9.3Settings

The settings section provide access to OVERLAPS’ main configuration options.

9.3.1Security

9.3.1.1Organizational Unity Visibility

By default, if a user does not have permission to access a container above the current container, it will still appear in the breadcrumbs on the computer list screen so that users are given a more complete view of the Active Directory structure. Any containers for which they do not have access cannot be clicked on, they are simply there for reference, as shown below.

Breadcrumbs showing containers which the user does not have permission to view

However, by checking the Hide Organizational Units that a user doesn’t have permission to access box these containers will no longer appear in the breadcrumbs, instead only the containers that the user has permission to read will be shown.

9.3.1.2Notifications Require "View History" Permission

If unchecked, any user with permission to read computer passwords (with or without authorisation) can set up notifications for events occuring in a container (such as other users reading a computer's password). By checking this box, they will only be allowed to do this if they also have permission to view the History page.

9.3.1.3Authorisation Requests

9.3.1.3.1Authorisation Request Expiry

By default, requests to view a computer’s password which have been authorised will expire as soon as that password is viewed by the Requestor. This means that if the Requestor attempts to view the password again, they will need to submit another request first.

If you would like to add a grace period to this, change this value to the number of minutes you would like the Requestor to be able to continue to view the password again after viewing it the first time.

This does not prevent a user from keeping the view password window open but will stop them from re-opening it once the expiry period has passed.

9.3.1.3.2Authorisation Request Maximum Age

Change this value (shown in minutes) to specify how long Authorisation Requests are kept before they are automatically cleaned up (deleted). This defaults to 1440 minutes (24 hours).

Authorisation Requests older than this will be deleted regardless of their status.

9.3.1.3.3Send a copy of all Authorisation Requests to this email address

By default, when a user submits an Authorisation Request to view or expire a computer's password, the request is emailed to all users marked as an Authorisor for that container. This option allows you to also send a copy of the request to another email address, such as a shared mailbox.

You can combine this with the Do not email Authorisers individually checkbox to only use this address to send requests to.

9.3.1.4Two Factor Authentication Settings

9.3.1.4.1OVERLAPS Identification for Authenticator Apps

By default, when a user enables Two Factor Authentication (2FA), OVERLAPS will identify itself in their Authenticator app as “OVERLAPS”. However, if you are running more than one OVERLAPS server, this can become confusing.

Changing this setting allows you to specify a custom identifier that will be used whenever a user enables 2FA. Note that this only works when using the QR code to register OVERLAPS in an authenticator app as the manual code allows you to enter any text as the identifier.

9.3.1.4.2Enforce Two Factor Authentication for All Users

If this option is ticked, the next time any user without 2FA currently enabled logs in they will be prompted to enable it and given a QR Code to enter into their Authenticator app. Once done, they will then be required to enter a code from that app before they can complete the login.

Any users without an access to an authenticator app will be unable to login if this option is enabled.

9.3.1.4.3Maximum Days to Remember Devices

Set how long (in days) a device will be remembered when the user selected the "Remember this Device" option when completing a 2FA login. Once this period has expired the user will be required to enter a 2FA code again. This is 30 days by default, and can be set to any value between 1 and 90 days.

9.3.1.4.4Recommended Authenticator Apps

Enable or disable which TOTP authenticator apps are shown to users when they go to enable Two Factor Authentication.

9.3.1.4.5Custom Authenticator App

If the Authenticator app used by your company is not shown in the list above you can add it yourself by supply its name, and a link to where it can be downloaded on either the Apple App Store and/or the Google Play Store.

If you want this included in the main list instead, just email us the details to support@int64software.com and we will check to make sure it is appropriate and add it to the list if approved.

9.3.2Password Expiration Options

9.3.2.1Automatic Password Expiry

By default, Microsoft LAPS will automatically reset your passwords based on the schedule defined in Group Policy. Instead of waiting for this, you can use these settings to automatically expire passwords after a certain amount of time has passed from when they were last accessed.

There are two values to set: one for the normal accessing of passwords through the Computer Browser, and one for users who access passwords through Self Service.

Note that this will set the passwords to expire after the given amount of time from when they are accessed, but passwords are only actually reset on a Group Policy update on the computer itself.

