You can see the list of Users in the Console together with their Token statuses. The list is searchable and can be tweaked with the help of the toolbar.
By assigning a Token to a User, you enable that User for SystoLOCK.
Be sure to install SystoLOCK Client on the User's workstation prior to enabling the User.
You can assign a token to a user at various stages and places:
You need to be a memeber of either Domain Admins group or SystoLock Administrators group in order to be able to assign tokens to users.
While assigning a Token to a User, you can set a new PIN or leave the PIN unset. The later case is called Delayed Initialization and is used to signal to the system that the user can complete the provisioning on their own and select the PIN themselves:
If, for any reason, you need to keep the user's password, you can select Retain Windows password checkbox.
Please, bear in mind that setting this option reduces the security of that user's account considerably!
You can also use PowerShell to assign a Token:
PS C:\> $Token = Get-SystoLockToken -TokenId YSB2EA27DAB7 PS C:\> $User = Get-ADUser -Identity VassiliyPupkine PS C:\> Add-SystoLockAssignment -Token $Token -User $User # or: Add-SystoLockAssignment -Token $Token -User $User -Pin 12345 UserDN : CN=Vassiliy Pupkine,OU=Users,DC=company,DC=local TokenId : YSB2EA27DAB7 Class : Software Algorithm : TotpSha1 HasConstraints : False IsActive : True HasPin : False LastUsed : 01/12/2019 21:37:36 Drift : -1
You can assign more than one Token to a User.
SystoLOCK MMC will assist you if there is a rights problem in AD with the accounts you are trying to assign a token to. If you stil encounter an 'Access denied' error, consult this chapter.
Once you assigned a Token to a User, you can perform various tasks upon this assignment:
All these tasks can be performed from the Console as well as from PowerShell.
You can enable self-provisioning for the users, so that they can assign tokens to themselves and create PINs. There are two modes of self-provisioning: delayed initialization and smartphone provisioning, the later involves SystoLOCK Companion (recommended) or any other compatible smartphone-based OTP generator (See Token Compatibility).
In both modes, after administrators prepare Tokens and/or accounts, users execute "SystoLOCK Self-Provisioning" from the start menu or click on "First time smartphone-user" on the login screen or window.
|Click here ...||... to open this|
Delayed initialization means that no PIN was provided for the Token Assignment when it was created. This Assignment, until the initialization is complete, cannot be used for authentication, the User must first complete the initialization and create a PIN for that Assignment.
To complete the initialization, the user needs to invoke the smartphone provisioning wizard as shown above, key in the following information:
After the user clicks on OK, the Server completes the delayed initialization and the Token is enabled for authentication.
Smartphone self-provisioning means that, although no token was pre-assigned, the user was enabled for self-provisioning by assigning that user to a special SystoLOCK AD group - "SystoLOCK Self-Provisioning Users". Members of this group can self provision their accounts with SystoLOCK Companion without involving any administrator.
There are two ways of smartphone provisioning: with smartphone provisioning wizard shown above or with smartphone alone. The later requires either SystoLOCK be published to the Internet or SystoLOCK Servers be accessible from the smartphone within the internal network.
The user needs to perform the following actions to invoke smartphone self-provisioning:
To self-provision the user just by using SystoLOCK Companion, the user needs to start the app, tap on the + sign and select "SystoLOCK Account". On the resulting screen the user keys in their user name, password and the new PIN:
If the user is allowed to self-provision, the new account is added the SystoLOCK Companion and the self-provisioning completes.
It is only possible to self-provision an account once, since the password is then deleted from the account.