AD Object Manager


VPN User Password Change Notification

  • Presents a secure, customizable form that notifies users of an expiring password and lets them change it

Concurrent Login Restrictions

  • Lets users log off their own session on a remote computer

  • Lets users shut down or restart the remote computer where they are currently logged in

Group Policy Updates

  • Applies policy updates as soon as a VPN connection is established

Login Script Execution upon VPN Connection

  • Runs the user's login script when the workstation is unlocked

Offline Domain Join for All Supported Versions of Windows

  • Microsoft's DJoin.exe only joins Windows 7 to the domain, and only once

  • ADOM ensures domain membership is always maintained

  • Ideal for OS deployment (OSD) and for day-2 maintenance of computer objects

Secure Dormant and Inactive User Accounts

  • The account expiration value of the user object is updated dynamically

Maintain Group Membership of Computers by Chassis Type

  • Custom "Domain Laptops" and "Domain Desktops" groups

  • Usable for GPO security filtering

Update Computer Description

  • Populated from AD object attribute values or registry values

and more ...

Active Directory Object Manager (ADOM), by Synergix, is a software solution that allows VPN-connected users to change their domain password seamlessly. The logon behavior on a Windows-based laptop that is off the corporate network remains the same, so no special instructions need to be given to users. Users are prompted to change an expiring password and are presented with a secure form to change their domain credentials. Additionally, ADOM keeps the Group Policy Objects on laptops updated as soon as a VPN connection is established.

ADOM is independent of the VPN client software in use and is supported on Windows 2000, Windows XP, Windows Vista and Windows 7.

ADOM helps organizations secure user logons by restricting interactive and concurrent logon sessions to a specified number.

  • Seamless password change for VPN users; no change to user logon behavior

  • No Active Directory schema changes required

  • No software installation on domain controllers

  • Applies Group Policy Objects to VPN-connected computers

  • Concurrent logon restrictions

  • Expired credential synchronization

  • Realizes the targeted ROI on systems management software (MS SMS, LANDesk, HP Radia, etc.)

  • Tracks and manages dormant and inactive user objects

  • Maintains the link between a computer object and its last logged-on users

  • Helps meet security compliance requirements

  • Maintains domain membership of computer objects

  • Associates a computer object with its primary user

 

 

The built-in functionality of Microsoft® Active Directory™ falls short in managing VPN-connected users, both for password expiration notification and for Group Policy deployment. It also falls short in user and computer object management. Although the default container for new computer and user objects can be changed in Windows 2003-based Active Directory installations, all computer and user objects still end up in that one container unless the OS deployment tools run custom scripts to place them in specific Organizational Units.

For desktop application management and security policy implementation, IT staff in large organizations typically depend on third-party applications such as LANDesk, HP Radia, MS SMS and CA Unicenter. Most of these systems management tools use the Organizational Unit in Active Directory to define the scope of a management task. Keeping computer objects properly organized in specific Organizational Units (by business unit, relative to the OU containing the user object, or by chassis type) can be challenging. If objects are not placed in the right OU, systems management tasks can produce unexpected results, causing major outages and possibly breaching service level agreements. Computer objects must be managed correctly to reap the full benefit of the investment in systems management software and to ensure policies are applied to the right computer objects. Active Directory Object Manager fills that gap: post-OS-deployment and day-2 computer object management is fully automated. In addition, ADOM automates managing and enforcing password policies for users who log on with cached credentials (typically VPN users) without requiring any schema changes to the Active Directory environment or installing any software on domain controllers.

Applications / Key Benefits

Security Policies

VPN Password Expiration Notification

Password policies, specifically the password expiration policy, cause resource access problems for VPN users, who typically log on with cached credentials. When their password is about to expire they receive no password change notification, so the password eventually expires and the user can no longer authenticate to domain resources. This is typically resolved by the user calling the help desk for a password reset, which adds to help desk cost and disrupts service to business users.

With ADOM, VPN users, logging in with cached credentials, are prompted for password change and presented with a custom dialog box to change the Active Directory password.

Customers may optionally customize a web page, launched through ADOM, that reminds users to change their password on other systems at the same time. Such systems may include the VPN client software password and applications that are not integrated with Active Directory, such as Oracle, eRooms and SAP.
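The check an agent on the laptop has to make for a cached-credential user, as an added PowerShell example that is not ADOM's code and does not describe how ADOM works internally. It assumes the VPN is already up, that the RSAT ActiveDirectory module is installed on the client, a 14-day warning window, and Windows Server 2008 or later domain controllers (for the constructed expiry attribute); all of these are assumptions.

```powershell
# Added example, not ADOM's own code: ask a DC when the current user's password really
# expires and, inside the warning window, change it over the VPN.
# Assumptions: VPN up, RSAT ActiveDirectory module on the client, 14-day warning window.
Import-Module ActiveDirectory

function Get-PasswordExpiryInfo {
    param([string]$SamAccountName = $env:USERNAME)
    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute (Windows Server 2008+
    # DCs): it already folds in fine-grained password policies and must be requested by
    # name. It is a FILETIME; 0 means "must change at next logon", Int64.MaxValue means
    # the password never expires.
    $u   = Get-ADUser -Identity $SamAccountName -Properties PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expires  = $null
    $daysLeft = $null
    if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) {
        $expires  = [datetime]::FromFileTimeUtc($raw)
        $daysLeft = [math]::Floor(($expires - [datetime]::UtcNow).TotalDays)
    }
    [pscustomobject]@{
        User     = $SamAccountName
        Expires  = $expires
        DaysLeft = $daysLeft
        Expired  = ([bool]$u.PasswordExpired -or ($raw -eq 0))
    }
}

function Test-PasswordChangeNeeded {
    param([int]$WarnDays = 14, [string]$SamAccountName = $env:USERNAME)
    $info = Get-PasswordExpiryInfo -SamAccountName $SamAccountName
    if ($info.Expired)            { return $true }
    if ($null -eq $info.Expires)  { return $false }   # PasswordNeverExpires
    return ($info.DaysLeft -le $WarnDays)
}

if (Test-PasswordChangeNeeded -WarnDays 14) {
    # The change is made against a DC over the VPN. The laptop's cached logon verifier
    # is refreshed only by the next logon or unlock that reaches a DC, so until then the
    # old password still unlocks the machine; this is what leaves the logon behaviour unchanged.
    $old = Read-Host 'Current password' -AsSecureString
    $new = Read-Host 'New password'     -AsSecureString
    Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $old -NewPassword $new
}
```

Because the interactive logon never touched a DC, the only reliable source for the expiry date is the directory itself; reading the local cached-credential data tells you nothing about the server-side policy or any fine-grained policy applied to the user.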

Security Audit

On VPN segments

Users of most third-party VPN clients (Cisco, MCI, Nortel, etc.) typically log on to their computers with cached credentials and then start the VPN client to reach corporate resources. The interactive logon itself is validated against the local credential cache and never reaches a domain controller, so it produces no entry in the domain controller security log and does not update the Last Logon attribute of the user object. An audit of the Active Directory environment can therefore report VPN users as inactive. This makes SOX, HIPAA and other compliance exercises laborious and costly.

With ADOM, VPN users who log on with cached credentials and later connect to corporate resources are recorded in the Active Directory security logs, just like LAN-connected desktop and laptop users, and the Last Logon attribute is updated. This lets auditors generate accurate usage reports and take appropriate action to stay compliant with industry IT security requirements.

Computer Object Management

Domain Membership

Users with elevated privileges may remove their computers from the domain, whether for non-business or experimental purposes or for business reasons such as product demonstrations at client sites, trade shows or conferences. ADOM helps maintain domain membership. If the computer object in the Active Directory domain becomes defunct, or the user removes the computer from the domain and puts it in a workgroup or another domain (at home, in an internet cafe, etc.), the computer rejoins the domain the next time it is put back on the corporate network. All of this is achieved without granting the user elevated privileges on their workstation or in the Active Directory environment.

Computer account migration

ADOM may also be used to migrate computer accounts from one trusted domain to another trusted domain.

Hostname

The hostname assigned to a Windows-based computer at build time can be retained using ADOM. If a user with elevated privileges changes the hostname, it is rolled back to the original when the computer is put back on the corporate network (LAN or VPN).

Description

The description attribute of the computer object can be customized and maintained dynamically. 

e.g. John Smith, OS Version = 5.1, AV Definition = 5/7/2007 Rev 25

Managed By / Primary User

The 'Managed By' attribute of the computer object is updated and can be used to link the computer object to the primary user's user object. 

Organize by Chassis Type

Computer objects are moved within the Active Directory environment into an Organizational Unit that reflects the chassis type (Desktops or Laptops) and sits beside the OU containing the primary user's user object:

  Finance
    Users        - if the primary user's user ID exists here,
    Desktops     - desktops are automatically moved here, and
    Laptops      - laptops are automatically moved here
    Printers
    Servers

User Object Management

Account Expiration

Systems administrators can keep track of dormant accounts by enabling the user account expiration feature. Microsoft Active Directory only allows a static account expiration date; ADOM updates it dynamically from a preconfigured value. For instance, the systems administrator can grant 7 days of access from the last successful logon.

This lets systems administrators expire dormant user accounts, safeguarding corporate data from unauthorized use, while active users keep uninterrupted access to Active Directory resources.
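A sliding account expiration of the kind described above, as an added PowerShell example that is not ADOM's code (ADOM's own mechanism is not described on this page). It assumes the RSAT ActiveDirectory module, a scheduled run more frequent than the grace period (daily for a 7-day window), and the OU name used in the usage line; the OU and the grace period are assumptions.

```powershell
# Added example, not ADOM's own code: push accountExpires to N days after the most recent
# successful logon, so dormant accounts lapse by themselves and active ones never do.
# Assumptions: RSAT ActiveDirectory module; run on a schedule shorter than $GraceDays.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # lastLogonTimestamp only replicates when it is roughly 9-14 days stale, so it cannot
    # drive a 7-day window. lastLogon is exact but per-DC and not replicated, so take the
    # maximum over every DC; a DC that is unreachable is skipped rather than aborting the run.
    $latest = [datetime]::MinValue
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
        } catch { Write-Warning "Skipping $($dc.HostName): $_"; continue }
        if ($u.lastLogon -and $u.lastLogon -gt 0) {
            $t = [datetime]::FromFileTimeUtc($u.lastLogon)
            if ($t -gt $latest) { $latest = $t }
        }
    }
    $latest
}

function Update-DormantExpiration {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # assumed OU, e.g. OU=Users,OU=Finance,DC=corp,DC=example
        [int]$GraceDays = 7,
        [switch]$WhatIf
    )
    # Enabled users under the OU only; keep service accounts out of this OU or filter them by group.
    foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
        $last = Get-TrueLastLogon -SamAccountName $user.SamAccountName
        if ($last -eq [datetime]::MinValue) { continue }   # never logged on: leave the static value alone
        $expires = $last.AddDays($GraceDays)
        # accountExpires is a soft lapse: an admin can clear it to restore a returning user,
        # which is why this is preferable to disabling or deleting on a dormancy report.
        Set-ADAccountExpiration -Identity $user -DateTime $expires -WhatIf:$WhatIf
        [pscustomobject]@{ User = $user.SamAccountName; LastLogon = $last; ExpiresOn = $expires }
    }
}

# Dry run first; drop -WhatIf once the report looks right.
Update-DormantExpiration -SearchBase 'OU=Users,OU=Finance,DC=corp,DC=example' -GraceDays 7 -WhatIf
```

The lastLogon-versus-lastLogonTimestamp distinction is the part that bites in practice: a report built on the replicated attribute can show a user as two weeks idle the morning after they logged on, and a 7-day sliding window driven from it would expire active accounts.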

Group Objects

Computer Groups

ADOM maintains computer object membership in groups that distinguish computers by chassis type. For instance, all desktop-class computers are added to the 'Chassis Type - Desktops' group and all laptop-class computers to 'Chassis Type - Laptops'.

This lets the systems administrator scope Group Policy Objects with the Security Filtering option using these chassis-specific groups.

Group Policy Objects

Security Filtering

Desktop-class and laptop-class computers are added to the appropriate groups in Active Directory, i.e. 'Chassis Type - Desktops' and 'Chassis Type - Laptops'.

These two groups can be used to link a GPO at the domain level and, through the Security Filtering option, apply the policy only to the matching computer objects.
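The chassis-type classification, OU placement, group membership and Managed By link described under Computer Object Management and Group Objects, plus the security filtering described here, as one added PowerShell example. This is not ADOM's code and does not describe how ADOM performs these steps; it assumes the RSAT ActiveDirectory and GroupPolicy modules, that the groups and OUs already exist, and the GPO, computer and user names used below, all of which are assumptions.

```powershell
# Added example, not ADOM's own code: classify a computer by chassis type, keep it in the
# matching "Chassis Type - ..." group and in the Desktops/Laptops OU beside its primary
# user's OU, record the primary user in managedBy, and scope a GPO to the laptop group.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules; groups, OUs and the GPO
# 'Laptop Security Baseline' already exist (all names are hypothetical).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-ChassisClass {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Win32_SystemEnclosure.ChassisTypes is the SMBIOS chassis enum (multi-valued; a docked
    # laptop can report two values). Portable form factors: 8 Portable, 9 Laptop, 10 Notebook,
    # 11 Hand Held, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable.
    # Anything else, including 1 "Other" (what most VMs report), is treated as a desktop.
    $portable = 8, 9, 10, 11, 14, 30, 31, 32
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure -ComputerName $ComputerName).ChassisTypes
    if (@($types | Where-Object { $portable -contains $_ }).Count -gt 0) { 'Laptops' } else { 'Desktops' }
}

function Sync-ChassisPlacement {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$PrimaryUserSam
    )
    $class    = Get-ChassisClass -ComputerName $ComputerName
    $computer = Get-ADComputer -Identity $ComputerName -Properties MemberOf
    $user     = Get-ADUser -Identity $PrimaryUserSam

    # 1. Group membership: the computer ends up in exactly one of the two chassis groups.
    foreach ($name in 'Chassis Type - Desktops', 'Chassis Type - Laptops') {
        $groupDn = (Get-ADGroup -Identity $name).DistinguishedName
        $want    = ($name -eq "Chassis Type - $class")
        $has     = $computer.MemberOf -contains $groupDn
        if ($want -and -not $has) { Add-ADGroupMember    -Identity $name -Members $computer }
        if ($has -and -not $want) { Remove-ADGroupMember -Identity $name -Members $computer -Confirm:$false }
    }

    # 2. OU placement relative to the user's OU, as in the page's tree:
    #    CN=John Smith,OU=Users,OU=Finance,DC=corp,DC=example -> OU=Laptops,OU=Finance,DC=corp,DC=example
    #    The split skips escaped commas (\,), so an RDN such as "Smith\, John" does not break it.
    $userOu   = ($user.DistinguishedName -split '(?<!\\),', 2)[1]   # drop CN=...
    $parentOu = ($userOu -split '(?<!\\),', 2)[1]                   # drop OU=Users
    $targetOu = "OU=$class,$parentOu"
    if (-not $computer.DistinguishedName.EndsWith(",$targetOu", [StringComparison]::OrdinalIgnoreCase)) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
    }

    # 3. Link the computer to its primary user (the page's Managed By feature).
    Set-ADComputer -Identity $ComputerName -ManagedBy $user.DistinguishedName
}

function Set-LaptopGpoFiltering {
    param([string]$GpoName = 'Laptop Security Baseline')
    $domainDn = (Get-ADDomain).DistinguishedName
    # Security filtering: only the laptop group gets Apply. Authenticated Users keeps Read,
    # not Apply: since MS16-072 user settings are retrieved in the computer's security
    # context, so removing Authenticated Users entirely silently stops the GPO's user side.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users'    -TargetType Group -PermissionLevel GpoRead -Replace
    Set-GPPermission -Name $GpoName -TargetName 'Chassis Type - Laptops' -TargetType Group -PermissionLevel GpoApply
    # Link at the domain level, as the page suggests, unless already linked.
    if (-not ((Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName -contains $GpoName)) {
        New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
    }
}

Sync-ChassisPlacement -ComputerName 'FIN-LT-0042' -PrimaryUserSam 'jsmith'
Set-LaptopGpoFiltering
```

Two things to check before running this against production: a domain-linked GPO filtered to a group still applies only where the computer's Kerberos token carries that group, so a computer added to 'Chassis Type - Laptops' needs a reboot (or a new ticket) before the filter matches; and the OU move changes the set of linked GPOs the computer receives, so run it with -WhatIf on Move-ADObject first in any environment where the OU tree is not exactly the one in the page's example.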

 