9.3.2.2Allow All Users to Specify an Expiry Date and Time

If enabled, when expiring a computer’s LAPS-managed password, all users will be able to specify a date and time that the password should expire (instead of immediately).

9.3.2.3Maximum Expiry Period

Specifies how many days in the future that a password can be set to expire. This should not be more than your Group Policy setting for LAPS password age.

9.3.3Logging and History

9.3.3.1Log Level

Specifies what level of information is saved to the log file. This is Information by default but can be increased to Verbose when debugging is required or lowered to keep the size of the log file down.

This can also be set to the absolute highest level of Debug when an extra level of detail is required, but as this may output confidential information to the log file (not passwords), it should only be enabled for short periods of time.

Note that the log level is automatically increased to Verbose for one week after any new installation or upgrade to aid our Support Team in case of any installation issues that may arise.

9.3.3.2Delete History Data Older Than This

The amount of time to keep data in the History log before it is deleted. You can customise this depending on your space limitations, amount of activity, and Data Protection laws. The valid values are anywhere from a single day up to 5 years.

9.3.3.3Windows Event Log

To improve support for Security Information and Event Management (SIEM) products, you can check individual event types in this section to have them automatically written to the server’s Windows Event Log as well as OVERLAPS’ own history log. These can then be more easily captured or monitored for security alerts and auditing purposes.

Simply check the box for each event you want to have added to the Event Log or use the Select All/None links to enable/disable all events being sent to the Event Log.

9.3.3.4Password History

Occasionally the need arises to see what a computer's password used to be, such as when System Restore is used and the password in AD is no longer correct. Enabling this option (by setting its value to more than 0) tells OVERLAPS that you would like it to store a copy of the passwords so that you can look back using the Password History tab and page.

If enabled, OVERLAPS scans Active Directory each night for computers that have changed. It then retrieves their passwords, encrypts them, and writes them to its database for access later.

This is currently an experimental feature.

9.3.4Active Directory

9.3.4.1Active Directory Structure Update Frequency

Change this to modify how often OVERLAPS performs a full scan of Active Directory for changes to its structure. Changes it looks for include: new Organisational Units (OUs), removed OUs, and moved or renamed OUs.

Finding the correct values for this will depend on many things including the overall size of your domain, and how frequently it changes.

Note that this only covers the full scan and refresh of the AD structure. In addition to this, OVERLAPS attempts to scan AD for specific changes every 30 minutes.

By default this is set to "Every day (during the night only)".

9.3.4.2Automatically Scan On Service Start

Check this box to have OVERLAPS automatically carry out a full Active Directory structure scan whenever the service reloads. This is not usually needed but can be used in combination with the Update Frequency to more accurately control when a scan takes place.

9.3.4.3Schedule Scan Now

Check this box to request an Active Directory structure scan at the next available opportunity (usually within a few minutes).

9.3.4.4Group Refresh Frequency

To decrease overhead on the login process, OVERLAPS periodically scans any groups that have been added for new users or users that have been removed. Set this value to control how often this happens.

Note that this is not required for new group members logging in the first time, but is more important for preventing users who have been removed from a group from logging in.

9.3.4.5Active Directory Domains

Here you will see a list of all domains that OVERLAPS has detected in your forest, and any forests with which you have a trust relationship. Each domain can be enabled or disabled for use or access within OVERLAPS.

Note that the current root domain cannot be disabled.

9.3.4.6Active Directory Credentials

By default, the OVERLAPS server’s LOCAL SYSTEM account is used to query Active Directory. However, in environments where this is not practical, you can provide the credentials of an alternate Service Account here. OVERLAPS will then use this account when retrieving any information from Active Directory.

Note that these credentials are stored encrypted in the OVERLAPS database.

9.3.4.7Directory Connection Priority

In order to maximum the level of support for all possible Active Directory configurations, OVERLAPS supports all three principal means of querying it:

Lightweight Directory Access Protocol (LDAP)
Directory Searchers
Security Principals

By default, OVERLAPS will prefer the more direct LDAP protocol, but have Security Principals setup as a failover should this not work for some reason. However, you can select the primary and secondary methods used for User, Group and Computer operations as best suit your environment.

Generally speaking, these should be left as the defaults unless you are experiencing problems when adding users or getting the members of groups. If you have any doubts, please contact our Support Team for assistance (Getting Support).

