
January 31st, 2016 23:00

Why write access to AD to install Policy Manager ?

Hi everyone,

In the 432 pages of the "EMC Secure Remote Services Policy Manager: Operations Guide", it is written that the Directory Server Principal (for me APSLDAPAdmin) must have read and write access to Active Directory for install and post-install of the Policy Manager... Then it has to be a member of the Domain Admins group for a while.

Fine... but why? I would like to know what it will do with this write access. I do not want to have a mess in my Active Directory right after this install (creating users, groups or whatsoever).

Another question: I have several OUs with users and several OUs with groups. What should I fill in the "User Base DN" and "Group Base DN"? My APS groups are in one of those OUs. Should I isolate those groups by creating an APS OU?

Thank you for your help. By the way, why are the groups named "APSxxx"? What does APS stand for?

Chris


February 2nd, 2016 06:00

Hi Chris,

The write access is really only needed if you intend to use Roles. If you create a role, PM creates a corresponding group in the APSRoles group and assigns users. For installation and accessing PM as Admin, or only with users that have admin access, you do not need write access. If you intend to use Roles, it is sufficient to delegate certain rights for the OU the APSRoles group resides in to the Security Principal.

For the user and group base DN: You need a base OU where the search for a user or a group will start. If you do the LDAP query to a domain controller, the base DN is given as a parameter and the DC will search in this OU and all containers within this OU. If you have users in OUs that are both in the root of the domain, this will not work. As far as I know this is a limitation of the LDAP query to a DC, but I'm not 100% sure about this. You have a user and a group base DN to allow for different start points for the search; they can be the same.

I assume APS stands for Axeda Policy Server, but am also not sure about this detail.

I hope this information helps.

Regards

Frank
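As an added example (not code from the thread or from the Policy Manager product) of the subtree scoping Frank describes: a small Python model of how a base DN bounds an LDAP search. The domain and OU names are constructed; it also computes the narrowest container whose subtree covers a given set of entries, which goes slightly beyond the reply above.

```python
# Added example (not from the thread): how an LDAP subtree search scoped by a
# base DN decides which entries it can reach, and the narrowest base DN that
# covers a set of OUs. Domain and OU names below are constructed.

def parse_dn(dn):
    """Split a DN into normalized RDNs, leftmost (most specific) first."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(entry_dn, base_dn):
    """True if a subtree search starting at base_dn would reach entry_dn.
    The base DN must be a suffix of the entry DN in whole RDN units; a plain
    string-suffix check would wrongly match OU=Users against OU=APS Users."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(base) <= len(entry) and entry[-len(base):] == base

def narrowest_base(dns):
    """Smallest container whose subtree holds every DN in dns, i.e. the longest
    common DN suffix (returned normalized to lowercase; "" if none)."""
    rdn_lists = [parse_dn(dn) for dn in dns]
    common = []
    for rdns in zip(*[reversed(r) for r in rdn_lists]):
        if len(set(rdns)) != 1:
            break  # RDNs diverge here; everything above is shared
        common.append(rdns[0])
    return ",".join(reversed(common))

# Constructed layout: two user OUs directly under the domain root, as in the
# question, plus one OU holding the APS groups.
USERS = [
    "CN=Alice,OU=Sales Users,DC=corp,DC=example",
    "CN=Bob,OU=IT Users,DC=corp,DC=example",
]
GROUPS = ["CN=APSRoles,OU=APS,OU=Groups,DC=corp,DC=example"]

def visible_users(base_dn):
    """Users a subtree search from base_dn would return."""
    return [dn for dn in USERS if in_subtree(dn, base_dn)]

if __name__ == "__main__":
    print(visible_users("OU=Sales Users,DC=corp,DC=example"))  # Alice only
    print(visible_users("DC=corp,DC=example"))                 # both users
    print(narrowest_base(USERS + GROUPS))                      # dc=corp,dc=example
```

Picking one user OU as the User Base DN hides users in the sibling OU; the only single base that reaches both is their common parent, here the domain root.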


February 2nd, 2016 07:00

You are correct about APS = Axeda Policy Server (check out the PolicyManager.properties file).
