JP2011123841A - Information processing device, policy applying method, program and system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing device and the like by which a policy of a user managing a Windows server is applied as easily as possible to a non-Windows system when the non-Windows system is introduced under a Windows network environment. <P>SOLUTION: The information processing device is the first information processing device having a first operating system connected via a network to a server having the first operating system and applying the policy to the information processing device or the user of the information processing device, and to the second information processing device having a second operating system, and includes: a policy management means which acquires the policy from the server and stores the policy; and a filter means which filters the stored policy based on the filter policy defining the policy applicable from the first operating system to the second operating system. The filtered policy is applied to the second information processing device or a user or the like of the second information processing device. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to the fields of an information processing apparatus, a policy application method, a program, and a system.

  Conventionally, it is known that a Windows (registered trademark: hereinafter, the notation is omitted) server can construct a domain using Active Directory. Active Directory provides a directory service. In network terms, a directory means a container for storing information on network objects. The Active Directory object includes the user count used when the user logs in, the computer account of the computer used by the user, the shared folder that shares files on the computer, and the printer that the user prints over the network. A directory service is a service that enables an administrator, a user, and the like to use information in a directory. The directory service enables searching and accessing of network objects, and central management of the network objects.

  Active Directory can also centrally manage policies for each user or user group. Security policies, Windows desktop customization, application distribution, etc. can be performed according to the prescribed policies. For example, as specific examples of policies, there are a password policy, an account lock policy, a Windows Update (registered trademark: notation), a shared folder policy, and the like.

  Using such an Active Directory function, the administrator can centrally manage user information such as a user name, a password, and a policy in a network server environment by a Windows server in units of users or user groups. Here, in the case of introducing an MFP (Multifunction Peripheral), for example, in the above network environment, particularly in a system in which the MFP is mounted with an OS (for example, Unix (registered trademark) system) different from Windows. If there is, the policy managed by the existing Windows server includes the policy specific to Windows, so it is difficult to apply the user information that the administrator centrally manages to the MFP and enter into the management of the Windows server as it is There's a problem.

  As a technology related to this, Patent Document 1 automatically synchronizes user information managed by an OS (Operating System) such as Windows (R) and user information managed by a job account system. An invention of a job management apparatus that can be used is described.

  Note that the MFP is often recognized as an abbreviation for a multifunction printer. Accordingly, the MFP in this specification is an image forming apparatus in which the functions of each apparatus such as a fax machine, a printer, a copy machine, and a scanner are housed in one housing.

  Actually, in a network environment (under customer network environment) in which a Windows server has already been constructed as described above and user management and operation is being performed while applying various policies specified for Windows client users, a non-Windows OS MFPs may be introduced. As long as the MFP is connected to the existing network environment, the administrator manages the user information on the Windows server as much as possible for the MFP to be introduced, and the policy specified for the user (or user group) also applies There was a request to do.

  However, in practice, it is difficult to apply the Windows server policy to the MFP as it is due to the difference in the OS. There is a problem in that the MFP cannot be easily applied to an existing Windows network environment.

  In other words, when a non-Windows OS MFP is installed in a Windows network environment in which user information such as user names, passwords, policies, and the like is centrally managed for each user or user group, the threshold for MFP installation can be lowered. Thus, a configuration is desired in which the MFP can easily participate in the existing Windows policy framework.

  In the present invention, in view of the above problems, when a non-Windows system is introduced under a Windows network environment, a policy such as a user managed by a Windows server can be applied to the non-Windows system as easily as possible. It is an object of the present invention to provide an information processing apparatus, a policy application method, a program, and a system.

  In order to solve the above problems, an information processing apparatus according to the present invention includes a first OS, a server that applies a policy to an information processing apparatus and a user or a user group of the information processing apparatus, A second information processing apparatus having an OS, and a first information processing apparatus having a first OS connected via a network, the policy management means for acquiring and storing the policy from the server, Filter means for filtering a policy stored by the policy management means based on a filter policy in which a policy applicable from the first OS to the second OS is defined, and the filtered policy is The present invention is applied to the second information processing apparatus or the second information processing apparatus user or user group.

  In order to solve the above problem, in the information processing apparatus, a synchronization unit that synchronizes user information managed by the server and user information managed by the second information processing apparatus and user information managed by the own apparatus; It is characterized by having.

  In order to solve the above-mentioned problem, in the information processing apparatus, a plurality of the second information processing apparatuses are connected, and the filtered policy is defined by a plurality of the second information processing apparatuses or a plurality of the second information processing apparatuses. Applies to information processing device users or user groups.

  In addition, what applied the arbitrary combination of the component of this invention, expression, or a component to a method, an apparatus, a system, a computer program, a recording medium, etc. is also effective as an aspect of this invention.

  According to the present invention, when a non-Windows system is introduced in a Windows network environment, an information processing apparatus and policy that can apply a policy of a user managed by a Windows server to a non-Windows system as easily as possible. Application methods, programs, and systems can be provided.