9.3.4.8Workarounds

This section is provided for current and future workarounds we may deploy to resolve issues in very specific domain environments. These options should generally only be modified if you encounter an issue that you feel may be related. If you have any doubts, or would like to know more about a specific setting, please contact our Support Team (Getting Support).

9.3.4.8.1Enable Multi-Forest Authentication

For environments with more than one Active Directory forests and the need for users of different (trusted) forests to login to OVERLAPS. Enabling this feature will allow you to add groups and users from the other forests in your network.

9.3.4.8.2Measure Query Performance

If checked, most Active Directory operations will be measured to help locate bottlenecks. This information is only written to the log, and only if the Log Level is set to Debug. Note that enabling this feature may also impact the performance of your OVERLAPS server.

9.3.4.8.3Allow users with the Read Computer Information permission to access Bitlocker Recovery Keys

If checked, any users who have the "Read Computer Information" permission to a container will also be able to retrieve a computer's Bitlocker Recovery Key from the Computer Information window.

This requires additional Active Directory permissions for the OVERLAPS service. For more information on the permissions and how to set them, see Active Directory -> Bitlocker Recovery Key Permissions.

9.3.4.8.4Default Search Container

Sets the default container that the Search window will be set to use when looking up computers (this container and any children beneath it). Note that users can override this setting when performing a search.

The Container Limit Dropdown when Searching

Click Browse to show a tree for you to select a container from. Clicking Clear Setting removes this default.

9.3.5Customisation

9.3.5.1Branding

This section allows you to modify the branding text in the main menu.

9.3.5.2Password Phonetic Alphabet

The View Password window in OVERLAPS supports showing the password using a Phonetic Alphabet (e.g. Alpha, Bravo, etc.). We have provided a series of standard phonetic alphabets to choose between here.

The Phonetic Alphabet information is loaded from text files located in:

C:\Program Files (x86)\OVERLAPS\Lang\PasswordAlphabets

You can modify these or create your own in any text editor (such as Notepad). The format required is:

One character per line.
First enter the character to be replaced, then a tab character, and then the phonetic alternative to replace the character with.
The case of the letter is shown by changing the case of the phonetic replacement, so only lowercase values are permitted (everything is converted to lowercase on load).
Some punctuation is allowed, but to avoid display errors some characters may be removed or encoded.

9.3.5.3Use Large Password Dialog

If you have configured LAPS to generate particularly long random passwords (27 characters or more), the password view dialog may require users to scroll to see the full password. Checking this box will tell OVERLAPS to use a wider window on displays that support it so that the full password can be viewed.

9.3.5.4System Language

You can use this to modify the default system language used by OVERLAPS. This will act as the default language in cases where a user has not selected a language in their profile, and where their web browser does not suggest a valid language code to use.

9.3.5.5Date Format

Change this to your preferred local date format.

If the format you prefer is not found in the list, it can be customised using standard Date format notation in the Configuration Utility’s Settings tab (remember to reload the OVERLAPS service after modifying it).

9.3.5.6Use Local Time (Server Time)

By default, OVERLAPS will use the local time zone of the server it is installed on when displaying times. However, if you operate across multiple time zones and would prefer to use UTC then simply uncheck this box.

9.3.6Computer Management

9.3.6.1Management Thread Settings

Allows you to configure the Computer Management worker to match the performance of your server. If you notice many Computer Management tasks backing up, you can try increasing this to process them faster if your server has sufficient resources.

9.3.6.2Computer Management Tools

This globally enables or disables the different Computer Management Task tools. Permission must be granted to use the tools on a per-container basis from the Permissions screen.

This document was last updated on the 23rd September 2021

No part of this documentation may be reproduced or transmitted in any form or by any means, or stored in any retrieval system of any nature without the prior written permission of Int64 Software Limited, except for permitted fair dealing under the Copyright, Designs and Patents Act 1988.

Int64 Software Limited does not assume or accept any liability for any loss or damage of any kind to any person that may arise as a result of that person (or any other person) using this documentation or acting or refraining from action in reliance on any information (including expressions of opinion) contained in this document. This limitation/exclusion of liability does not apply in the case of death or personal injury caused by negligence on the part of Int64 Software Limited, or to the extent (if any) that a limitation and/or exclusion in these terms is not permitted under applicable law.