Password Manager 4

Deployment Guide
Note: Before using this information and the product it supports, read the general information in Appendix A
Notices on page 13.

First Edition (September 2012)

Copyright Lenovo 2012.

LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration
GSA contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents
Preface . . . . . . . . . . . . . . . . . . ii Chapter 3. Command line tool . . . . . 7
Chapter 1. Overview. . . . . . . . . . . 1 Chapter 4. Active Directory support . . 9
Defining manageable settings . . . . . . . . . . 9
Chapter 2. Installation . . . . . . . . . . 3 Authentication policies . . . . . . . . . . . 10
Installation requirements . . . . . . . . . . . . 3 User interface policies. . . . . . . . . . . . 10
Custom public property . . . . . . . . . . . . 3
Upgrade and compatibility . . . . . . . . . . . 3 Appendix A. Notices . . . . . . . . . . 13
Manual upgrade . . . . . . . . . . . . . 4 Trademarks . . . . . . . . . . . . . . . . 14
Auto upgrade . . . . . . . . . . . . . . 5

Copyright Lenovo 2012 i

Preface
Information presented in this guide is to support Lenovo computers installed with the ThinkVantage
Password Manager 4 program (hereafter refer to as Password Manager).

This guide is intended for IT administrators, or those responsible for deploying Password Manager 4
throughout their organizations. If you have suggestions or comments, communicate with your Lenovo
authorized representative. This guide is updated periodically, and you can check the latest version on the
Lenovo Web site at http://www.lenovo.com/support.

For questions and information about using Password Manager, refer to the Password Manager help system.
Chapter 1. Overview
This chapter provides an overview of Password Manager 4. Password Manager enables you to manage
easy-to-forget account information for accessing and managing applications and Web sites, such as user
IDs, passwords, and other personal information. Password Manager protects your personal information so
that the access to your applications and Web sites remain secure. Password Manager also saves you time
and effort because you only have to remember the Windows password or provide your fingerprint.

Password Manager enables you to perform the following:

Encrypt all stored information through the Windows CAPI
Password Manager automatically encrypts all of your information through Windows Computer Assisted
Personal Interviewing (CAPI). Your sensitive password information is secured by 256-bit key Advanced
Encryption Standard (AES) with Microsoft CryptoAPI.
Autofill user IDs and passwords
Password Manager automates your login process when you access an application or a Web site. If your
logon information has been stored into Password Manager, Password Manager can automatically fill in
the required fields and enable you to log in to the Web site or application.
Edit entries using the Password Manager interface
Password Manager enables you to edit your account entries and set up all optional features in one
easy-to-use interface. This interface makes managing your passwords and personal information quick
and easy. At the same time, most entry-related changes can be detected automatically by Password
Manager, which enables the user to update their entries with less work.
Save your information without any extra steps
Password Manager can automatically detect when sensitive information is being sent to a Web site or an
application. When the detection is made, Password Manager prompts the user to save the information,
thus simplifying the process of storing sensitive information.
Save any information into a secure note
With Password Manager, you can save any textual data in secure notes. The secure notes can be
protected with the same level of security as any of the other Web site or application entries.
Export and import logon information
Password Manager enables you to export your sensitive personal information so that you can securely
carry it from one computer to another. When you export your logon information from Password Manager,
a password-protected export file that can be stored on removable media is created. You can use this
export file to access your personal information anywhere you go, or to import your entries into another
computer with Password Manager.

Copyright Lenovo 2012 1

2 Password Manager 4 Deployment Guide
Chapter 2. Installation
This chapter provides instructions for installing Password Manager.

Before installing Password Manager, it is recommended that you understand the architecture of the program.
This chapter explains the architecture of Password Manager, and provides additional information that
you need before installing the program.

The Password Manager setup package was developed as a Basic MSI project using InstallShield.
InstallShield uses the Windows Installer to install applications, which gives administrators many capabilities
to customize installations, such as setting property values from the command line. This chapter describes
ways to use and execute the Password Manager setup package. For a better understanding, read the entire
chapter before you begin to install the package.

