Specops Authentication enrollment data in Active Directory

The Specops Authentication cloud platform is unique in that user data is stored in the customer’s on-prem Active Directory database. Usernames, passwords, and enrollment data/proofs for the various Identity Services provided by Specops Authentication are stored in the customer’s Active Directory database.

When a user enrolls in Specops Authentication (uReset, Key Recovery, etc.), enrollment data/proofs are written to a leaf object created under that user’s account in Active Directory. The leaf object is an Active Directory classStore object, and all data is stored in attributes that are defined in the default schema; no third-party schema extensions are required. Empty SpecopsAuthentication leaf objects are also automatically created for each user in scope during the daily User Counting task.

When installing Specops Authentication, you will also see an option to “Allow Domain Admins to enroll.” This option is required in order to give the Gatekeeper service account the access it needs to create the leaf object under users who are members of Domain Admins and other AdminSDHolder-protected groups.

Note: These leaf objects are not visible in the Active Directory Users and Computers MMC by default. To view them, enable the “Advanced Features” and “Users, Contacts, Groups and Computers as containers” options under the View menu. Alternatively use ADSIEdit or the PowerShell ActiveDirectory module to view and manage leaf objects.

The leaf objects are protected with additional security. Inheritance is disabled and the ACL is replaced with a much more restrictive one, which limits access to:

  • SYSTEM – Full Control
  • Domain Admins – Full Control
  • Specops Authentication Gatekeepers group (for Gatekeeper service account(s)) – Full Control
  • User account – each user account is granted read-only access to its own leaf object
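The following PowerShell is an added example, not Specops' own code, showing how a Domain Admin can locate a user's leaf object with the ActiveDirectory module and check that its ACL still matches the restricted list above (inheritance disabled, no trustees beyond SYSTEM, Domain Admins, the Gatekeepers group and the user). It assumes the leaf object's CN is `SpecopsAuthentication` and the group's name is `Specops Authentication Gatekeepers` as written in this post; the account name `jdoe` is a constructed sample.

```powershell
# Added example (not Specops' code). Assumes the ActiveDirectory module is
# installed and the caller is a Domain Admin, since only SYSTEM, Domain Admins,
# the Gatekeepers group and the user itself have access to the leaf object.
# CN 'SpecopsAuthentication' and group 'Specops Authentication Gatekeepers'
# are taken from the post; adjust if your names differ.
Import-Module ActiveDirectory

function Get-SpecopsEnrollmentObject {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # The leaf object sits directly beneath the user, so a one-level search
    # under the user's DN finds it without scanning the whole domain.
    Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=classStore)(cn=SpecopsAuthentication))' `
        -Properties * | Select-Object -First 1
}

function Test-SpecopsEnrollmentAcl {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $leaf = Get-SpecopsEnrollmentObject -SamAccountName $SamAccountName
    if (-not $leaf) {
        Write-Warning "No enrollment leaf object under $SamAccountName"
        return
    }

    # Trustees the post says should be the only ones on the leaf object's ACL.
    $domain   = (Get-ADDomain).NetBIOSName
    $expected = @(
        'NT AUTHORITY\SYSTEM',
        "$domain\Domain Admins",
        "$domain\Specops Authentication Gatekeepers",
        "$domain\$($user.SamAccountName)"
    )

    # Get-Acl on the AD: drive (created by the module) returns the DACL.
    $acl = Get-Acl -Path "AD:\$($leaf.DistinguishedName)"
    [pscustomobject]@{
        DistinguishedName   = $leaf.DistinguishedName
        InheritanceDisabled = $acl.AreAccessRulesProtected
        UnexpectedTrustees  = @($acl.Access.IdentityReference.Value |
                                Sort-Object -Unique |
                                Where-Object { $_ -notin $expected })
    }
}

# Usage (account name is constructed): show populated attributes, then audit.
$leaf = Get-SpecopsEnrollmentObject -SamAccountName 'jdoe'
$leaf.PSObject.Properties |
    Where-Object { $null -ne $_.Value -and "$($_.Value)" -ne '' } |
    Select-Object Name, Value
Test-SpecopsEnrollmentAcl -SamAccountName 'jdoe'
```

A result with `InheritanceDisabled` equal to `$false` or a non-empty `UnexpectedTrustees` list means the leaf object's ACL no longer matches the protected configuration described above and is worth investigating; the script only reads, it never rewrites the ACL or the attributes.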

Domain Admins may wish to take a peek at the data stored within this leaf object. What you will find is enrollment information for each Identity Service that requires it, as well as a “proof” of the enrollment data, which is used to detect and prevent tampering with the enrollment data. The exact contents will vary based on the ID service. Note that some Identity Services, e.g. Manager ID, Duo Security, and Mobile Code (if mobile code enrollment verification is disabled), will not store additional information in the leaf object. Specops does not support directly editing the attributes of the leaf object.

We are often asked how to remove enrollment information for a particular user in Active Directory. This is typically only done for testing/troubleshooting purposes; keep in mind that users can always update their own enrollment information by revisiting the SA Enrollment webpage, and this is the preferred method for ongoing management of user enrollment data. If you do wish to reset a user’s enrollment back to default, simply delete the SpecopsAuthentication leaf object under that particular user. It will be recreated when the user re-enrolls or the next time the daily user counting runs, whichever happens first.
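The reset described above, as an added PowerShell example that is not Specops' own code: it finds the `SpecopsAuthentication` leaf object under a user and deletes it, supporting `-WhatIf` so the deletion can be rehearsed first. It assumes the ActiveDirectory module, Domain Admin rights (one of the identities with Full Control on the object), and the CN `SpecopsAuthentication` from this post; `jdoe` is a constructed sample account.

```powershell
# Added example (not Specops' code). Assumes the ActiveDirectory module and
# Domain Admin rights; CN 'SpecopsAuthentication' comes from the post.
Import-Module ActiveDirectory

function Reset-SpecopsEnrollment {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # Look only one level below the user object, where the leaf is created.
    $leaf = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=classStore)(cn=SpecopsAuthentication))' |
        Select-Object -First 1

    if (-not $leaf) {
        Write-Warning "No enrollment leaf object under $($user.DistinguishedName); nothing to reset."
        return
    }

    # ShouldProcess honours -WhatIf and -Confirm, so a dry run is possible.
    if ($PSCmdlet.ShouldProcess($leaf.DistinguishedName,
                                'Delete Specops Authentication enrollment leaf object')) {
        Remove-ADObject -Identity $leaf.DistinguishedName -Confirm:$false
        Write-Verbose ("Deleted {0}. It is recreated when the user re-enrolls " +
                       "or when the daily user counting next runs." -f $leaf.DistinguishedName)
    }
}

# Dry run first, then the real deletion (account name is constructed).
Reset-SpecopsEnrollment -SamAccountName 'jdoe' -WhatIf
# Reset-SpecopsEnrollment -SamAccountName 'jdoe' -Verbose
```

Because `ConfirmImpact` is set to `High`, the function prompts before deleting unless `-Confirm:$false` is passed; together with the `-WhatIf` dry run this keeps an accidental reset of the wrong user's enrollment unlikely.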

(Last updated on December 3, 2020)


Written by

Darren Siegel

Darren Siegel is a cyber security expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. Darren has more than 15 years’ experience within Active Directory, IT security, servers, storage, virtualization, cloud, and identity and access management.
