Frequently Asked Questions
- Who is ITCS Hawaii?
ITCS Hawaii is a small Exchange and
Active Directory consulting company. We were founded by
an Exchange consultant, MVP, and author. We are purely a technical services
company; no sales people, no marketing, and no professional web site
designer (as you can see.) See the
page. Ithicos Solutions
is a new company that we have founded as a partnership between the designers
and developers of our software. We are a small company, but we are not
"pushy" about sales. We don't even make you register for an evaluation
or talk to a sales person for 15 minutes before you look at the product.
- Can Directory Update assign a manager the ability to change other user's
Directory Update is completely a "self-service" application. It was
designed to be simple to use, cost effective, and easy to deploy. It does
not have any "delegation" features. Our Directory Manager product allows you
to designate administrators that can modify other user's information.
However, Directory Manager does not have 'self service' capabilities.
- I am going to rename or merge my domain in the future. Do I need to
buy a new license?
No, just let us know what the new DNS domain name of your new Active
Directory is and we will transfer your license to the new domain and issue
you a new license key.
- Does Directory Update support resource forests?
Not really. Directory Update is designed to authenticate a user against a
single Active Directory forest and to update the attributes of that user in
the forest that authenticated the user. The Exchange Global Address List,
however, shows the user attribute information from the resource forest. We
recommend implementing some type bi-directional of sync process between your
accounts domain and your resource domain such as Microsoft's Identity Life
Cycle software (formerly known as MIIS or IIFP.)
- Do you allow the user to reset or change their password?
writing a password change/reset feature as
well as a "forgotten password". This feature will be an optional "add-on" feature and we will be charging a nominal additional fee (probably in the range of $200.00) Contact us if you are interested and
let us know what features you would like to see. support (at)
- Can you replace the drop-down list fields with text boxes?
Yes. Almost all the fields on User Information form can be either a drop-down list
or a text field. In each fields "tag" in the APPSETTINGS.XML file, look for
the type=" " field. This can be set to either type="text" or
type="dropdown". If you set it to "dropdown", you need to include
<value>XXX</value> tags. See the documentation for more information.
We prefer dropdown lists for as much information as possible. This helps to ensure users
enter only specific data in to those attributes; many organizations use
these for Exchange Address List and Dynamic Distribution Group creation and they must be accurate.
- Do you license you source code?
No. We considered it. Talked to the lawyers. Too costly from a legal
perspective and too much potential risk.
- I want custom feature X - Will you include that for me?
Custom changes and extensions are available for customers at the rate of
$75.00 per hour. Most simple changes requires one to two hours.
No work is performed without a mutually agreed upon estimate and work to be
performed. Please contact us if you are interested in customizing the
interface further to suit your needs. Our standard customization
agreement requires that we retain all rights to the actual code and that we
retain the option to incorporate the features in the future in to the
commercial product. The quickest way to reach us is via
the Support alias: support (@) ithicos.com.
- Will you incorporate feature X in to a future release?
If a customer asks for something, more than likely we will include it in a
future version. The product has been "customer driven" since its inception.
Almost all of the features in the current version were suggested by our
- What are the limitations of Directory Update?
Limitations section on this page.
- We have X domains in our organization; do you offer a site or enterprise
We have a number of site license customers for Directory Update and
Directory Manager. The site license will save you money if you have more
than about 6 or 7 domains in your organization. Directory Search is licensed
on a per-forest basis.
- What are the requirements for Directory Update, Directory Manager,
and Directory Search?
Our applications are simple Web applications based on the Microsoft .NET
Framework v2.0 running on Windows Server 2003 or Windows Server 2008.
Requirements section on this page
- We extended our schema. Can you include X field on the User
We have tried hard to get most all
in the User Information form. Make sure you review the current version
and the current documentation. Custom programming can be contracted at the custom rate of $75.00 per hour.
Most new fields we add to the User Information form take between 1 and 2
- Will I get free updates?
