Active directory object management methods and systems

US 8,255,507 B2
Filed: 08/21/2009
Issued: 08/28/2012
Est. Priority Date: 08/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing, by a web server subsystem that is part of a first domain, a web-based interface for display on a client device;

receiving, by the web server subsystem, a request via the web-based interface from an end-user to perform a management activity that creates or modifies active directory object;

acquiring, by the web server subsystem, authorization from an object security subsystem to ensure that the end-user is authorized to perform the management activity that creates or modifies the active directory object;

transmitting, by the web server subsystem, the request to perform the management activity that creates or modifies the active directory object to a web services subsystem that is part of a second domain independent of the first domain;

performing, by the web services subsystem that is part of the second domain, the management activity that creates or modifies the active directory object; and

updating in real-time, by the web services subsystem that is part of the second domain, an active directory maintained by a domain controller subsystem in accordance with the performed management activity such that the updated active directory is accessible to the client device substantially immediately upon completion of the real-time update.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary method includes providing, by a web server subsystem, a web-based interface for display on a client device within a domain associated with the web server subsystem, receiving, by the web server subsystem, a request via the web-based interface from an end-user to perform a management activity associated with an active directory object, acquiring, by the web server subsystem, authorization from an object security subsystem to perform the management activity associated with the active directory object, transmitting, by the web server subsystem, the request to a web services subsystem that is independent of the domain associated with the web server subsystem, performing, by the web services subsystem, the management activity associated with the active directory object, and updating in real-time, by the web services subsystem, an active directory maintained by a domain controller subsystem in accordance with the performed management activity. Corresponding methods and systems are also disclosed.

Citations

23 Claims

1. A method comprising:
- providing, by a web server subsystem that is part of a first domain, a web-based interface for display on a client device;
  
  receiving, by the web server subsystem, a request via the web-based interface from an end-user to perform a management activity that creates or modifies active directory object;
  
  acquiring, by the web server subsystem, authorization from an object security subsystem to ensure that the end-user is authorized to perform the management activity that creates or modifies the active directory object;
  
  transmitting, by the web server subsystem, the request to perform the management activity that creates or modifies the active directory object to a web services subsystem that is part of a second domain independent of the first domain;
  
  performing, by the web services subsystem that is part of the second domain, the management activity that creates or modifies the active directory object; and
  
  updating in real-time, by the web services subsystem that is part of the second domain, an active directory maintained by a domain controller subsystem in accordance with the performed management activity such that the updated active directory is accessible to the client device substantially immediately upon completion of the real-time update.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the active directory object comprises a global group, and wherein the management activity comprises at least one of adding one or more users to the global group and removing one or more users from the global group.
  - 3. The method of claim 1, wherein the active directory object comprises a distribution list, and wherein the management activity comprises at least one of adding one or more users to the distribution list and removing one or more users from the distribution list.
  - 4. The method of claim 1, wherein the active directory object comprises a service account associated with a user, and wherein the management activity comprises modifying one or more settings associated with the service account.
  - 5. The method of claim 1, wherein the management activity comprises enumerating the active directory object.
  - 6. The method of claim 1, wherein the management activity comprises assigning administrative authority over the active directory object to one or more users.
  - 7. The method of claim 1, further comprising maintaining, by the object security subsystem, data representative of one or more authorization relationships between one or more users and the active directory object.
  - 8. The method of claim 7, wherein the acquiring of authorization from the object security subsystem comprises determining whether the end-user has authorization to perform the management activity that creates or modifies the active directory object based on the data representative of the one or more authorization relationships maintained by the object security subsystem.
  - 9. The method of claim 1, wherein the acquiring of authorization from the object security subsystem comprises acquiring one or more communication protocols and network paths used to access the active directory object.
  - 10. The method of claim 1, further comprising recording a transaction log that indicates successful completion of the performed management activity within the object security subsystem.
  - 11. The method of claim 10, further comprising automatically notifying one or more users of the transaction log.
  - 12. The method of claim 10, further comprising maintaining the transaction log for a predetermined amount of time for use in an auditing procedure.
  - 13. The method of claim 1, further comprising:
    - receiving, by the web server subsystem, notification of the performed management activity; and
      
      providing, by the web server subsystem, data representative of one or more results of the performed management activity for display within the web-based interface.
  - 14. The method of claim 1, wherein a domain of the web server subsystem is untrusted.

