8-53
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Step 4 Click:
- Leave to disconnect the selected nodes from the AD domain.
- Cancel to cancel the operation.
Note Administrators can perform the join, leave, and test connection operations from the secondary server.
When you perform these operations from the secondary server, they affect only the secondary server.
Related Topics
Selecting an AD Group, page 8-53
Configuring AD Attributes, page 8-54
Configuring Machine Access Restrictions, page 8-56
Selecting an AD Group
Use this page to select groups that can then be available for policy conditions.
Note To select groups and attributes from an AD, ACS must be connected to that AD.
Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the
Directory Groups tab.
Table 8-12 Leave Connection Page

Option: Username
Description: Enter the username of a predefined AD user. The AD account that ACS uses for domain
access must have one of the following:
- The "Add workstations to the domain" user right in the corresponding domain.
- Create Computer Objects or Delete Computer Objects permission on the corresponding Computers
  container where the ACS machine account is precreated (created before the ACS machine is
  joined to the domain).
Cisco recommends that you disable the lockout policy for the ACS account and configure the
AD infrastructure to send alerts to the administrator if a wrong password is used for that
account. If you enter a wrong password, ACS cannot create or modify its machine account when
it needs to, and may therefore deny all authentications.

Option: Password
Description: Enter the user password.

Option: Do not try to remove machine account
Description: Check this check box to disconnect the selected nodes from the AD domain when you do
not know the credentials or have DNS issues.
This operation disconnects the node from the AD domain and leaves an entry for this node in
the database. Only administrators can remove this node entry from the database.
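The table above recommends alerting the administrator whenever a wrong password is used for the ACS account in AD. The following is an added example of what such an alert rule can look like on a log collector; it is not Cisco code or part of the ACS product. It assumes Windows Security events have already been forwarded and normalized into simple records with the fields shown, and the account name "acs-svc", the IP addresses and the sample events are constructed for illustration.

```python
"""Alert on wrong-password events for the AD service account that ACS uses.

Added example, not part of the Cisco ACS documentation. Event records are a
simplified normalization of Windows Security events: for 4625 the "Status"
field carries the SubStatus, for 4771 it carries the Kerberos failure code.
"""
from collections import Counter

# Windows Security event IDs that record a failed credential check:
#   4625 = an account failed to log on (NTLM / interactive / network)
#   4771 = Kerberos pre-authentication failed (the usual symptom of a bad
#          password for a Kerberos-only service account)
FAILED_LOGON_EVENT_IDS = {4625, 4771}

# Codes that mean "wrong password" specifically, as opposed to locked-out,
# disabled, expired, and so on:
#   0xC000006A = STATUS_WRONG_PASSWORD (4625 SubStatus)
#   0x18       = KDC_ERR_PREAUTH_FAILED (4771 failure code)
BAD_PASSWORD_CODES = {"0xC000006A", "0x18"}

# Constructed sample records; the account name and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 4771, "TargetUserName": "acs-svc", "Status": "0x18", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "jdoe", "Status": "0xC000006A", "IpAddress": "10.0.0.7"},
    {"EventID": 4771, "TargetUserName": "ACS-SVC", "Status": "0x18", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "acs-svc", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4771, "TargetUserName": "acs-svc", "Status": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "acs-svc", "Status": "0xC000006A", "IpAddress": "10.0.0.9"},
]


def wrong_password_events(events, account):
    """Return only the events that are a bad-password failure for `account`.

    The comparison is case-insensitive because sAMAccountName casing varies
    between the NTLM and Kerberos event sources.
    """
    wanted = account.lower()
    return [
        e for e in events
        if e["EventID"] in FAILED_LOGON_EVENT_IDS
        and e["TargetUserName"].lower() == wanted
        and e["Status"] in BAD_PASSWORD_CODES
    ]


def build_alert(events, account, threshold=1):
    """Build an alert record for the administrator, or None below threshold.

    The threshold defaults to 1 because, for the ACS account, a single wrong
    password is already actionable: ACS may stop being able to maintain its
    machine account and start denying authentications.
    """
    hits = wrong_password_events(events, account)
    if len(hits) < threshold:
        return None
    sources = Counter(e["IpAddress"] for e in hits)
    return {
        "account": account,
        "count": len(hits),
        "sources": dict(sources),
        "message": (
            f"{len(hits)} wrong-password attempt(s) for AD account {account!r} "
            f"from {', '.join(sorted(sources))}; check the ACS AD connection."
        ),
    }


if __name__ == "__main__":
    alert = build_alert(SAMPLE_EVENTS, "acs-svc")
    print(alert["message"] if alert else "no wrong-password events")
```

The rule deliberately keys on the wrong-password codes rather than on every 4625/4771: a locked-out or disabled account produces different codes, and conflating them hides the exact condition the table warns about. The `sources` field lets the administrator tell an ACS node that was given a stale password apart from some other host using the same account name.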