An example of the network environment which concerns on this embodiment is shown. 2 is a functional block diagram showing main functional configurations of a Windows server 100, an IT-BOX 200, and an MFP 300 according to the present embodiment. FIG. Specific examples of various policies will be shown. Shows the specifics of the filtered policy. 4 is a flowchart for describing processing of the MFP 300, the IT-BOX 200, and the Windows server 100. 3 is a functional block diagram illustrating main functional configurations of a Windows server 100, an IT-BOX 220, and an MFP 320 according to the present embodiment. FIG. A specific example of the user information 211 is shown. 10 is a flowchart for explaining processing of the MFP 320, the IT-BOX 220, and the Windows server 100. An example of event information is shown. An example of the network environment which concerns on this embodiment is shown.

  DESCRIPTION OF EMBODIMENTS Embodiments for carrying out the present invention will be described in each embodiment with reference to the drawings. In describing the present invention, an example in which the present invention is applied to an MFP (image forming apparatus) which is an embodiment of an information processing apparatus will be described below. An MFP is an image forming apparatus in which a plurality of functions such as a printer, a copy, and a scanner are housed in a single casing. In addition to these basic functions, various functions are provided in the user environment with various functions as the digital image technology is advanced and the technology related to MFP is advanced.

[Embodiment 1]
<Network environment>
FIG. 1 shows an example of a network environment according to this embodiment. As shown in the figure, a Windows server 100, an information processing apparatus (hereinafter referred to as IT-BOX) 200, and an MFP 300 are connected via a network.

  The Windows server 100 is a server that has an Active Directory function by an administrator and manages users, user groups, and policies (details will be described later) under a Windows network environment. The IT-BOX 200 is an information processing apparatus introduced accompanying the introduction of the MFP 300, and the OS is a system that operates on Windows (eg, Windows XP Professional). The IT-BOX 200 causes the MPF 300, which is a non-Windows system, to apply the user and user group policies managed by the Windows server 100 through an intermediary operation (described in detail later). The MFP 300 is an image forming apparatus introduced under a Windows network environment, and is a system that operates on a non-Windows OS (for example, Unix (registered trademark), Linux, or the like). For example, a Windows client that operates on a Windows OS such as Windows XP Professional can be connected to the network (not shown).

  As described above, in the network environment according to the present embodiment, the IT-BOX 200 operating on the Windows OS and the MFP 300 operating on the non-Windows OS are connected to the Windows network of the Windows server 100.

<Function>
FIG. 2 is a functional block diagram showing main functional configurations of the Windows server 100, the IT-BOX 200, and the MFP 300 according to the present embodiment. Hereinafter, each device will be described in order.

(Windows server)
As shown in the figure, the Windows server 100 has a policy management unit 101 and a setting information management unit 105 as main functions, and includes a password policy 102, an account lockout policy 103, a Windows update policy 104, a shared filter policy 107, User information 106 is held. In the Windows server 100, the policy management unit 101 and the setting information management unit 105 are realized by Active Directory, and a domain is constructed by Active Directory.

  The setting information management unit 105 manages user information 106. In the user information 106, a computer account of a client computer used by the user and a user count (user name and password) used when the user logs in are registered. A Windows client participating in the Active Directory domain inquires of the user information 106 via the setting information management 105 of the Windows server 100 when the computer is started or when the user logs in, and authentication is performed as to whether or not the user can log in with the input account. Then, an authentication result indicating that login to the Windows server 100 is permitted or not permitted is returned to the Windows client. The user information 106 includes user group information composed of a plurality of user members when the user count is grouped.

  The policy management unit 101 manages policies to be applied to users and user groups (hereinafter simply referred to as groups). The policy defines rules to be applied according to each user or group. In this embodiment, as an example, a password policy 102, an account lock policy 103, a Windows update policy 104, a shared folder policy 107 are provided. It is shown. FIG. 3 shows specific examples of various policies.

  The password policy 102 defines, for example, “password length”, “password change prohibition period”, “password validity period”, “password history record”, “password complexity”, and the like. In the account lock policy 103, for example, “account lock threshold” indicating how many times login fails and the account is locked so that login cannot be performed, “reset lockout count” indicating how many minutes the logon failure is to be reset, A “lockout period” for how many minutes after a locked-out account is automatically unlocked is specified. The Windows Update policy 104 sets whether to automatically update Windows system software updates, “build automatic update”, set the detection time for the software to be updated, “automatic update detection frequency”, and install software. “Allow automatic installation of immediate updates” is specified to set whether or not to perform immediately after downloading. In the shared folder policy 107, a setting as to whether or not the user publishes the shared folder to Active Directory is defined.

  As described above, the policy management 101 sets various policies and reads the policy to be applied according to the user and the group and the specified value of the policy.

  The policies can be classified into the following two types. One is a policy relating to “computer configuration” which is reflected when a Windows client (for example, IT-BOX 200) is started and is applied to the Windows client regardless of the user count. The other is a “user configuration” policy that is applied at the time of login by user count after startup, and applied to the user count regardless of which Windows client logs in. The password policy 102 and the account lock policy 103 can be classified into a “computer configuration” policy, and the Windows Update policy 104 and the shared folder policy 107 can be classified into a “user configuration” policy. The timing at which the “computer configuration” policy and the “user configuration” policy are applied can be applied periodically (for example, every 90 minutes) in addition to the above.

(IT-BOX)
As shown in the figure, the IT-BOX 200 has a session management unit 203, a Windows server authentication processing unit 204, a policy management unit 205, a registry 206, a filter unit 207, a policy filter 208, and a registry 209 as main functions. Yes.

