Using the ADUC Snap-Ins

The ADUC snap-ins described below are part of the DigitalPersona LDS Administration Tools component.

For installation instructions, see DigitalPersona LDS Administration Tools.

User Query Snap-In

The DigitalPersona User Query Snap-in is a component within the DigitalPersona LDS Administration Tools.

These tools are a separate installation, located in the DigitalPersona LDS Administration Tools folder of your product package. The User Query Tool lets an administrator query the DigitalPersona LDS user database for information about DigitalPersona LDS users, perform certain operations and set values associated with a selected user.

It has three separate implementations, the ActiveX control, the interactive dialog-based application and the command line utility, as described in the following topics.

The User Query Tool can only be successfully run on the computer where DigitalPersona LDS Server is installed.

Once installed, the Interactive dialog-based application can be run from the Start menu by clicking DigitalPersona, User Query Tool.

ActiveX Control

The ActiveX control provides the most functionality, including performing operations against the user record and setting certain flags and values. The dialog-based and CLI applications are reporting tools only.

Examples of the types of query information that can be accessed by the ActiveX control are:

  • Number of installed licenses

  • Number of licenses used

  • Number of enrolled credentials for each user

  • Types of credentials enrolled for each user

  • Number of users accessing managed logons

  • Dates of first and last fingerprint enrollment

Additionally, certain operations may be performed against the DigitalPersona user database through the ActiveX control. For example:

  • Lock user account

  • Set user logon policy

  • Delete specific authentication credentials

  • Delete user Secrets

The DigitalPersona LDS User Query Tool ActiveX control exposes two interfaces that can be used from Visual Basic (including VBScript) or JavaScript.

IDPUserQueryControlInterface

This interface is used to return licensing information and create an instance of the DPUserControl object described in the next section.

[
    object,
    uuid(4AC9BCDA-7C6F-4919-A885-D533CBA447DF),
    dual,
    nonextensible,
    helpstring("IDPUserQueryControl Interface: "),
    pointer_default(unique)
]
interface IDPUserQueryControl : IDispatch
{
    [propget, id(1), helpstring("Returns number of licenses installed.")]
    HRESULT NumberOfLicensesInstalled([out, retval] LONG* pVal);
    [propget, id(2), helpstring("Returns number of licenses used.")]
    HRESULT NumberOfLicensesUsed([out, retval] LONG* pVal);
    [id(3), helpstring("Creates an instance of DPUserControl object based on user DN.")]
    HRESULT GetUser([in] BSTR UserDN, [out, retval] IDispatch** ppUser);
};

IDPUserControl

The IDPUserControl interface is used to get or set a number of user properties and to perform operations, such as deleting credentials, against the user record.

[
    object,
    uuid(C6AAB663-EA2A-4195-940F-1C56C5736924),
    dual,
    nonextensible,
    helpstring("IDPUserControl Interface: "),
    pointer_default(unique)
]
interface IDPUserControl : IDispatch
{
    [propget, id(1), helpstring("Returns a flag that indicates if the account is locked because of intruder detection.")]
    HRESULT IsAccountLocked([out, retval] VARIANT_BOOL* pfIsAccountLocked);
    [propput, id(1), helpstring("Sets a flag that indicates if the account is locked because of intruder detection.")]
    HRESULT IsAccountLocked([in] VARIANT_BOOL fIsAccountLocked);
    [propget, id(2), helpstring("Returns a user account control value.")]
    HRESULT AccountControl([out, retval] LONG* pVal);
    [propput, id(2), helpstring("Sets a user account control value.")]
    HRESULT AccountControl([in] LONG newVal);
    [propget, id(3), helpstring("Returns a user logon policy value.")]
    HRESULT LogonPolicy([out, retval] LONG* pVal);
    [propput, id(3), helpstring("Sets a user logon policy value.")]
    HRESULT LogonPolicy([in] LONG newVal);
    [propget, id(4), helpstring("Returns a flag that indicates if the specific authentication token is enrolled.")]
    HRESULT IsTokenEnrolled([in] BSTR TokenID, [out] VARIANT_BOOL* pfIsTokenEnrolled);
    [propget, id(5), helpstring("Returns a flag that indicates fingerprints enrolled mask.")]
    HRESULT FingerprintMask([out, retval] LONG* pVal);
    [propget, id(6), helpstring("Returns user recovery password.")]
    HRESULT RecoveryPassword([in] BSTR EncryptedPassword, [out, retval] BSTR* pVal);
    [id(7), helpstring("Deletes specific authentication token credentials.")]
    HRESULT DeleteToken([in] BSTR TokenID);
    [id(8), helpstring("Deletes enrolled fingerprints.")]
    HRESULT DeleteFingerprints(void);
    [id(9), helpstring("Deletes user Secrets.")]
    HRESULT DeleteSecrets(void);
    [id(10), helpstring("Returns date and time of first fingerprint enrollment.")]
    HRESULT FingerprintFirstEnrollmentTime([out, retval] DATE* pVal);
    [id(11), helpstring("Returns date and time of last fingerprint enrollment.")]
    HRESULT FingerprintLastEnrollmentTime([out, retval] DATE* pVal);
    [propget, id(12), helpstring("Returns a flag that indicates if the specific authentication token is enrolled.")]
    HRESULT IsTokenEnrolledEx([in] BSTR TokenID, [in] BSTR Prefix, [out] VARIANT_BOOL* pfIsTokenEnrolled);
    [propget, id(13), helpstring("Returns a flag that indicates if license taken by this user.")]
    HRESULT IsLicenseTaken([out, retval] VARIANT_BOOL* pfIsLicenseTaken);
    [id(14), helpstring("Clear license by deleting all DigitalPersona data for this user.")]
    HRESULT ClearLicense(void);
};

Sample VB Script

This is a sample of a VB script that returns the date and time of the first and last fingerprint enrollments for a user.

Option Explicit
Dim objQueryControl, objUser
' Create the User Query control, then obtain the IDPUserControl object for one user by DN
Set objQueryControl = CreateObject("DPUserQuery.DPUserQueryControl")
Set objUser = objQueryControl.GetUser("cn=testuser,CN=Users,DC=testdomain,DC=COM")
' FingerprintFirstEnrollmentTime and FingerprintLastEnrollmentTime are methods returning a DATE
WScript.Echo objUser.FingerprintFirstEnrollmentTime
WScript.Echo objUser.FingerprintLastEnrollmentTime
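The VBScript above reads two values for one user. The following PowerShell script is an added example, not code from the DigitalPersona documentation or product: it drives the same ActiveX control to produce a read-only audit of every user, and shows the one write it contains (the IsAccountLocked propput) gated behind -WhatIf/-Confirm. Assumptions not stated on the page: the control is registered under the ProgID DPUserQuery.DPUserQueryControl used by the sample; user DNs are enumerated with System.DirectoryServices from the sample's CN=Users container (the LDAP path and filter are placeholders); FingerprintMask is taken to carry one bit per enrolled finger; the helper names (Get-BitCount, Get-DPEnrollmentTime, Get-DPUserReport, Set-DPUserLock) are the example's own.

```powershell
# Added example (not from DigitalPersona): audit DigitalPersona LDS users via the
# User Query ActiveX control from PowerShell. Run on the LDS server, where the
# control is installed, in an elevated session.

function Get-BitCount([int]$Value) {
    # Population count over all 32 bits; assumes one mask bit per enrolled finger.
    $n = 0
    for ($i = 0; $i -lt 32; $i++) { if ($Value -band (1 -shl $i)) { $n++ } }
    return $n
}

function Get-DPEnrollmentTime($User, [string]$Method) {
    # ids 10 and 11 in the IDL are methods, not properties, so PowerShell needs "()";
    # they may fail for a user with no fingerprints, which we report as $null.
    try { [datetime]$User.$Method() } catch { $null }
}

function Get-DPUserReport {
    [CmdletBinding()]
    param(
        [string]$SearchRoot = 'LDAP://CN=Users,DC=testdomain,DC=COM',   # assumed; adjust to your domain
        [string]$Filter = '(&(objectCategory=person)(objectClass=user))'
    )
    # IDPUserQueryControl: licence totals, plus GetUser() for per-user objects.
    $control = New-Object -ComObject 'DPUserQuery.DPUserQueryControl'
    Write-Verbose ('Licenses used/installed: {0}/{1}' -f $control.NumberOfLicensesUsed, $control.NumberOfLicensesInstalled)

    # The control has no search method, so DNs come from an LDAP search.
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, [string[]]@('distinguishedName'))
    $searcher.PageSize = 500

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        try {
            $user = $control.GetUser($dn)        # IDPUserControl instance for this DN
            $mask = [int]$user.FingerprintMask
            [pscustomobject]@{
                DN               = $dn
                LicenseTaken     = [bool]$user.IsLicenseTaken
                AccountLocked    = [bool]$user.IsAccountLocked   # intruder-detection lock
                AccountControl   = [int]$user.AccountControl
                LogonPolicy      = [int]$user.LogonPolicy
                FingerprintMask  = ('0x{0:X}' -f $mask)
                FingerprintCount = Get-BitCount $mask
                FirstEnrolled    = Get-DPEnrollmentTime $user 'FingerprintFirstEnrollmentTime'
                LastEnrolled     = Get-DPEnrollmentTime $user 'FingerprintLastEnrollmentTime'
            }
        } catch {
            # Accounts with no DigitalPersona data may fail GetUser; record and continue.
            Write-Warning "Skipping ${dn}: $($_.Exception.Message)"
        }
    }
}

function Set-DPUserLock {
    # The only write in this script. IsAccountLocked has a propput, so assignment sets it;
    # ConfirmImpact=High means -Confirm is prompted for unless -Force/-Confirm:$false is given.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Dn, [bool]$Locked = $true)
    $control = New-Object -ComObject 'DPUserQuery.DPUserQueryControl'
    $user = $control.GetUser($Dn)
    if ($PSCmdlet.ShouldProcess($Dn, "set IsAccountLocked to $Locked")) {
        $user.IsAccountLocked = $Locked
    }
    return [bool]$user.IsAccountLocked
}

# Usage: write the audit to a CSV, and preview (without applying) a lock.
Get-DPUserReport -Verbose | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'dp-user-audit.csv')
Set-DPUserLock -Dn 'cn=testuser,CN=Users,DC=testdomain,DC=COM' -WhatIf
```

Two points a practitioner should keep in mind when scripting this control. Everything runs with the caller's privileges on the LDS server, and DeleteToken, DeleteFingerprints, DeleteSecrets and ClearLicense are irreversible, so keep reporting and modification in separate functions and put the modifying ones behind ShouldProcess as above. RecoveryPassword returns a user's recovery password; the script deliberately never reads it, and any script that does should be treated as handling a credential.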

Interactive Dialog-based Application

To run the interactive dialog-based application:

  1. From the Start menu, select All Programs, DigitalPersona, and then User Query Tool.

  2. In the application dialog that displays, select the type of information you would like to display.

  3. Optionally, Browse to the location where you want to save the resulting log file.

  4. Click Run.

The file is saved as a .csv file with the default name of DPQuery.csv, which can be opened in Notepad or programs such as Microsoft Excel and other spreadsheet programs.

DPQuery.csv Format

The file resulting from the use of either the Interactive User Query Tool described above, or the command line interface User Query Tool, is illustrated below and described more fully in the table that follows.

Column Description

User Name

Name of the user being reported against.

Display Name

Display Name of the user being reported against.

User Type

Type of user - that is, Administrator or Standard.

Logon Options

0 - No logon option is set.

1 - User provides only Windows credentials to log on.

2 - Randomize user’s Windows Password.

4 - User must provide Fingerprint and PIN to log on.

8 - Account is locked out from use of fingerprint credentials.

Fingerprints

Number of fingerprints enrolled by the user.

Contactless Writable Cards

YES or NO. Indicates if this credential has been enrolled by the specified user.

Contactless ID Cards

YES or NO. Indicates if this credential has been enrolled by the specified user.

PIN

YES or NO. Indicates if this credential has been enrolled by the specified user.

Licenses

YES or NO. Indicates if a DigitalPersona User license is being utilized by the specified user.

Self Password Recovery

YES or NO. Indicates if the Self Password Recovery questions have been answered by the specified user.

OTP

YES or NO. Indicates if this credential has been enrolled by the specified user.

Device-bound passkey

YES or NO. Indicates if this credential has been enrolled by the specified user.

Face

YES or NO. Indicates if this credential has been enrolled by the specified user.

Synced passkey

YES or NO. Indicates if this credential has been enrolled by the specified user.

Additionally, the following totals are provided at the end of the file:

  • Total number of users

  • Total number of Employee licenses used

  • Total number of Customer Facing licenses used

  • License ID, Product ID, Status, Activation Date, Expiration Date, Licensed Users

  • Total number of users with fingerprints enrolled

  • Total number of users with Contactless Writable cards enrolled

  • Total number of users with Contactless ID cards enrolled

  • Total number of users with PIN enrolled

  • Total number of users with Self Password Recovery enrolled

  • Total number of users with OTP enrolled

  • Total number of users with device-bound passkeys enrolled

  • Total number of users with Face enrolled

  • Total number of users with synced passkey enrolled
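The column table above describes the report but not how to consume it. The script below is an added example, not part of the DigitalPersona documentation: it parses a DPQuery.csv report, decodes the Logon Options value and flags rows worth a second look. It assumes the header row uses the column names from the table, that the per-user rows end at the first blank line with the totals following it, and that Logon Options is a bit mask of the listed values (they are powers of two, which suggests a mask but the page does not say so). The CSV text embedded in the script is constructed for illustration, not captured from a real system, and the function names are the example's own.

```powershell
# Added example (not from DigitalPersona): parse DPQuery.csv and flag findings.

# Constructed sample report; the real file has the same header if the assumptions hold.
$SampleReport = @'
User Name,Display Name,User Type,Logon Options,Fingerprints,Contactless Writable Cards,Contactless ID Cards,PIN,Licenses,Self Password Recovery,OTP,Device-bound passkey,Face,Synced passkey
TESTDOMAIN\alice,Alice Example,Administrator,1,0,NO,NO,NO,YES,YES,NO,NO,NO,NO
TESTDOMAIN\bob,Bob Example,Standard,6,2,NO,NO,YES,YES,NO,YES,NO,NO,NO
TESTDOMAIN\carol,Carol Example,Standard,8,1,NO,NO,YES,YES,NO,NO,NO,NO,NO
TESTDOMAIN\dave,Dave Example,Standard,0,0,NO,NO,NO,YES,NO,NO,NO,NO,NO

Total number of users,4
Total number of Employee licenses used,4
'@

# Logon Options values from the column table, treated as a bit mask (assumption).
$LogonOptionNames = @{
    1 = 'Windows credentials only'
    2 = 'Randomized Windows password'
    4 = 'Fingerprint and PIN required'
    8 = 'Locked out from fingerprint credentials'
}
$CredentialColumns = 'Contactless Writable Cards', 'Contactless ID Cards', 'PIN', 'OTP',
                     'Device-bound passkey', 'Face', 'Synced passkey'

function ConvertFrom-DPLogonOptions([int]$Value) {
    if ($Value -eq 0) { return @('No logon option set') }
    $names = @(foreach ($bit in 1, 2, 4, 8) { if ($Value -band $bit) { $LogonOptionNames[$bit] } })
    $unknown = $Value -band (-bnot 15)
    if ($unknown) { $names += ('Unknown bits 0x{0:X}' -f $unknown) }   # a value outside the documented set
    return $names
}

function Get-DPFindings($Row, [int]$Options, [string[]]$Enrolled) {
    $findings = @()
    if ($Options -band 8) { $findings += 'locked out from fingerprint credentials' }
    if ($Row.'User Type' -eq 'Administrator' -and ($Options -band 1)) {
        $findings += 'administrator may log on with the Windows password alone'
    }
    if ($Row.Licenses -eq 'YES' -and $Enrolled.Count -eq 0) {
        $findings += 'license consumed but no credential enrolled'
    }
    if (($Options -band 4) -and ($Row.PIN -ne 'YES' -or [int]$Row.Fingerprints -eq 0)) {
        $findings += 'fingerprint-and-PIN policy set but a required credential is missing'
    }
    return $findings
}

function Import-DPQueryReport([string]$CsvText) {
    $lines = $CsvText.Trim() -split "`r?`n"
    $end = [array]::IndexOf($lines, '')          # totals follow the first blank line
    if ($end -lt 0) { $end = $lines.Count }
    foreach ($row in ($lines[0..($end - 1)] | ConvertFrom-Csv)) {
        $opts = [int]$row.'Logon Options'
        $enrolled = @($CredentialColumns | Where-Object { $row.$_ -eq 'YES' })
        if ([int]$row.Fingerprints -gt 0) { $enrolled += 'Fingerprints' }
        [pscustomobject]@{
            UserName     = $row.'User Name'
            UserType     = $row.'User Type'
            LogonOptions = ((ConvertFrom-DPLogonOptions $opts) -join '; ')
            Credentials  = ($enrolled -join ', ')
            LicenseUsed  = ($row.Licenses -eq 'YES')
            Findings     = ((Get-DPFindings $row $opts $enrolled) -join '; ')
        }
    }
}

# Usage on the constructed sample, then on a real report written by the tool.
Import-DPQueryReport $SampleReport | Format-Table -AutoSize
# Import-DPQueryReport (Get-Content 'C:\Program Files\DigitalPersona\Bin\DPQuery.csv' -Raw) |
#     Where-Object Findings | Export-Csv -NoTypeInformation .\dpquery-findings.csv
```

The findings are deliberately conservative: a locked-out account, an Administrator-type user whose logon option allows the Windows password alone, a consumed license with no credential behind it, and a fingerprint-and-PIN policy the user cannot satisfy. The report itself is an inventory of who holds which authenticators, so store it with the same access restrictions as the LDS server's other administrative output.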

Command Line Utility

The User Query Tool command line utility must be run from an elevated command prompt.

To run the User Query Tool command line utility:

  1. Open an elevated command prompt by right-clicking any Command Prompt shortcut on the Windows Start menu (located by default in the Accessories folder) and selecting Run as administrator.

  2. In the Command Prompt window, enter [Installation path]\Bin\DPQuery.exe using the following syntax and parameters.

    The default location is C:\Program Files\DigitalPersona\Bin

Syntax

DPQuery.exe [-noui] [-dn="BaseDN"] [-out="FileName"] [-ac] [-fp] [-cw] [-ci]
[-bt] [-pin] [-lic] [-rec] [-otp] [-u2f] [-face] [-bh]

Parameter Description

-noui

Run utility silently with no graphical interface, writing results to the DPQuery.csv file in the [Installation path]\Bin folder (where the default location would be C:\Program Files\DigitalPersona\Bin).

If -noui is not used, the Interactive Dialog-based Application displays.

-dn="BaseDN"

Sets the Distinguished Name of the search base for the query. If this parameter is not present, the query runs against all users.

  • Non AD users - To query DigitalPersona Non AD users only, copy and modify the string found in the AzMan.txt file created during the DigitalPersona LDS installation.

    The AzMan.txt file is located in the [Installation path]\Bin folder, where the default location would be C:\Program Files\DigitalPersona\Bin

    The AzMan text string will be similar to the following:

    MSLDAP://127.0.0.1:50000/CN=Authorization Store,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US

    1. Remove the MS from the front of the string.

    2. Replace the words Authorization Store with AltusUsers.

  • AD users - To query DigitalPersona AD users only, copy and modify the AzMan.txt string as follows:

    1. Remove the MS from the front of the string.

    2. Replace the words Authorization Store with AltusAD Users.

  • Other user groups - To query other user groups that may have been created, copy and modify the AzMan.txt string as follows:

    1. Remove the MS from the front of the string.

    2. Replace the words Authorization Store with the name of the group.

    To determine the exact name of any additional groups, you can use the ADSI Edit tool to connect to the AD LDS instance.

-out="FileName"

Identifies the path and file name for the output log file. If missing, the file DPQuery.csv will be created in the directory containing the utility.

-fp

Add information about the number of fingerprints enrolled for each user in a query.

-ac

Add information about user account control flags like password randomization.

-cw

Add information about Contactless Writable cards enrolled for each user in a query.

-ci

Add information about Contactless ID cards enrolled for each user in a query.

-pin

Add information about PINs enrolled for each user in a query.

-lic

Add information about licenses utilized for each user in a query.

-rec

Add information about Self Password Recovery enrolled for each user in a query.

-otp

Add information about OTP credentials enrolled for each user in a query.

-u2f

Add information about device-bound passkey credentials enrolled for each user in a query.

-face

Add information about Face credentials enrolled for each user in a query.

-bh

Add information about synced passkey credentials enrolled for each user in a query.

Examples

Show the User Interface (interactive dialog) for selecting query parameters.

DPQuery.exe

Do not use the UI, but report license information for all users.

DPQuery.exe -noui -lic

Report license information and fingerprints enrolled for Non AD users only.

DPQuery.exe -noui -dn="LDAP://127.0.0.1:50000/CN= Altus Users,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US" -lic -fp
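The -dn steps above (strip the leading "MS", replace "Authorization Store" with the container name) are easy to get wrong by hand, and the utility must be elevated. The PowerShell below is an added example, not part of the DigitalPersona documentation or product: it derives the search base from AzMan.txt by those two steps, checks for elevation, and runs DPQuery.exe silently. Assumptions: the documented default install path; that the run failed if no output file appears (the page documents no exit codes, so the exit code is only reported); the container name passed as -Group is whichever value the steps above tell you to substitute; the function names are the example's own.

```powershell
# Added example (not from DigitalPersona): build -dn from AzMan.txt and run DPQuery.exe.

function Test-DPElevation {
    # Standard Windows principal check; DPQuery.exe requires an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function ConvertTo-DPBaseDN {
    param(
        [Parameter(Mandatory)][string]$AzManString,   # contents of AzMan.txt
        [Parameter(Mandatory)][string]$Group          # container name from the steps above
    )
    $s = $AzManString.Trim()
    if (-not $s.StartsWith('MSLDAP://')) { throw "Unexpected AzMan string: $s" }
    if ($s -notlike '*CN=Authorization Store,*') { throw "Authorization Store container not found in: $s" }
    $s = $s.Substring(2)                                            # step 1: MSLDAP:// -> LDAP://
    return $s.Replace('CN=Authorization Store,', "CN=$Group,")      # step 2: swap the container
}

function Invoke-DPQuery {
    param(
        [string]$InstallPath = 'C:\Program Files\DigitalPersona',  # documented default
        [string]$Group,                                            # omit to query all users
        [string[]]$Options = @('-lic', '-fp', '-pin', '-ac'),
        [string]$OutFile = (Join-Path $env:TEMP ('DPQuery-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))),
        [switch]$DryRun
    )
    $exe = Join-Path $InstallPath 'Bin\DPQuery.exe'
    $argList = @('-noui', ('-out="{0}"' -f $OutFile)) + $Options
    if ($Group) {
        $azman = Get-Content (Join-Path $InstallPath 'Bin\AzMan.txt') -Raw
        $argList += ('-dn="{0}"' -f (ConvertTo-DPBaseDN $azman $Group))
    }
    $argString = $argList -join ' '
    if ($DryRun) { return "`"$exe`" $argString" }

    if (-not (Test-DPElevation)) { throw 'DPQuery.exe must be run from an elevated prompt.' }
    # One pre-built argument string is passed verbatim, so the quoted -dn and -out values
    # containing spaces reach the executable intact.
    $proc = Start-Process -FilePath $exe -ArgumentList $argString -Wait -PassThru -NoNewWindow
    if (-not (Test-Path $OutFile)) {
        throw "DPQuery.exe (exit code $($proc.ExitCode)) produced no report at $OutFile"
    }
    return $OutFile
}

# Pure string transformation, runnable anywhere, on the AzMan string quoted above:
ConvertTo-DPBaseDN 'MSLDAP://127.0.0.1:50000/CN=Authorization Store,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US' 'AltusAD Users'

# On the LDS server: show the command line, then run it for non-AD users.
Invoke-DPQuery -Group 'AltusUsers' -DryRun
$report = Invoke-DPQuery -Group 'AltusUsers'
```

ConvertTo-DPBaseDN refuses input that does not start with MSLDAP:// or lacks the Authorization Store container, so a hand-edited or truncated AzMan.txt fails loudly instead of silently querying the wrong base. Writing the report to a timestamped file rather than the default DPQuery.csv in the Bin folder also avoids overwriting the previous run and keeps the credential inventory out of the product directory.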