Password Policy Events Table

Hello Experts,

I am troubleshooting an issue where password policies that used to be deployed and working in an environment have all of a sudden vanished (at least they are not showing in PMAdmin); other configuration settings are still present, but password policies have vanished from all domains. We are using version 5.8.2.1831 of Password Manager. I am trying to find the table where password policies are stored, and also the table that would show any changes that have been made to password policies, but I am not finding that information in the documentation. Could someone please point me to the docs or provide the names of the tables?

Thanks,

Sergei

  • Hi Sergei,

    Password Manager policies are actually real Group Policy Objects (GPOs) that reside in Active Directory.

    If they disappeared, chances are that an AD Administrator deleted them in the Group Policy Management tool. 

    Since they're encrypted GPOs, anyone looking at them in the native Group Policy Management tool would think they're empty because the data cannot be displayed. The only way to read the data is via Password Manager Admin site (/PMAdmin). In addition, the Password Policy Manager component that gets installed on the DCs decrypts it when users change their passwords and enforces the settings in that policy.

    I would recommend asking your AD team if anyone has deleted any "empty" GPOs that start with "QuestGPC".

    Kind regards

    Daniel
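Daniel's answer means the "table of changes" Sergei asked for is really the domain controllers' Security log: deleting a GPO deletes a groupPolicyContainer object in AD, which is recorded as event ID 5141 when Directory Service Changes auditing is enabled. The script below is an added example (it is not part of the thread and not One Identity's own tooling); it assumes that auditing was already on before the policies vanished, that the caller can read the Security log, and that the DC names and 30-day window are the only inputs you need to change.

```powershell
# Added example: list deletions of Group Policy container objects recorded on domain controllers.
# Assumes "Audit Directory Service Changes" was enabled before the deletion, so event 5141
# ("A directory service object was deleted") exists, and that the caller can read the Security log.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),  # DCs to query (assumed input)
    [int]$Days = 30                                       # how far back to look
)

$since = (Get-Date).AddDays(-$Days)

foreach ($dc in $DomainController) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5141
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Read the named EventData fields from the event XML instead of parsing the message text.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # GPOs live in AD as groupPolicyContainer objects under CN=Policies,CN=System.
        if ($data['ObjectClass'] -ne 'groupPolicyContainer') { continue }

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            DC          = $dc
            DeletedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN    = $data['ObjectDN']     # CN={GUID},CN=Policies,CN=System,DC=...
            TreeDelete  = $data['TreeDelete']
        }
    }
}
```

The ObjectDN in event 5141 carries the GPO's GUID, not its display name, so matching a deleted object to a "QuestGPC..." policy requires a GPO backup or inventory taken before the loss. If the auditing subcategory was not enabled, there is nothing to query and the script returns no rows; enabling it now only helps with future deletions.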

  • Daniel,

    Thank you so much for your reply! I have a follow-up question: is there an industry standard, or rather a best-practice solution, to prevent the removal of GPOs for Password Manager, for example a setting for accidental deletion or something like that? Basically I am trying to find out whether there is a One Identity recommendation for preventing the removal of these GPOs, since they are stored in AD.

    Thank you in advance for your help.

    Thanks,

    Sergei  

  • Hi Sergei,

    Since they reside in AD, the best advice would be to inform your AD team what these objects are, and to exclude them from any GPO backup processes and ignore them from any cleanups/maintenance they may perform.

    Since Domain & Enterprise Admins have Full Control of GPOs, there's no simple way to stop them.

    Kind regards,

    Daniel

  • Short of setting up special, unique permissions on those particular GPO objects whereby Domain Admins and Enterprise Admins are denied access and only a "GPO Admins" group is allowed to modify them.
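The two protections discussed above, the "accidental deletion" flag Sergei asked about and the special permissions on the GPO objects, can both be applied and checked from PowerShell. The script below is an added example, not One Identity's own guidance; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the Password Manager GPOs have display names starting with "QuestGPC" as Daniel states, and that the account running it can modify those objects.

```powershell
# Added example: protect the Password Manager GPOs from casual deletion and report who can still remove them.
# Assumes RSAT (GroupPolicy + ActiveDirectory modules) and GPO display names beginning with "QuestGPC".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$pmGpos = Get-GPO -All | Where-Object { $_.DisplayName -like 'QuestGPC*' }

foreach ($gpo in $pmGpos) {
    # $gpo.Path is the distinguished name of the groupPolicyContainer object in AD.
    # ProtectedFromAccidentalDeletion adds Deny "Delete" and "Delete subtree" entries for Everyone,
    # so a Delete in GPMC fails with access denied until an admin clears the flag. It is a
    # speed bump, not a hard stop: anyone with Full Control can still remove the flag first.
    Set-ADObject -Identity $gpo.Path -ProtectedFromAccidentalDeletion $true

    $protected = (Get-ADObject -Identity $gpo.Path -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion

    # Trustees holding GpoEditDeleteModifySecurity can edit the ACL (and thus the flag) and delete the GPO.
    # This is the list to trim if, as suggested above, only a dedicated "GPO Admins" group should keep that right.
    $fullControl = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        GpoId       = $gpo.Id
        Protected   = $protected
        CanDelete   = ($fullControl -join ', ')
    }
}
```

The flag only covers the AD object; the matching SYSVOL folder is not protected, but GPMC will not get as far as removing it once the directory delete is denied. Removing Domain Admins' rights on the GPO, as the last reply suggests, must be done with Set-GPPermission and a change-control process, because those same admins can take ownership and restore their access at any time; the deletion audit on the DCs is what makes that visible.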