  The IT-BOX 200 is an information processing apparatus introduced accompanying the introduction of the MFP 300, and the OS is a system that operates on Windows (eg, Windows XP Professional). Therefore, the IT-BOX 200 has the function of the Windows 201 that participates in the Windows domain (including the Active Directory domain). On the other hand, function blocks (session management 203, filter unit 207, filter policy 208, registry 209, etc.) shown outside the frame of Windows 201 are functions incorporated as IT-BOX software.

  The session management unit 203 mainly manages session management, and is a functional unit that manages sessions with the Windows server 100 and the MFP 300, for example.

  The Windows server authentication processing unit 204 in the Windows 201 has a function of joining the Active Directory domain of the Windows server 100. For example, the session management 203 is performed using the user name and password input from the operation unit 308 of the MFP 300. Log in to the Windows server 100 via In other words, using the user name and password input in the MFP 300, the setting information management 105 of the Windows server is intermediated to authenticate whether the user can log in to the Directory domain. When participation in the Windows domain is permitted (or failed), the fact is displayed on the operation unit 308 of the MFP 300.

  Here, when the IT-BOX 200 succeeds in logging in to the Windows server 100, it logs in with the function of joining the Active Directory domain of the Windows server 100. Therefore, the policy management unit 205 reads the policy applied to the logged-in user (in this case, the Windows Update policy and the shared folder policy that are “user configuration” policies) from the Windows server 100 via the policy management 101, and Is stored (reflected) in the registry 206.

  Further, the password policy and the account lock policy, which are “computer configuration” policies, are already stored (reflected) in the registry 206 by the policy management 205 in the Windows 201 after authentication by the computer account when the IT-BOX 200 is activated. Since the IT-BOX 200 is a system based on Windows, the policy from the Windows server 100 is reflected in the IT-BOX 200 itself. For example, when the IT-BOX 200 successfully logs in to the Windows server 100 at startup, the “Computer Configuration” policy is applied. Therefore, if the password policy is not met, the IT-BOX 200 operates to satisfy the policy, and the shared folder Active If the setting for publishing to Directory is set to “valid”, the shared folder in the IT-BOX 200 is published to Active Directory.

  The filter unit 207 performs policy filtering of the registry 206 based on the filter policy 208. As described above, the policy of the Windows server 100 is stored in the registry 206. Here, the password policy 102, the account lockout policy 103, and the shared folder policy are policies that can be applied to the MFP 300, but the Windows Update policy 104 is a policy that cannot be applied to the MFP 300 of a non-Windows OS. Thus, since the filter policy 208 prescribes policies that can be applied to and cannot be applied to the MFP 300 in advance, the filter unit 207 refers to the filter policy 208 and applies it to the MFP 300 from the policy stored in the registry 206. Filter policies that cannot. The filtered policy is stored in the registry 209.

  FIG. 4 shows the specifics of the filtered policy. Password policies, account lockout policies, and shared folder policies are described as filtered policies that can be applied to the MFP 300. The policy that is filtered and applied to the MPF 300 is reflected in the policy management 308 of the MFP 300.

(MFP)
As described above, the MFP 300 is an image forming apparatus system using an OS different from the Windows server 100 and the IT-BOX 200. As shown in the figure, the MFP 300 includes a request management unit 302, a session management unit 305, an authentication processing unit 306, a policy management unit 307, and an operation unit 308 as main functions.

  The operation unit 308 displays a login screen for inputting a user count (user name and password). When a user count is input from the operation unit 308, an authentication request is sent to the Windows server authentication processing unit 204 of the IT-BOX 200 via the request management unit 302 and the session management unit 305. The Windows server authentication processing unit 204 of the IT-BOX 200 logs in to the Windows server 100 via the session management 203 using the user name and password input from the operation unit 308 of the MFP 300.

  The policy management unit 307 acquires and refers to the filtered policy from the registry 209 of the IT-BOX 200. And it will act to follow the policy. When authentication is performed in the Windows server 100 through the IT-BOX 200 mediation (authentication success), the filtered policy for the MFP 300 is stored in the registry 209 in the IT-BOX 200 as described above. In step S307, the filtered policy is acquired from the registry 209 of the IT-BOX 200. When the policy does not conform to the policy, the MFP 300 operates so as to follow the policy. For example, in the policy filtered from the registry 209 of the T-BOX 200, when the “password expiration date” of the password policy is applied to the MPF 300 and the password of the user count has expired, the password is displayed in the operation unit 308. A message indicating that the expiration date of the password has expired is displayed to prompt the user to change the password. Also, for example, when a shared folder policy is applied to the user count, data stored in the MFP 300 (such as document data) can be used if the public folder public directory setting is set to “valid”. Publish to Active Directory.

  The authentication processing unit 306 performs a login process to the MFP 300 itself when authenticated (authenticated successfully) by the Windows server 100 through the mediation of the IT-BOX 200. If it does not conform to the policy, the MFP 300 operates so as to comply with the policy, and after conforming to the policy, login processing to the MFP 300 itself is performed.

<Operation>
FIG. 5 is a flowchart for explaining processing of the MFP 300, the IT-BOX 200, and the Windows server 100. Although there is a point overlapping with the above, the following explanation will be given in a confirming manner.

  The operation unit 308 of the MFP 300 displays a login screen for inputting a user count (user name and password). When the user count is input from the operation unit 308 by the user (S501), an authentication request is made to the Windows server authentication processing unit 204 of the IT-BOX 200 via the request management unit 302 and the session management unit 305 (S502).

