Reset Console's automatic task scheduler allows you to generate reports on any scheduled task and save the reports to the logging database. These reports can be viewed by an admin or help desk manager to discover account issues requiring additional action. Report viewing is located under the Scheduling Reporting menu item in the View Reports tab. Reports can be viewed by users with View Console Logs and Task Reports privileges.

Report Viewing Options

[Screenshot: View Scheduled Task Reports page.]
99. un the COM application must have administrator privileges on that domain. To select which domains are managed by the Account Reset Console, check or uncheck the boxes and click Save Domain Configuration. If you uncheck all the boxes, the Account Reset Console will still process logins from the local system.

Viewing Domain Details

Clicking the details link next to a domain name will allow you to view details on that domain.

[Screenshot: Edit Domain Configuration page for domain SECURUS, showing Primary Domain Controller, Domain Controller Status, Domain Controller List (with a Use as Default DC option) and Domain Details (AdminCheckError, AdminCheckErrorDescription, Managed, LastError, LastErrorDescription).]

If there are multiple domain controllers available, you can set ARC to use a preferred domain controller. This is desirable for directing traffic to the nearest domain controller.

Setting the Default Domain

The default domain is the domain which the login domain selection boxes default to. It can be set by selecting the appropriate domain under Default
100. [Screenshot: Password Change Features settings, showing these options:
• When users change their own passwords, emulate their user account to comply with domain policies
• When users change their own passwords, expire them so that they must be changed on next login (ignored when user cannot change password)
• Allow self service unlock and password reset through ARC via ID verification
• Allow self service unlock and password reset through Credential Provider / Gina via ID verification
• Verification allowed wrong answers: 3
• Verification wrong answers timeout (minutes): 3]

Once you have completed these steps, you should see that the login screen for the Account Reset Console now includes an option to reset a forgotten or locked-out account.

[Screenshot: Account Reset Console login page, with Username, Password and Domain fields and the option "Forgot your password? Locked out? Click here to Reset Password / Unlock".]

The new button at the bottom of the login page allows users to answer the selected questions to verify their identity and reset their passwords. You may also notice that the Set Up My Identity page becomes available under the Accounts main menu item, allowing users to enter their own answers into the database for those questions which allow it.
101. user to reset their password the next time they log into the domain, NOT the next time they log into the Account Reset Console.
• Allow lost password recovery through ARC via ID verification: Check this box to allow users to answer identifying questions to reset their passwords. Checking this box will cause the Reset Password button to appear on the login page of the Account Reset Console.
• Allowed wrong answers: The number of verification questions the user can answer incorrectly before a wrong answer causes the verification attempt to fail.
• Display the following HTML message to users resetting their own passwords: Check this box to display an HTML message to users/personnel using the Change My Password page to reset their own passwords. This message might include warnings, procedural notes or company policy.
• Email users notifications that their passwords have been reset: Check this box to send a notification email to users when they change their own password. You may enter the text of the email message in the textarea below this checkbox. You can use wildcards to specify fields to automatically fill in:
  o RealName: the real name of the user as stored in Active Directory
  o UserName: the user's username
  o Email: the email address of the user as stored in Active Directory
• Email the help desk a notification when a user resets their own password: Check this box to send a notification email to the help desk when any
102. username and/or date. Log retrieval is located under the Scheduling Reporting menu item in the View Log tab. Logs can be retrieved by users with View Console Logs and Task Reports privileges.

Log Viewing Options

[Screenshot: View Account Reset Console Logs page, with an Access Log / Action Log selection, a date range (5/31/2007 to 5/31/2007), a Username field and a Display Log button.]

Use this screen to report on usage of the Account Reset Console. Select Access Log or Action Log and specify a date range. Then click Display Log to see what users have been doing on the system.

The Account Reset Console will display logs from the current logfile. Any logging information saved in a different log data source will not be displayed. There are two separate logs that the Account Reset Console can display. The first is the Access Log, which contains information on which users have accessed (logged onto) the Account Reset Console. The other is the Action Log, which contains information on which user accounts have been reset or viewed, or have been attempted to be reset or viewed, by which
103. [Screenshot: verification question settings page, showing the options Use the Default Database for verification and Use custom verification database, a Data Source selector, the Queries fields (Retrieval, Setting, Insertion, User Deletion), the option Allow users to set their own answers to this question, the note "If your retrieval query is not working, please ensure that you have records in the appropriate database for your test user", and the Save Question Settings and Return to Question List buttons.]

The default value for each question is Use built in verification database. When this setting is selected, all other values (data source, query text) are ignored and the Account Reset Console uses the default built-in SQL Server database to store user enrollment data. When Use custom verification database is selected, the Account Reset Console will attempt to connect to the specified data source and use the retrieval query to get the answer to the question, or the setting query to set the answer. There are four queries that you may need to specify, depending on your data source: retrieval, setting, insertion, and user deletion.

Verification Query Types

Each verification question may require up to four types of query. The Account Reset Console ships with default query language for all four of these queries.

Retrieval queries are required for all verification questions. This query is used by the Account Rese
104. word has already expired. The report shows the name of the task and the date of the run, and then displays a list of the users found, the actions taken, and the result of the action. You can also click on the name of a report task at the bottom of the report listing to see a list of all runs of that report in the database.

[Screenshot: "Select a report date to view" listing for the report Accounts that will expire in 14 days, with two runs dated 05/31/2007 (14:24:35 and 14:21:17), each with status "All actions were completed successfully".]

From this listing you can select a single run and view the results as above.

Scheduling Account Tasks

Overview

The Account Reset Console includes an automatic task and report scheduling system which allows you to automate basic account monitoring and reset tasks, and to generate reports on accounts matching specified criteria. Task scheduling is located under the Scheduling Reporting menu item in the Account Tasks tab. Tasks can be scheduled by users with Manage All Web Access Controls privileges.

Creating and Viewing Account Tasks

The scheduled account tasks that are currently saved are displayed in a table on the main scheduled tasks screen, as shown below.

[Screenshot: main scheduled tasks screen.]
105. y
• Return to Task List: click this to return to the list of tasks.

Viewing Account Task Reports

Overview

The Account Reset Console's automatic task scheduler allows you to generate reports on any scheduled task and save the reports to the logging database. These reports can be viewed by an admin or help desk manager to discover account issues requiring additional action. Report viewing is located under the Scheduling Reporting menu item in the View Task Results tab. Reports can be viewed by users with Manage All Web Access Controls privileges.

Report Viewing Options

[Screenshot: View Account Task Results page, listing Most Recent Reports (Find Expiring Users, 05/31/2007 14:33:55, "All actions were completed successfully") and Task Reports By Name (Find Expiring Users).]

Use this screen to view the scheduled task reports. Select one of the most recent reports at the top of the screen, or select a task name at the bottom to view all runs of that report. Scheduled task reports are saved in the current Account Reset Console log database. Any reports saved to a previous log database will not be available. The Account Reset Console will display the most