
Active Directory Domain Prerequisites

Before installing the Cloud Access Connector you need to create and correctly configure the Active Directory domain. You need to create an AD service account that has the following permissions on the OU that will hold the remote workstations:

  • Create Computer Objects
  • Delete Computer Objects

The permissions on the Computer Objects in that OU must be set to:

  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Validated write to DNS host name
  • Validated write to service principal name

On the OU that holds the user accounts, the service account additionally needs:

  • Change Password
  • Reset Password

For information on how to create and install a self-signed certificate on a Windows 2016 AD server to test LDAP connections, see KB 1707.

For the steps to grant these permissions to the service account, see Service Account Permissions.

Domain Controller Certificates

If all DC certificates have expired, the Cloud Access Connector will stop working. An error indicator is displayed on the Connectors page when a Cloud Access Connector has a DC with expired certificates.

A warning indicator that details the current state of the DC certificates is displayed on the same page when a Cloud Access Connector has a DC certificate that is less than a week away from expiring.
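The Connectors page only reports the certificate state after the fact. The following added example (not part of the Cloud Access Manager documentation or the Connector itself) lets you check ahead of time: it connects to every domain controller of the current domain over LDAPS (TCP 636), reads the certificate the DC presents, and flags any certificate that is expired or, matching the warning threshold described above, less than a week from expiring. It assumes the host it runs on is joined to the domain, can reach each DC on port 636, and that the DCs have LDAPS enabled; the 7-day threshold is a parameter.

```powershell
# Added example, not from the Cloud Access Manager documentation.
# Reports the expiry state of the certificate each domain controller presents on LDAPS.

function Get-DcLdapsCertificate {
    param([string]$DcHostName, [int]$Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new($DcHostName, $Port)
    try {
        # The validation callback accepts any certificate because we only want to inspect it.
        # Never reuse this callback in a real LDAPS client; it disables trust checking.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($DcHostName)
        # Wrap the X509Certificate as X509Certificate2 to get NotAfter and Subject.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-DcCertificates {
    param([string[]]$DomainControllers, [int]$WarnDays = 7)
    foreach ($dc in $DomainControllers) {
        try {
            $cert     = Get-DcLdapsCertificate -DcHostName $dc
            $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
            [pscustomobject]@{
                DomainController = $dc
                Subject          = $cert.Subject
                NotAfter         = $cert.NotAfter
                DaysLeft         = $daysLeft
                State            = $state
            }
        } catch {
            # A DC that refuses or fails the TLS handshake on 636 has no usable LDAPS certificate.
            [pscustomobject]@{ DomainController = $dc; Subject = $null; NotAfter = $null; DaysLeft = $null; State = "NO LDAPS: $($_.Exception.Message)" }
        }
    }
}

# Enumerate the DCs of the domain this host is joined to and check each one.
$DcNames = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }
Test-DcCertificates -DomainControllers $DcNames -WarnDays 7 | Format-Table -AutoSize
```

Run it from the Connector host (or any domain-joined host with the same network path to the DCs) so that the result reflects the certificate the Connector actually sees; a DC reported as EXPIRING should have its certificate renewed before the week is out, and one reported as EXPIRED or NO LDAPS is a DC the Connector cannot use.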

Service Account Permissions

The following section outlines the steps to grant permissions to create and delete computer objects, permissions on those computer objects, and permissions to change and reset user passwords. These are the minimum permissions required for a service account in a Cloud Access Manager deployment.

Organisational Unit [OU] Permissions Dialog

Permissions are assigned to the service account through the OU permissions dialog, that is, the Security tab of the OU's Properties.

Permissions to Create and Delete Computer Objects

The following section outlines how to add permissions to create and delete computer objects through the OU permissions dialog:

  1. Locate the OU you want to grant permissions on.
  2. Right-click the OU and click Properties.
  3. Go to the Security tab and click Advanced.
  4. Click Add and select the service account as the principal.
  5. Set Applies to to This object and all descendant objects and select the following permissions:
    • Create Computer Objects
    • Delete Computer Objects
  6. Click OK.

Permissions on the Computer Objects

The following section outlines how to select permissions on the computer objects through the OU permissions dialog:

  1. Locate the OU you want to grant permissions on.
  2. Right-click the OU and click Properties.
  3. Go to the Security tab and click Advanced.
  4. Click Add and select the service account as the principal.
  5. Limit the Applies to scope to Descendant Computer objects and select the following permissions:
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • Modify Permissions
    • Validated write to DNS host name
    • Validated write to service principal name
  6. Click OK.

DNS and service principal name permissions

The validated write to DNS host name and validated write to service principal name permissions are required so that the dNSHostName and servicePrincipalName attributes of the computer object can be set when a remote workstation is domain joined; without them the join completes but the workstation cannot be addressed by those names.

Permissions to Change and Reset User Passwords

The following section outlines how to select permissions to change and reset user passwords applicable to the desired user OU:

  1. Locate the user OU you want to grant permissions on.
  2. Right-click the OU and click Properties.
  3. Go to the Security tab and click Advanced.
  4. Click Add and select the service account as the principal.
  5. Set Applies to to This object and all descendant objects and select the following permissions:
    • Change Password
    • Reset Password
  6. Click OK.
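The three dialog procedures above can be carried out, and reviewed, from PowerShell. The following is an added example, not code from the Cloud Access Manager documentation or the Connector installer: it writes the same access control entries with System.DirectoryServices and then reads back every ACE that names the service account so the result can be checked against the lists above. The service account EXAMPLE\svc-cac, the remote-workstation OU OU=Workstations,DC=example,DC=com and the user OU OU=Users,DC=example,DC=com are assumed values; the GUIDs are the well-known Active Directory schema class and extended-right identifiers.

```powershell
# Added example, not part of the Cloud Access Manager documentation.
# Run as an account allowed to modify the ACLs of both OUs (for example a domain admin).
$ServiceAccount = 'EXAMPLE\svc-cac'                   # assumed service account
$ComputerOU     = 'OU=Workstations,DC=example,DC=com' # assumed OU the remote workstations are joined into
$UserOU         = 'OU=Users,DC=example,DC=com'        # assumed OU holding the end-user accounts

# Well-known AD schema class and extended-right GUIDs used in the object-specific ACEs.
$ComputerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
$ValidatedDns   = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn   = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$ChangePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password extended right
$ResetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$ThisAndAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # "This object and all descendant objects"
$Descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # "Descendant ... objects" only

# Resolve DOMAIN\name to a SID so the ACEs bind to the account rather than to a name.
$Sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

function New-ServiceAccountAce {
    param(
        [string]$Rights,                       # comma-separated ActiveDirectoryRights flags
        [Guid]$ObjectType = [Guid]::Empty,     # child class, extended right or validated write; Empty = all
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedType = [Guid]::Empty   # object class the inherited ACE applies to; Empty = any
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow,
        $ObjectType, $Inheritance, $InheritedType)
}

$ComputerOuRules = @(
    # Permissions to Create and Delete Computer Objects: this object and all descendant objects.
    (New-ServiceAccountAce -Rights 'CreateChild' -ObjectType $ComputerClass -Inheritance $ThisAndAll)
    (New-ServiceAccountAce -Rights 'DeleteChild' -ObjectType $ComputerClass -Inheritance $ThisAndAll)
    # Permissions on the Computer Objects: scope limited to descendant Computer objects.
    (New-ServiceAccountAce -Rights 'ReadProperty, WriteProperty, ReadControl, WriteDacl' -Inheritance $Descendants -InheritedType $ComputerClass)
    (New-ServiceAccountAce -Rights 'Self' -ObjectType $ValidatedDns -Inheritance $Descendants -InheritedType $ComputerClass)
    (New-ServiceAccountAce -Rights 'Self' -ObjectType $ValidatedSpn -Inheritance $Descendants -InheritedType $ComputerClass)
)
$UserOuRules = @(
    # Permissions to Change and Reset User Passwords: this object and all descendant objects.
    (New-ServiceAccountAce -Rights 'ExtendedRight' -ObjectType $ChangePassword -Inheritance $ThisAndAll)
    (New-ServiceAccountAce -Rights 'ExtendedRight' -ObjectType $ResetPassword  -Inheritance $ThisAndAll)
)

function Grant-OuPermissions {
    param([string]$DistinguishedName, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    foreach ($rule in $Rules) { $entry.psbase.ObjectSecurity.AddAccessRule($rule) }
    $entry.psbase.CommitChanges()   # writes the modified nTSecurityDescriptor back to the OU
}

function Get-ServiceAccountAces {
    # Returns the explicit (non-inherited) ACEs on the OU that name the service account, for review.
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

Grant-OuPermissions -DistinguishedName $ComputerOU -Rules $ComputerOuRules
Grant-OuPermissions -DistinguishedName $UserOU     -Rules $UserOuRules

Get-ServiceAccountAces -DistinguishedName $ComputerOU | Format-Table -AutoSize
Get-ServiceAccountAces -DistinguishedName $UserOU     | Format-Table -AutoSize
```

In the read-back, the validated writes appear as the Self right with the DNS host name or service principal name GUID as ObjectType, and the password permissions as ExtendedRight with the corresponding GUID; an ACE with an empty ObjectType and InheritedObjectType applies to all properties and all object types. The page's dialog steps scope the password permissions to every descendant of the user OU; if that OU also contains computers or groups, passing -InheritedType with the User class GUID bf967aba-0de6-11d0-a285-00aa003049e2 to the two password ACEs limits them to user objects, which is the tighter choice.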

Role-based access control with Active Directory

For more information on role-based access control with Active Directory accounts, see Best Practices for Securing Active Directory.

During Installation

When the Cloud Access Connector is installed, you will be prompted for the following information:

  • The AD domain that the remote workstations should be joined to.
  • The AD Service Account username.
  • The AD Service Account password.
  • The AD user group whose members are permitted to log in to the legacy Management Interface on the Cloud Access Connector.