Using Active Directory Integration to define Remote Control Permissions for a Global Address Book Group.

Document ID : KB000027540
Last Modified Date : 14/02/2018

Introduction:

This document covers the use of the Active Directory Integration to specify 'Remote Control Permissions' for a Global Address Book (GAB) Group. You may also wish to create GAB Groups based on Active Directory OUs.

For this please refer to the technical document "TEC405080".

Background:  

Before you can do this, you must have configured the Directory Integration via the "Add Directory Wizard" in the Control Panel; this is documented in the online help. Check Pre-Requisites.

Environment:  

CA Client Automation - All Versions

Instructions: 

Create the group

Expand the group and expand the {Group Details} tree.

Figure 1

Right-click on 'Remote Control Permissions' and select 'Add User'.

If your group has not yet been configured as a GAB root group and is not a subgroup of such, you will be presented with the following message:

Figure 2

Click Yes to be taken to the Add User Permission dialog.

Otherwise you will go straight to this dialog without the preceding prompt.

Figure 3

The Security Authorities for the integrated directories can be identified by their icon.

Figure 4

Expand the Active Directory Security Authority to display the OUs. Select the OU you wish to select users from, click on the User or Group, and click 'Add to list'.

Figure 5

In this example I have selected the Security Group 'ESX_Admins' from the OU 'ESX'. As you can see, after clicking on 'Add to list' the dialog enters the full LDAP notation for you.

Click OK.

This returns you to the DSM Explorer, and the required Group\User is added to the Remote Control Permissions.

Figure 6

You can verify that you have assigned the correct permissions by using the effective settings for a specific Computer in this group.

Right-click on the computer and select 'Remote Control' > 'Effective Settings'.

Figure 7

You will be presented with a 'Select User' dialog which looks exactly like the 'Add User Permission' dialog above.

Browse to a User in the 'Security Authority' that you believe should have rights to control the Computer. Click 'Add to List' and then OK.

You will be shown the Effective Remote Control Permissions of that user.

Figure 8

As you can see in this example, this user has all the default permissions to remote control the specified computer, so the GAB is correctly configured.

Configure the viewer

The last stage is to choose the correct credentials when checking the GAB on the Viewer so that it correctly reflects these permissions.

On the Viewer PC, the initial user credentials used to request the GAB are by default based on the "logged on user" associated with the 'WINNT' Security Authority.

This means that although the logged-on user does have rights to view the GAB we just defined, it is empty on the Viewer PC.

The logged-on user is a WINNT:// user, but the permissions have been assigned to the AD directory user. The two are mapped, but they are not the same.

Figure 9

To overcome this, we must reconfigure the Viewer to request the GAB using the 'User Principal Name' (UPN), for example <user login name>@<domain name>.

Right-click on 'Global Address Book' and choose Properties.

Tick the 'Specify username and password' box.

Enter or browse for the correct LDAP Provider.

Enter the UPN for the user and the correct password.

Figure 10

Click OK and the GAB now displays the expected computers.

Figure 11
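
To cross-check both halves of this procedure from the directory side, the following PowerShell (an added example, not part of the original document or of CA Client Automation) lists every user who effectively inherits the Remote Control permission granted to the 'ESX_Admins' group, together with the UPN that user would enter in the Viewer. It assumes the RSAT ActiveDirectory module and read access to the domain; the function names and the sample UPN are hypothetical.

```powershell
# Added example: requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-RemoteControlGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupName   # e.g. 'ESX_Admins' from the article
    )
    # -Recursive flattens nested groups, so the result is every user who
    # effectively inherits the permission granted to the group in DSM Explorer.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties UserPrincipalName, Enabled
        } |
        Select-Object SamAccountName, UserPrincipalName, Enabled, DistinguishedName
}

function Test-RemoteControlUser {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $UserPrincipalName   # value typed into the Viewer
    )
    # True only if the UPN belongs to a direct or nested member of the group.
    $match = Get-RemoteControlGroupMembers -GroupName $GroupName |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    [bool]$match
}

$members = Get-RemoteControlGroupMembers -GroupName 'ESX_Admins'

# Full list for review: anyone here can remote control the computers in the GAB group.
$members | Sort-Object SamAccountName | Format-Table -AutoSize

# Members with no UPN cannot be entered in the Viewer's UPN field.
$members | Where-Object { -not $_.UserPrincipalName } |
    ForEach-Object { Write-Warning "No UPN set: $($_.DistinguishedName)" }

# Disabled accounts that still hold the permission through group membership.
$members | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "Disabled but still a member: $($_.SamAccountName)" }

# Constructed sample UPN; replace with the one configured under 'Specify username and password'.
Test-RemoteControlUser -GroupName 'ESX_Admins' -UserPrincipalName 'jdoe@example.local'
```

If the last call returns False for the UPN configured in the Viewer, the GAB will stay empty for that user even though the group permission is in place.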