Active Directory Update - Allow users to update their own Active Directory information

Frequently Asked Questions

We have a new Ithicos Solutions web site!   Please visit the Ithicos Solutions new site.  This site will no longer be maintained after December 10, 2011. 

  1. Who is ITCS Hawaii? 
    ITCS Hawaii is a small Exchange and Active Directory consulting company. We were founded by Jim McBee, an Exchange consultant, MVP, and author.  We are purely a technical services company; no sales people, no marketing, and no professional web site designer (as you can see.) See the About page. Ithicos Solutions is a new company that we have founded as a partnership between the designers and developers of our software. We are a small company, but we are not "pushy" about sales.  We don't even make you register for an evaluation or talk to a sales person for 15 minutes before you look at the product.
     
  2. Can Directory Update assign a manager the ability to change other users' attributes?
    Directory Update is completely a "self-service" application.  It was designed to be simple to use, cost effective, and easy to deploy. It does not have any "delegation" features. Our Directory Manager product allows you to designate administrators that can modify other users' information. However, Directory Manager does not have 'self service' capabilities.
     
  3. I am going to rename or merge my domain in the future. Do I need to buy a new license?
    No, just let us know what the new DNS domain name of your new Active Directory is and we will transfer your license to the new domain and issue you a new license key.
     
  4. Does Directory Update support resource forests?
    Not really. Directory Update is designed to authenticate a user against a single Active Directory forest and to update the attributes of that user in the forest that authenticated the user. The Exchange Global Address List, however, shows the user attribute information from the resource forest. We recommend implementing some type of bi-directional sync process between your accounts domain and your resource domain, such as Microsoft's Identity Life Cycle software (formerly known as MIIS or IIFP).
     
  5. Do you allow the user to reset or change their password?
    We are writing a password change/reset feature as well as a "forgotten password" feature.  This will be an optional "add-on" feature and we will be charging a nominal additional fee (probably in the range of $200.00). Contact us if you are interested and let us know what features you would like to see: support (at) ithicos.com.
     
  6. Can you replace the drop-down list fields with text boxes? 
    Yes. Almost all the fields on the User Information form can be either a drop-down list or a text field. In each field's "tag" in the APPSETTINGS.XML file, look for the type=" " field. This can be set to either type="text" or type="dropdown". If you set it to "dropdown", you need to include <value>XXX</value> tags. See the documentation for more information.  We prefer dropdown lists for as much information as possible. This helps to ensure users enter only specific data into those attributes; many organizations use these for Exchange Address List and Dynamic Distribution Group creation and they must be accurate.
     
  7. Do you license your source code?
    No. We considered it. Talked to the lawyers. Too costly from a legal perspective and too much potential risk. 
     
  8. I want custom feature X - Will you include that for me? 
    Custom changes and extensions are available for customers at the rate of $75.00 per hour.  Most simple changes require one to two hours.  No work is performed without a mutually agreed upon estimate and work to be performed.  Please contact us if you are interested in customizing the interface further to suit your needs.  Our standard customization agreement requires that we retain all rights to the actual code and that we retain the option to incorporate the features in the future into the commercial product. The quickest way to reach us is via the Support alias:  support (@) ithicos.com.
     
  9. Will you incorporate feature X into a future release?
    If a customer asks for something, more than likely we will include it in a future version. The product has been "customer driven" since its inception. Almost all of the features in the current version were suggested by our customers.
     
  10. What are the limitations of Directory Update?
    See the Limitations section on this page.
     
  11. We have X domains in our organization; do you offer a site or enterprise license?
    We have a number of site license customers for Directory Update and Directory Manager. The site license will save you money if you have more than about 6 or 7 domains in your organization. Directory Search is licensed on a per-forest basis.
     
  12. What are the requirements for Directory Update, Directory Manager, and Directory Search?
    Our applications are simple Web applications based on the Microsoft .NET Framework v2.0 running on Windows Server 2003 or Windows Server 2008. See the Requirements section on this page.
     
  13. We extended our schema.  Can you include X field on the User Information form? 
    We have tried hard to get most all common attributes in the User Information form.  Make sure you review the current version and the current documentation. Custom programming can be contracted at the custom rate of $75.00 per hour. Most new fields we add to the User Information form take between 1 and 2 hours.
     
  14. Will I get free updates? 
    Yes, for one year from date of purchase.  We are flexible, though. If we release a new release 13 months after the date of purchase, we will be inclined to give you an upgrade. Annual support is available for each product for approximately 20% of the cost of the software if you are still under your current maintenance period. However if your support expires we will ask that you renew your support for 2 more years.
     
  15. Can I use the software without customizing it? 
    No.  The Directory Update application is designed to be customized for each organization's needs.  The AppSettings.XML, DirectorySettings.XML, and the AddressSettings.XML files will need to be updated and customized for your organization. The version that ships with the product is generic and serves as a starting point. We STRONGLY recommend you get a text editor that shows XML tags in a friendly format.  We recommend Notepad++.
     
  16. Will Directory Update, Directory Manager, and Directory Search run on a domain controller?
    Yes, many customers run the application on a domain controller with no problems.
     
  17. Will Directory Update run on an Exchange Server? 
    Yes, it has been tested with Exchange 2003 and Exchange Server 2007 and does not seem to interfere with Exchange.
     
  18. Will Directory Update, Directory Manager, and Directory Search run on a SharePoint Server? 
    We do NOT recommend running any of our applications on a SharePoint server. We have tested it and it can be made to work, but we do not support this configuration.  See Tech Notes.  Remember that the ASP.NET component of the Application Server is required.
     
  19. Why don't you support running your applications on SharePoint?
    SharePoint is also a .NET Framework application. Unfortunately, it tends to "take over" all web applications on the IIS server, and it can prove difficult to bypass the SharePoint services to get Directory Update, Directory Manager or Directory Search working.  In a few cases, we have spent 8+ hours helping customers get our applications working with SharePoint.
     
  20. Will Directory Search, Directory Manager, or Directory Update run on a Windows 2000 server?
    No. They require features of IIS 6.0 (such as ASP.NET) and thus will not work. They do not run on Windows XP either.
     
  21. Can you install more than one copy of Directory Update on the same IIS server?
    Multiple instances of Directory Update and Directory Manager can be configured on the same IIS server, but all instances must use the same service account. A single instance of Directory Update and Directory Manager can be configured to work with multiple domains.
     
  22. Will Directory Update run on Windows 2003 x64?
    Yes. .NET 2.0 applications are isolated from the platform and thus will run on either x32 or x64 versions of Windows. The Windows installer bombs out on the installation sometimes, though.  We may have to give you the files to install manually.
     
  23. Does the service account have to be a member of Administrators or Domain Admins? 
    Not necessarily. An Account Operator can do most everything the service account requires (except update members of Administrative or Operator groups). You can even delegate the service account management permission to a single OU, if you wish.  Keep in mind, if you cannot log on as the service account and make a change through Active Directory Users and Computers, then Directory Update or Directory Manager will NOT be able to make the update either.
     
  24. Should I use SSL for my web site that hosts Directory Update? 
    Yes, we recommend using SSL. Without SSL, forms-based authentication credentials are passed over the network in "clear text".
     
  25. Can Directory Update be used against other LDAP directories?
    No. We are considering a Microsoft ADAM version. Let us know if you are interested!
     
  26. Why are you using a logon form instead of allowing for Integrated Windows Authentication?
    The original design called for the software to work with other web browsers, though it still works best with Internet Explorer.  Starting in v1.2.5, we support Integrated Windows Authentication.  Please see the current version of the documentation for how to enable Integrated Windows Authentication support; this is done in the web.config file.
     
  27. Do you have plans for a graphical configuration utility instead of having to edit the XML files using a text editor?
    Surprisingly, very few people have actually asked for this feature so the priority has been fairly low.
     
  28. Does Directory Update, Directory Manager, or Directory Search run under a virtual machine?
    Yes, our entire lab and development environment runs under VMWare Workstation, VMWare Server, and Virtual PC virtual machines.
     
  29. Why is your documentation further behind than the releases of the software?
    Documentation is our Achilles' heel. We try to keep the programmers busy programming rather than writing documentation.   That means that often the documentation lags behind the releases of the software.  Fortunately, the software is easy to configure even without it.  And you are welcome to contact us with any customization questions.
     
  30. Do your applications run in a virtual machine such as VMWare or HyperV?
    Yes, they run just fine.
     
  31. Can you speed up the time it takes to load the applications the first time they are used each day? 
    This is a weakness of the .NET Framework.  If an application is not used for a while, IIS clears its cache. The next time the application is used, it must be reloaded into memory. You can use an application that periodically reloads the Web application into memory, though.
     

Getting Support

Most common questions and issues are answered here on the web site or in the documentation.  "Next business day" e-mail support is available for customers, though we usually try to return e-mails the same day.  Contact support @ ithicos.com for support. You are always welcome to contact us and we will make every attempt to respond to you as soon as possible. Sometimes we may need to talk to you on the phone or establish a Live Meeting session in order to get a better idea of how to help solve your problem.  To save you some time, here are the things we are probably going to ask you:

  1. What version of Directory Update, Directory Manager, or Directory Search are you using?
  2. Please send us your XML files
  3. Did the software ever work?
  4. Can you log on interactively with your service account?
  5. What other Web applications are running on the IIS server? (e.g. SharePoint or TrackIt! Web)
  6. Have you tried to "re-install" the .NET 2.0 Framework in "repair" mode?
  7. Can you open your XML files in Internet Explorer without errors? (missing "close tag options" will cause errors)
  8. Is the /DirectoryUpdate, /DirectoryManager, or /DirectorySearch virtual directory set to use ASP.NET 2.0?

Common Problems

  • Not reading the installation or customization instructions. :-)
  • Service account password expires
  • Someone has blocked permissions to particular objects or OUs so the service account does not have the necessary permissions.
  • If your service account is an Account Operator (or has fewer permissions), it CANNOT update other Administrators, Domain Admins, or other operators.  This is a Windows security feature that we cannot bypass.
  • Cannot update some users.  If the service account you are using is a member of Account Operators instead of Domain Admins, it will NOT be able to update other Operator or Admin level accounts.
  • Forgetting to install the .NET 1.1 (for v1.1 and earlier) or .NET 2.0 Framework
  • Forgetting to include the ASP.NET component when installing IIS
  • Forgetting to change the ASP.NET version for the /DirectoryUpdate, /DirectoryManager, or /DirectorySearch virtual directories

Limitations

The Directory Update application currently has the following limitations and restrictions:

  • The application can update user information only in a single Active Directory domain. If you have multiple domains, you need multiple copies. 
  • A user can only update their own attributes; they cannot update attributes for other users. We do not currently have a version that allows a user to update other users' attributes.
  • Telephone number fields have a maximum field length of 64 characters. The phone number format is not validated in versions earlier than v1.3.
  • For attributes that use a drop-down list of validated data (such as the list of valid states), if the current value in Active Directory does not exist in the validated list, the Directory Update application will clear that value from Active Directory.
  • The application uses a static domain controller / global catalog server name; it does not auto-discover all available domain controllers in a domain.
  • Logging in via a UPN name is not supported
  • The User Information form looks best in Internet Explorer.  Firefox is supported in Directory Update v1.3. We have not extensively tested Safari even though Apple is now making it available to all iTunes users.

 

Requirements

Prior to installing the Directory Update application, the directory administrator must designate a computer on which this web application will be installed. This server can be a domain controller or a member server. The following are the requirements:

  • Windows 2003 Server SP1 or Windows 2003 R2
  • IIS World Wide Web Service must be installed
  • ASP.NET component must be selected in Add/Remove Programs -> Add/Remove Windows Components -> Application Server
  • The .NET Framework 2.0 (for versions 1.2 and later)
  • Server must be a member of the Active Directory
  • A service account must be created
      • The service account should have a strong password
      • The service account password must not expire
      • The account must be a member of a group such as Account Operators, the domain’s Administrators group, or other group that has permissions to update user accounts in the Active Directory. Note that the installation program currently checks for Domain Admins membership.
  • The person installing the Directory Update, Directory Manager, or Directory Search application must use a domain account AND the domain account must be a member of the local Administrators group on the computer on which it is being installed
  • SSL is recommended but not required. If you do not use SSL, then this application should only be visible from within your own intranet, since user information will be passed over your network in clear text.

While this is not required, we recommend that the Directory Update application be on its own web server. While it should interoperate fine with other web-based applications, all of our testing has been on an IIS server running on a domain controller or a member server and using the Default Web Site.
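
FAQ 23 and the service account requirement above allow the account to be delegated permissions on a single OU instead of joining Account Operators or an administrators group. One way to set that up and check it, as an added example that is not from the Directory Update documentation; the OU, the account name and the attribute list are assumptions:

```powershell
# Added example. All names below are assumptions, not values from the product.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding self-service users
$svc   = 'EXAMPLE\svc-dirupdate'        # hypothetical service account (DOMAIN\name form)
$sam   = 'svc-dirupdate'                # same account, sAMAccountName form
# Assumed attribute list: keep only what your User Information form exposes.
$attrs = 'telephoneNumber','mobile','title','department',
         'physicalDeliveryOfficeName','streetAddress','l','st','postalCode'

foreach ($a in $attrs) {
    # /I:S applies the ACE to child objects only; RPWP = read/write property;
    # the trailing ";user" limits the ACE to user objects in the OU.
    Write-Host "Granting RPWP on '$a' to $svc"
    & dsacls.exe $ou /I:S /G "${svc}:RPWP;$a;user" | Select-Object -Last 1
}

# 1. Show the ACEs the service account now holds on the OU.
& dsacls.exe $ou | Select-String -SimpleMatch $svc

# 2. With OU delegation the account needs no privileged group membership.
#    The page notes the installer checks for Domain Admins membership, so
#    run this review after installation.
$groups = Get-ADPrincipalGroupMembership -Identity $sam |
          Select-Object -ExpandProperty Name
$extra  = $groups | Where-Object { $_ -ne 'Domain Users' }
if ($extra) { Write-Warning "Service account is still a member of: $($extra -join ', ')" }

# 3. Protected accounts (adminCount=1) do not inherit OU permissions, so the
#    service account cannot update them. List them so the failures are expected.
Get-ADUser -SearchBase $ou -LDAPFilter '(adminCount=1)' |
    Select-Object SamAccountName, DistinguishedName
```

As FAQ 23 says, the final check is to log on as the service account and make the same change in Active Directory Users and Computers.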

Documentation

For more detailed documentation and information on customizing the interface to suit your organization's needs, see the Directory Update documentation. Links to the documentation can be found on the downloads page. Please read the documentation. Directory Update is not the sort of application you can customize without looking at the documentation!

