Specops Authentication enrollment data in Active Directory
(Last updated on December 3, 2020)
The Specops Authentication cloud platform is unique in that user data is stored in the customer’s on-prem Active Directory database. Usernames, passwords, and enrollment data/proofs for the various Identity Services provided by Specops Authentication are stored in the customer’s Active Directory database.
When a user enrolls in Specops Authentication (uReset, Key Recovery, etc.), enrollment data/proofs are written to a leaf object created under that user’s account in Active Directory. The leaf object is an Active Directory classStore object, and all data is stored in attributes that are defined in the default schema; no third-party schema extensions are required. Empty SpecopsAuthentication leaf objects are also automatically created for each user in scope during the daily User Counting task.
When installing Specops Authentication, you will also see an option to “Allow Domain Admins to enroll.” This option is required in order to give the Gatekeeper service account the required access to create the leaf object under users who are members of Domain Admins and other AdminSDHolder protected groups.
Note: These leaf objects are not visible in the Active Directory Users and Computers MMC by default. To view them, enable the “Advanced Features” and “Users, Contacts, Groups and Computers as containers” options under the View menu. Alternatively use ADSIEdit or the PowerShell ActiveDirectory module to view and manage leaf objects.
The leaf objects are protected with additional security. Inheritance is disabled and the ACL is replaced with a much more restrictive one, which limits access to:
- SYSTEM – Full Control
- Domain Admins – Full Control
- Specops Authentication Gatekeepers group (for Gatekeeper service account(s)) – Full Control
- User account – each user account is granted read-only access to its own leaf object
Domain Admins may wish to take a peek at the data stored within this leaf object. What you will find is enrollment information for each Identity Service that requires it, as well as a “proof” of the enrollment data, which is used to detect and prevent tampering with it. The exact contents will vary based on the ID service. Note that some Identity Services, e.g. Manager ID, Duo Security, and Mobile Code (if mobile code enrollment verification is disabled), will not store additional information in the leaf object. Specops does not support directly editing the attributes of the leaf object.
We are often asked how to remove enrollment information for a particular user in Active Directory. This is typically only done for testing/troubleshooting purposes; keep in mind that users can always update their own enrollment information by revisiting the SA Enrollment webpage, and this is the preferred method for ongoing management of user enrollment data. If you do wish to reset a user’s enrollment back to default, simply delete the SpecopsAuthentication leaf object under that particular user. It will be recreated when the user re-enrolls or the next time the daily user counting runs, whichever happens first.
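The following PowerShell function is an added example (not Specops’ own code) that locates a user’s leaf object with the ActiveDirectory module, audits its ACL against the restrictive list described above (inheritance disabled; only SYSTEM, Domain Admins, the Gatekeepers group and the user, with the user limited to read access), and can optionally delete it to perform the reset described in this section. It assumes the ActiveDirectory module’s AD: drive is available; the Gatekeepers group name and the sample username are assumptions.

```powershell
# Added example, not Specops' own code. Assumes the ActiveDirectory module and its
# AD: drive. The Gatekeepers group name is assumed from the description above;
# adjust it to the group actually used in your domain.
Import-Module ActiveDirectory

function Test-SpecopsLeafObject {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$GatekeepersGroup = 'Specops Authentication Gatekeepers',  # assumed name
        [switch]$Reset   # delete the leaf object to return the user to an unenrolled state
    )
    $user = Get-ADUser -Identity $SamAccountName
    # The leaf is a classStore object directly beneath the user account
    $leaf = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=classStore)'
    if (-not $leaf) { Write-Warning "No SpecopsAuthentication leaf under $SamAccountName"; return }

    $acl    = Get-Acl -Path "AD:\$($leaf.DistinguishedName)"
    $domain = (Get-ADDomain).NetBIOSName
    # The user's own read access may be granted explicitly or via the SELF well-known SID
    $selfIds  = @("$domain\$SamAccountName", 'NT AUTHORITY\SELF')
    $expected = @('NT AUTHORITY\SYSTEM', "$domain\Domain Admins", "$domain\$GatekeepersGroup") + $selfIds
    # Any of these rights on the user's own ACE means more than read-only access
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, Delete, DeleteTree, CreateChild, DeleteChild'

    $findings = @()
    if (-not $acl.AreAccessRulesProtected) { $findings += 'Inheritance is enabled; expected disabled' }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -notin $expected) {
            $findings += "Unexpected trustee $id with $($ace.ActiveDirectoryRights)"
        } elseif ($id -in $selfIds -and (($ace.ActiveDirectoryRights -band $writeMask) -ne 0)) {
            $findings += "User has write access: $($ace.ActiveDirectoryRights)"
        }
    }

    if ($Reset) {
        # Same effect as the manual reset described above; the leaf is recreated
        # on re-enrollment or by the next daily user counting run
        Remove-ADObject -Identity $leaf.DistinguishedName -Confirm:$false
    }
    [pscustomobject]@{
        Leaf      = $leaf.DistinguishedName
        Protected = $acl.AreAccessRulesProtected
        Findings  = $findings
        Removed   = [bool]$Reset
    }
}

# Audit one (assumed) user's leaf object without changing anything
Test-SpecopsLeafObject -SamAccountName 'jdoe'
```

An empty Findings list means the leaf object carries exactly the ACL this article describes; anything listed there warrants a look before trusting the stored enrollment proofs.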