Yes, for one year from date of
purchase. We are flexible, though. If we release a new release 13
months after the date of purchase, we will be inclined to give you an
upgrade. Annual support is available for each product for approximately 20%
of the cost of the software if you are still under your current maintenance
period. However if your support expires we will ask that you renew your
support for 2 more years.
- Can I use the software without customizing it?
The Directory Update application is designed to be customized for each
organization's needs. The AppSettings.XML, DirectorySettings.XML,
and the AddressSettings.XML files will need to be
updated and customized for your organization. The version that ships with
the product is generic and serves as a starting point. We STRONGLY recommend
you get a text editor that shows XML tags in a friendly format. We
- Will Directory Update, Directory Manager, and Directory Search a
Yes, many customers run the application on a domain controller with no
- Will Directory Update run on an Exchange Server?
has been tested with Exchange 2003 and Exchange Server 2007 and does not seem to interfere with
- Will Directory Update, Directory Manager, and Directory Search run on a SharePoint Server?
We do NOT recommended running any of our applications on a SharePoint
server. We have tested it and it can be made to work, but we do not support
this configuration. See
Tech Notes. Remember that the ASP.NET component of the Application Server is required.
- Why don't you support running your applications on SharePoint?
SharePoint is also a .NET Framework application. Unfortunately, it tends to
"take over" all web applications on the IIS server and can prove difficult
to bypass the SharePoint services to get Directory Update, Directory Manager
or Directory Search working. In a few cases, we have spent 8+ hours
helping customers get our applications working with SharePoint.
- Will Directory Search, Directory Manager, or Directory Update run on a Windows 2000 server?
requires features of IIS 6.0 (such as ASP.NET) and thus will not work. They
do not run on Windows XP either.
- Can you install more than one copy of Directory Update on the same
Multiple instances of Directory Update and Directory
Manager can be configured on the same IIS server, but all instances must use
the same service account. A single instance of Directory Update and
Directory Manager can be configured to work with multiple domains.
- Will Directory Update run on Windows 2003 x64?
Yes. .NET 2.0 applications are isolated from the platform and thus will run
on either x32 or x64 versions of Windows. The Windows installer bombs out on
the installation sometimes, though. We may have to give you the files
to install manually.
- Does the service account have to be a member of Administrators or
Not necessarily. An Account Operator can do most
everything the service account requires (except update members of
Administrative or Operator groups). You can even delegate the service
account management permission to a single OU, if you wish. Keep in
mind, if you cannot logon as the service account and make a change through
Active Directory Users and Computers, then Directory Update or Directory
Manager will NOT be able to make the update either.
- Should I use SSL for my web site that hosts Directory Update?
Yes, we recommend using SSL. Forms-based authentication credentials are passed over the network in
- Can Directory Update be used against other LDAP directories?
No. We are considering a Microsoft ADAM version. Let us know if you are
- Why are you using a logon form instead of allowing for Integrated
Original design called for the
software to work with other web browsers, though it still works best with
Internet Explorer. Starting in v1.2.5, we support Integrated Windows
Authentication. Please see the current version of the documentation
for how to enable Integrated Windows Authentication support; this is done in
the web.config file.
- Do you have plans for a graphical configuration utility instead of
having to edit the XML files using a text editor?
few people have actually asked for this feature so the priority has been
- Does Directory Update, Directory Manager, or Directory Search run
under a virtual machine?
Yes, our entire lab and development environment runs under VMWare
Workstation, VMWare Server, and Virtual PC virtual machines.
- Why is your documentation further behind than the releases of the
Documentation is our Achilles' heel. We try to keep the programmers busy
programming rather than writing documentation. That means that
often the documentation lags behind the releases of the software.
Fortunately, the software is easy to configure even without it. And
you are welcome to contact us with any customization questions.
- Do your applications run in a virtual machine such as VMWare or
Yes, they run just fine.
- Can you speed up the time it takes to load the applications the first
time they are used each day?
This is a weakness of the .NET Framework. If an application is not
used for a while, IIS clears its cache. The next time the application is
used, it must be reloaded in to memory. You can use an application that
periodically reloads the Web application in to memory, though.
