Cisco Systems CSACS3415K9 Selecting an AD Group

8-53

User Guide for Cisco Secure Access Control System 5.4

OL-26225-01

Chapter8 Managing Users and I dentity Stores

Managing External Identity Stores

Step4 Click:

•Leave to disconnect the selected nodes from AD domain.

•Cancel to cancel the operation.

Note Administrators can perform operations like join, leave, or test connection from the secondary server.

When you perform these operations from the secondary server, it affects only the secondary server.

Related Topics

•Selecting an AD Group, page 8-53

•Configuring AD Attributes, page8-54

•Configuring Machine Access Restrictions, page 8-56

Selecting an AD Group

Use this page to select groups that can then be available for policy conditions.

Note To select groups and attributes from an AD, ACS must be connected to that AD.

Step1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the

Directory Groups tab.

Table8-12 Leave Connection Page

Option Description

Username Enter the username of a predefined AD user. An AD account which is required for the domain

access in ACS, should have either of the following:

•Add workstations to the domain user in the corresponding domain.

•Create Computer Objects or Delete Computer Objects permission on corresponding

computers container where ACS machine's account is pr ecreated (created before joining

ACS machine to the domain).

Cisco recommends that you disable the lockout policy for the ACS account and con figure the

AD infrastructure to send alerts to the administrator if a wrong password is used for that

account. This is because, if you enter a wrong password, ACS will not create or modify its

machine account when it is necessary and therefore possibly deny all authentications.

Password Enter the user password.

Do not try to remove

machine account

Check this check box to disconnect the selected nodes from the AD domain, when you do not

know the credentials or have any DNS issues.

This operation disconnects the node from the AD domain and leaves an entry for this node in

the database. Only administrators can remove this node entry from the database.