Setting up an Active Directory object
The Configuration Object Dictionary for any Application Server includes the Active Directory object, which is capable of collecting data from Active Directory 2003. To use this object, you typically must distribute it to one or more Microsoft Windows servers.
In addition to distributing the Active Directory object, you must also set up an automation principal so you can impersonate a domain user.
Consider the following guidelines when setting up the Active Directory object:
- Distributing the Active Directory object to a domain controller is the easiest approach. For most environments, if the Active Directory object is distributed to an agent running on any domain controller in the forest, then no automation principal is needed.
- If your environment has stricter security needs, you may need to add an automation principal in order to view one or more domains in the forest. In such a scenario, using an automation principal with credentials for the top-most domain works best because it allows you to view all the child domains.
- If you choose to distribute the Active Directory object to a server that is not a domain controller, you must set up an automation principal. The Active Directory configuration determines what credentials you must provide. Typically, an account with Domain User or Domain Admin privileges works, but remember that you may need to use an account from the top-most domain. You must also make sure the account is authorized to access the machine and that the account is granted the Windows "Log on as a batch job" privilege. To access this setting, use the Control Panel and go to Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment.
If you have additional questions about access requirements for Active Directory, consult your domain administrator.
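The batch logon requirement in the guidelines above can be checked from the command line instead of the Local Security Policy console. The following script is an added example, not part of the original documentation or the product: it exports the local user rights with `secedit` and reports whether the account holds `SeBatchLogonRight`, the Windows constant for "Log on as a batch job". The account name `EXAMPLE\svc-adbrowse` is a hypothetical placeholder.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt on the
# server that hosts the agent. The default account name is a hypothetical placeholder.
param([string]$Account = 'EXAMPLE\svc-adbrowse')

function Resolve-Sid([string]$Name) {
    # Translate DOMAIN\name to a SID string; returns $null if it cannot be resolved.
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights section of the effective local security policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    # secedit writes UTF-16; the line looks like: SeBatchLogonRight = *S-1-5-32-544,name
    $line = Get-Content -Path $cfg -Encoding Unicode |
        Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } | Select-Object -First 1

    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object {
                # Entries prefixed with '*' are SIDs; anything else is an account name.
                if ($_.StartsWith('*')) { $_.Substring(1) } else { Resolve-Sid $_ }
            } | Where-Object { $_ })
    }

    $sid = Resolve-Sid $Account
    if (-not $sid) { throw "Cannot resolve account '$Account' to a SID" }

    if ($holders -contains $sid) {
        "$Account is granted 'Log on as a batch job' directly."
    } else {
        "$Account is not listed directly. The right is currently held by:"
        foreach ($h in $holders) {
            $id = New-Object System.Security.Principal.SecurityIdentifier($h)
            try { '  ' + $id.Translate([System.Security.Principal.NTAccount]).Value }
            catch { "  $h (unresolved SID)" }
        }
        'If one of these is a group that contains the account, the right still applies.'
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

The export reflects the effective local policy, so a right assigned through a domain Group Policy object appears here as well.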
To set up an Active Directory object
- Distribute the Active Directory custom configuration object by running a Distribute Configuration Objects Job. When you select objects to distribute, select the Active Directory object. When you select targets for the job, select the appropriate Windows servers. Ideally you would select at least one Windows server in each domain. For more information about running this type of job, see Creating or modifying a Distribute Configuration Objects Job.
- Create an automation principal that defines user credentials with privileges to browse the Active Directory domain. For more information, see Creating automation principals.
- Associate the automation principal with a role that should have access to Active Directory information. For more information, see Role - Agent ACL.