
Administration Tools

The DigitalPersona LDS Administration Tools include the following components, which are installed by default through the installation wizard.

  • The DigitalPersona GPMC Extensions and the User Query Tool ADUC snap-ins may be deselected during installation by choosing a Custom install.
  • The Hardware Token Management Utility is not shown in the Custom installation dialog and cannot be deselected.

Additional DigitalPersona LDS administrative functions are implemented through the use of VBScript. These scripts are automatically copied to your computer during installation of the DigitalPersona LDS Administration Tools. Finally, the ADSI Edit tool can be used to directly configure certain attributes in the DigitalPersona database.

User Query Snap-in

The DigitalPersona User Query Snap-in is a component within the DigitalPersona Administration Tools. These tools are a separate installation and are located in the DigitalPersona LDS Administration Tools folder of your product package. This tool provides a means for the administrator to query the DigitalPersona user database for information about DigitalPersona users and to perform certain operations and to set values associated with a selected user.

It has three separate implementations, as described in the following topics.

  • ActiveX control
  • Interactive dialog-based application
  • Command line utility

The User Query Tool can only be successfully run on the computer where DigitalPersona LDS Server is installed. Once installed, the Interactive dialog-based application can be run from the Start menu by selecting DigitalPersona, User Query Tool.

ActiveX control

The ActiveX control provides the most functionality, including performing operations against the user record and setting certain flags and values. The dialog-based and CLI applications are reporting tools only.

Examples of the types of query information that can be accessed by the ActiveX control are:

  • Number of installed licenses
  • Number of licenses used
  • Number of enrolled credentials for each user
  • Types of credentials enrolled for each user
  • Number of users accessing managed logons
  • Dates of first and last fingerprint enrollment

Additionally certain operations may be performed against the DigitalPersona user database through the ActiveX control, such as:

  • Lock user account
  • Set user logon policy
  • Delete specific authentication credentials
  • Delete user Secrets

The DigitalPersona User Query Tool ActiveX control provides two interfaces that can be called from VBScript or JavaScript.

IDPUserQueryControlInterface

This interface is used to return licensing information and create an instance of the DPUserControl object described in the next section.

    [
        object,
        uuid(4AC9BCDA-7C6F-4919-A885-D533CBA447DF),
        dual, nonextensible,
        helpstring("IDPUserQueryControl Interface: "), pointer_default(unique)
    ]
    interface IDPUserQueryControl : IDispatch
    {
        [propget, id(1), helpstring("Returns number of licenses installed.")]
        HRESULT NumberOfLicensesInstalled([out, retval] LONG* pVal);

        [propget, id(2), helpstring("Returns number of licenses used.")]
        HRESULT NumberOfLicensesUsed([out, retval] LONG* pVal);

        [id(3), helpstring("Creates an instance of DPUserControl object based on user DN.")]
        HRESULT GetUser([in] BSTR UserDN, [out, retval] IDispatch** ppUser);
    };

IDPUserControl

The IDPUserControl is used to get or set a number of different user properties.

    [
        object,
        uuid(C6AAB663-EA2A-4195-940F-1C56C5736924),
        dual, nonextensible,
        helpstring("IDPUserControl Interface: "), pointer_default(unique)
    ]
    interface IDPUserControl : IDispatch
    {
        [propget, id(1), helpstring("Returns a flag that indicates if the account is locked because of intruder detection.")]
        HRESULT IsAccountLocked([out, retval] VARIANT_BOOL* pfIsAccountLocked);

        [propput, id(1), helpstring("Sets a flag that indicates if the account is locked because of intruder detection.")]
        HRESULT IsAccountLocked([in] VARIANT_BOOL fIsAccountLocked);

        [propget, id(2), helpstring("Returns a user account control value.")]
        HRESULT AccountControl([out, retval] LONG* pVal);

        [propput, id(2), helpstring("Sets a user account control value.")]
        HRESULT AccountControl([in] LONG newVal);

        [propget, id(3), helpstring("Returns a user logon policy value.")]
        HRESULT LogonPolicy([out, retval] LONG* pVal);

        [propput, id(3), helpstring("Sets a user logon policy value.")]
        HRESULT LogonPolicy([in] LONG newVal);

        [propget, id(4), helpstring("Returns a flag that indicates if the specific authentication token is enrolled.")]
        HRESULT IsTokenEnrolled([in] BSTR TokenID, [out] VARIANT_BOOL* pfIsTokenEnrolled);

        [propget, id(5), helpstring("Returns a flag that indicates fingerprints enrolled mask.")]
        HRESULT FingerprintMask([out, retval] LONG* pVal);

        [propget, id(6), helpstring("Returns user recovery password.")]
        HRESULT RecoveryPassword([in] BSTR EncryptedPassword, [out, retval] BSTR* pVal);

        [id(7), helpstring("Deletes specific authentication token credentials.")]
        HRESULT DeleteToken([in] BSTR TokenID);

        [id(8), helpstring("Deletes enrolled fingerprints.")]
        HRESULT DeleteFingerprints(void);

        [id(9), helpstring("Deletes user Secrets.")]
        HRESULT DeleteSecrets(void);

        [id(10), helpstring("Returns date and time of first fingerprint enrollment.")]
        HRESULT FingerprintFirstEnrollmentTime([out, retval] DATE* pVal);

        [id(11), helpstring("Returns date and time of last fingerprint enrollment.")]
        HRESULT FingerprintLastEnrollmentTime([out, retval] DATE* pVal);

        [propget, id(12), helpstring("Returns a flag that indicates if the specific authentication token is enrolled.")]
        HRESULT IsTokenEnrolledEx([in] BSTR TokenID, [in] BSTR Prefix, [out] VARIANT_BOOL* pfIsTokenEnrolled);

        [propget, id(13), helpstring("Returns a flag that indicates if license taken by this user.")]
        HRESULT IsLicenseTaken([out, retval] VARIANT_BOOL* pfIsLicenseTaken);

        [id(14), helpstring("Clear license by deleting all DigitalPersona data for this user.")]
        HRESULT ClearLicense(void);
    };

Sample VB Script

This is a sample of a VB script that returns the date and time of the first and last fingerprint enrollments for a user.

    ' Create the User Query control and look up one user by distinguished name
    Dim objQueryControl, objUser
    Set objQueryControl = CreateObject("DPUserQuery.DPUserQueryControl")
    Set objUser = objQueryControl.GetUser("cn=testuser,CN=Users,DC=testdomain,DC=COM")

    ' Print the date and time of the first and last fingerprint enrollment
    wscript.echo objUser.FingerprintFirstEnrollmentTime
    wscript.echo objUser.FingerprintLastEnrollmentTime

Interactive dialog-based application

To run the interactive dialog-based application:

  • On the Start menu, point to All Programs, DigitalPersona, User Query Tool.
  • In the application dialog, select the type of information you would like to display and enter or browse to the location where you want to save the resulting log file.
  • Click Run.
  • The file is saved as a .csv file with the default name DPQuery.csv, which can be opened in Notepad, Microsoft Excel or other spreadsheet programs.

DPQuery.csv format

The file resulting from the use of either the Interactive User Query Tool described above, or the command line interface User Query Tool described below, has the format described in the table below.

Column              Description
User Name           Name of the user being reported against.
Logon Options       0 – No log on option is set.
                    1 – User provides only Windows credentials to log on.
                    2 – Randomize user's Windows password.
                    4 – User must provide Fingerprint and PIN to log on.
                    8 – Account is locked out from use of fingerprint credentials.
Fingerprints        Number of fingerprints enrolled by the user.
Smart Cards         Yes or No. Indicates whether this credential has been enrolled by the specified user.
Contactless Cards   Yes or No. Indicates whether this credential has been enrolled by the specified user.
Proximity Cards     Yes or No. Indicates whether this credential has been enrolled by the specified user.
Bluetooth           Yes or No. Indicates whether this credential has been enrolled by the specified user.
PIN                 Yes or No. Indicates whether this credential has been enrolled by the specified user.
Licenses            Yes or No. Indicates whether a DigitalPersona User license is being utilized by the specified user.
Password Recovery   Yes or No. Indicates whether the Self Password Recovery questions have been answered by the specified user.
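Because the Logon Options column is a bitmask of the values listed above, one pass over DPQuery.csv can decode each user's options and flag accounts that deserve attention (locked out, no credential enrolled, licensed but without password recovery). The following Python script is an added example, not part of the guide or the DigitalPersona tools; it assumes the CSV header uses the column names from the table and embeds a constructed sample file in place of real output.

```python
import csv
import io

# Logon Options bit values as documented for the DPQuery.csv "Logon Options" column
LOGON_OPTION_FLAGS = {
    1: "Windows credentials only",
    2: "Randomize Windows password",
    4: "Fingerprint and PIN required",
    8: "Locked out from fingerprint credentials",
}

# Credential columns the utility reports as Yes/No
YES_NO_COLUMNS = ("Smart Cards", "Contactless Cards", "Proximity Cards", "Bluetooth", "PIN")

# Constructed sample in the documented column layout (header names assumed); not real output
SAMPLE_CSV = """User Name,Logon Options,Fingerprints,Smart Cards,Contactless Cards,Proximity Cards,Bluetooth,PIN,Licenses,Password Recovery
alice,4,2,No,No,No,No,Yes,Yes,Yes
bob,0,0,No,No,No,No,No,No,No
carol,12,1,Yes,No,No,No,Yes,Yes,No
dave,2,3,No,No,Yes,No,No,Yes,Yes
"""


def decode_logon_options(value):
    """Return the names of the set bits; 0 means no logon option is set."""
    value = int(value)
    if value == 0:
        return ["No logon option set"]
    names = [name for bit, name in LOGON_OPTION_FLAGS.items() if value & bit]
    unknown = value & ~sum(LOGON_OPTION_FLAGS)  # bits outside the documented set
    if unknown:
        names.append(f"Unknown bits 0x{unknown:x}")
    return names


def yes(field):
    return field.strip().lower() == "yes"


def audit(csv_text):
    """Summarize a DPQuery.csv export: license use, lockouts, and enrollment gaps."""
    report = {
        "licenses_used": 0,
        "locked_out": [],
        "no_credentials": [],
        "no_password_recovery": [],
        "per_user": {},
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["User Name"]
        flags = int(row["Logon Options"])
        report["per_user"][name] = decode_logon_options(flags)
        if yes(row["Licenses"]):
            report["licenses_used"] += 1
        if flags & 8:  # bit 8: locked out from fingerprint credentials
            report["locked_out"].append(name)
        enrolled = int(row["Fingerprints"]) > 0 or any(yes(row[c]) for c in YES_NO_COLUMNS)
        if not enrolled:
            report["no_credentials"].append(name)
        if yes(row["Licenses"]) and not yes(row["Password Recovery"]):
            report["no_password_recovery"].append(name)
    return report


if __name__ == "__main__":
    # For a real export: audit(open(r"C:\Program Files\DigitalPersona\Bin\DPQuery.csv").read())
    for key, value in audit(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```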

Command line utility

The User Query Tool command line utility must be run from an elevated command prompt. To run the User Query Tool command line utility:

  • Open an elevated command prompt by right-clicking any Command Prompt shortcut on the Windows Start menu (located by default in the Accessories folder) and selecting Run as administrator.
  • In the Command Prompt window, enter [Installation path]\Bin\DPQuery.exe using the following syntax and parameters. (The default location is C:\Program Files\DigitalPersona\Bin.)

Syntax

    DPQuery.exe [-noui] [-dn="BaseDN"] [-out="FileName"] [-ac] [-fp] [-sc] [-cc] [-pc] [-bt] [-pin] [-lic] [-rec]

Parameters

Parameter          Description
-noui              Run the utility silently with no graphical interface, writing results to the DPQuery.csv file in the [Installation path]\Bin folder (by default C:\Program Files\DigitalPersona\Bin).
-dn="BaseDN"       Sets the Distinguished Name of the search base for the query. If this parameter is not present, the query runs against all users.

  • Non AD users – To query DigitalPersona Non AD users only, copy and modify the string found in the AzMan.txt file created during the DigitalPersona LDS installation. The AzMan.txt file is located in the [Installation path]\Bin folder (by default C:\Program Files\DigitalPersona\Bin). The AzMan text string will be similar to the following:
    MSLDAP://127.0.0.1:50000/CN=Authorization Store,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US
    Remove the MS from the front of the string and replace the words Authorization Store with Altus Users.
  • AD users – To query DigitalPersona AD users only, copy and modify the AzMan.txt string as follows. Remove the MS from the front of the string and replace the words Authorization Store with Altus AD Users.
  • Other user groups – To query other user groups that may have been created, copy and modify the AzMan.txt string as follows. Remove the MS from the front of the string and replace the words Authorization Store with the name of the group. To determine the exact name of any additional groups, you can use ADSI Edit to connect to the AD LDS instance.

-out="FileName"    Identifies the path and file name for the output log file. If missing, the file DPQuery.csv will be created in the directory containing the utility.
-fp                Add information about the number of fingerprints enrolled for each user in a query.
-ac                Add information about user account control flags like password randomization.
-sc                Add information about smart cards enrolled for each user in a query.
-cc                Add information about contactless cards enrolled for each user in a query.
-pc                Add information about proximity cards enrolled for each user in a query.
-bt                Add information about Bluetooth credentials enrolled for each user in a query.
-pin               Add information about PINs enrolled for each user in a query.
-lic               Add information about licenses utilized for each user in a query.
-rec               Add information about Self Recovery Password enrolled for each user in a query.

Examples

Show the User Interface (interactive dialog) for selecting query parameters.

    DPQuery.exe

Do not use the UI, but report license information for all users.

    DPQuery.exe -noui -lic

Report license information and fingerprints enrolled for Non AD users only.

    DPQuery.exe -noui -dn="LDAP://127.0.0.1:50000/CN=Altus Users,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US" -lic -fp

Report information about Bluetooth credentials enrolled for AD users only.

    DPQuery.exe -noui -dn="LDAP://127.0.0.1:50000/CN=Altus AD Users,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US" -bt

GPMC Extensions

DigitalPersona Server and its associated clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers.

The DigitalPersona GPMC Extensions component includes the Administrative Templates listed in the table below, and the following GPMC extensions, which are not actually Administrative Templates (i.e. .admx/.adm files) but provide additional policies and settings in basically the same manner.

  • Authentication Policy extension – Settings for specifying the credentials that may be used to log in to Windows and to log in to DigitalPersona security applications during the Windows sessions.
  • Kiosk Administration extension – Settings for configuring the Kiosk Shared Account and additional kiosk-specific settings.

Additional extensions or templates may be provided as new components are released, and will be specified in the readme file for each component.

Adding an administrative template to a container applies the DigitalPersona policies and settings to the computers and users in that container.

The GPMC Extensions are installed as part of the DigitalPersona LDS Administration Tools.

File Name (.admx)         Description
DPAltusRoot               Creates a root-level folder and categories for all DigitalPersona products, and if not already present, is installed automatically with any DigitalPersona product.
DPAltusServer             Creates GPO settings on the DigitalPersona LDS Server. Installed automatically with DigitalPersona LDS Server installation.
DPAltusClient             Creates GPO settings for DigitalPersona LDS clients. Installed automatically with DigitalPersona LDS Server installation.
DPAltusPasswordManager    Creates GPO settings for DigitalPersona Password Manager. Installed automatically with DigitalPersona LDS Server installation.
DPAltusEvForwarding       Creates GPO settings for DigitalPersona clients. Installed automatically with DigitalPersona LDS Server installation.

Implementation Guidelines

Before you add any Administrative Templates to your GPOs, give some thought to your Active Directory structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to.

Policy configuration needs will vary from network to network and specific policy recommendations are beyond the scope of this guide. You may want to refer to Microsoft’s documentation on Group Policy Object configuration for more information.

Organizational Units and GPOs

Although the use and configuration of organizational units and GPOs varies widely among corporations, we have provided some general guidelines for structuring Active Directory organizational units.

  • There are two key factors in deciding how to structure your network:
    • How you group your users and computers, and
    • Where the DigitalPersona LDS GPOs are set.
  • For example, if users and computers are to be grouped according to authentication policies, you should group them into separate OUs (Organizational Units) and then set specific GPOs for each OU.
  • However, when authentication policies within organizational units vary, as they often do among department heads and subordinates, then you should group your users and/or computers into child organizational units reflecting the necessary authentication

Structuring your organizational units based on authentication policies is the easiest way to administer DigitalPersona LDS.

  1. Plan your network structure by identifying the settings you intend to configure.
  2. Determine whether to apply the settings to all users and computers in a site or domain, or just to the users and computers in an organizational unit.
  3. Create the organizational units required to implement your design.
  4. Add the respective users and computers to the organizational unit.

GPO behavior

Here are a few guidelines to keep in mind when configuring DigitalPersona LDS GPOs.

  • If a GPO setting is not configured, the default value set in the software is
  • If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting value for that setting, the setting in the subordinate is
  • If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with no value, the setting in the superior (high-level) GPO is
  • GPOs can only be linked to the following three generic Active Directory containers: Sites, Domains and Organizational units (OUs). They cannot be linked to the default Users or Computers
  • A single GPO can be applied to one or more
  • A GPO affects all users and computers in the container, and subcontainers, it is linked

The DigitalPersona GPO settings apply only to computers with DigitalPersona software installed on them. In very basic Active Directory deployments, one can simply make a DigitalPersona GPO, linked at the domain, and set the DigitalPersona Server and DigitalPersona Workstation settings there for all users and computers alike.

Install Workstation Administrative Templates Locally

For local administration of a DigitalPersona LDS Workstation, the dpAltusClient Administrative Template can be added to the local policy object of any computer running DigitalPersona LDS Workstation by using the Microsoft Management Console (MMC) Group Policy Editor.

To add the Workstation Administrative Template locally

  1. On the Start menu, click Run. Type msc and press Enter to launch the Group Policy Editor.
  2. Right-click the Administrative Templates folder and select Add/Remove Templates on the Administrative Templates folder shortcut menu.
  3. Click the Add button on the Add/Remove Templates dialog box and then locate and select the DPAltusClient file from the default administrative templates directory.
  4. Click Close.

Hardware Tokens Management Utility

The Hardware Tokens Management Utility is a Windows command line utility copied to the target machine as part of a DigitalPersona Administration Tools installation. The utility imports a vendor-supplied XML file containing information about a set of hardware tokens that will be enrolled by users for generating One-Time Passwords. It can also be used to query information about the tokens and their users.

In order to use Time-based One-Time Password algorithm (TOTP) hardware tokens for the generation of One-Time Passwords, the serial numbers of these hardware tokens must first be registered with the DigitalPersona Server by using the Hardware Tokens Management Utility.

Note that the utility must be run from an elevated command prompt. To run the Hardware Tokens Management Utility:

  • Open an elevated command prompt by right-clicking any Command Prompt shortcut on the Windows Start menu (located by default in the Accessories folder) and selecting Run as administrator.
  • In the Command Prompt window, run DPOTPMgr.exe using the following syntax and parameters. By default, DPOTPMgr.exe is located in the following folder after installation of the DigitalPersona Administration Tools: C:\Program Files\DigitalPersona\Bin. Navigate to the folder where the file is located or enter the full path name to the file. Example:
    C:\Program Files\DigitalPersona\Bin\DPOTPMgr.exe /i /f tokenfilename /u MYDOMAIN\username
    Note that although the internal file format must be PKSC, the actual file extension may be PKSC, xml or there may be no extension.

Syntax

    DPOTPMgr.exe [/i] [/f <FileName>] [/u <UserName>] [/?]

Parameters

Parameter        Description
/i               Specifies import mode. The default mode is informational.
/f <FileName>    Identifies the name of the file to be imported.
/u <UserName>    Provides information about OTP tokens which are enrolled by a specific user.
                 NOTE: Name should be provided in SAM compatible format. For example: MYDOMAIN\myusername
/?               Displays help for this command.

Examples

    DPOTPMgr.exe /i /f C:\temp\2308522200681-2308522200685.xml

The above example imports registration information for OTP tokens from an XML file provided by the hardware token vendor.

    DPOTPMgr.exe

The above query example returns information about all hardware OTP tokens registered in the DigitalPersona instance.

    DPOTPMgr.exe /u MYDOMAIN\myusername

The above query example returns information about any hardware OTP tokens enrolled by a specific user.

DigitalPersona LDS Administration Scripts

Some of the DigitalPersona LDS administrative functions are implemented through the use of VBScript. These scripts are automatically copied to your computer during installation of the DigitalPersona LDS Administration Tools.

By default, they will be located in the following directory on the target computer.

Program Files\DigitalPersona\Altus Administration Tools\Scripts

If a previous DigitalPersona product has been installed on the computer, scripts will be copied to

[Install Directory]DigitalPersona\Altus Administration Tools\Scripts

The available scripts are:

  • CountUtilizedLicenses
  • CreateUserList
  • DeleteCredentials*
  • DeleteUserList
  • FP+Pwd (Fingerprint plus Password)*
  • RandomizePassword*
  • UnlockAccount*

*Scripts designated by asterisks in the above list use text files (.csv) to input parameters to the script. These text files have the same name as the script with "UserList" added to the script name and a .csv extension. They require previous installation of the Microsoft Access Database Engine 2010 Redistributable in order to process the scripts. It is available for free download from the following web page.

http://www.microsoft.com/en-us/download/details.aspx?id=13255

CSV files

Each CSV file has a heading on the first line, “name.” This should not be changed. The names of users to be processed by the script are then listed, one to each line.

The user name listed must be the exact user names as shown in the DigitalPersona LDS database. These can be viewed and verified through the Microsoft ADSI Edit tool.

Running the scripts

  • Run a script by double-clicking on it, or from a command prompt, for example:
    cscript CountUtilizedLicenses.vbs
  • You can also choose to output any script results to a text file, for example:
    cscript CountUtilizedLicenses.vbs >>results.txt

The purpose and use of each script is explained in the following text.

CountUtilizedLicenses

This script counts the number of utilized DigitalPersona LDS licenses, i.e. every user from either Active Directory or AD LDS consumes one license.

Requires Microsoft Access Database Engine 2010 Redistributable.

Instructions

  • In the CountUtilizedLicenses file, under the Constants section, verify the server name and port specified for the constant C_Server. If you are unsure of the correct information, you can find it in the file AzMan.txt, located (based on default installation) at
    Program Files\DigitalPersona\Bin\AzMan.txt

CreateUserList

This script creates a list of users specified in the CreateUserList.csv file.

DeleteCredentials

This script deletes credentials for those users specified in the DeleteCredentials.csv file. Requires Microsoft Access Database Engine 2010 Redistributable.

Instructions

  1. In the DeleteCredentials.vbs file, under the Constants section,
    • Verify the server name and port specified for the constant C_Server. If you are unsure of the correct information, you can find it in the file AzMan.txt, located (based on default installation) at
      Program Files\DigitalPersona\Bin\AzMan.txt
    • Find the GUID for the credential that you want to delete and copy it to the DeleteToken parameter "guidCredential."
  2. Under the Setup section,
    • Verify the location of the associated DeleteCredentialsUserList.csv file and revise the strCSVFolder string as necessary.
  3. In the associated text file, DeleteCredentialsUserList.csv, list the user names whose specified credentials are to be deleted.

Note that only one credential may be specified and deleted at a time. To delete an additional credential for the same list of users, simply change the "guidCredential" parameter and run the script again.

DeleteUserList

This script creates a list of users specified in the CreateUserList.csv file.

FP+Pwd

This script sets the "User must use Windows Password and Fingerprint to logon" flag for all users specified in the associated .csv file.

Requires Microsoft Access Database Engine 2010 Redistributable.

Instructions

  1. In the Fp+Pwd.vbs file, under the Setup section, edit the following variables.
    • strSearchAttribute – Enter the Active Directory attribute that is to be used to match rows in the CSV file to Active Directory user accounts. Make sure to use a unique attribute, e.g. sAMAccountName (Pre Windows 2000 Login). Other attributes can be used but are not guaranteed to be unique. If multiple user accounts are found, an error is returned and no update is performed.
    • strCSVFolder – Enter (or leave as default) the folder where the associated .csv file is
    • strCSVFile – Enter (or leave as default) the name of the associated .csv
  2. Run this script from a command prompt in cscript mode, e.g. cscript Fp+Pwd.vbs, or cscript Fp+Pwd.vbs >> results.txt to output the results to a text

RandomizePassword

This script sets the Randomize user’s Windows password and “User must change password at next logon” flags for all users specified in the associated .csv file.

To force the specified users to change their passwords on their next logon the Password never expires flag should not be set.

Requires Microsoft Access Database Engine 2010 Redistributable.

Instructions

  1. In the DeleteCredentials.vbs file, under the Constants section,
    • Verify the server name and port specified for the constant C_Server. If you are unsure of the correct information, you can find it in the file AzMan.txt, located (based on default installation) at
      Program Files\DigitalPersona\Bin\AzMan.txt
  2. Under the Setup section,
    • Verify the location of the associated RandomizePasswordUserList.csv file and revise the strCSVFolder string as
  3. In the associated text file, RandomizePasswordUserList.csv, list the user names whose passwords are to be

UnlockAccount

This script removes the lock preventing the use of a fingerprint credential or DigitalPersona password for authentication, for any users specified in the associated .csv file.

Requires Microsoft Access Database Engine 2010 Redistributable.

Instructions

  1. In the DeleteCredentials.vbs file, under the Constants section,
    • Verify the server name and port specified for the constant C_Server. If you are unsure of the correct information, you can find it in the file AzMan.txt, located (based on default installation) at
      Program Files\DigitalPersona\Bin\AzMan.txt
  2. Under the Setup section,
    • Verify the location of the associated UnlockAccountUserList.csv file and revise the strCSVFolder string as necessary.
  3. In the associated text file, UnlockAccountUserList.csv, list the user names whose accounts are to be

XML Configuration

Some of the DigitalPersona LDS components can be extensively customized through the use of XML files included with the components. These components are:

  • DigitalPersona Console
  • DigitalPersona Attended Enrollment

For full descriptions of these features, their syntax and parameters, see the following files.

  • exe.xml
  • exe.xml

The files will be located in the Bin subdirectory within the folder where the DigitalPersona LDS component was installed. By default, this is C:\Program Files (x86)\DigitalPersona\Bin.

Examples of the type of customization available through these files are:

  • Password Randomization
  • Authentication Rules & Policies
  • User Sources
  • Pages shown
  • Custom page elements

ADSI Edit tool

Further administrative tasks may be accomplished by viewing and directly editing DigitalPersona LDAP database user attributes with the Active Directory Service Interfaces Editor (ADSI Edit).

ADSI Edit (Adsiedit.msc) is an MMC snap-in. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in MMC, or launch it by entering adsiedit.msc in the command window.

You can run ADSI Edit from a client computer or server. The computer does not have to be a member of a domain. However, to see domain objects using Adsiedit.msc, you must have the snap-in to view the Active Directory domain that you connect to.

By default, members of the Domain Users group have this snap-in. To modify objects using ADSIEdit, you must have at least the Edit permission on the Active Directory objects that you want to change. By default, members of the Domain Admins group have this permission.

To access the DigitalPersona LDS database from the ADSI Edit tool:

  • Launch ADSI Edit (as described above).
  • In the ADSI Edit window, right-click ADSI Edit and select Connect to … to open the Connection Settings dialog.
  • In the Connection Settings dialog, enter the Distinguished Name for the LDAP object that you want to connect to. You can copy the Distinguished Name from the Azman.txt file created during the installation of DigitalPersona LDS Server. It is the part of the file content following the server address and port, shown here for the default installation:
    MSLDAP://127.0.0.1:50000/CN=Authorization Store,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US
  • Also enter the IP Address and port of the computer where your DigitalPersona LDS Server is installed. This too can be found in the Azman.txt file, as the host and port after the MSLDAP:// prefix. Then click OK.
    MSLDAP://127.0.0.1:50000/CN=Authorization Store,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US
  • Once connected to the DigitalPersona AD LDS database, ADSI Edit should appear populated.

The DigitalPersona LDS attributes are as follows.

  • dpAccountName – (Altus User) Name of the DigitalPersona account, i.e. DigitalPersona user
  • dpLockoutTime – Stores the date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.
  • dpOmitReasons – A multivalued attribute containing any reasons entered by a Security Officer for omitting credentials during the enrollment
  • dpUserAccountControl – Specifies the flags to control fingerprint credentials behavior for the
  • dpUserCredentialsData – Stores fingerprint registration templates for the
  • dpUserPayload – Stores the user’s unified key
  • dpUserPublicKey – Stores the user’s public
  • dpUserRecoveryKey – The user’s recovery
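The dpLockoutTime encoding (100-nanosecond intervals since 1601, not seconds since 1970) is easy to misread when reviewing lockouts in ADSI Edit. The following Python helpers, an added example that is not part of the guide or the DigitalPersona tools, convert between that large-integer form and a UTC timestamp and build a lockout report; the account names and values are constructed.

```python
from datetime import datetime, timedelta, timezone

# dpLockoutTime counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_INTERVALS_PER_SECOND = 10_000_000


def lockout_time_to_datetime(value):
    """Convert a dpLockoutTime large integer to an aware UTC datetime.
    Returns None for 0, which the guide documents as 'not currently locked out'."""
    value = int(value)
    if value == 0:
        return None
    if value < 0:
        raise ValueError("dpLockoutTime cannot be negative")
    seconds, remainder = divmod(value, _INTERVALS_PER_SECOND)
    # remainder is in 100 ns units; datetime resolves to microseconds (10 units)
    return _EPOCH_1601 + timedelta(seconds=seconds, microseconds=remainder // 10)


def datetime_to_lockout_time(when):
    """Inverse conversion for an aware datetime, e.g. to check a value shown in ADSI Edit."""
    delta = when.astimezone(timezone.utc) - _EPOCH_1601
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * _INTERVALS_PER_SECOND + delta.microseconds * 10


def lockout_report(accounts):
    """accounts maps dpAccountName to its raw dpLockoutTime.
    Returns (name, ISO-8601 UTC time) for locked accounts, oldest lockout first."""
    locked = []
    for name, raw in accounts.items():
        when = lockout_time_to_datetime(raw)
        if when is not None:
            locked.append((when, name))
    locked.sort()
    return [(name, when.isoformat()) for when, name in locked]


# Constructed sample values, not taken from a real directory
SAMPLE_ACCOUNTS = {
    "alice": 0,                      # not locked out
    "bob": 132223104000000000,       # 2020-01-01T00:00:00Z
    "dave": 132682338000000000,      # 2021-06-15T12:30:00Z
}

if __name__ == "__main__":
    for name, when in lockout_report(SAMPLE_ACCOUNTS):
        print(f"{name} locked out since {when}")
```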

To create a user-based logon policy through ADSI Edit

  1. Connect to the DigitalPersona database (see steps 1-5 above if not already connected).
  2. Right-click on a specific user and select Properties.
  3. Select dpUserAccountControl and click Edit.
  4. The displayed value should be one of the following:
    0 – No log on option is set.
    1 – User provides only Windows credentials to log on.
    2 – Randomize user's Windows password.
    4 – User must provide Fingerprint and PIN to log on.
    8 – Account is locked out from use of fingerprint credentials. Note that this value is not used to lock the account; if it is displayed, it only indicates that the account has been programmatically locked for some reason. To unlock the account, change the value to one of the other values listed.

To delete DigitalPersona Non AD users through ADSI Edit

  1. Connect to the DigitalPersona database (see steps 1-4 above).
  2. Select the Altus Users
  3. Click on any users you want to delete and select Delete from the context