  The Windows server authentication processing unit 204 of the IT-BOX 200 makes a login request to the Windows server 100 via the session management 203 using the user name and password input from the operation unit 308 of the MFP 300 (S503).

  The setting information management unit 105 of the Windows server 100 performs login authentication based on the user information 106 using the input user name and password (S504). Here, the input user name and password are registered in the user information 106, and the authentication is successful. If authentication fails, the IT-BOX 200 may be notified to that effect. Finally, the MFP 300 is notified, and an authentication failure message is displayed on the operation unit 308 of the MFP 300.

  When the authentication is successful, the policy management unit 101 of the Windows server 100 notifies the IT-BOX 200 of a policy to be applied to the user count (or group to which the user belongs) (S505).

  The policy management unit 205 of the IT-BOX 200 saves (reflects) the notified policy in the registry 206 in the Windows 201 (S506).

  The filter unit 207 of the IT-BOX 200 refers to the filter policy 208, and filters a policy that cannot be applied to the MFP 300 from the policy stored in the registry 206 (S507). The filtered policy is saved in the registry 209 (S508).

  Further, the session management unit 203 of the IT-BOX 200 notifies the authentication result to the session management unit 305 of the MFP 300 (S509).

Upon receiving the notification of successful authentication, the policy management unit 307 of the MFP 300 acquires and refers to the filtered policy from the registry 209 of the IT-BOX 200 (S510).
The filtered policy may be notified together with the authentication result (when authentication is successful).

  Then, the policy management unit 307 determines conformity with the policy (S511). If it does not conform to the policy, the MFP 300 performs an adaptation processing operation so as to comply with the policy (S512). For example, in the policy filtered from the registry 209 of the IT-BOX 200, when the “password expiration date” of the password policy is applied to the MPF 300 and the password of the user count has expired, the password is displayed in the operation unit 308. A message indicating that the expiration date of the password has expired is displayed, and the user is prompted to change the password so as to comply with the policy.

  On the other hand, when conforming to the policy (S511), the authentication processing unit 306 of the MFP 300 is authenticated (authenticated successfully) by the Windows server 100 through the mediation of the IT-BOX 200, and subsequently logs in to the MFP 300 itself. Processing is performed (S513). If it does not conform to the policy, the MFP 300 operates so as to comply with the policy, and after conforming to the policy, login processing to the MFP 300 itself is performed.

  As described above, when the multi-function peripheral device MFP is already installed in a user environment in which user information such as user names / passwords and policies is already managed on a Windows server in units of users and groups, the MFP is particularly If an OS different from Windows is installed, the policies managed by the Windows server include policies specific to Windows, and it is difficult for the administrator to keep the MFP in the user information managed by the administrator. It is. According to the present embodiment, the IT-BOX is mediated between the Windows server and the MFP, so that the MFP can be connected to the Windows server without giving the IT-BOX special participation for participation in the domain managed by the Windows server. You can join a domain and apply a policy managed by a Windows server.

  In addition, since IT-BOX acts as an intermediary, there is only one IT-BOX that can be managed from either the Windows server or MFP, so future systems (Windows server, IT-BOX, MFP) Even when considering the expansion of the system, the IT-BOX can absorb differences due to version upgrades in the system.

[Embodiment 2]
In the first embodiment described above, the IT-BOX 200 applies various policies under the Windows domain to the MFP 300 of a non-Windows OS by performing an intermediary operation regarding the exchange between the MFP 300 and the Windows server 100. In the second embodiment, the present invention is applied after making the IT-BOX 200 closer to the mounting level.

  The IT-BOX 220 is a device based on Windows 201 and is an optional positioning device of the MFP 320. Various image forming functions are mounted on the MFP 320. In general, the MFP 320 focuses on basic functions such as copy, fax, scan, and print, and software that performs H / W control. On the other hand, the IT-BOX 220 mounted so as to cooperate with the MFP 320 uses the image data and information acquired from the basic functions of the MFP 320 such as copy, fax, scan, and print to store large amounts of image data and perform advanced operations. Value-added functions such as image processing can be provided. In view of the role of the mounting level of the IT-BOX 220, it is desirable that a general-purpose Windows OS is adopted as the OS. This is because it is easy to develop and provide high-quality value-added functions (software) in a short period of time.

  In other words, in the second embodiment, the IT-BOX 220 is an information processing apparatus that is introduced in association with the introduction of the MFP 320 in order to provide a more value-added image forming processing function. (For example, Windows XP Professional). This will be described below.

<Function>
FIG. 6 is a functional block diagram showing main functional configurations of the Windows server 100, the IT-BOX 220, and the MFP 320 according to the present embodiment. Compared with the first embodiment (FIG. 2) described above, the Windows server 100 is the same, and the IT-BOX 220 and the MFP 320 have slightly different configurations. The network environment assumed in this embodiment is the same as that in the first embodiment (FIG. 1). Although the description will proceed below, the description of the same points as in the first embodiment may be omitted or simplified.

(IT-BOX)
As shown in the figure, the IT-BOX 220 has, as main functions, a session management unit 203, a Windows server authentication processing unit 204, a policy management unit 205, a registry 206, a filter unit 207, a policy filter 208, a registry 209, an MFP An authentication processing unit 210, a setting information management unit 212, a password filter unit 213, a log management unit 215, an account management unit 214, an operation unit 216, and user information 211 are included.