Most common questions and issues are answered here on the web site or in the
documentation. "Next business day" e-mail support is available for
customers, though we usually try to return e-mails the same day. Contact
support @ ithicos.com for support. You are always welcome to contact us
and we will make every attempt to respond to you as soon as possible. Sometimes
we may need to talk to you on the phone or establish a Live Meeting session in
order to get a better idea of how to help solve your problem. To save you
some time, here are the things we are probably going to ask you:
- What version of Directory Update, Directory Manager, or Directory Search
are you using?
- Please send us your XML files
- Did the software ever work?
- Can you logon interactively with your service account?
- What other Web applications are running on the IIS server? (e.g.
SharePoint or TrackIt! Web)
- Have you tried to "re-install" the .2.0 NET Framework in "repair" mode?
- Can you open your XML files in Internet Explorer without errors?
(missing "close tag options" will cause errors)
- Is the /DirectoryUpdate, /DirectoryManager, or /DirectorySearch virtual
directory set to use ASP.NET 2.0?
- Not reading the installation or customization instructions. :-)
- Service account password expires
- Someone has blocked permissions to particular objects or OUs so the
service account does not have the necessary permissions.
- If your service account is an Account Operator (or less permissions), it
CANNOT update other Administrators, Domain Admins, or other operators.
This is a Windows security feature that we cannot bypass.
- Cannot update some users. If the service account you are using is
a member of Account Operators instead of Domain Admins, it will NOT be able
to update other Operator or Admin level accounts.
- Forgetting to install the .NET 1.1 (for v1.1 and earlier) or
- Forgetting to include the ASP.NET component when installing IIS
- Forgetting to change the ASP.NET version for the /DirectoryUpdate, /DirectoryManager,
or /DirectorySearch virtual directories
The Directory Update application currently has the following limitations and restrictions:
- The application can update user information only in a single Active Directory domain.
If you have multiple domains, you need multiple copies.
- A user can only update their own attributes; they cannot update attributes for other users.
We do not currently have a version that allows a user to update other user's
- Telephone number fields have a maximum field length of 64 characters. The
phone number format is not validated in versions earlier than v1.3.
- For attributes that use drop-down list of validated data (such as the list of valid states), if the current value in Active Directory does not exist in the validated list, the Directory Update application will clear that value from Active Directory.
- Application uses a static domain controller / global catalog server name; it does not auto-discover all available domain controllers in a domain
- Logging in via a UPN name is not supported
- The User Information form looks best in Internet Explorer. Firefox is
supported in Directory Update v1.3. We have not extensively tested Safari even
though Apple is now making it available to all iTunes users.
Prior to installing the Directory Update application, the directory administrator must designate a computer on which this web application will be installed. This server can be a domain controller or a member server. The following are the requirements:
- Windows 2003 Server SP1 or Windows 2003 R2
- IIS World Wide Web Service must be installed
- ASP.NET component must be selected in Add/Remove Programs -> Add/Remove
Windows Components -> Application Server
.NET Framework 2.0
(for versions 1.2 and later)
- Server must be a member of the Active Directory
- A service account must be created
- --- The service account password should have a strong password
- --- The service account password must not expire
- --- The account must be a member of a group such as Account Operators, the domain’s Administrators group, or other group that has permissions to update user accounts in the Active Directory. Note that the installation program currently checks for Domain Admins membership.
- The person installing the Directory Update, Directory Manager, or Directory
Search application must be a domain account AND the domain account must be a member of the local Administrators group on the computer it is being installed
- SSL is recommended but not required. If you do not use SSL, then this application should only be visible from within your own Internet since user information will passed over your network in clear-text.
While this is not required, we recommend that the Directory Update application be on its own web server. While it should interoperate fine with other web-based applications, all of our testing has been on an IIS server running on a domain controller or a member server and using the Default Web Site.
More detailed documentation and information on customizing the interface to suit your organization's needs, see the Directory Update documentation.
Links to the documentation can be found on the
Please read the documentation. Directory Update is not the sort of application
you can customize without looking at the documentation!