This topic covers factors to consider when enabling enhanced Active Directory integration.
When to Use Enhanced Active Directory Integration
Use Enhanced Active Directory Integration in the following case:
User Attribute Mapping
To integrate Windows Password Policy with SiteMinder Password Services, map Active Directory user attributes to SiteMinder user attributes on the User Attributes tab on the User Directory Properties pane in the Policy Server User Interface. Without user attribute mapping, however, you can still integrate Active Directory with SiteMinder user account management.
Windows Security Policies
When Enhanced Active Directory Integration is selected, the Policy Server can read and enforce the Windows domain lockoutDuration and maxPwdAge settings. While the Policy Server cannot read the Windows domain controller's local security settings, the settings do affect the Policy Server.
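As an added illustration (not CA or SiteMinder code), the Python example below shows how the lockoutDuration and maxPwdAge values described above are encoded in Active Directory, and how an expiry or lockout decision follows from them together with a user's pwdLastSet and lockoutTime attributes. The sample values and function names are constructed for this example, and treating 0 or the minimum 64-bit value as "no limit" is an assumption about how the domain stores those settings.

```python
from datetime import datetime, timedelta, timezone

# AD timestamps (pwdLastSet, lockoutTime) are FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
INT64_MIN = -(2 ** 63)

# Constructed sample domain settings (not taken from any real domain).
SAMPLE_MAX_PWD_AGE = -36_288_000_000_000   # 42 days
SAMPLE_LOCKOUT_DURATION = -18_000_000_000  # 30 minutes


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def interval_to_timedelta(raw):
    """maxPwdAge and lockoutDuration are stored as negative tick counts.
    Assumption: 0 or INT64_MIN means "no limit"; returns None then."""
    if raw in (0, INT64_MIN):
        return None
    return timedelta(microseconds=abs(raw) // 10)


def password_expiry(pwd_last_set, max_pwd_age):
    """Expiry time, or None when the domain never expires passwords.
    pwdLastSet of 0 (must change at next logon) yields a date in the past."""
    age = interval_to_timedelta(max_pwd_age)
    return None if age is None else filetime_to_datetime(pwd_last_set) + age


def is_locked_out(lockout_time, lockout_duration, now):
    """lockoutTime of 0 means the account is not locked."""
    if lockout_time == 0:
        return False
    duration = interval_to_timedelta(lockout_duration)
    if duration is None:
        return True  # no automatic unlock; an administrator must unlock
    return now < filetime_to_datetime(lockout_time) + duration
```

Comparing these computed results with what the Policy Server reports for the same user is a quick way to confirm that both sides are evaluating the same domain values.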
How Windows Password Policy and SiteMinder Password Services Work Together
When users log in through Windows, only Windows Password Policy takes effect. When users log in through the Policy Server, Windows works together with the Policy Server to provide Password Services. In this case, the Policy Server enforces the maxPwdAge setting. When users change passwords, the Policy Server validates the new password, and the Windows domain controller authorizes or denies the new password.
When the Policy Server Does Not Recognize Users Locked Out by Windows
If the Policy Server does not recognize users locked out by Windows, check the following settings:
Example: dc=WindowsDomain,dc=com
Copyright © 2011 CA. All rights reserved.