  The IT-BOX 220 is an information processing apparatus introduced accompanying the introduction of the MFP 320, and the OS is a system that operates on Windows (eg, Windows XP Professional). Therefore, the IT-BOX 220 has a function of the Windows 201 that participates in the Windows domain (including the Active Directory domain). On the other hand, function blocks (session management 203, filter unit 207, filter policy 208, registry 209, MFP authentication processing unit 210, setting information management unit 212, operation unit 216, etc.) shown outside the frame of Windows 201 are used as IT-BOX software. It is a built-in function.

  The IT-BOX 220 is a device based on Windows 201 and is an optional positioning device of the MFP 320. Various image forming functions are mounted on the MFP 320. In general, the MFP 320 focuses on basic functions such as copy, fax, scan, and print, and software that performs H / W control. On the other hand, the IT-BOX 220 mounted so as to cooperate with the MFP 320 uses the image data and information acquired from the basic functions of the MFP 320 such as copy, fax, scan, and print to store large amounts of image data and perform advanced operations. Value-added functions such as image processing can be provided.

  The reason why the general-purpose Windows OS is adopted for the IT-BOX 220 is that it is easy to develop and provide a high-quality value-added function in a short period of time. The reason is that the debugging environment such as the fact that Windows-based software and drivers that have already been commercialized and standard Windows functions can be adopted as they are, the development population is large, and the remote debugging function of development integrated environments (Visual Studio, etc.) There are many points.

  The setting information management unit 212 manages user information 211 managed by the IT-BOX 220. The user information 106 of the Windows server 100 and the user information 211 of the IT-BOX 220 are managed separately, but the information for identifying the user such as the user name is basically the same. That is, the user is common, but the user information 211 managed by the IT-BOX 220 includes information unique to the IT-BOX software. FIG. 7 shows a specific example of the user information 211. For example, it includes user count and user related information.

  The MFP authentication processing unit 210 issues a login request to the MFP 320 via the session management unit 203.

  The operation unit 216 displays a login screen for inputting a user name and a password. When the IT-BOX 220 logs in to the Windows server 100, the user inputs the user name and password from the operation unit 216.

  The session management unit 203 mainly manages session management, and is a functional unit that manages sessions with the Windows server 100 and the MFP 320, for example.

  The Windows server authentication processing unit 204 in the Windows 201 has a function of joining the Active Directory domain of the Windows server 100. For example, session management is performed using a user name and password input from the operation unit 216 of the IT-BOX 220. Log in to the Windows server 100 via 203.

  Here, when the IT-BOX 220 succeeds in logging in to the Windows server 100, it logs in with the function of joining the Windows server 100 to the Active Directory domain. Therefore, the policy management unit 205 reads the policy applied to the logged-in user (in this case, the Windows Update policy and the shared folder policy that are “user configuration” policies) from the Windows server 100 via the policy management 101, and Is stored (reflected) in the registry 206.

  Further, the password policy and the account lock policy, which are “computer configuration” policies, are already stored (reflected) in the registry 206 by the policy management 205 in the Windows 201 after being authenticated by the computer account when the IT-BOX 220 is activated.

  The filter unit 207 performs policy filtering of the registry 206 based on the filter policy 208. As described above, the policy of the Windows server 100 is stored in the registry 206. Here, the password policy 102, the account lockout policy 103, and the shared folder policy are policies that can be applied to the MFP 320, but the Windows Update policy 104 is a policy that cannot be applied to the MFP 320 of a non-Windows OS. As described above, since the filter policy 208 prescribes policies that can and cannot be applied to the MFP 320 in advance, the filter unit 207 refers to the filter policy 208 and applies it to the MFP 320 from the policy stored in the registry 206. Filter policies that cannot. The filtered policy is stored in the registry 209.

(MFP)
The MFP 320 is an image forming apparatus system based on an OS different from the Windows server 100 and the IT-BOX 200. As shown in the figure, the MFP 320 includes a setting information management unit 303 and user information 304 in addition to an operation unit 308, a request management unit 302, a session management unit 305, an authentication processing unit 306, and a policy management unit 307. .

  The operation unit 308 displays a login screen for inputting a user count (user name and password).

  The policy management unit 307 reads out the filtered policy and confirms whether or not it conforms. If it does not conform to the policy, the MFP 320 operates so as to follow the policy.

  The authentication processing unit 306 performs login processing to the MFP 320 itself. If it does not conform to the policy, the MFP 320 operates so as to comply with the policy, and after conforming to the policy, login processing to the MFP 320 itself is performed.

  A setting information management unit 303 manages user information 304 managed by the MFP 320. The user information 106 of the IT-BOX 220, the user information 211 of the IT-BOX 220, and the user information 304 managed by the MFP 320 are managed separately, but information for identifying a user such as a user name is basically common. is there. That is, the user is common, but the user information 304 managed by the MFP 320 includes information unique to the MFP (such as image forming operation authority for each user).

<Operation>
FIG. 8 is a flowchart for explaining processing of the MFP 320, the IT-BOX 220, and the Windows server 100. A description will be given below.

