Authentication Server metadata in the Active Directory

Installation of the metadata 

The Authentication Server does not extend or otherwise modify the AD schema; instead, it stores its data in existing LDAP fields. Its metadata can therefore be completely removed if required.

When Authentication Server is installed with Active Directory the following items are created on the Primary Authlogics domain:

  • A Container object called Authlogics in the CN=System. This container includes the following tree structure:
    • Authentication Server
      • Administrators Hit
      • Global Settings
      • Hash Database (only if the domain has been configured for PSM)
      • Operators Hit
      • One Time Code Database
    • Realms
      • (custom-created realms)
  • 3 Universal Security Groups:
    • Authlogics Administrators
    • Authlogics Operators
    • Authlogics Servers

The following object will exist for each Authentication Server deployed:

  • A serviceConnectionPoint object called AuthlogicsServer, created on the Active Directory computer account of the machine the Authlogics Authentication Server software is installed on.

The serviceConnectionPoint object is used by agents, such as the Domain Controller Agent and Windows Desktop Agent, to automatically detect and locate an Authentication Server in the Active Directory.

Further information regarding the groups is available in the Authlogics Authentication Server Installation and Configuration Guide.

The Authlogics Container can be browsed to and its contents viewed using ADSI Edit. The distinguished name of the parent object is CN=Authlogics,CN=System,DC={Domainname}, where {Domainname} is the distinguished name of the domain.


Removal of the metadata

In some scenarios, it may be required to remove some or all of the Authentication Server data from the Active Directory. This is NOT done automatically by uninstalling the Authentication Server software. This is by design to cater for upgrade and server migration scenarios without losing data.

To remove user metadata from Active Directory:

  1. Delete the required user accounts from within the Authentication Server MMC (NOT Active Directory Users and Computers); this removes the metadata from the user account objects. To remove all user account metadata, delete all of the user accounts.

To remove all Authentication Server shared metadata:

  1. Remove the CN=Authlogics,CN=System,DC={Domainname} entry, and all its sub-objects, from the Default Naming Context using ADSI Edit.
  2. Delete the following Authentication Server groups from Active Directory using the Active Directory Users and Computers management console:
    • Authlogics Administrators
    • Authlogics Operators
    • Authlogics Servers

To remove an instance of the Authentication Server:

  1. Uninstall the Authlogics Authentication Server software using the Windows Control Panel.
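The following PowerShell script is an added example, not part of the Authlogics documentation or product: it inventories the three kinds of metadata described above (the CN=Authlogics container and its sub-objects, the three Universal Security Groups, and the AuthlogicsServer serviceConnectionPoint objects) so an administrator can review what exists before removal and confirm that nothing is left behind afterwards. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the Default Naming Context.

```powershell
# Added example (not Authlogics code): inventory Authentication Server metadata in AD.
# Assumption: RSAT ActiveDirectory module available; run as a domain user with read access.
Import-Module ActiveDirectory

function Get-AuthlogicsAdMetadata {
    $domainDn    = (Get-ADRootDSE).defaultNamingContext
    $containerDn = "CN=Authlogics,CN=System,$domainDn"

    # 1. Shared container and everything beneath it (Global Settings, Realms, databases ...).
    #    Contents vary by configuration, e.g. Hash Database only exists when PSM is enabled.
    $containerObjects = @()
    try {
        $containerObjects = @(Get-ADObject -SearchBase $containerDn -SearchScope Subtree -Filter * |
            Select-Object Name, ObjectClass, DistinguishedName)
    } catch {
        # Search base not found: shared metadata already removed (or never installed).
    }

    # 2. The three Universal Security Groups created at installation.
    $groupNames = 'Authlogics Administrators', 'Authlogics Operators', 'Authlogics Servers'
    $groups = @(foreach ($name in $groupNames) {
        Get-ADGroup -Filter "Name -eq '$name'" -Properties GroupScope |
            Select-Object Name, GroupScope, DistinguishedName
    })

    # 3. One serviceConnectionPoint per deployed server, under its computer account.
    #    Agents locate servers through these, so an SCP left on a decommissioned
    #    computer account will still be found by them and should be reviewed.
    $scps = @(Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=serviceConnectionPoint)(cn=AuthlogicsServer))' |
        Select-Object DistinguishedName)

    [pscustomobject]@{
        Container  = $containerObjects
        Groups     = $groups
        ServerSCPs = $scps
    }
}

$report = Get-AuthlogicsAdMetadata
"Container objects : $($report.Container.Count)"
$report.Container  | Format-Table -AutoSize
"Groups present    : $($report.Groups.Count) of 3"
$report.Groups     | Format-Table -AutoSize
"Server SCPs       : $($report.ServerSCPs.Count)"
$report.ServerSCPs | Format-Table -AutoSize
```

After completing the removal steps, all three counts should be zero; a non-zero SCP count with no remaining servers points at a computer account whose AuthlogicsServer object was not cleaned up.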