Installation requirements
This topic explains the system requirements for installing the Password Manager setup package. For best
results, go to the following Web site to ensure that you have the latest version:
http://support.lenovo.com/en_US/downloads/detail.page?LegacyDocID=MIGR-61432

Lenovo-branded computers must meet or exceed the following requirements to install Password Manager:
Operating system: Microsoft Windows 8 or Windows 7 (.NET Framework 3.5 or a later version is required)
Memory: 256 MB
In shared memory configurations, the BIOS setting for maximum shared memory must be set to no
less than 8 MB.
In non-shared memory configurations, 120 MB of non-shared memory is required.
300 MB of free space on your hard disk drive
VGA-compatible video that supports a resolution of 800 by 600 pixels and 24-bit color
The user must have administrative privileges to install Password Manager.

Custom public property

The Password Manager setup package contains a custom public property that can be set on the command
line when running the installation. The following table explains the custom public property for the Windows
operating systems.

Table 1. Custom public property

Property Description
CREATESHORTCUT Set CREATESHORTCUT=1 on the command line to add an entry to the Start menu.

Upgrade and compatibility

If you are going to install Password Manager 4 on a computer with Password Manager 3 or Client Security
Solution installed, a message will be displayed indicating that the upgrade is not supported. You will be
prompted to manually export your data to a password-protected export file and then uninstall Password
Manager 3 or Client Security Solution from your computer. After you install Password Manger 4, you can
manually import your data into Password Manager 4 using the export file.

Copyright Lenovo 2012 3

If you are going to install Password Manager 3 or Client Security Solution on a computer with Password
Manager 4 installed, an error will be displayed and the installation will be stopped.

Manual upgrade
This topic provides instructions on how to manually install Password Manager 4 on a computer with
Password Manager 3 or Client Security Solution installed.

To manually install Password Manager 4, do the following:

1. Export your password entry list.
a. Log in to your computer with the user account in which your password entry list has been saved.
b. Launch Password Manager 3 or Client Security Solution installed on your computer.
c. Click Import/Export on the menu bar, and select Export Entry List.
d. Provide the file name, and save it as an EXE file or a PWM file.
e. Enter a password to protect the export file.

Notes:
The EXE file is a portable export file. You can browse your saved password entry list by running
the EXE file without installing Password Manager. You can use either the EXE file or the PWM file
to import your password entry list into Password Manager 4.
If there are other user accounts on this computer, log in to each user account and repeat the
above steps to export the password entry lists.
2. Uninstall Password Manager 3 or Client Security Solution.
a. Click Uninstall a program from Control Panel.
b. Double-click Client Security - Password Manager, and click Uninstall.
c. Follow the instructions on the screen to complete the uninstall process, and restart your computer.
3. Install Password Manager 4.
a. Go to:
http://support.lenovo.com/en_US/downloads/detail.page?LegacyDocID=MIGR-61432
b. Go to the Password Manager section and click the version link.
c. Open the Password Manager readme file and follow the instructions in the file to install the program.
d. Restart your computer.
4. Import your password entry list.
a. Launch Password Manager 4.
b. Click Import/Export on the menu bar. The Import/Export wizard starts.
c. Click Import passwords from a back-up file and click Next.
d. Type the export file name or click Browse to locate and select the export file. Click Next.
e. Select Merge with existing passwords or Overwrite existing passwords depending on your
needs.
f. Click Next. Then, type the password that protects your export file in the Enter the password field.
g. Click Finish. A message is displayed to indicate that your logon information has been imported
successfully. Click OK to close the Import/Export wizard.

Notes: If you forget to export the password entry list before upgrading to Password Manager 4, do the
following:
1. Uninstall Password Manager 4.
2. Install Password Manager 3 or Client Security Solution.

4 Password Manager 4 Deployment Guide

 3. Follow the instructions in this topic to export your password entry list from Password Manager 3 or
Client Security Solution and then import it into Password Manager 4.

Auto upgrade
This topic provides instructions on how to automatically install Password Manager 4 on a computer with
Password Manager 3 or Client Security Solution installed.