  The operation unit 216 of the IT-BOX 220 displays a login screen for inputting a user count (user name and password). When a user count is input from the operation unit 216 by the user (S801), it is confirmed whether the user exists in the user information 211 of the IT-BOX 220 by using the input user name and password. A login request is made to the Windows server 100 via the session management 203 (S802).

  The setting information management unit 105 of the Windows server 100 performs login authentication based on the user information 106 using the input user name and password (S803). Here, the input user name and password are registered in the user information 106, and the authentication is successful. In the case of an authentication failure, the IT-BOX 220 is notified to that effect, and an authentication failure message is displayed on the operation unit 216.

  If the authentication is successful, the policy management unit 101 of the Windows server 100 notifies the IT-BOX 220 of the policy to be applied to the user count (or group to which the user belongs) (S804).

  The policy management unit 205 of the IT-BOX 220 saves (reflects) the notified policy in the registry 206 in the Windows 201 (S805).

  The filter unit 207 of the IT-BOX 220 refers to the filter policy 208 and filters a policy that cannot be applied to the MFP 320 from the policy stored in the registry 206 (S806). The filtered policy is saved in the registry 209 (S807).

  The MFP authentication processing unit 210 issues a login request to the MFP 320 via the session management unit 203 (S808).

  After confirming whether the user count exists in the user information 304 of the MFP 320, the policy management unit 307 of the MFP 320 acquires and refers to the filtered policy from the registry 209 of the IT-BOX 220 (S809).

  Then, the policy management unit 307 determines conformity to the policy (S810). If it does not conform to the policy, the MFP 320 performs a conforming process operation so as to comply with the policy (S811). For example, in the policy filtered from the registry 209 of the IT-BOX 220, when the password expiration date of the password policy is applied to the MPF 301 and the password of the user count has expired, the password is displayed in the operation unit 308. A message indicating that the expiration date of the password has expired is displayed, and the user is prompted to change the password so as to comply with the policy. In this case, the setting information management unit 303 changes the password.

  On the other hand, if it conforms to the policy (S810), the authentication processing unit 306 of the MFP 320 subsequently performs login processing to the MFP 320 itself (S812). If the policy does not conform to the policy, the MFP 320 operates so as to comply with the policy, and after conforming to the policy, login processing to the MFP 320 itself is performed.

<Supplement>
Here, in order to apply various policies (password policy 102, account lockout policy 103, shared folder policy 107) managed by the Windows server 100 to the MFP 320 equipped with a different OS, it is applied at the time of user login. Therefore, one of the realizing means is that the users are synchronized between the devices (Windows server 100, IT-BOX 220, MFP 320).

  In the above description, the user managed by the user information 106 of the Windows server 100 and the user managed by the user information 211 of the IT-BOX 220 are basically the same. -When a user is added, deleted, or user information is changed (such as a password change) in Windows 201 on the BOX 220 side, when the addition, deletion, or change occurs, each system (Windows server 100 and IT -BOX 220) does not know its addition, deletion, or change (hereinafter referred to as addition or the like). In such a case, a discrepancy occurs in user information. Therefore, a method for dealing with a case where a user is added between the Windows server 100 and the IT-BOX 220 will be described below. In addition, a response to the addition of a user between the IT-BOX 220 and the MFP 3 will be described.

  (1) A case where the addition of user information 106 or the like has occurred in the Windows server 100 is shown.

  When a user is added on the Windows server 100, the user name and password added to the Windows server 100 may be input when logging in from the operation unit 216 of the IT-BOX 220. The login to the Windows server 100 is successful. Thereafter, the user is added to the user information 211 of the IT-BOX 220 via the setting information management 212 of the IT-BOX 220. If the user does not exist in the user information 304 of the MFP 320 at the time of login request to the MFP 320 from the IT-BOX 220 to the MFP 320, the setting information management 212 of the IT-BOX 220 sends the setting information management 303 of the MFP 320 to the MFP 320. Request to add a user. Then, the setting information management 303 of the MFP 320 adds the user to the user information 304 of the MFP 320.

  When a user is deleted on the Windows server 100, even if an attempt is made to log in to the Windows server 100 with the deleted user name from the operation unit 207 of the IT-BOX 220, the user is deleted from the user information 106 of the Windows server 100. Login fails. In this case, the user is deleted from the user information 211 of the IT-BOX 220 via the setting information management (212) of the IT-BOX 220. For the MFP 320, the setting information management 212 of the IT-BOX 220 requests the setting information management 303 of the MFP 320 to delete the user. Then, the setting information management 303 of the MFP 320 deletes the user from the user information 304 of the MFP 320.

  When the user information is changed on the Windows server 100 and the password is changed, the user may input the password to the operation unit 207 of the IT-BOX 220. Thereafter, the password of the user is also changed to the user information 211 of the IT-BOX 220 via the setting information management 212 of the IT-BOX 220. When the IT-BOX 220 requests the MFP 320 to log in to the MFP 320, the setting information management 212 of the IT-BOX 220 requests the setting information management 303 of the MFP 320 to change the password of the user. Then, the setting information management 303 of the MFP 320 changes the password of the user to the user information 304 of the MFP 320.

  When the policy is changed on the Windows server 100, the policy is reflected in the registry 206 of the Windows 201 of the IT-BOX 220 after logging in to the Windows server 100 from the IT-BOX 220. For MFP 320, the policy is reflected by the filtered policy of registry 209.

