Management and Security
Use the User management tool to define credentials for Active Directory groups that will have console access. These credentials only need to let Endpoint Manager enumerate the directory. You'll need to provide credentials for each Active Directory containing users you want to have console access. The authentications you provide determine which user groups you can select from to assign console group permissions.
Console authentication is based on Windows local or Active Directory group membership. When an Ivanti administrator assigns group permissions to a local or Active Directory group, users who are members of that group can log into the Windows or Web consoles and share the permissions assigned to that group.
You should be aware of the following issues when managing Active Directories for use with Endpoint Manager:
- Active Directory is fully integrated with DNS, and TCP/IP (DNS) is required. To be fully functional, the DNS server must support SRV resource records or service records.
- Using Active Directory to add a user to a group being used in the console will not enable the user to log in to the console even though the user has Endpoint Manager permissions assigned. In order to log in to the console, a user must belong to the core server's local LANDESK groups. For more information, see Adding Endpoint Manager console users.
- In order for Active Directories to work properly with role-based administration, you need to configure the COM+ server credentials on the core server. This enables the core server to use an account in one of the core server's local LANDESK groups that has the necessary permissions to enumerate Windows domain members, such as the administrator account. For instructions on how to perform the configuration, see Configuring COM+ server credentials.
- If the account password for an authentication changes, you will have to log into the console and change the password in the authentication dialog box to the new password. You can do this by logging in as a local group. Users are authenticated when they log in, so any existing session will continue to work. Users in the domain that has had the password changed won't be allowed to log in until the password change has been corrected in the Users tool.
Setting rights with Active Directory
The following rules apply when using Active Directory with role-based administration (RBA):
- If a user is a member of an Active Directory group, the user inherits the RBA rights for that group.
- If a user is a member of an Active Directory group, which is a member of a higher level group, the user inherits the RBA rights of the upper level group.
- Groups can be nested and inherit the appropriate rights according to the usual Active Directory rules.
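The inheritance rules above, combined with the earlier note that console login also requires membership in the core server's local LANDESK groups, can be audited over exported membership data. The following is an added example, not Ivanti code; every user, group and right name, and the flattened local-group set, is a constructed assumption.

```python
# Added example: constructed data, hypothetical names (not Ivanti identifiers).
# MEMBER_OF maps each user or group to the AD groups it is a direct member of.
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Patch-Admins"},
    "carol": {"Helpdesk"},
    "Helpdesk": {"EPM-Operators"},
    "EPM-Operators": {"EPM-Admins"},
    "EPM-Admins": {"EPM-Operators"},  # circular nesting, which AD allows
}
# RBA rights assigned in the console to each AD group (hypothetical rights).
GROUP_RIGHTS = {
    "EPM-Operators": {"remote_control"},
    "EPM-Admins": {"user_management"},
    "Patch-Admins": {"patch_deploy"},
}
# Assumption: the core server's local LANDESK groups, flattened to user names.
LOCAL_LANDESK_MEMBERS = {"alice", "bob"}


def transitive_groups(principal, member_of=MEMBER_OF):
    """Every group the principal belongs to, directly or through nesting."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:  # already expanded; also stops nesting loops
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen


def effective_access(user):
    """Rights a user inherits, split by source, plus the console login gate."""
    direct = set(MEMBER_OF.get(user, ()))
    groups = transitive_groups(user)
    rights = set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups))
    nested = set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups - direct))
    return {
        "rights": rights,
        "via_nesting": nested,  # rights granted by groups reached only by nesting
        "can_log_in": user in LOCAL_LANDESK_MEMBERS,
    }


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, effective_access(name))
```

In this sample, carol inherits the same rights as alice through nesting but cannot log in, and every right alice holds comes from a group she was never added to directly.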
Copyright © 2019, Ivanti. All rights reserved.