Note: The following procedure can migrate the password entries of the urrent logged-in user only.

To automatically install Password Manager 4, do the following:

1. Download the Auto Upgrade Tool package from the following Lenovo Support Web site:
http://support.lenovo.com/en_US/downloads/detail.page?LegacyDocID=MIGR-61432
2. Double-click the downloaded package.
3. Follow the instructions on the screen to complete the upgrade.

Chapter 2. Installation 5
6 Password Manager 4 Deployment Guide
Chapter 3. Command line tool
Password Manager features also can be implemented locally or remotely by corporate IT administrators
through the command-line interface. This chapter provides information about the command line tool.

Import/Export password database file

Use the following command to import and export password entries:

"C:\Program Files <x86>\Lenovo\Password Manager\pwm_utility.exe" /?

The following table explains the parameters.

Parameters Results
/h or /? Display the help message
FilePath Specify the file name and file path of the password database to be imported or exported
/e Export the password database file
/i Import the password database file
password Specify the password for the password-protected database file
merge Merge the imported password database record with existing password entries.

The following command is an example showing how to import the password database file
mypassword_upgrade.pwm with a protected password as 123456:

pwm_utility.exe /i filepath="%temp%\mypassword_upgrade.pwm" password="123456"

Note: The password database file exported from Password Manager 3 or Client Security Solution can be
imported into Password Manager 4. However, the password database file exported from Password Manager
4 cannot be imported into Password Manager 3 or Client Security Solution.

Copyright Lenovo 2012 7

8 Password Manager 4 Deployment Guide
Chapter 4. Active Directory support
The ADM (Administrative) template file defines policy settings used by applications on client computers.
Policies are specific settings that govern the application behavior. Policy settings also define whether the
user will be allowed to set specific settings through the application.

Settings defined by an administrator on the server are defined as policies. Settings defined by a user on the
client computer for an application are defined as preferences. As defined by Microsoft, policy settings take
precedence over preferences. For example, a user might put a background image on the desktop. This is
a user preference. An administrator might define a setting on the server dictating that a user must use a
specific background image. The administrators policy setting overrides the user preference.

When a ThinkVantage program checks for a setting, it looks for the setting in the following order:
Computer policies
User policies
Default user policies
Computer preferences
User preferences
Default user preferences

As described previously, all policies, including computer policies and user policies, are defined by the
administrator. These settings can be initialized through the XML configuration file or through a Group Policy
in Active Directory. Computer and user preferences are set by the user on the client computer through
options in the application interface. Default user preferences are initialized by the XML configuration script.

Users do not change the values directly. Changes made to these settings by a user will be updated in the
user preferences. Customers not using Active Directory can create a default set of policy settings to be
deployed to client computers. Administrators can modify XML configuration scripts and specify that they be
processed during the installation of the program.

Defining manageable settings

You can set the Password Manager policies in the Group Policy editor. The following example shows the
location where you can find the Fingerprint Frequency option in the Group Policy editor.

Example:
Computer Configuration Administrative Templates ThinkVantage Password Manager
Authentication Policies Fingerprint Frequency

The ADM files indicate where in the registry the settings will be reflected. These settings will be in the
following registry locations:

Settings Registry locations

Computer policies HKLM\Software\Policies\Lenovo\Password Manager\
User policies HKCU\Software\Policies\Lenovo\Password Manager\
Default user policies HKLM\Software\Policies\Lenovo\Password Manager\User defaults
Computer preferences HKLM\Software\Lenovo\Password Manager\

Copyright Lenovo 2012 9

 Settings Registry locations
User preferences HKCU\Software\Lenovo\Password Manager\
Default user preferences HKLM\Software\Lenovo\Password Manager\User defaults

Authentication policies
You can set the authentication policies in the following directory in the Group Policy editor:
For computer policies: Computer Configuration Administrative templates ThinkVantage
Password Manager Authentication policies
For user policies: User Configuration Administrative templates ThinkVantage Password
Manager Authentication policies

The following table provides values and settings for the preceding authentication levels.

Table 2. Authentication policy settings

Policy Description
Fingerprint Frequency Controls whether fingerprint is required.

