Windows / Active Directory Integration
AD target system
Hitachi ID Password Manager includes two connectors for Active Directory:
- A domain-level connector, which can address objects in one domain at a time.
- A forest-level connector, which can address objects across multiple domains in a forest.
Either connector will work with all available versions of Windows
and Active Directory. Both include advanced features:
- Enumerate accounts, attributes, groups and group memberships.
- Reset passwords and optionally set them to expire.
- Detect and clear intruder lockouts.
- Detect and set password expiry dates.
- Filter in-scope users by group or OU.
Triggering Password Synchronization
Native password changes made on Windows servers and
domain controllers can trigger
transparent password synchronization.
Updating Cached Credentials
After a password change made through a web-based password management
system, the credentials cached on the user's PC will no longer
match the user's new domain password:
- When a user signs into Windows, Windows stores his domain
login ID and password in a cache in memory and in the registry.
- When the user signs into other Windows resources (e.g., shares,
printers, Outlook/Exchange mail boxes, IIS web sites), Windows
first tries its cached domain password and, if this fails, Windows
prompts the user to type the correct password.
- If the user changes his domain password from the PC with
the Ctrl-Alt-Delete process, Windows updates both the domain password
and the locally cached password -- there is no problem.
- If the help desk, another PC or a web application
changes the user's password on the domain, then the cached password
on the user's PC will be wrong. Subsequent attempts by the user to
access network resources will cause the OS to provide the (wrong)
cached password, will fail and will increment the user's "failed
login attempts" counter. This pattern of activity can ultimately
trigger an intruder lockout for the user.
- Intruder lockouts feed back to the help desk as increased call
If a user signs off and back on after a web-based password change,
the Windows cache is refreshed and the intruder lockout problem
described above is averted. This approach is not user friendly,
To eliminate this problem without forcing users to sign off and back
on, Password Manager includes an ActiveX component that can silently update
the user's Windows password cache after a web-based password change.
The cache-updating ActiveX component works on Windows XP, Vista and 7
Clearing intruder lockouts - quickly
Active Directory does not propagate cleared intruder lockout flags
on an expedited schedule. This can create problems for remote users
who inadvertently trigger a lockout and subsequently call a central
help desk for assistance. The help desk will typically clear the
user's lockout on a domain controller near the help desk. The
cleared lockout may take hours to reach the domain controllers
against which the user wishes to authenticate, or which support
the network services that the user wishes to access.
This problem is especially acute in global organizations with hundreds
of domain controllers and a global IT support function.
Note that AD password change replication is described here:
Password Manager uniquely circumvents the problem of slow replication of
cleared intruder lockouts between Active Directory domain controllers
by automatically directing password resets and cleared intruder lockouts
to a select set of domain controllers, which the user is most likely
- DCs on the user's home site, based on the user's home directory
UNC and the IP address of the server that hosts this UNC.
- DCs on the user's current site, based on the user's web browser
IP address (this only applies to self-service password reset).
- DCs mapped to either of these sites by an administrator-configured
rule set. For example, at global or regional data centers.