Considerations for the information you need to supply
These considerations apply to the information you need to supply when configuring HCP support for AD:
- Before configuring AD support in HCP:
  - Create an AD group in the target domain. Give the group permission to add members to itself. Then give the group these permissions in the specified OU:
    - Read all properties on descendant computer objects
    - Write all properties on descendant computer objects
    - Change password on descendant computer objects
    - Reset password on descendant computer objects
    - Delete on descendant computer objects
    - Create computer objects in this object and all descendant objects
    - Delete computer objects in this object and all descendant objects
  - Create an AD user account and add it to only that group. This is the user to specify as the domain user in the AD configuration in HCP.
- If HCP is not joined to AD, you can still prepopulate the domain controller filter list.
- Allow the new computer account that is used to query AD for groups to be created automatically. Do not create this account ahead of time.
- If you have more than one HCP system for which you are enabling support for AD, specify a computer account name that’s unique among those systems.
- By default, for the OU in which computer accounts will be created, HCP uses CN=Computers. For the computer account, HCP uses HCPSrv-hcp-name (for example, HCPSrv-hcp), where hcp-name is the first segment of the domain name associated with the [hcp_system] network.
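
The OU permissions listed under "Before configuring AD support in HCP" can be granted to the dedicated group with the Windows `dsacls` tool. The script below is an added example, not part of the HCP documentation. It covers only the seven OU permissions, not the group's self-membership right or the user account. The DN `OU=HCP,DC=example,DC=com` and the group `EXAMPLE\HCP-Join` are placeholder assumptions, and it assumes the AD DS administration tools are installed.

```powershell
# Added example: placeholder values (assumptions, not taken from the HCP documentation).
$TargetDn = 'OU=HCP,DC=example,DC=com'   # OU in which the HCP computer account will be created
$Group    = 'EXAMPLE\HCP-Join'           # dedicated AD group that holds only the HCP domain user

# One entry per dsacls call.
#   /I:S = ACE applies to descendant objects only
#   /I:T = ACE applies to this object and all descendant objects
# Permission string format: <rights>;<property or child type>;<inherited object type>
$grants = @(
    # Read + write all properties on descendant computer objects
    @{ Inherit = '/I:S'; Perm = 'RPWP;;computer' }
    # Change password on descendant computer objects (extended right)
    @{ Inherit = '/I:S'; Perm = 'CA;Change Password;computer' }
    # Reset password on descendant computer objects (extended right)
    @{ Inherit = '/I:S'; Perm = 'CA;Reset Password;computer' }
    # Delete on descendant computer objects
    @{ Inherit = '/I:S'; Perm = 'SD;;computer' }
    # Create and delete computer objects in this object and all descendants
    @{ Inherit = '/I:T'; Perm = 'CCDC;computer' }
)

foreach ($g in $grants) {
    # ${Group} is braced so PowerShell does not read "$Group:" as a scope qualifier.
    dsacls $TargetDn $g.Inherit /G "${Group}:$($g.Perm)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$($g.Perm)' (exit code $LASTEXITCODE)"
    }
}

# Review the result: list only the ACEs held by the group on the OU.
# Every line shown should map to one of the permissions granted above;
# anything broader (for example FULL CONTROL) is more than HCP requires.
dsacls $TargetDn | Select-String -SimpleMatch $Group
```

Because each ACE is scoped to computer objects, the group gains no rights over user or group objects in the same OU.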