  (2) A detection method for adding a user to Windows in the Windows 201 of the IT-BOX 220 is shown.

  The account management 214 detects user additions / deletions to / from Windows and changes in user information. When a change occurs, the log management 215 outputs it to the Windows security event log. The event log contains an event ID for identifying the type of event that occurred. In addition, the user ID describes which user the event has occurred. These are functions provided in Windows for both account management 214 and log management 215. In the setting information management 212, the event log is analyzed, and the event type and the user who generated the event are acquired. The setting information management 212 reflects it in the user information 211 according to the event content. FIG. 9 shows an example of event information.

  Here, since the password information cannot be acquired by the account management 214, the following other measures are taken. The password can be changed by notifying the password from the password filter 213 and changing password information. The notification of change notification is received by the setting information management 212. The setting information management 212 also acquires the changed password information and reflects it in the user information 211. A password filter is also a feature of Windows.

  When a user is added to the IT-BOX 220, if the user added to the IT-BOX 220 on the client side is automatically registered in the Windows server 100 when logging in from the operation unit 216 of the IT-BOX 220, the Windows server 100 Centralized user management is broken. In this case, a user added by the server administrator to the IT-BOX 220 from the Windows server 100 side is registered. If the user does not exist in the user information 304 of the MFP 320 when the login request to the MFP 320 from the IT-BOX 220 is made to the MFP 320, the setting information management 212 of the IT-BOX 220 changes the setting information management 303 of the MFP 320. Request the addition of the user. Then, the setting information management 303 of the MFP 320 adds the user to the user information 304 of the MFP 320.

  When the user is deleted in the IT-BOX 220, the user is deleted, so that the login from the operation unit 216 of the IT-BOX 220 fails. Since it is confirmed whether or not the user exists in the user information 211 of the IT-BOX 220 before logging in to the Windows server 100, it can be determined that the user has been deleted. Since the series of login operations starts from the user information of the IT-BOX 220, the user information 106 of the Windows server 100 remains unchanged. To the MFP 320, the setting information management 212 of the IT-BOX 220 requests the setting information management 303 of the MFP 320 to delete the user. Then, the setting information management 303 of the MFP 320 deletes the user from the user information 304 of the MFP 320.

  When the user information is changed in the IT-BOX 220, if the password is changed, the user may input the password to the operation unit 216 of the IT-BOX 220. Since the policy is centrally managed by the Windows server 100, the IT-BOX 220 on the client side cannot change the policy. For the MFP 320, the setting information management 212 of the IT-BOX 220 requests the setting information management 303 of the MFP 320 to change the user information (here, password). Then, the setting information management 303 of the MFP 320 changes the user information of the user information 304 of the MFP 320.

  (3) A case where the addition of user information 304 or the like has occurred in the MFP 320 is shown.

  When a user is added in the MFP 320, a series of login operations starts from the user information of the IT-BOX 220. Therefore, the user of the MFP 320 cannot be added from the IT-BOX 220 side in the series of flows. The user information between the IT-BOX 220 and the MFP 320 is a change in user information between the setting information management 212 of the IT-BOX 220 and the setting information management 303 of the MFP 320 (addition / addition) when a login request from the IT-BOX 220 to the MFP 320 is requested. Confirm (Delete / Change) and reflect the changes in each other's user information. It is also possible to check each other's user information changes (addition / deletion / change) not only at the time of login request from the IT-BOX 220 to the MFP 320 but also at regular time intervals, and reflect the changes in each other's user information. it can.

  When the user is deleted from the MFP 320, a login request to the MFP 320 from the IT-BOX 220 is generated after successful login to the Windows server 100 from the operation unit 216 of the IT-BOX 220. If the user is deleted from the user information 304 of the MFP 320, the login request from the IT-BOX 220 fails. When the login request fails, the IT-BOX 220 requests the setting information management 303 of the MFP 320 to add a user from the setting information management 212 of the IT-BOX 220. A user is added to the user information 304 of the MFP 320 by the setting information management 303 of the MFP 320. Further, not only when a login request is sent from the IT-BOX 220 to the MFP 320 but also at a fixed time interval, the user information changes (addition / deletion / change) are confirmed, and the changes are reflected in the user information.

  When the user information is changed in the MFP 320, the user information between the IT-BOX 220 and the MFP 320 is changed between the setting information management 212 of the IT-BOX 220 and the setting information management 303 of the MFP 320 at the time of a login request from the IT-BOX 220 to the MFP 320. Check each other's user information changes (addition / deletion / change) and reflect each other's user information. Further, not only when a login request is sent from the IT-BOX 220 to the MFP 320 but also at a fixed time interval, the user information changes (addition / deletion / change) are confirmed, and the changes are reflected in the user information.

  As described above, according to the present embodiment, as in the first embodiment, the IT-BOX is intervened between the Windows server and the MFP, so that the IT-BOX has a special support for participation in the domain managed by the Windows server. Without applying the policy, the MFP can be joined to the domain of the Windows server and a policy managed by the Windows server can be applied.

  In addition, since IT-BOX acts as an intermediary, there is only one IT-BOX that can be managed from either the Windows server or MFP, so future systems (Windows server, IT-BOX, MFP) Even when considering the expansion of the system, the IT-BOX can absorb differences due to version upgrades in the system. Since the IT-BOX is intervened between the Windows server and the MFP to synchronize user information, there is no need to install an application on the server side or to change settings on the Windows server side. Therefore, there is an effect that there is no need to worry about a new security hole without giving an extra burden and trouble for the administrator.

