New Active Directory Enrollment Feature Embraced by Schools
April 25, 2008
A new Sphinx card synchronization feature automatically enrolls new end-users in Active Directory and updates the accounts of existing users upon card issuance. Once end-users have the cards in their hands, all cards can immediately be used to logon to network computers.
This feature is especially convenient for organizations who have a steady turnover of cardholders, such as schools, since new end-users never need to be directly added to Active Directory. An example of how this feature was used at a recent school installation is described below.
SAMPLE SCHOOL INSTALLATION
THE GOAL: The school wanted a simple, secure solution that would enable students to logon to Windows at campus computers with their ID cards, without needing to know their Windows user name and password.
THE SOLUTION: They purchased the Sphinx Enterprise software, Atmel smart cards for all their students, and contact card readers for the PCs in their computer centers. Although the Atmel cards are chip cards, the school would use them in "server only mode", meaning that all the card data would be stored on the Sphinx secure server.
Preparation: In preparation for card issuance, the school imported all of the existing students from Active Directory into the Sphinx CardMaker administrator software and activated the synchronized Active Directory enrollment feature. Then they specified card settings so that students would not be allowed to view or change their Windows logon data, and when students pulled their cards out of the card reader they would be automatically logged off of the computer.
Issuance: When the students came to get their ID cards, it was easy to issue cards to both existing and new students, as follows:
Existing students: Administrator looked up student in CardMaker software, clicked on Issue Card, and handed new card to student.
At the same time in a transparent process, Sphinx automatically generated a new Windows password for the student and reset their Active Directory password, so that the card and Active Directory were synchronized.
New students: Administrator simply entered the student's first and last name into the corresponding fields in the CardMaker software, filled the Cardholder ID field with the name that would be used as the Windows "user logon name", then clicked on Issue Card.
At the same time in a transparent process, Sphinx caused a new Active Directory account to be created for the student, and generated a new Windows password which it loaded to the new account, so that the card and Active Directory were synchronized.
THE RESULT: Students simply presented their cards to the card readers at campus computers, specified a card PIN as prompted by Sphinx Logon Manager, and were logged on to the school's network. School administrators were very pleased with the hands-free functionality, since card issuance is an ongoing process for them.
Note that in order to use this feature, card data must be stored on the CardMaker server. This feature is not available for smart cards that store data on the card.
All trademarks are property of their respective owners.
Open Domain Sphinx Solutions, firstname.lastname@example.org