
Windows / Active Directory Integration

AD target system

Hitachi ID Password Manager includes two connectors for Active Directory:

  • A domain-level connector, which addresses objects in one domain at a time.
  • A forest-level connector, which addresses objects across multiple domains.

Either connector will work with all available versions of Windows and Active Directory. Both include advanced features:

  • Enumerate accounts, attributes, groups and group memberships.
  • Reset passwords and optionally set them to expire.
  • Detect and clear intruder lockouts.
  • Detect and set password expiry dates.
  • Filter in-scope users by group or OU.

Triggering Password Synchronization

Native password changes made on Windows servers and domain controllers can trigger transparent password synchronization.

Updating Cached Credentials

After a password change with a web-based password management system, the cached credentials on a user's PC will be different than the user's new domain password:

  • When a user signs into Windows, Windows stores his domain login ID and password in a cache in memory and in the registry.

  • When the user signs into other Windows resources (e.g., shares, printers, Outlook/Exchange mail boxes, IIS web sites), Windows first tries its cached domain password and, if this fails, Windows prompts the user to type the correct password.

  • If the user changes his domain password from the PC with the Ctrl-Alt-Delete process, Windows updates both the domain password and the locally cached password -- there is no problem.

  • If the help desk, another PC or a web application changes the user's password on the domain, then the cached password on the user's PC will be wrong. Subsequent attempts by the user to access network resources will cause the OS to provide the (wrong) cached password, will fail and will increment the user's "failed login attempts" counter. This pattern of activity can ultimately trigger an intruder lockout for the user.

  • Intruder lockouts feed back to the help desk as increased call volume.

If a user signs off and back on after a web-based password change, the Windows cache is refreshed and the intruder lockout problem described above is averted. This approach is not user-friendly, however.

To eliminate this problem without forcing users to sign off and back on, Password Manager includes an ActiveX component that can silently update the user's Windows password cache after a web-based password change.

The cache-updating ActiveX component works on Windows XP, Vista and 7 PCs.
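The failure pattern described above can be replayed against an Active Directory style lockout policy to see why a stale cached password on one PC ends in a lockout, and what a help desk or SOC analyst can look for to tell that case apart from a genuine guessing attack. The following is an added illustration for this page, not Hitachi ID code; the lockout threshold, observation window, user names, workstation names and timestamps are all constructed, and the counter semantics modelled (a bad-password count that is reset by a successful logon or once the last bad password is older than the observation window) are the documented AD behaviour, simplified to a single domain controller with no lockout duration.

```python
from datetime import datetime, timedelta

# Assumed domain lockout policy values (constructed for this illustration).
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)


def evaluate_lockouts(attempts, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Replay credential-validation attempts against an AD-style lockout policy.

    attempts: iterable of (timestamp, user, source_host, succeeded), in time order.
    Returns {user: {"bad_count", "last_bad", "locked_at", "sources"}}.
    The bad-password counter is reset by a successful logon, and is also reset
    when the previous bad password is older than the observation window. Once
    the threshold is reached the account is marked locked and later attempts
    are ignored (no lockout duration is modelled here).
    """
    state = {}
    for ts, user, host, succeeded in attempts:
        s = state.setdefault(user, {"bad_count": 0, "last_bad": None,
                                    "locked_at": None, "sources": set()})
        if s["locked_at"] is not None:
            continue                       # already locked out
        if succeeded:
            s["bad_count"] = 0             # good logon resets the counter
            continue
        if s["last_bad"] is not None and ts - s["last_bad"] > window:
            s["bad_count"] = 0             # counter aged out of the window
        s["bad_count"] += 1
        s["last_bad"] = ts
        s["sources"].add(host)
        if s["bad_count"] >= threshold:
            s["locked_at"] = ts
    return state


def stale_cache_suspects(state):
    """Locked accounts whose failures all come from a single host: the signature
    of one PC re-offering an old cached password, rather than a spread of sources."""
    return sorted(u for u, s in state.items()
                  if s["locked_at"] is not None and len(s["sources"]) == 1)


def build_scenario():
    """Constructed authentication events for four users after 09:00 password changes."""
    t0 = datetime(2024, 1, 15, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    events = []
    # alice: password reset via the web at 09:00; WS-ALICE keeps offering the old
    # cached password every few minutes when it reconnects to shares and mail.
    for n in (2, 7, 12, 17, 22, 27):
        events.append((m(n), "alice", "WS-ALICE", False))
    # bob: changed his password with Ctrl-Alt-Delete, so the cache was updated too.
    for n in (3, 8, 13):
        events.append((m(n), "bob", "WS-BOB", True))
    # dave: two stale attempts, then signs off and back on at 09:40 (cache refreshed).
    events.append((m(5), "dave", "WS-DAVE", False))
    events.append((m(10), "dave", "WS-DAVE", False))
    events.append((m(40), "dave", "WS-DAVE", True))
    # erin: one stale attempt per hour, so each one falls outside the window.
    for n in (0, 60, 120, 180, 240):
        events.append((m(n), "erin", "WS-ERIN", False))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    result = evaluate_lockouts(build_scenario())
    for user, s in sorted(result.items()):
        print(f"{user:6} bad_count={s['bad_count']} locked_at={s['locked_at']} "
              f"sources={sorted(s['sources'])}")
    print("stale-cache suspects:", stale_cache_suspects(result))
```

Running it shows alice locked out at 09:22 after the fifth stale attempt, dave and erin never reaching the threshold, and alice alone flagged as a single-source lockout. In a real environment the per-DC counters are additionally chained to the PDC emulator, and the "Caller Computer Name" in lockout event records plays the role of the source host here.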

Clearing intruder lockouts - quickly

Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user's lockout on a domain controller near the help desk. The cleared lockout may take hours to replicate to the domain controllers against which the user wishes to authenticate, or which support the network services that the user wishes to access.

This problem is especially acute in global organizations with hundreds of domain controllers and a centralized IT support function.

Note that AD password change replication is described here:

Password Manager uniquely circumvents the problem of slow replication of cleared intruder lockouts between Active Directory domain controllers by automatically directing password resets and cleared intruder lockouts to a select set of domain controllers, which the user is most likely to access:

  • DCs on the user's home site, based on the user's home directory UNC and the IP address of the server that hosts this UNC.
  • DCs on the user's current site, based on the user's web browser IP address (this only applies to self-service password reset).
  • DCs mapped to either of these sites by an administrator-configured rule set, for example DCs at global or regional data centers.
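The three rules above amount to a site lookup followed by a rule expansion: derive the user's home site from the file server behind the home-directory UNC, derive the current site from the browser's IP address, add any sites an administrator has mapped to those, and collect the domain controllers of the resulting sites. The following is an added example of that selection logic, not Password Manager's own code; the subnet-to-site table, domain controller names, file server addresses and site rules are all constructed, and `FILE_SERVER_IPS` stands in for the DNS lookup a real deployment would perform.

```python
import ipaddress

# Constructed site topology (hypothetical; not taken from the page or any real forest).
SUBNETS = {                      # CIDR -> Active Directory site
    "10.1.0.0/16": "Toronto",
    "10.2.0.0/16": "London",
    "10.2.200.0/24": "London-Lab",   # more specific than 10.2.0.0/16
    "10.3.0.0/16": "Singapore",
}
DCS_BY_SITE = {
    "Toronto": ["dc01.tor.example.test", "dc02.tor.example.test"],
    "London": ["dc01.lon.example.test"],
    "London-Lab": ["dc01.lab.lon.example.test"],
    "Singapore": ["dc01.sgp.example.test"],
    "HQ-DataCenter": ["dc01.hq.example.test", "dc02.hq.example.test"],
}
# Stand-in for DNS resolution of home-directory file servers (constructed).
FILE_SERVER_IPS = {"fs-tor.example.test": "10.1.5.20", "fs-lon.example.test": "10.2.8.9"}
# Administrator-configured rule set: site -> additional sites whose DCs should
# also receive the reset or lockout clear (e.g. a regional data center).
SITE_RULES = {"Toronto": ["HQ-DataCenter"], "London": ["HQ-DataCenter"],
              "London-Lab": ["London"]}


def site_for_ip(ip):
    """Longest-prefix match of an address against the subnet table, as AD site
    resolution does. Returns None for an address in no configured subnet."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def host_of_unc(unc):
    """Server component of a UNC path such as \\\\server\\share\\path."""
    parts = unc.lstrip("\\").split("\\")
    return parts[0].lower() if parts and parts[0] else None


def target_dcs(home_unc=None, browser_ip=None, resolve=FILE_SERVER_IPS.get):
    """Return (sites, dcs): the sites selected for the user and the DCs to target.
    home_unc drives the home-site rule; browser_ip drives the current-site rule
    (self-service only, so it may be None for a help-desk reset); SITE_RULES adds
    administrator-mapped sites to either of those."""
    sites = []

    def add(site):
        if site and site not in sites:
            sites.append(site)

    if home_unc:
        host = host_of_unc(home_unc)
        ip = resolve(host) if host else None
        add(site_for_ip(ip) if ip else None)
    if browser_ip:
        add(site_for_ip(browser_ip))
    for site in list(sites):                 # one level of rule expansion
        for extra in SITE_RULES.get(site, []):
            add(extra)
    dcs = []
    for site in sites:
        for dc in DCS_BY_SITE.get(site, []):
            if dc not in dcs:
                dcs.append(dc)
    return sites, dcs


if __name__ == "__main__":
    # Self-service reset: home directory in Toronto, browsing from the London lab.
    print(target_dcs(r"\\fs-tor.example.test\home\alice", "10.2.200.14"))
    # Help-desk reset: only the home-site rule applies.
    print(target_dcs(r"\\fs-lon.example.test\home\bob"))
```

Unknown file servers or addresses outside every configured subnet simply contribute no site, so a user with no resolvable location falls back to an empty target list and the caller can decide whether to use the default domain controller instead.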