Active Directory self service refers to any set of capabilities that enable users to manage their own Active Directory identities, credentials and security entitlements. The idea is to provide a mechanism whereby users can perform, on their own profile, some administrative tasks that normally require elevated privileges. This reduces IT support costs and improves user service. To do this, an intermediary application is required to authenticate the user and to limit what changes they can make and to whose profiles.

An Active Directory password reset system is the most common component of this. It allows users who have forgotten their AD password, or who have been locked out, to resolve the problem on their own, without calling the IT help desk.

Additional Active Directory self-service capabilities may include:

  • Enabling users to create, manage or join mail distribution lists.
  • Enabling users to request access to Windows shares, folders or printers, or to SharePoint resources, as these entitlements are normally assigned via membership in AD security groups.

Hitachi ID Password Manager is a complete solution for managing passwords and other credentials, intended for users in a medium to large enterprise. It includes self-service password reset features, Active Directory integration and Self-Service, a set of capabilities that enable self-service anywhere, including from pre-boot, from the Windows login prompt and while away from the office.

Hitachi ID Group Manager is a solution for managing membership in Active Directory groups. It allows users, who are often unfamiliar with AD groups, to initiate requests for access:

  • Users specify a resource such as a share or folder.
  • Group Manager offers the user a menu of access control options, each consisting of a group, access rights and an owner.
  • Users select the appropriate group to request membership.
  • A Group Manager workflow invites the group owner or another stakeholder to approve the change.
  • Approved requests are automatically fulfilled.
  • The user is notified of the change. Users may have to sign out of and back into Windows for the change to take effect (via a new Kerberos token).
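
The first two steps above depend on mapping a resource to the groups that grant access to it. The following PowerShell function is an added example, not Hitachi ID code: it reads a folder's ACL and lists each AD group on it with its rights and owner. It assumes the ActiveDirectory (RSAT) module is installed and that the group's `ManagedBy` attribute records the owner; the function name and the sample path are hypothetical.

```powershell
# Added example: list the AD groups that grant access to a folder,
# with the rights each one confers and the group's recorded owner.
Import-Module ActiveDirectory

function Get-FolderAccessOption {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # folder or share path supplied by the caller
    )

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries describe access a user could request.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        try {
            # Resolve the ACE's identity to a SID, then look it up as an AD group.
            $sid   = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $group = Get-ADGroup -Identity $sid.Value -Properties ManagedBy -ErrorAction Stop
        } catch {
            # Not an AD group: a user, a local or well-known principal, or an orphaned SID.
            continue
        }

        # Assumption: ManagedBy holds the distinguished name of the group owner.
        $owner = if ($group.ManagedBy) {
            (Get-ADObject -Identity $group.ManagedBy).Name
        } else {
            $null
        }

        [pscustomobject]@{
            Group     = $group.SamAccountName
            Scope     = $group.GroupScope
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Owner     = $owner
        }
    }
}

# Placeholder path, replace with a real folder:
# Get-FolderAccessOption -Path '\\fileserver.example\share\folder' | Format-Table
```

Rows with an empty `Owner` are groups with no recorded approver, and ACL entries skipped by the `catch` branch are access granted outside of group membership; both are worth reviewing before exposing a resource to self-service requests.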
