The settings section provides access to OVERLAPS’ main configuration options.
By default, if a user does not have permission to access a container above the current container, it will still appear in the breadcrumbs on the computer list screen so that users are given a more complete view of the Active Directory structure. Any containers to which they do not have access cannot be clicked on; they are simply there for reference, as shown below.
However, by checking the "Hide Organizational Units that a user doesn’t have permission to access" box, these containers will no longer appear in the breadcrumbs. Instead, only the containers that the user has permission to read will be shown.
If unchecked, any user with permission to read computer passwords (with or without authorisation) can set up notifications for events occurring in a container (such as other users reading a computer's password). By checking this box, they will only be allowed to do this if they also have permission to view the History page.
By default, requests to view a computer’s password which have been authorised will expire as soon as that password is viewed by the Requestor. This means that if the Requestor attempts to view the password again, they will need to submit another request first.
If you would like to add a grace period to this, change this value to the number of minutes for which the Requestor can continue to view the password after viewing it the first time.
This does not prevent a user from keeping the view password window open but will stop them from re-opening it once the expiry period has passed.
Change this value (shown in minutes) to specify how long Authorisation Requests are kept before they are automatically cleaned up (deleted). This defaults to 1440 minutes (24 hours).
Authorisation Requests older than this will be deleted regardless of their status.
OVERLAPS Identification for Authenticator Apps
By default, when a user enables Two Factor Authentication (2FA), OVERLAPS will identify itself in their Authenticator app as “OVERLAPS”. However, if you are running more than one OVERLAPS server, this can become confusing.
Changing this setting allows you to specify a custom identifier that will be used whenever a user enables 2FA. Note that this only works when using the QR code to register OVERLAPS in an authenticator app, as the manual code allows you to enter any text as the identifier.
Enforce Two Factor Authentication for All Users
If this option is ticked, the next time any user without 2FA currently enabled logs in they will be prompted to enable it and given a QR Code to enter into their Authenticator app. Once done, they will then be required to enter a code from that app before they can complete the login.
Any users without access to an authenticator app will be unable to log in if this option is enabled.
Maximum Days to Remember Devices
Set how long (in days) a device will be remembered when the user selects the "Remember this Device" option when completing a 2FA login. Once this period has expired, the user will be required to enter a 2FA code again. This is 30 days by default, and can be set to any value between 1 and 90 days.
By default, Microsoft LAPS will automatically reset your passwords based on the schedule defined in Group Policy. Instead of waiting for this, you can use these settings to automatically expire passwords after a certain amount of time has passed from when they were last accessed.
There are two values to set: one for the normal accessing of passwords through the Computer Browser, and one for users who access passwords through Self Service.
Note that this will set the passwords to expire after the given amount of time from when they are accessed, but passwords are only actually reset on a Group Policy update on the computer itself.
If enabled, when expiring a computer’s LAPS-managed password, all users will be able to specify a date and time that the password should expire (instead of immediately).
Specifies how many days in the future a password can be set to expire. This should not be more than your Group Policy setting for LAPS password age.
Specifies what level of information is saved to the log file. This is Information by default but can be increased to Verbose when debugging is required or lowered to keep the size of the log file down.
This can also be set to the absolute highest level of Debug when an extra level of detail is required, but as this may output confidential information to the log file (not passwords), it should only be enabled for short periods of time.
Note that the log level is automatically increased to Verbose for one week after any new installation or upgrade to aid our Support Team in case of any installation issues that may arise.
The amount of time to keep data in the History log before it is deleted. You can customise this depending on your space limitations, amount of activity, and Data Protection laws. The valid values are anywhere from a single day up to 5 years.
To improve support for Security Information and Event Management (SIEM) products, you can check individual event types in this section to have them automatically written to the server’s Windows Event Log as well as OVERLAPS’ own history log. These can then be more easily captured or monitored for security alerts and auditing purposes.
Simply check the box for each event you want to have added to the Event Log or use the Select All/None links to enable/disable all events being sent to the Event Log.
Change this to modify how often OVERLAPS performs a full scan of Active Directory for changes to its structure. Changes it looks for include: new Organisational Units (OUs), removed OUs, and moved or renamed OUs.
Finding the correct values for this will depend on many things including the overall size of your domain, and how frequently it changes.
Note that this only covers the full scan and refresh of the AD structure. In addition to this, OVERLAPS attempts to check AD for specific changes every 30 minutes.
Check this box to have OVERLAPS automatically carry out a full Active Directory structure scan whenever the service reloads. This is not usually needed but can be used in combination with the Update Frequency to more accurately control when a scan takes place.
Check this box to request an Active Directory structure scan at the next available opportunity (usually within a few minutes).
To decrease overhead on the login process, OVERLAPS periodically scans any groups that have been added for new users or users that have been removed. Set this value to control how often this happens.
Note that this is not required for new group members logging in the first time, but is more important for preventing users who have been removed from a group from logging in.
Here you will see a list of all domains that OVERLAPS has detected in your forest, and any forests with which you have a trust relationship. Each domain can be enabled or disabled for use or access within OVERLAPS.
Note that the current root domain cannot be disabled.
By default, the OVERLAPS server’s LOCAL SYSTEM account is used to query Active Directory. However, in environments where this is not practical, you can provide the credentials of an alternate Service Account here. OVERLAPS will then use this account when retrieving any information from Active Directory.
Note that these credentials are stored encrypted in the OVERLAPS database.
In order to maximise the level of support for all possible Active Directory configurations, OVERLAPS supports all three principal means of querying it:
- Lightweight Directory Access Protocol (LDAP)
- Directory Searchers
- Security Principals
By default, OVERLAPS will prefer the more direct LDAP protocol, but has Security Principals set up as a failover should this not work for some reason. However, you can select the primary and secondary methods used for User, Group and Computer operations as best suits your environment.
Generally speaking, these should be left as the defaults unless you are experiencing problems when adding users or getting the members of groups. If you have any doubts, please contact our Support Team for assistance (Getting Support).
This section is provided for current and future workarounds we may deploy to resolve issues in very specific domain environments. These options should generally only be modified if you encounter an issue that you feel may be related. If you have any doubts, or would like to know more about a specific setting, please contact our Support Team (Getting Support).
Enable Multi-Forest Authentication
This option is for environments with more than one Active Directory forest where users of different (trusted) forests need to log in to OVERLAPS. Enabling this feature will allow you to add groups and users from the other forests in your network.
Measure Query Performance
If checked, most Active Directory operations will be measured to help locate bottlenecks. This information is only written to the log, and only if the Log Level is set to Debug. Note that enabling this feature may also impact the performance of your OVERLAPS server.
Allow users with the Read Computer Information permission to access Bitlocker Recovery Keys
If checked, any users who have the "Read Computer Information" permission to a container will also be able to retrieve a computer's Bitlocker Recovery Key from the Computer Information window.
This requires additional Active Directory permissions for the OVERLAPS service. For more information on the permissions and how to set them, see Active Directory -> Bitlocker Recovery Key Permissions.
Default Search Container
Sets the default container that the Search window will be set to use when looking up computers (this container and any children beneath it). Note that users can override this setting when performing a search.
Click Browse to show a tree for you to select a container from. Clicking Clear Setting removes this default.
This section allows you to modify the branding text in the main menu.
The View Password window in OVERLAPS supports showing the password using a Phonetic Alphabet (e.g. Alpha, Bravo, etc.). We have provided a series of standard phonetic alphabets to choose between here.
The Phonetic Alphabet information is loaded from text files located in:
C:\Program Files (x86)\OVERLAPS\Lang\PasswordAlphabets
You can modify these or create your own in any text editor (such as Notepad). The format required is:
- One character per line.
- First enter the character to be replaced, then a tab character, and then the phonetic alternative to replace the character with.
- The case of the letter is shown by changing the case of the phonetic replacement, so only lowercase values are permitted (everything is converted to lowercase on load).
- Some punctuation is allowed, but to avoid display errors some characters may be removed or encoded.
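The following is an added example, not code from OVERLAPS or its vendor: a pre-deployment check for a custom alphabet file that applies the format rules above and then spells out a password with the result. The sample content, the function names, the handling of duplicate entries and the rendering of upper-case letters as an upper-cased word are assumptions made for illustration.

```python
# Added example: lint a custom phonetic alphabet file before copying it
# into the PasswordAlphabets folder. SAMPLE is constructed test data.
SAMPLE = (
    "a\talpha\n"
    "b\tbravo\n"
    "C\tCharlie\n"   # upper case is accepted but lowercased on load
    "1\tone\n"
    "xx\tbad\n"      # more than one character before the tab
    "d delta\n"      # a space was typed instead of a tab
    "a\tagain\n"     # duplicate entry for a character already defined
)

def load_alphabet(text):
    """Return (mapping, problems) for the text of an alphabet file."""
    mapping, problems = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # ignore blank lines
        parts = line.split("\t")
        if len(parts) != 2 or len(parts[0]) != 1 or not parts[1].strip():
            problems.append((number, "expected <character><TAB><word>"))
            continue
        # Everything is converted to lowercase on load, as the page states.
        char, word = parts[0].lower(), parts[1].strip().lower()
        if char in mapping:
            # Assumption: the page does not say how duplicates are treated,
            # so this check flags them instead of silently overwriting.
            problems.append((number, "duplicate entry for %r" % char))
            continue
        mapping[char] = word
    return mapping, problems

def spell(password, mapping):
    """Spell a password; letter case is carried by the case of the word."""
    words = []
    for ch in password:
        word = mapping.get(ch.lower())
        if word is None:
            words.append(ch)            # no entry: keep the raw character
        elif ch.isupper():
            words.append(word.upper())  # assumed rendering for upper case
        else:
            words.append(word)
    return words

if __name__ == "__main__":
    table, issues = load_alphabet(SAMPLE)
    for number, message in issues:
        print("line %d: %s" % (number, message))
    print(" ".join(spell("aB1!", table)))
```

Running the check against a file saved from an editor that converts tabs to spaces reports every affected line, which is the most common way a hand-edited alphabet file ends up malformed.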
If you have configured LAPS to generate particularly long random passwords (27 characters or more), the password view dialog may require users to scroll to see the full password. Checking this box will tell OVERLAPS to use a wider window on displays that support it so that the full password can be viewed.
You can use this to modify the default system language used by OVERLAPS. This will act as the default language in cases where a user has not selected a language in their profile, and where their web browser does not suggest a valid language code to use.
Change this to your preferred local date format.
If the format you prefer is not found in the list, it can be customised using standard Date format notation in the Configuration Utility’s Settings tab (remember to reload the OVERLAPS service after modifying it).
By default, OVERLAPS will use the local time zone of the server it is installed on when displaying times. However, if you operate across multiple time zones and would prefer to use UTC then simply uncheck this box.
Allows you to configure the Computer Management worker to match the performance of your server. If you notice many Computer Management tasks backing up, you can try increasing this to process them faster if your server has sufficient resources.
This globally enables or disables the different Computer Management Task tools. Permission must be granted to use the tools on a per-container basis from the Permissions screen.