[Embodiment 3]
FIG. 10 shows an example of a network environment according to the present embodiment. As shown in the figure, in addition to the Windows server 100, the IT-BOX 200, and the MFP 300, the MFP 300-2 and the MFP 300-3 are connected via a network.

  In the first embodiment, the IT-BOX 200 serves as an intermediary, and the unified management of user information including policies managed by the Windows server 100 can be applied to the MFP 300 having an OS different from the Windows OS. explained. In the third embodiment, the IT-BOX 200 can connect not only one MFP 300 but also a plurality of MFPs 300 and can perform the same intermediary operation. As shown in the figure, a state in which three MFPs 300, 300-2, and 300-3 are connected to one IT-BOX 200 is shown.

  In the second embodiment, the IT-BOX 220 also acts as an intermediary, and the unified management of user information including policies managed by the Windows server 100 is also applied to the MFP 320 equipped with an OS different from the Windows OS. I explained what I can do. In the third embodiment, similarly, the IT-BOX 220 can connect not only one MFP 320 but also a plurality of MFPs 320 and can perform the same intermediary operation. As shown in the figure, a state in which three MFPs 320, MFP 320-2, and MFP 320-3 are connected to one IT-BOX 220 is shown (the reference numerals are shown in parentheses).

  The IT-BOX 220 setting information management 212 is the main (master) and synchronizes with the MFP setting information management 303, 303-2, 303-3, etc., and the IT-BOX 220 user information 211 and each MFP user. Data synchronization is performed with the information 304, 304-2, 304-3, and the like. The example of the synchronization method is as described above. When the login request from the IT-BOX 220 to the MFP and at a certain time interval, the change (addition / deletion / change) of each other's user information is confirmed, and the change is confirmed with each other's user information. To reflect.

  As described above, since the IT-BOX connects a plurality of MFPs and performs the above-described intermediary operation, it is possible to perform a system upgrade in the future without changing the MFP side even for a plurality of MFPs. Extension can be absorbed by IT-BOX.

  As described above, according to the present invention, when a non-Windows system is introduced in a Windows network environment, an information processing apparatus that can apply a policy such as a user managed by a Windows server to the non-Windows system as easily as possible. Etc. can be provided.

  The present invention is not limited to such specific embodiments, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims.

100 Windows Server 101 Policy Management Unit 102 Password Policy 102
103 Account Lockout Policy 104 Windows Update Policy 105 Setting Information Management Unit 107 Shared Filter Policy 106 User Information 200 IT-BOX
201 Windows
203 Session management unit 204 Windows server authentication processing unit 205 Policy management unit 206 Registry 207 Filter unit 208 Policy filter 209 Registry 210 MFP authentication processing unit 211 User information 212 Setting information management unit 213 Password filter unit 214 Account management unit 215 Log management unit 216 Operation unit 220 IT-BOX
300 MFP
302 Request management unit 303 Setting information management unit 304 User information 305 Session management unit 306 Authentication processing unit 307 Policy management unit 308 Operation unit 320 MFP
320-2 MFP
320-3 MFP

JP-A-2005-284950

Claims (6)

A server having a first OS and applying a policy to the information processing apparatus and to a user or user group of the information processing apparatus;
A second information processing apparatus having a second OS;
A first information processing apparatus having a first OS connected via a network,
Policy management means for obtaining and storing the policy from the server;
Filter means for filtering a policy stored by the policy management means based on a filter policy in which a policy applicable from the first OS to the second OS is defined;
The filtered policy is applied to the second information processing apparatus or the second information processing apparatus user or user group;
An information processing apparatus characterized by the above. Synchronization means for synchronizing user information managed by the server and user information managed by the second information processing apparatus with user information managed by the own apparatus;
The information processing apparatus according to claim 1, further comprising: A plurality of the second information processing devices are connected;
The filtered policy is applied to a plurality of second information processing devices or a plurality of second information processing device users or user groups;
The information processing apparatus according to claim 1 or 2. A server having a first OS and applying a policy to the information processing apparatus and a user or user group of the information processing apparatus, and a second information processing apparatus having the second OS via a network A policy application method in a first information processing apparatus having a connected first OS,
A policy management procedure for obtaining and storing the policy from the server;
A filter procedure for filtering a policy stored by the policy management procedure based on a filter policy in which a policy applicable from the first OS to the second OS is defined;
An application procedure in which the filtered policy is applied to the second information processing apparatus or the second information processing apparatus user or user group;
Policy application method characterized by   A program for causing a computer to execute the policy application method according to claim 4. A first information processing apparatus having a first OS;
A second information processing apparatus having a second OS;
A system that includes a first OS and includes a server that applies a policy to the first and second information processing apparatuses and to a user or a user group of the first and second information processing apparatuses. There,
The first information processing apparatus includes:
Policy management means for obtaining and storing the policy from the server;
Filter means for filtering a policy stored by the policy management means based on a filter policy in which a policy applicable from the first OS to the second OS is defined;
Have
The second information processing apparatus
Policy management means for obtaining and storing the policy filtered by the filter means,
The filtered policy is applied to the second information processing apparatus or the second information processing apparatus user or user group;
A system characterized by

Images