Using the ADSI Edit Tool

Further administrative tasks can be accomplished by viewing and directly editing DigitalPersona LDAP database user attributes with the Active Directory Service Interfaces Editor (ADSI Edit).

ADSI Edit (Adsiedit.msc) is an MMC snap-in.

You can run ADSI Edit from a client computer or a server; the computer does not have to be a member of a domain. However, to see domain objects with Adsiedit.msc, you must have permission to view the Active Directory domain that you connect to.

By default, members of the Domain Users group have this permission.

Prerequisites: To modify objects using ADSI Edit, you must have at least write permission on the Active Directory objects that you want to change. By default, members of the Domain Admins group have this permission.

To access the DigitalPersona LDS database from the ADSI Edit tool:

  1. Launch ADSI Edit, either by adding the snap-in to an .msc console through the Add/Remove Snap-in menu option in MMC, or by entering adsiedit.msc at a command prompt.

  2. In the ADSI Edit window, right-click ADSI Edit and select Connect to ... to open the Connection Settings dialog.

  3. In the Connection Settings dialog, enter the Distinguished Name for the LDAP object that you want to connect to as the Connection Point.

    You can copy the Distinguished Name from the Azman.txt file created during the installation of the DigitalPersona LDS Server. It is the part of the file content highlighted in the illustration below.

  4. Under Computer, enter the name or IP address and the port of the computer where your DigitalPersona LDS Server is installed.

    These can also be found in the Azman.txt file, as shown below.

  5. Then click OK.

Once connected to the DigitalPersona AD LDS database, ADSI Edit should appear populated similar to the illustration below.

The DigitalPersona LDS attributes are as follows.

Attribute                   Description
dpAccountName (Altus User)  Name of the DigitalPersona account, i.e. the DigitalPersona user name.
dpLockoutTime               Date and time (UTC) at which this account was locked out. The value is stored as a large integer holding the number of 100-nanosecond intervals since January 1, 1601 (UTC), i.e. a Windows FILETIME. A value of zero means that the account is not currently locked out.
dpOmitReasons               Multivalued attribute containing any reasons entered by a Security Officer for omitting credentials during the enrollment process.
dpUserAccountControl        Flags that control fingerprint credential behavior for the user (see the values listed under the logon policy procedure below).
dpUserCredentialsData       Fingerprint registration templates for the user.
dpUserPayload               The user's unified key data.
dpUserPublicKey             The user's public key.
dpUserRecoveryKey           The user's recovery key.

To create a user-based logon policy through ADSI Edit:

  1. Connect to the DigitalPersona database as described above.

  2. Right-click on a specific user and select Properties.

  3. Select dpUserAccountControl and click Edit.

  4. The displayed value is one of the following numbers:

    • 0 - No log on option is set.

    • 1 - User provides only Windows credentials to log on.

    • 2 - Randomize the user's Windows password.

    • 4 - User must provide Fingerprint and PIN to log on.

    • 8 - Account is locked out from use of fingerprint credentials.

      Note: The value 8 is not written to lock an account; if it is displayed, it only indicates that the account has been locked programmatically for some reason. To unlock the account, change the value to one of the other values listed above.

To delete DigitalPersona non-AD users through ADSI Edit:

  1. Connect to the DigitalPersona database as described above.

  2. Select the Altus Users object.

  3. Right-click each user you want to delete and select Delete from the context menu. Deleting the object also removes the fingerprint templates and keys stored in its attributes.
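The three procedures above (connecting to the DigitalPersona LDS instance, reading a user's attributes, setting dpUserAccountControl, and deleting a non-AD user) can be scripted with System.DirectoryServices instead of clicking through ADSI Edit. The following is an added example and is not part of the DigitalPersona documentation or product code. The server name, port and connection-point DN are placeholders to be replaced with the values from Azman.txt; the attribute names are the ones listed above; the function names, the lookup of users by dpAccountName, and the assumption that the script runs as an identity with write access to the user objects are this example's own.

```powershell
# Added example, not from the DigitalPersona documentation or product.
# Assumptions: $Server/$Port/$ConnectionPoint are taken from Azman.txt
# (placeholders below); the current Windows identity can read and write the
# user objects; users are located by the dpAccountName attribute.
Add-Type -AssemblyName System.DirectoryServices

$Server          = 'lds01.example.local'                  # placeholder
$Port            = 50000                                   # placeholder
$ConnectionPoint = '<Distinguished Name from Azman.txt>'   # placeholder
if ($ConnectionPoint -like '<*') { throw 'Set $ConnectionPoint from Azman.txt first.' }

# Binds as the current Windows identity; pass a user name and password as the
# second and third constructor arguments to bind as someone else.
$Root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/${ConnectionPoint}")

# dpUserAccountControl values exactly as the documentation lists them.
# The documentation presents them as single values, so they are not decoded as a bit mask here.
$DpUacValues = @{
    0 = 'No log on option is set'
    1 = 'User provides only Windows credentials to log on'
    2 = "Randomize the user's Windows password"
    4 = 'User must provide Fingerprint and PIN to log on'
    8 = 'Locked out from use of fingerprint credentials (set programmatically)'
}

# Escape untrusted input before it is placed in an LDAP filter (RFC 4515),
# so an account name such as "*)(dpAccountName=*" cannot widen the search.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DpUser {
    param([Parameter(Mandatory)][string]$AccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.Filter = "(dpAccountName=$(ConvertTo-LdapFilterValue $AccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('dpAccountName', 'dpLockoutTime', 'dpUserAccountControl'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No DigitalPersona user with dpAccountName '$AccountName'." }

    # DirectorySearcher returns the large-integer attribute as Int64, so it can be
    # passed to FromFileTimeUtc directly; zero means the account is not locked out.
    $lockout = 0L
    if ($result.Properties['dplockouttime'].Count -gt 0) { $lockout = [int64]$result.Properties['dplockouttime'][0] }
    $lockedOutAt = $null
    if ($lockout -ne 0) { $lockedOutAt = [DateTime]::FromFileTimeUtc($lockout) }

    $uac = 0
    if ($result.Properties['dpuseraccountcontrol'].Count -gt 0) { $uac = [int]$result.Properties['dpuseraccountcontrol'][0] }
    $meaning = "unlisted value $uac"
    if ($DpUacValues.ContainsKey($uac)) { $meaning = $DpUacValues[$uac] }

    [pscustomobject]@{
        AccountName    = $result.Properties['dpaccountname'][0]
        LockedOutAt    = $lockedOutAt
        AccountControl = $uac
        Meaning        = $meaning
        Entry          = $result.GetDirectoryEntry()   # writable handle for changes
    }
}

function Set-DpUserAccountControl {
    param([Parameter(Mandatory)][string]$AccountName,
          [Parameter(Mandatory)][ValidateSet(0, 1, 2, 4)][int]$Value)
    # 8 is deliberately not accepted: per the documentation it only reports a
    # programmatic lockout, and writing any of the other values clears it.
    $user = Get-DpUser -AccountName $AccountName
    $user.Entry.Properties['dpUserAccountControl'].Value = $Value
    $user.Entry.CommitChanges()
    Get-DpUser -AccountName $AccountName   # re-read to confirm what was stored
}

function Remove-DpUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$AccountName)
    # Deleting the object also destroys the templates and keys held in its
    # attributes, so the caller is prompted unless -Confirm:$false is given.
    $user = Get-DpUser -AccountName $AccountName
    if ($PSCmdlet.ShouldProcess($user.Entry.Path, 'Delete DigitalPersona user')) {
        $user.Entry.DeleteTree()
    }
}

# Usage (account name 'jdoe' is a placeholder):
# Get-DpUser -AccountName 'jdoe'
# Set-DpUserAccountControl -AccountName 'jdoe' -Value 4
# Remove-DpUser -AccountName 'jdoe' -WhatIf
```

Reads go through DirectorySearcher rather than the DirectoryEntry property bag because the searcher hands back dpLockoutTime as a plain Int64, whereas the ADSI property bag returns a COM IADsLargeInteger that has to be reassembled from its HighPart and LowPart. The filter escaping matters because the account name typically comes from a ticket or a user, and an unescaped value can turn a single-user lookup into a wildcard match that the Set and Remove functions would then act on.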