15. A method comprising:
- providing, by a web server subsystem that is part of a first domain, a web-based interface for display on a client device;
  
  receiving, by the web server subsystem, a request via the web-based interface from an end-user to perform a management activity that creates or modifies an active directory object;
  
  acquiring, by the web server subsystem, authentication from an object security subsystem to ensure that the end-user is authorized to perform the management activity that creates or modifies the active directory object;
  
  transmitting, by the web server subsystem, the request to perform the management activity that creates or modifies the active directory object to a web services subsystem that is part of a second domain independent of the first domain, the web services subsystem configured to perform the management activity that creates or modifies the active directory object and update in real-time an active directory maintained by a domain controller subsystem in accordance with the performed management activity such that the updated active directory is accessible to the client device substantially immediately upon completion of the real-time update; and
  
  recording, by the web server subsystem, a transaction log that indicates successful completion of the performed management activity within a database maintained by the object security subsystem.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein the active directory object comprises a global group, and wherein the management activity comprises at least one of adding one or more users to the global group and removing one or more users from the global group.
  - 17. The method of claim 15, wherein the active directory object comprises a distribution list, and wherein the management activity comprises at least one of adding one or more users to the distribution list and removing one or more users from the distribution list.
  - 18. The method of claim 15, wherein the management activity comprises assigning administrative authority over the active directory object to one or more users.

19. A system comprising:
- a web server subsystem that is part of a first domain and configured to provide a web-based interface for display on a client device; and
  
  a web services subsystem that is part of a second domain independent of the first domain and selectively and communicatively coupled to the web server subsystem;
  
  wherein the web server subsystem that is part of the first domain is further configured toreceive a request via the web-based interface from an end-user to perform a management activity that creates or modifies an active directory object,acquire from an object security subsystem authorization to ensure that the end-user is authorized to perform the management activity that creates or modifies the active directory object, andtransmit the request to perform the management activity that creates or modifies the active directory object to the web services subsystem; and
  
  wherein the web services subsystem that is part of the second domain is configured toperform the management activity that creates or modifies the active directory object, andupdate in real-time an active directory maintained within an active directory database in accordance with the performed management activity such that the updated active directory is accessible to the client device substantially immediately upon completion of the real-time update.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19, wherein the active directory object comprises a global group, and wherein the management activity comprises at least one of adding one or more users to the global group and removing one or more users from the global group.
  - 21. The system of claim 19, wherein the active directory object comprises a distribution list, and wherein the management activity comprises at least one of adding one or more users to the distribution list and removing one or more users from the distribution list.
  - 22. The system of claim 19, wherein the management activity comprises assigning administrative authority over the active directory object to one or more users.

23. A system comprising:
- a web server that is part of a first domain and configured to provide a web-based interface for display on a client device;
  
  a web services server that is part of a second domain independent of the first domain and selectively and communicatively coupled to the web server;
  
  an object security server selectively and communicatively coupled to the web server and configured to maintain data representative of one or more authorization relationships between one or more users and an active directory object; and
  
  a domain controller selectively and communicatively coupled to the web services server and configured to maintain the active directory object within an active directory;
  
  wherein the web server that is part of the first domain is further configured toreceive a request via the web-based interface from an end-user to perform a management activity that creates or modifies the active directory object located in a particular domain,acquire authorization from the object security server to ensure that the end-user is authorized to perform the management activity that creates or modifies the active directory object, the authorization based on the data representative of the one or more authorization relationships, andtransmit the request to perform the management activity that creates or modifies the active directory object to the web services server; and
  
  wherein the web services server that is part of the second domain is configured toperform the management activity that creates or modifies the active directory object, andupdate in real-time the active directory maintained by the domain controller such that the updated active directory is accessible to the client device substantially immediately upon completion of the real-time update.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Spears, Steven E.
Primary Examiner(s)
Lazaro, David
Assistant Examiner(s)
HENRY, MARIEGEORGES A

Application Number

US12/545,743
Publication Number

US 20110047206A1
Time in Patent Office

1,103 Days
Field of Search

709/203, 709/223, 707/792
US Class Current

709/223
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/102   Entity profiles

Active directory object management methods and systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Active directory object management methods and systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links