You can set the frequency to either Every time or Once per logon.
Override Defines back-up authentication requirements if the normal authentication fails.

User interface policies

You can set the user interface policies in the following directory in the Group Policy editor:
For computer policies: Computer Configuration Administrative templates ThinkVantage
Password Manager User interface
For user policies: User Configuration Administrative templates ThinkVantage Password
Manager User interface

The following table provides policy settings for the user interface.

Table 3. User interface policy settings

Policy Description
Import Export option Show, gray, or hide the Import/Export button in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.0 or a later version

Settings option Show, gray, or hide the Settings button in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.0 or a later version

General tab option Show, gray, or hide the General settings page in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

10 Password Manager 4 Deployment Guide

Table 3. User interface policy settings (continued)
Policy Description
Restricted Web sites tab option Show, gray, or hide the Restricted sites option in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Restricted applications tab option Show, gray, or hide the Restricted applications option in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Authentication tab option Show, gray, or hide the Authentication option in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Advanced tab option Show, gray, or hide the Advanced option in Password Manager.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

IE Support option Show, gray, or hide the option to enable or disable Internet Explorer support in
the Settings windows.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Firefox support option Show, gray, or hide the option to enable or disable Firefox support in the
Settings window.

Default: Show
Chrome support option Show, gray, or hide the option to enable or disable Google Chrome support in
the Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Windows application support option Show, gray, or hide the option to enable or disable Windows application
support in the Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Autofill option Show, gray, or hide the option to select domain or URL auto-fill in the Settings
window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Chapter 4. Active Directory support 11

Table 3. User interface policy settings (continued)
Policy Description
Number of shortcuts option Show, gray, or hide the list box for setting the number of Web site shortcuts in
the Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Add restricted URL option Show, gray, or hide the edit box and button for adding restricted URL in the
Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Remove restricted URL option Show, gray, or hide the button for removing restricted URLs in the Settings
window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Always prompt for authentication Show, gray, or hide the Always prompt for authentication check box in the
option Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Option for enabling password use if Show, gray, or hide the controls for enabling password use if the fingerprint
fingerprint reader is not working reader is not working in the Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Enable/Disable Password Manager Show, gray, or hide the option to enable or disable Password Manager in the
option Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Clear passwords option Show, gray, or hide the Clear passwords button in the Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

Reset settings option Show, gray, or hide the Reset settings button in the Settings window.

Default: Show

Note: Applicable on Password Manager 4.1 or a later version

12 Password Manager 4 Deployment Guide

Appendix A. Notices
Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult
your local Lenovo representative for information on the products and services currently available in your
area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that
Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service
that does not infringe any Lenovo intellectual property right may be used instead. However, it is the users
responsibility to evaluate and verify the operation of any other product, program, or service.

Lenovo may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not give you any license to these patents. You can send
license inquiries, in writing, to:
Lenovo (United States), Inc.
1009 Think Place - Building One
Morrisville, NC 27560
U.S.A.
Attention: Lenovo Director of Licensing

LENOVO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow
disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

The products described in this document are not intended for use in implantation or other life support
applications where malfunction may result in injury or death to persons. The information contained in this
document does not affect or change Lenovo product specifications or warranties. Nothing in this document
shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo
or third parties. All information contained in this document was obtained in specific environments and is
presented as an illustration. The result obtained in other operating environments may vary.

Lenovo may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.

Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in
any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of
the materials for this Lenovo product, and use of those Web sites is at your own risk.

Any performance data contained herein was determined in a controlled environment. Therefore, the result
obtained in other operating environments may vary significantly. Some measurements may have been
made on development-level systems and there is no guarantee that these measurements will be the same
on generally available systems. Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should verify the applicable data for their
specific environment.

Copyright Lenovo 2012 13

Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Lenovo
ThinkVantage

Microsoft, Internet Explorer, and Windows are trademarks of the Microsoft group of companies.

Other company, product, or service names may be trademarks or service marks of others.

14 Password Manager 4 Deployment Guide

Part Number:

Printed in

(1P) P/N:

*1P*