Every 90 days, you get that annoying reminder that your work computer password is about to expire. You then frantically think of what password to use next, but you decide to put it off for another day because that quarterly review is due at 4 p.m.!
I certainly do not want to talk about that quarterly business review, I would rather talk about you logging into your system(s), what drives those password expiration reminders, and Active Directory. Keep in mind that most personal laptops and systems will not use Active Directory for user authentication but rather local or cloud services that we won’t cover in this article.
Active Directory and Logging in
When you enter your username and password at your computer login screen (or that server on the network) at your company, that info is sent to your Active Directory server to verify your credentials. This Active Directory service, also known as AD, resides on a Windows Server Class Operating System. Active Directory is a technology from Microsoft, so I have not seen it on any other OS. The server or virtual machine that is running this Active Directory service will require other services, like domains or DHCP, to be enabled to support its operation. Luckily, your IT team handles all of this, so we don’t need to go down that rabbit hole.
Active Directory Overview
When you look at the Active Directory service running in the Microsoft Server Class Operating System, you can see that there are different parts to the user directory such as the domain controller (DC), organizational unit (OU), and common name or container name (CN). The DC is your top tier unless you have an advanced system that contains forests. The OU is equivalent to a folder that stores CNs that could also be linked to your user account – although most newer systems will show them as a user within the interface. Typically users are found under CNs, and CNs are found under OUs. OUs are found under DCs. This is really just a way to organize your user database. I bring up these abbreviations, not to hurt your head, but because they are important. When you connect equipment to your Active Directory server, it will require some of this information so the device knows what it is looking for and where your server is located.
Active Directory Security
When data is stored within the Active Directory service, it is a good idea to make sure you have your data encrypted using a one-way hash (hash and salt). If you try to use an AES encryption on the database, and someone gets to your hard drive, they would likely soon discover the key to decrypt the data. When you connect other systems to your Active Directory service, they would transfer the data using something like Lightweight Directory Access Protocol (LDAP), which is an unencrypted protocol to transfer your username and password from the client back to the Active Directory service. Some of these systems have an option for TLS/SSL that, when enabled, will encrypt your data before it sends it down the wire. Otherwise, your data will be in its raw form.
So, why do you get that annoying password expiration message? Your company more than likely has a policy that says your password expires in a set number of days. This policy also probably says your password must contain at least eight characters, one upper or lower case letter, a number, and a special character. Your IT team implements these configuration changes, and that’s what is sparking these messages. In the Active Directory service, the IT manager can change all of these settings to enforce these policies.
Active Directory User Access and Authentication
Through Active Directory, the IT manager can quickly add or remove accounts as necessary. The top feature that Active Directory brings to the table is a one-stop-shop for user access and authentication to corporate assets. Could you imagine trying to manage 100 computers with local accounts from your employees? What happens if an employee named Dr. Evil gets fired and decides to go back to their desk, log in, and steal company information about the missiles because you were not fast enough to get to that physical machine and deactivate their account? Bad things could happen, so this is an awesome way to manage your users and company assets.
Black Box has several systems that share users with computers (switching and extension) over a dedicated fiber or CATx connection, or over the network. If you need to manage physical access to computers by your users (tens, hundreds, thousands of users and computers), and you want to use an Active Directory service for your user accounts, check these links out for more information.
Black Box Resources
About the Author
Garrett Swindell has 20+ years’ experience programming, implementing server to client communications, and designing intricate control system. As a product engineer, his primary focus is developing connections between users and computers/servers though the use of hardware and software. Garrett assist local and international projects from start to finish with compliance regulations and performing product compliance testing with recognized test houses.