
QPPM functionality when administration server is down

Hi,

 

We are looking to deploy QPM as one of the services in our AD forest to meet the password complexity requirements. The question is, assuming the server running the QPM administration site is down, what would happen to the passwords reset during that period? Would the DCs hold something like a cached copy of the policy, or, for each reset, does the domain controller make a connection to one of the QPM servers to validate the new password?

  • A few notes.
    1. The Password Complexity Policy resides and is validated on the DC side (native AD GPO).
    1.2. PWM provides an additional Password Complexity Policy GPO (more advanced than the native one) on top of the native AD GPO. That requires you to "touch" every single DC and deploy the password module on the DC's native auth layer. Many customers do not do it, to avoid touching the DCs.
    2. The PWM Server holds the workflow to reset passwords/unlock via a Q/A check. If the PWM Server side is down, the Q/A door is down, but an AD user (HelpDesk ADUC) can still reset a password via the native DC route (CTRL-ALT-DEL) as usual (bypassing the PWM Server workflow).
    3. The PWM architecture allows HA with multiple PWM Servers deployed holding the same workflows. PWM is a front-end enterprise application => it requires HA.
    4. PWM also allows DR of the application.
  • Cheers. I think I get the gist! Let me rephrase my question.

    We intend to use only the QPPM but not the other modules that come with it. We will be installing the agents on all the domain controllers. There will be high availability configured for QPM, but assuming QPM is down for some odd reason, would the password changes on the domain controller still happen using the password policies defined by Quest?

  • (As per my understanding)
    The PWM Granular Password Complexity Policy "module" is a GPO-managed DLL (which manages passwords) installed on each DC (and it is not an agent/service/executable running on the DC).
    Password reset happens according to the MSFT AD/DC technology, with the password complexity rules having been installed on ("fed" into) the DC.
  • So, all QPM does is update this DLL with a bunch of rules? Would it be safe to call QPM a GUI for a custom password filter.dll?
  • I never looked at it from this angle. I guess, in terms of password string complexity on the DC server side, the client side does not matter (PWM website, CTRL-ALT-DEL). The http://PMUser website might provide an additional filter (a not-allowed dictionary, for example).
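
The thread's point that the policy module has to be deployed on every DC can be audited. The script below is an added example, not from the thread or from Quest: it assumes the module is registered as a standard Windows LSA password filter (the thread suggests this but does not confirm it), and `<QuestFilterName>` is a placeholder because the thread never names the DLL.

```powershell
# Added example: audit every domain controller for a registered password filter DLL.
# Assumption: the policy module uses the standard LSA "Notification Packages" mechanism.
Import-Module ActiveDirectory

$FilterName = '<QuestFilterName>'   # placeholder: DLL base name without ".dll"
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $FilterName, $LsaKey -ScriptBlock {
            param($Name, $Key)
            # REG_MULTI_SZ list of filter DLLs that LSA loads on this DC
            $packages = @((Get-ItemProperty -Path $Key -Name 'Notification Packages').'Notification Packages')
            [pscustomobject]@{
                DC         = $env:COMPUTERNAME
                Registered = $packages -contains $Name
                DllPresent = Test-Path (Join-Path $env:SystemRoot "System32\$Name.dll")
                Packages   = $packages -join ', '
            }
        }
    }
    catch {
        # An unreachable DC is reported, not silently skipped
        [pscustomobject]@{
            DC         = $dc.HostName
            Registered = $null
            DllPresent = $null
            Packages   = "unreachable: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object DC | Format-Table DC, Registered, DllPresent, Packages -AutoSize

# A DC missing the filter enforces only the native AD password policy
$gaps = @($results | Where-Object { $_.Registered -ne $true -or $_.DllPresent -ne $true })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) DC(s) are missing the filter or could not be checked."
}
```

LSA loads notification packages at boot, so a DC that shows the filter as registered still needs to have been restarted since registration before the filter takes effect.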