diff --git a/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md b/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md index da26e89086..be4f315fd7 100644 --- a/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md +++ b/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md @@ -8,7 +8,7 @@ sidebar_position: 85 ## Overview -Access Analyzer integrates with **Netwrix Activity Monitor (NAM)** to ingest real-time file system, SharePoint Online, and Microsoft 365 Copilot activity events. Once configured, these events populate the activity reports in AA2601 and power anomaly detection and sensitive data activity tracking. +Access Analyzer integrates with **Netwrix Activity Monitor (NAM)** to ingest real-time file system, SharePoint Online, and Microsoft 365 Copilot activity events. After you configure the integration, these events populate the activity reports in AA2601 and power anomaly detection and sensitive data activity tracking. The integration works through a built-in TCP listener that NAM agents connect to over a secure, mutually authenticated TLS 1.3 channel. Events stream continuously from NAM agents into AA2601's analytics database (ClickHouse), where they become available in reports. @@ -40,7 +40,7 @@ AA2601 Reports (file system activity, SharePoint, Copilot) ### Security Model -Authentication uses **mutual TLS with SPKI hash pinning**: +Authentication uses **mutual TLS with Subject Public Key Info (SPKI) hash pinning**: - AA2601 requires TLS 1.3 and rejects older protocol versions. - Both products perform mutual authentication by matching hashes of each other's certificate public key (SPKI hash) against a persistent allowlist in their configuration. 
@@ -54,7 +54,7 @@ SPKI hashes survive certificate renewal as long as the key pair is unchanged. Re Before connecting NAM agents to AA2601: - **Netwrix Activity Monitor** must be installed and monitoring the hosts or services for which you want real-time activity in AA2601. Confirm monitoring is active before adding the AA2601 output. -- **TLS certificates** must be provisioned on the AA2601 server. The server certificate and private key paths are set via the environment variables `SYSLOG_TLS_CERT_PATH` and `SYSLOG_TLS_KEY_PATH`. Contact your infrastructure team if the listener isn't starting. +- **TLS certificates** must be provisioned on the AA2601 server. The environment variables `SYSLOG_TLS_CERT_PATH` and `SYSLOG_TLS_KEY_PATH` specify the server certificate and private key paths. Contact your infrastructure team if the listener isn't starting. - **Network connectivity** must allow NAM agents to reach AA2601 on TCP port 4504 (default) through any firewalls or network policies. - You must have **Administrator** access to AA2601 to generate enrollment tokens and view enrolled agents. 
@@ -142,8 +142,8 @@ All Activity Monitor settings are at **Configuration > Application Settings > Ac | Setting | Default | Range | Description | | --- | --- | --- | --- | | `activitymonitor_tcp_port` | 4504 | 1 – 65535 | TCP port the listener binds to. Must match the port configured in NAM agent settings. | -| `activitymonitor_max_connections` | 100 | 10 – 1000 | Maximum simultaneous agent connections. Connections beyond this limit are rejected at the TCP layer. | -| `activitymonitor_connection_timeout` | 900 | 5 – 3600 | Seconds of inactivity before an idle agent connection is dropped. Set this to be comfortably longer than your NAM polling interval. | +| `activitymonitor_max_connections` | 100 | 10 – 1000 | Maximum simultaneous agent connections. AA2601 rejects connections beyond this limit at the TCP layer. | +| `activitymonitor_connection_timeout` | 900 | 5 – 3600 | Seconds of inactivity before AA2601 drops an idle agent connection. Set this to be comfortably longer than your NAM polling interval. | ### Performance and Throughput Settings 
@@ -151,7 +151,7 @@ All Activity Monitor settings are at **Configuration > Application Settings > Ac | --- | --- | --- | --- | | `activitymonitor_reactor_threads` | 0 (auto) | 0 – 32 | Async input/output threads for handling connections. `0` automatically uses one thread per CPU core — correct for almost all deployments. | | `activitymonitor_buffer_threads` | 8 | 1 – 16 | Writer threads that drain the in-memory event buffer to ClickHouse. More threads help sustain high write rates. | -| `activitymonitor_buffer_max_size` | 10,000 | 1,000 – 500,000 | Maximum events held in memory at once. When full, new arrivals are held at the TCP layer (backpressure to agents) rather than dropped. | +| `activitymonitor_buffer_max_size` | 10,000 | 1,000 – 500,000 | Maximum events held in memory at once. When full, AA2601 holds new arrivals at the TCP layer (backpressure to agents) rather than dropping them. | | `activitymonitor_batch_size` | 100 | 10 – 1,000 | Events grouped per internal processing batch. | | `activitymonitor_batch_interval_seconds` | 10 | 1 – 60 | Maximum seconds between batch flushes to ClickHouse. The primary control for **data freshness** — lower values mean events appear in reports sooner, at the cost of more frequent small writes. | | `activitymonitor_clickhouse_batch_size` | 10,000 | 1,000 – 100,000 | Events per ClickHouse write operation. Larger batches are more efficient but increase memory usage during the write. | 
@@ -162,8 +162,8 @@ All Activity Monitor settings are at **Configuration > Application Settings > Ac | Setting | Default | Range | Description | | --- | --- | --- | --- | | `activitymonitor_enrollment_first_message_timeout_seconds` | 10 | 5 – 60 | Seconds AA2601 waits for the first message after a new connection is established. AA2601 closes connections that send nothing within this window. | -| `activitymonitor_enrollment_ban_duration_seconds` | 10 | 5 – 300 | Seconds a source IP is blocked after a protocol violation (invalid enrollment code, malformed JSON, or unexpected message format). | -| `activitymonitor_max_message_size` | 16,777,216 (16 MB) | 65,536 – 67,108,864 | Maximum byte size of a single message from a NAM agent. If exceeded without a line delimiter, AA2601 drops the connection. | +| `activitymonitor_enrollment_ban_duration_seconds` | 10 | 5 – 300 | Seconds AA2601 blocks a source IP after a protocol violation (invalid enrollment code, malformed JSON, or unexpected message format). | +| `activitymonitor_max_message_size` | 16,777,216 (16 MB) | 65,536 – 67,108,864 | Maximum byte size of a single message from a NAM agent. If a message exceeds this size without a line delimiter, AA2601 drops the connection. | ### Shutdown Settings 
@@ -213,7 +213,7 @@ Start with defaults. Only adjust if you observe specific symptoms. **If you have many agents connecting simultaneously:** - Raise `activitymonitor_max_connections` to at least the number of expected concurrent agents, with 20–30% headroom. -**Don't lower `activitymonitor_connection_timeout` below your NAM polling interval.** If NAM sends events every 5 minutes and the timeout is less than 300 seconds, agents will be dropped between batches and forced to reconnect constantly. The default of 900 seconds provides safe headroom for most polling configurations. +**Don't lower `activitymonitor_connection_timeout` below your NAM polling interval.** If NAM sends events every 5 minutes and the timeout is less than 300 seconds, AA2601 drops agents between batches and forces them to reconnect constantly. The default of 900 seconds provides safe headroom for most polling configurations. ### Kubernetes Shutdown Considerations @@ -242,7 +242,7 @@ Disabling and re-enabling doesn't cause data loss for events that occurred while - Verify `enable_activitymonitor_ingestion` is `true` in **Configuration > Application Settings > Feature Flags**. - Verify the TLS certificate environment variables (`SYSLOG_TLS_CERT_PATH`, `SYSLOG_TLS_KEY_PATH`) are set and the files are readable. The application logs report a specific error if a certificate is missing, unreadable, or expired. -- Verify the configured port isn't already bound by another process. +- Verify another process isn't already using the configured port. The listener retries startup up to 5 times with exponential backoff (starting at 0.5s, capping at 30s). Check logs for `"Failed to start NAM Listener"` messages with retry counts. 
@@ -250,11 +250,11 @@ The listener retries startup up to 5 times with exponential backoff (starting at - Verify network connectivity from the agent host to AA2601 on the configured port (default: 4504). - Verify the agent is configured with the correct hostname and port. The port in NAM agent configuration must match `activitymonitor_tcp_port`. -- Verify the agent has a valid TLS client certificate. Connections without a client certificate are rejected and the source IP is temporarily banned. +- Verify the agent has a valid TLS client certificate. AA2601 rejects connections without a client certificate and temporarily bans the source IP. ### An agent connected but isn't sending data -- Verify the agent was successfully enrolled. AA2601 silently rejects data connections from agents that have not completed enrollment because their SPKI hash isn't in the allowlist. Re-enroll using a new token. +- Verify the agent enrolled successfully. AA2601 silently rejects data connections from agents that have not completed enrollment because their SPKI hash isn't in the allowlist. Re-enroll using a new token. - Verify `activitymonitor_connection_timeout` isn't shorter than the agent's event polling interval. If agents idle longer than the timeout, AA2601 drops them between batches and they must reconnect. ### Events aren't appearing in reports @@ -274,7 +274,7 @@ Bans are short (default: 10 seconds) and reset on pod restart. For persistent is ### Enrolled agents list has stale entries -Agents that have been decommissioned or reinstalled may leave stale entries in the allowlist. These are harmless — the old SPKI hash will never match a new agent's certificate. Remove them using the API: +Decommissioned or reinstalled agents may leave stale entries in the allowlist. These are harmless — the old SPKI hash will never match a new agent's certificate. Remove them using the API: ``` DELETE /api/v1/nam-listener/agents/:spki_hash 
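Review bot: in the prerequisites hunk at line 54, the bullet still ends with troubleshooting advice ("Contact your infrastructure team if the listener isn't starting") that duplicates the startup troubleshooting bullets in the hunk at line 242, which already tell the reader to check the same two environment variables and the application logs. Suggest dropping that sentence from the prerequisite or replacing it with a cross-reference to the troubleshooting section, so the two places cannot drift apart.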
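Review bot: the `activitymonitor_max_message_size` row in the hunk at line 162 says an oversized message without a line delimiter makes AA2601 drop the connection, but does not say whether that counts as a protocol violation that triggers the `activitymonitor_enrollment_ban_duration_seconds` ban; the ban row two lines above enumerates only invalid enrollment code, malformed JSON and unexpected message format. State explicitly whether an oversized frame bans the source IP, since an operator tuning these two settings together needs to know whether a misconfigured agent will be locked out for the ban window after every drop.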
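Review bot: "Verify another process isn't already using the configured port" (hunk at line 242) is less precise than the original "already bound". A process that merely holds an outbound connection using that port number is not a conflict; a listener bound to it is. Suggest "Verify no other process is already listening on the configured port", which keeps the active voice the rewrite is going for without losing the meaning.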
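Review bot: the rewritten bullet in the hunk at line 250 says AA2601 "temporarily bans the source IP" when the client certificate is missing, but the ban-duration setting at line 165 lists only invalid enrollment code, malformed JSON and unexpected message format as triggers, and the "isn't sending data" bullet a few lines later says unenrolled agents are rejected "silently". Reconcile the three: say whether a missing client certificate and an unknown SPKI hash each ban the IP, and where (if anywhere) the silent rejection is logged; otherwise the troubleshooting steps send an admin looking for a log line that may not exist.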
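Review bot: the hunk at line 274 keeps the claim that stale allowlist entries are "harmless". Under the security model at line 43 (a connection authenticates when the presented certificate's SPKI hash matches the allowlist), a stale entry remains a valid credential for as long as the decommissioned agent's key pair exists anywhere, for example on a retired host's disk or in a backup. The old hash indeed never matches a freshly generated key, but that is not the same as harmless. Suggest replacing "These are harmless" with a sentence saying the entry stays trusted until removed, so that the `DELETE /api/v1/nam-listener/agents/:spki_hash` instruction that follows reads as routine decommissioning hygiene rather than optional cleanup.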
diff --git a/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/_category_.json b/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/_category_.json deleted file mode 100644 index 2909f781e7..0000000000 --- a/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/_category_.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "label": "Email and Mailer Configuration", - "position": 3, - "link": { - "type": "generated-index", - "description": "Knowledge base articles related to installing and configuring the PPE Mailer for email notifications." - } -} diff --git a/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/installing-the-ppe-mailer.md b/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/installing-the-ppe-mailer.md deleted file mode 100644 index 7688e4d1e3..0000000000 --- a/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/installing-the-ppe-mailer.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -description: >- - Install the PPE Mailer for Netwrix Password Policy Enforcer on one server per - domain and learn how to run PPEMail.exe to send or test e-mail delivery and - troubleshoot configuration errors. -keywords: - - PPE Mailer - - Password Policy Enforcer - - PPEMail.exe - - mailer installation - - email delivery - - PPE912 - - Password Policy Server -products: - - password-policy-enforcer -sidebar_label: Installing the PPE Mailer -tags: [] -title: "Installing the PPE Mailer" -knowledge_article_id: kA04u0000000K96CAE ---- - -# Installing the PPE Mailer - -The PPE Mailer is not installed by default. Install it on only one server in each domain. The PPE Mailer can be installed on any server, including a domain controller. The PPE Mailer is part of Netwrix Password Policy Enforcer. - -To install the PPE Mailer: - -1. Start the PPE installer (`PPE912.exe`). -2. Read the license agreement, and then click **Yes** if you accept all the license terms and conditions. -3. Select the **Advanced** option, and then click **Next**. -4. Double-click the `PPE912.msi` file. -5. If you are prompted to Modify, Repair, or Remove the installation, then select **Modify** and then click **Next**. (Skip to step 11. Do not disable the other features as described below.) -6. Click **Next** when the PPE Installation Wizard opens. -7. Select **I accept the license agreement**, and then click **Next**. -8. Select the **Custom** option, and then click **Next**. -9. Click the icon beside the **Password Policy Server** feature, and then click **PPE Mailer Service**. Entire feature will be unavailable. -10. Repeat the previous step for the **Management Console, Documentation**, and **Dictionaries** features unless you also want to configure PPE from this server. -11. Click the icon beside the **PPE Mailer Service** feature, and then click `Will be installed on local hard drive`. -12. Click **Next** twice. -13. 
Wait for the PPE Mailer to install, and then click **Finish** twice. - -You can run the PPE Mailer from the command line to deliver e-mail immediately, or to troubleshoot problems. `PPEMail.exe` is copied into the `\Program Files (x86)\Password Policy Enforcer\` folder when the PPE Mailer is installed. - -Running `PPEMail.exe` with the `/send` parameter disables simulation mode. Any e-mails that are due to be sent today are sent immediately. `PPEMail.exe` can identify a wider range of configuration errors when run in this mode. Use the `/send` parameter judiciously to avoid sending duplicate e-mails to users. - -To test e-mail delivery options without sending any e-mails to users, run `PPEMail.exe` with the `/test` parameter followed by your e-mail address. For example, `PPEMail.exe /test testaccount@netwrix.com`. This will send one test e-mail to your mail server or pickup folder. diff --git a/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/ppe-how-to-enable-ssl-on-ppe-mailer-to-enable-access-with-password.md b/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/ppe-how-to-enable-ssl-on-ppe-mailer-to-enable-access-with-password.md deleted file mode 100644 index 8276b2bdfe..0000000000 --- a/docs/kb/passwordpolicyenforcer/email-and-mailer-configuration/ppe-how-to-enable-ssl-on-ppe-mailer-to-enable-access-with-password.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -description: >- - Instructions to enable SSL for the Netwrix Password Policy Enforcer Mailer so - it can authenticate to SMTP with stored credentials moved to Credential - Manager. -keywords: - - Password Policy Enforcer - - PPE Mailer - - SSL - - SMTP - - MailUseSSL - - MailUsername - - MailPassword - - Credential Manager - - registry -products: - - password-policy-enforcer -sidebar_label: 'PPE: How to enable SSL on PPE Mailer to enable acc' -tags: [] -title: "Netwrix Password Policy Enforcer: How to enable SSL on PPE Mailer to enable access with password" -knowledge_article_id: kA04u000000PdL8CAK ---- - -# Netwrix Password Policy Enforcer: How to enable SSL on PPE Mailer to enable access with password - -By default no password can be used. Use this guide to enable the Netwrix Password Policy Enforcer Mailer to use SSL. - -1. Download the PPEMail_SSL.zip from Anixis Website: https://www.anixis.com/ftp/users/tonio/PPEMail_SSL.zip or from Sharepoint: https://netwrixcorporation.sharepoint.com/:u:/r/SupportWiki2/Shared%20Documents/PPEMail_SSL.zip?csf=1&web=1&e=1Lr1iB -2. Stop the Netwrix Password Policy Enforcer Mailer service. -3. Rename `PPEMail.exe` in the `\Program Files (x86)\Password Policy Enforcer\` folder to `PPEMail.exe.original`. -4. Extract the new `PPEMail.exe` downloaded above into the `\Program Files (x86)\Password Policy Enforcer\` folder. -5. Open the Netwrix Password Policy Enforcer Management Console to the **PPS Properties** page. -6. Click the **E-mail** Tab. -7. Make sure the port number is `25` (`587` will not work). -8. Click **OK**. -9. Open the registry editor on the server that the PPE Mailer is running on. -10. Create the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\ANIXIS\Password Policy Enforcer`. -11. Create a `REG_DWORD` value called `MailUseSSL` and set it to `1`. -12. Create a `REG_SZ` value called `MailUsername` and set it to the SMTP username. -13. 
Create a `REG_SZ` value called `MailPassword` and set it to the SMTP password. -14. Run the mailer with the `/test` parameter to send a test email. For example: -```text -ppemail.exe /test tonio@anixis.com -``` -15. You should see a message that the credentials were moved to the credential manager, and the username and password you created in the registry should be gone. -16. The stored credentials are only accessible from your user account, so if the test above worked you should add the credentials to the service account. To do this, repeat steps 12 and 13 and then start the Netwrix Password Policy Enforcer Mailer service. The username and password should disappear from the registry again. diff --git a/docs/kb/passwordpolicyenforcer/installation-and-configuration/_category_.json b/docs/kb/passwordpolicyenforcer/installation-and-configuration/_category_.json deleted file mode 100644 index 3a30a5ebc2..0000000000 --- a/docs/kb/passwordpolicyenforcer/installation-and-configuration/_category_.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "label": "Installation and Configuration", - "position": 1, - "link": { - "type": "generated-index", - "description": "Knowledge base articles related to installing, configuring, and upgrading Netwrix Password Policy Enforcer." - } -} diff --git a/docs/kb/passwordpolicyenforcer/installation-and-configuration/how-to-install-password-policy-enforcer.md b/docs/kb/passwordpolicyenforcer/installation-and-configuration/how-to-install-password-policy-enforcer.md deleted file mode 100644 index 57d5a03389..0000000000 --- a/docs/kb/passwordpolicyenforcer/installation-and-configuration/how-to-install-password-policy-enforcer.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -description: >- - Install Netwrix Password Policy Enforcer 9.12 manually or by Group Policy. - This article lists system requirements, installation types, and step-by-step - instructions for creating a distribution point, copying the MSI, creating and - editing a GPO, and completing the installation. -keywords: - - Netwrix Password Policy Enforcer - - installation - - PPE912 - - Group Policy - - MSI - - domain controllers - - distribution point - - Windows Server - - password policy -products: - - password-policy-enforcer -sidebar_label: How to Install Password Policy Enforcer -tags: [] -title: "How to Install Password Policy Enforcer" -knowledge_article_id: kA04u000000Pd76CAC ---- - -# How to Install Password Policy Enforcer - -## Overview - -Netwrix Password Policy Enforcer version 9.12 is compatible with Windows Server 2008, 2012, 2016, and 2019. You can also install it on Windows Vista, 7, 8, and 10 workstations to enforce **local policies**. If you need to install Netwrix Password Policy Enforcer on Windows Server 2003 domain controllers, install version 8.03 instead of 9.12. - -You do not have to force users to change their password immediately after Netwrix Password Policy Enforcer is installed. Users can continue using their current password until it expires, even if their current password does not comply with the password policy. - -Installing Netwrix Password Policy Enforcer does not extend the Active Directory schema. - -## System Requirements - -- Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, or 2019. Windows Vista, 7, 8, 8.1, or 10. -- Fifteen megabytes of free disk space. -- Eight megabytes of free RAM (seventy-two megabytes if using **Argon2** hashes). - -## Installation Types - -Install Netwrix Password Policy Enforcer on every domain controller to enforce the password policy for domain user accounts, or on individual servers and workstations to enforce the password policy for local user accounts. 
If your domain contains read-only domain controllers, install Netwrix Password Policy Enforcer on these servers only if you are using the **Maximum Age rule**, **Password Policy Client**, **Password Reset**, or **PPE/Web**. - -You can install Netwrix Password Policy Enforcer **manually** if you only need to install it on a few computers. For many computers in a domain, it is easier to perform an **automated** installation with Group Policy. - -## Instructions - -### Manual Installation (Express Setup) - -Manual installation is recommended for small to medium networks. Repeat the installation procedure below on every computer that should enforce the password policy. - -1. Start the Netwrix Password Policy Enforcer installer (`PPE912.exe`). -2. Read the license agreement, and then click **Yes** if you accept all the license terms and conditions. -3. Select the **Express** option, and then click **Next**. -4. Select the **Password Policy Server** check box if it is not selected. -5. Click **Next** to install Netwrix Password Policy Enforcer. -6. Click **Yes** when asked to restart the computer. - -If you are using Netwrix Password Policy Enforcer to enforce a password policy for domain user accounts, repeat this procedure on the other domain controllers in the domain. - -Netwrix Password Policy Enforcer has its own password rules, so you may want to disable the Windows password policy rules before configuring Netwrix Password Policy Enforcer. - -### Automated Installation (Advanced Setup) - -An automated installation uses Group Policy to distribute Netwrix Password Policy Enforcer. This type of installation is recommended when you need to install Netwrix Password Policy Enforcer on many computers. The following steps show how to install Netwrix Password Policy Enforcer on domain controllers to enforce **domain policies**, but you can also use Group Policy to target member servers and workstations to enforce **local policies**. 
- -### Create a Distribution Point - -A distribution point can be a UNC path to a server share or a DFS (Distributed File System) path. To create a Netwrix Password Policy Enforcer distribution point: - -1. Log on to a server as an administrator. -2. Create a shared network folder to distribute the files from. -3. Give the **Domain Controllers** security group read access to the share, and limit write access to authorized personnel only. - -### Copy PPE912.msi into the Distribution Point - -1. Start the Netwrix Password Policy Enforcer installer (`PPE912.exe`). -2. Read the license agreement, and then click **Yes** if you accept all the license terms and conditions. -3. Select the **Advanced** option, and then click **Next**. -4. Right-click the `PPE912.msi` icon, click **Copy**, and then paste the file into the distribution point. -5. Give the **Domain Controllers** security group read access to the `PPE912.msi` file in the distribution point. -6. Click **Finish**. - -### Create a Group Policy Object - -1. Start the Group Policy Management Console (`gpmc.msc`). -2. Expand the forest and domain items in the left pane. -3. Right-click the **Domain Controllers** organizational unit (OU) in the left pane, and then click **Create a GPO in this domain, and Link it here...** -4. Type `Netwrix Password Policy Enforcer`, and then press **Enter**. - -### Edit the Group Policy Object - -1. Right-click the **Netwrix Password Policy Enforcer** GPO, and then click **Edit...** -2. Expand the **Computer Configuration**, **Policies**, and **Software Settings** items. -3. Right-click the **Software installation** item, and then select **New > Package...** -4. Type the full UNC path to `PPE912.msi` in the Open dialog box. You must enter a UNC path so that other computers can access this file over the network. For example, `\fileserver\distributionpointshare\PPE912.msi` -5. Click **Open**. -6. Select the **Assigned** deployment method, and then click **OK**. -7. 
Close the Group Policy Management Editor. - -### Complete the Installation - -Restart each domain controller to complete the installation. Windows installs Netwrix Password Policy Enforcer during startup, and then immediately restarts the computer a second time to complete the installation. - -Netwrix Password Policy Enforcer will not enforce a password policy at this time because no policies are defined. Users can still change their password and will only need to comply with the Windows password policy rules (if enabled). diff --git a/docs/kb/passwordpolicyenforcer/installation-and-configuration/ppe-connecting-to-a-configuration.md b/docs/kb/passwordpolicyenforcer/installation-and-configuration/ppe-connecting-to-a-configuration.md deleted file mode 100644 index be20d127e2..0000000000 --- a/docs/kb/passwordpolicyenforcer/installation-and-configuration/ppe-connecting-to-a-configuration.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -description: >- - Describes how to connect the Netwrix Password Policy Enforcer (PPE) management - console to domain and local configurations stored in Active Directory or the - registry. -keywords: - - password policy - - PPE - - domain configuration - - local configuration - - Active Directory - - registry - - domain controller - - HKLM - - CN=Password Policy Enforcer -products: - - password-policy-enforcer -sidebar_label: 'PPE: Connecting to a Configuration' -tags: [] -title: 'PPE: Connecting to a Configuration' -knowledge_article_id: kA04u000000Pd7BCAS ---- - -# PPE: Connecting to a Configuration - -## Connecting to a Configuration - -Netwrix Password Policy Enforcer (PPE)'s configuration settings are stored in Active Directory or the registry. An Active Directory configuration is called a domain configuration, and it defines the password policies for domain user accounts. A registry configuration is called a local configuration, and it defines the password policies for local user accounts. - -## Connecting to a Domain Configuration - -A domain configuration exists on every domain controller. Changes to the configuration replicate to all the domain controllers in the domain, so you only need to configure one domain controller in each domain. If you are using PPE in more than one domain, then you will need to configure each domain separately. To connect to a domain configuration: - -1. Click the **Password Policy Enforcer** item to display the **PPE view**. -2. Click **Connect To** in the right pane of the management console. -3. Select the **Domain** option. -4. Type the name or IP address of a domain controller, and then click **OK**. - -You cannot make changes to the PPE configuration while the management console is connected to a read-only domain controller. - -## Connecting to a Local Configuration - -A local configuration is used by only one computer, so it does not replicate to any other computers. 
You can copy a local configuration to another computer by exporting the configuration from the registry, and then importing it into the registry of the other computer. You can also use Group Policy to distribute a local configuration to many computers. To connect to a computer's local configuration: - -1. Click the **Password Policy Enforcer** item to display the **PPE view**. -2. Click **Connect To** in the right pane of the management console. -3. Select the **Local** option, and then click **OK**. - -Domain configurations are stored in the `CN=Password Policy Enforcer 9.0,CN=System` object. -Local configurations are stored in the `HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 9.0\` registry key. -Users with write permission to these objects can configure PPE. diff --git a/docs/kb/passwordpolicyenforcer/installation-and-configuration/ppe-management-console.md b/docs/kb/passwordpolicyenforcer/installation-and-configuration/ppe-management-console.md deleted file mode 100644 index aae2675458..0000000000 --- a/docs/kb/passwordpolicyenforcer/installation-and-configuration/ppe-management-console.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -description: >- - Explains how to install and open the Netwrix Password Policy Enforcer - management console, and describes the console views and their functions. -keywords: - - password policy enforcer - - management console - - PPE - - PPS - - policies - - rules - - Microsoft Management Console - - installation - - remote configuration -products: - - password-policy-enforcer -sidebar_label: PPE Management Console -tags: [] -title: "PPE Management Console" -knowledge_article_id: kA04u000000Pd7GCAS ---- - -# PPE Management Console - -The Netwrix Password Policy Enforcer (PPE) management console is a Microsoft Management Console snap-in that is used to edit PPE's configuration. The management console is installed by default when PPE is installed, but you can also install it on your computer if you want to remotely configure PPE. - -## Installing the Management Console - -To install the PPE management console onto your computer so that you can remotely configure PPE: - -1. Start the Netwrix Password Policy Enforcer (PPE) installer (`PPE912.exe`). -2. Read the license agreement, and then click **Yes** if you accept all the license terms and conditions. -3. Select the **Advanced** option, and then click **Next**. -4. Double-click the `PPE912.msi` file. -5. Click **Next** when the PPE Installation Wizard opens. -6. Select **I accept the license agreement**, and then click **Next**. -7. Select the **Custom** option, and then click **Next**. -8. Click the icon beside the **Password Policy Server** feature, and then click **Entire feature will be unavailable**. -9. Click **Next** twice. -10. Wait for the management console to install, and then click **Finish**. - -## Opening the Management Console - -Click **Start > Netwrix Password Policy Enforcer 9 > PPE Configuration** to open the PPE management console. If you are opening the management console for the first time, then click **Yes** when asked if you would like to create a new PPE configuration. 
- -The management console images in this document are taken from a computer running Windows Server 2016. Other Windows versions may display the management console slightly differently; however, the management console is used identically on all Windows versions. - -Press F1 while using the management console to display help information for the current window. - -## Management Console Views - -The PPE management console has four views. Click an item in the left pane of the management console to select a view. - -### PPE View - -Click **Netwrix Password Policy Enforcer** in the left pane to display this view. - -![User-added image](../0-images/ka04u000000HdEl_0EM4u000002DJGC.png) - -Use this view to: -- Read the Netwrix Password Policy Enforcer documentation. -- Connect to a configuration. - -### PPS View - -Click **PPS** in the left pane to display this view. - -![User-added image](../0-images/ka04u000000HdEl_0EM4u000002DJGH.png) - -Use this view to: -- Edit **PPS** properties. -- Connect to a configuration. -- Display the **Support Tools** page. - -### Policies View - -Click **Policies** in the left pane to display this view. - -![User-added image](../0-images/ka04u000000HdEl_0EM4u000002DJGM.png) - -Use this view to: -- Edit policy properties. -- Test policies. -- Create and delete policies. -- Set policy priorities. - -### Rules View - -![User-added image](../0-images/ka04u000000HdEl_0EM4u000002DJGR.png) - -Click a policy name in the left pane to display this view. Use this view to configure the rules for a policy. diff --git a/docs/kb/passwordpolicyenforcer/installation-and-configuration/upgrade-checklist-in-password-policy-enforcer.md b/docs/kb/passwordpolicyenforcer/installation-and-configuration/upgrade-checklist-in-password-policy-enforcer.md deleted file mode 100644 index cb68775bc8..0000000000 --- a/docs/kb/passwordpolicyenforcer/installation-and-configuration/upgrade-checklist-in-password-policy-enforcer.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -description: >- - Step-by-step checklist to upgrade Netwrix Password Policy Enforcer servers and - clients, including configuration import, license import, AD replication, and - reboot order. -keywords: - - Password Policy Enforcer - - PPE - - upgrade - - domain controller - - AD replication - - license import - - PPS Properties - - PPE Configuration -products: - - password-policy-enforcer -sidebar_label: Upgrade Checklist in Password Policy Enforcer -tags: [] -title: "Upgrade Checklist in Password Policy Enforcer" -knowledge_article_id: kA0Qk0000001Cf3KAE ---- - -# Upgrade Checklist in Password Policy Enforcer - -## Overview - -This article covers steps to take when upgrading Netwrix Password Policy Enforcer (PPE) in your environment. - -## Instructions - -Refer to the following steps to complete the PPE upgrade: - -1. After you upgrade the **PPE Server** installation in one domain controller (DC), select **No** when a reboot is prompted. -2. Run the **PPE Configuration** tool on the DC. Upon the launch, the upgraded **PPE Server** instance imports the configuration. -3. Import the PPE license—in the **PPS Properties** menu, select the **License** tab and import the license. -4. Allow the Active Directory replication to replicate the configuration settings to all DCs in the domain. -5. Reboot the DC with the updated **PPE** instance. -6. Upgrade and reboot other DCs. - -> **NOTE:** Once you complete the steps provided above, you can upgrade the **PPE** client installations. diff --git a/docs/kb/passwordpolicyenforcer/troubleshooting-and-errors/password-policy-client-generic-message-windows-rules.md b/docs/kb/passwordpolicyenforcer/troubleshooting-and-errors/password-policy-client-generic-message-windows-rules.md new file mode 100644 index 0000000000..d97caf4f2b --- /dev/null +++ b/docs/kb/passwordpolicyenforcer/troubleshooting-and-errors/password-policy-client-generic-message-windows-rules.md 
@@ -0,0 +1,81 @@ +--- +title: "Password Policy Client Displays Generic Message and No PPE Event Is Logged" +description: >- + Explains why the PPE Password Policy Client displays a generic rejection message and no + PPE event is logged when a password change fails, and how to resolve it by disabling + Windows password policy rules. +sidebar_label: "Password Policy Client Displays Generic Message and No PPE Event Is Logged" +keywords: + - generic rejection message + - password rejected + - Windows password policy + - LSASS + - password filter + - event log + - Password Policy Client + - troubleshooting + - Password Policy Enforcer + - PPE + - no event logged + - Windows rules +products: + - password_policy_enforcer +tags: + - kb + - troubleshooting-and-errors +knowledge_article_id: +--- + +# Password Policy Client Displays Generic Message and No PPE Event Is Logged + +## Symptom + +When you attempt to change your password, one or both of the following occur: + +- No rejection event appears in the event log. +- The Password Policy Client displays a generic rejection message instead of a detailed message explaining which rules the password did not comply with. + +## Cause + +The Password Policy Client evaluates a subset of the Password Policy Enforcer (PPE) rules before submitting the password change to Windows. + +If the password passes all client-side PPE rules but fails a Windows password policy rule (history, minimum age, maximum age, minimum length, or complexity), Windows rejects the change before PPE processes it on the domain controller. PPE did not reject the password and cannot log a rejection event or provide a detailed rejection message. + +## How Password Changes Are Processed + +The following steps occur in order when you change your password: + +1. **Password Policy Client** — If the Password Policy Client is installed, it evaluates the password against the subset of PPE rules that the client can enforce. 
+ - If the password fails a client-side rule, the Password Policy Client displays a detailed rejection message and cancels the change request. + - If the password passes all client-side rules, the change request proceeds to Windows. +2. **Windows password policy rules** — Windows Local Security Authority Subsystem Service (LSASS) checks the new password against Windows password policy rules: history, minimum age, + maximum age, minimum length, and complexity. + - If the password fails any Windows rule, LSASS rejects the change immediately. PPE does not see the password on the domain controller. + - If the password passes all Windows rules, LSASS sends it to PPE for additional checks. +3. **Password Policy Server** — On the domain controller, PPE evaluates the password against all its rules except [Similarity](pathname:///docs/passwordpolicyenforcer/11_2/admin/manage-policies/rules/similarity_rule), and accepts or rejects the password. + +### Effect on the Password Policy Client + +The Password Policy Client can only display a detailed rejection message in two cases: + +- A client-enforced PPE rule rejects the password. +- The PPE server rejects the password on the domain controller. + +If the password passes all client-side rules and Windows then rejects it, the Password Policy Client has no rejection detail from PPE to display and falls back to the generic message. + +### Effect on the Event Log + +PPE can only log rejection events if PPE rejects the password, either on the client or server side. + +## Resolution + +To ensure PPE evaluates all passwords and can provide detailed rejection messages, disable the Windows password policy rules. You must then satisfy only the PPE rules. + +See [Disable Windows Rules](pathname:///docs/passwordpolicyenforcer/11_2/installation/disable_windows_rules) for instructions. + +> **NOTE:** If your organization requires both Windows and PPE rules, you must satisfy both. 
A password that passes all client-side PPE rules but fails a Windows rule will always produce a generic rejection message, and PPE logs no event for that rejection. This is expected behavior. + +## Related Links + +- [Similarity](pathname:///docs/passwordpolicyenforcer/11_2/admin/manage-policies/rules/similarity_rule) +- [Disable Windows Rules](pathname:///docs/passwordpolicyenforcer/11_2/installation/disable_windows_rules) diff --git a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md index cdc59b152f..c9613683a6 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md +++ b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md 
@@ -1,56 +1,33 @@ --- -title: "Upgrading Password Policy Enforcer" -description: "Upgrading Password Policy Enforcer" +title: "Upgrading" +description: "Upgrade the Password Policy Enforcer server components and Password Policy Client to the latest version." sidebar_position: 60 --- -# Upgrading Password Policy Enforcer +# Upgrading -Upgrades are supported for versions 9.0 and above. Contact Customer Support at -[https://www.netwrix.com/support.html](https://www.netwrix.com/support.html) if you need assistance -upgrading older versions +Check the [Introduction](/docs/passwordpolicyenforcer/11.2/index.md) to ensure your system meets the minimum requirements before upgrading Password Policy Enforcer (PPE). Also check the [Release Notes and Bug Fix List](https://community.netwrix.com/c/products/password-policy-enforcer/news/) for any upgrade considerations. -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md#automated-deployment). +You can upgrade Password Policy Enforcer by running the installer manually, with [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) or another deployment tool, or by running msiexec. If you use Group Policy to automate the deployment, then copy the new .msi files to the distribution point and add them to the same Group Policy Object (GPO) you used to install the older version. Don't remove the older version from the GPO. Group Policy automatically detects that the new version is an upgrade for an existing package and upgrades it accordingly. -**Upgrading the Password Policy Server** +## Upgrade the server components -The Password Policy Enforcer installer detects existing installations and upgrades them to 11. See -the [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) topic for additional -information. 
If you are performing an automated installation with Group Policy, then add the new -**.msi** installer files to the same Group Policy Object used to install the older version. See the -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topic for additional information. +The Password Policy Enforcer server installer detects existing installations and upgrades them to version 11.2. Follow the [Install the Server Components](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) instructions to upgrade an existing installation. You don't need to uninstall the old version first. -:::note -Upgrade all your servers and domain controllers. Configuration changes performed with the -new version don't affect servers running an older version. If you have multiple versions, you must -make configuration changes in both configuration consoles until all domain controllers are upgraded -to 11. Failure to do so may lead to inconsistent enforcement of the password policy. -::: - - -Open the [License](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#license) settings on the Configuration Console -after an upgrade to check your license details. Password Policy Enforcer reverts to a 30-day -evaluation license if it can't import the license key. +:::warning +If the upgrade is major, for example, from 10.x to 11.x, then you should immediately open the PPE Configuration Console after upgrading the first domain controller in each domain. This automatically imports the configuration settings from the old version to the new one. -**Upgrading the Password Policy Client** +You should also click **Settings** in the Configuration Console, then **License** to check your license key. If the **License type** is _Evaluation_, then you must install a new license key before the **Valid to** date. 
You can download your license key from the [Netwrix Customer Portal](https://customer.netwrix.com/sign_in.html?rf=customer-portal.html). If you don't install a new key, then Password Policy Enforcer will stop checking passwords when the evaluation license expires. -The Password Policy Client installer detects existing installations and upgrades them to 11. See the -[Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md)[Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md) -topic for additional information. If you are distributing the Password Policy Client with Group -Policy, then add the new client **.msi** file to the same Group Policy Object used to install the -older version. Upgrade and reboot the Password Policy Servers before upgrading the clients. +Upgrade and restart all the Password Policy Servers in a domain before upgrading the Password Policy Clients. The Password Policy Server handles backwards compatibility for older clients, but newer clients may not communicate with an older server. -The Password Policy Enforcer 11 Password Policy Server is backwards compatible with the V10.x and -V9.x Password Policy Client. You aren't required to update the Password Policy Clients, but it is -recommended. - -**Upgrading the Mailer** +Don't run multiple versions of the Password Policy Server in a domain for an extended time. Maintain both versions only for a short time while you roll out the new version. Configuration changes you make in the Configuration Console apply only to that console's major version. If you have more than one major version of PPE running in a domain and need to make a configuration change, then make the same change for every major version. Failure to do so may lead to inconsistent enforcement of the password policy. 
+::: -The Password Policy Enforcer installer detects existing installations of the Password Policy -Enforcer Mailer and upgrades them to 11. See [Install the Password Policy Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) -for information on installing the Mailer Service feature. +## Upgrade the Password Policy Client -**Upgrade Notes** +The Password Policy Client installer detects existing installations and upgrades them to version 11.2. Follow the [Install the Password Policy Client](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md) instructions to upgrade an existing installation. You don't need to uninstall the old version first. -- Versions 9.x and above don't support perpetual license keys. +:::warning +Don't use any new features while running older Password Policy Enforcer components that may not fully support the new features. Netwrix develops and tests all PPE components together as a single version. For the best experience, use all the components from one version together. +:::
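Review bot: on the deleted `PPE Management Console` article (hunk `@@ -1,91 +0,0 @@`), the front matter carries `knowledge_article_id: kA04u000000Pd7GCAS`, so the page is probably linked from the support portal; confirm a redirect to the 11.2 Configuration Console topic (the removed License link in the upgrading.md hunk points at `/docs/passwordpolicyenforcer/11.2/admin/configconsole.md`) before it is removed. The same goes for the four screenshots `../0-images/ka04u000000HdEl_0EM4u000002DJGC.png`, `...DJGH.png`, `...DJGM.png` and `...DJGR.png`: if no other page references them, delete them in this PR, otherwise they stay behind as orphans. Dropping the 9.x installer steps themselves (`PPE912.exe`, `PPE912.msi`, Start > Netwrix Password Policy Enforcer 9) is fine as obsolete content.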
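Review bot: the deleted upgrade checklist (hunk `@@ -1,40 +0,0 @@`) carries two operational steps that the rewritten upgrading.md in this same diff does not: select **No** at the reboot prompt on the first DC until the PPE Configuration tool has imported the configuration (steps 1 and 2), and let AD replication push the settings to all DCs before rebooting that DC and upgrading the others (steps 4 to 6). The new warning in upgrading.md only says to open the Configuration Console "immediately" after the first DC and says nothing about deferring the reboot or waiting for replication. Suggest moving both points into the "Upgrade the server components" warning so the import, replicate, then reboot order survives, and adding a redirect for `knowledge_article_id: kA0Qk0000001Cf3KAE`.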
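Review bot: the Resolution in the new article (hunk `@@ -0,0 +1,81 @@`) tells readers to disable the Windows password policy rules so that PPE evaluates every password, but does not say what must be in place first: once history, minimum length and complexity are off in Windows, PPE is the only check, and the upgrading.md hunk in this same diff states that PPE "will stop checking passwords when the evaluation license expires". Suggest a sentence before the Disable Windows Rules link requiring that the PPE policy already enforce equivalent length, history and complexity rules and that every DC in the domain is running the Password Policy Server, so turning the Windows rules off does not lower the baseline. Front matter and links also need a look: `knowledge_article_id:` is empty while the other KB articles in this diff have one, `products` uses `password_policy_enforcer` where the deleted articles use `password-policy-enforcer`, and the links use `pathname:///docs/passwordpolicyenforcer/11_2/...` while upgrading.md links `/docs/passwordpolicyenforcer/11.2/...`; confirm the product slug and the `11_2` paths resolve.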
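Review bot: the rewrite of upgrading.md (hunk `@@ -1,56 +1,33 @@`) drops three statements with no replacement: upgrades are supported from version 9.0 and above (older versions go through Customer Support), the "Upgrading the Mailer" section, and the note that 9.x and above don't support perpetual license keys. A reader on 9.x, or running the Mailer Service feature, no longer learns whether the 11.2 installer upgrades them in place. Suggest keeping one line on supported source versions and, under "Upgrade the server components", a sentence that the installer also upgrades an existing Mailer Service feature, if that still holds. The license check is also now scoped to major upgrades ("If the upgrade is major, for example, from 10.x to 11.x"), whereas the old text said to check the License settings after any upgrade because PPE "reverts to a 30-day evaluation license if it can't import the license key"; unless minor upgrades are known never to lose the key, make the license check unconditional. Minor: the doubled client link in the old text is gone, good; confirm `/docs/passwordpolicyenforcer/11.2/index.md` is the intended Introduction target.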