Configuring advanced settings
By default, the management console contacts Active Directory through any site, domain, domain controller, or global catalog that is available. To limit how the console contacts Active Directory, click Advanced Settings and specify which sites, domains, domain controllers, or global catalogs you want the console to contact.
To configure advanced Active Directory settings
- Log into the management console with the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
- From the top-level Settings menu, navigate to System settings | Active Directory and click the Advanced Settings button.
Note: If the Advanced Settings button is not enabled, you must first configure the console for Active Directory. See Active Directory configuration for details.
If the Active Directory configuration has become invalid (for example, the console is restricted to a domain that no longer exists), refer to Unable to configure Active Directory for information about temporarily setting the domain and site settings until you can reset the configuration from the Advanced Settings dialog.
- On the Active Directory Credentials dialog, enter credentials to log into Active Directory and click OK.
The Active Directory Forest Configuration dialog opens, which allows you to configure which sites, domains, domain controllers, or global catalogs you want the management console to contact for all Active Directory related tasks.
- Choose either the Sites or the Domains option.
The Sites option allows you to select and deselect only sites. The Domains option allows you to select or deselect individual domain controllers.
- Expand the tree view and select which site, domain, domain controller, or global catalog node you want the console to contact for all Active Directory related tasks.
- Click Verify configuration. (Note: You must verify the configuration before you can save the change.)
- Click OK to return to System Settings.
To remove a console access restriction in Advanced Settings
- Expand the tree view and deselect the site, domain, domain controller, or global catalog node.
- Click Verify configuration. (Note: You must verify the configuration before you can save the change.)
- Click OK to save the change and return to System Settings.
Setting the default logon domain
The management console uses the default logon domain to authenticate the user name you use when logging onto the console.
To set the default logon domain
- Log into the management console with the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
- From the top-level Settings menu, navigate to System settings | Active Directory and click the Advanced Settings button.
- On the Active Directory Credentials dialog, enter a user name and password to authenticate to Active Directory.
The Active Directory Forest Configuration dialog displays.
- Next to Default logon Domain (at the bottom of the dialog), choose the default domain to use when logging onto the console.
This allows you to log onto the management console using a simple user name instead of "user@domain".
- Click Verify configuration. (Note: You must verify the configuration before you can save the change.)
- Click OK to return to System Settings.
Privilege Manager system settings
You can configure the management console to communicate with one or more Privilege Manager policy groups, which allows you to centrally manage security policy, remotely configure the Privilege Manager hosts, and view keystroke logs generated by the policy. The Privilege Manager settings in System Settings allow you to activate previously configured service accounts on policy servers. This enables you to view and edit the policy, view keystroke logs, and run policy reports.
Use the Privilege Manager settings to configure the service account and activate the policy groups that you want to use for checking policy and keystroke logging.
Before you can use the Privilege Manager features, you must install and configure a Privilege Manager primary policy server. See Installing the Privilege Manager packages for details.
Configuring a service account
Configuring a service account activates the policy group and allows the console to access either pmpolicy or sudoers policy files and to view events and keystroke logs for the policy group.
To configure a service account
- Log in as supervisor or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
- From the top-level Settings menu, navigate to System settings | Privilege Manager.
- Click Configure service account next to the primary policy server listed.
Note: If your policy group is not listed, make sure you have added the host where the Privilege Manager software is installed as the primary policy server to the management console and profiled it; then re-profile the host.
- On the Configure Service Account dialog, enter credentials to log onto the primary policy server and click OK.
Note: This task requires elevated credentials.
- Verify that the Active box is checked and click OK.
When you configure the service account, the management console:
- Creates "questusr" (the user service account), if it does not already exist, and a corresponding "questgrp" group on the host.
Note: The questusr account is a user service account used by Management Console for Unix to manage Privilege Manager policy and search event logs. It is a non-privileged account (that is, it does not require root-level permissions) used by the console to gather information about existing policy servers and commit policy changes. questgrp is the primary group (gid) for questusr.
- Adds questusr to the pmpolicy and pmlog Privilege Manager configuration groups, and as an implicit member of questgrp.
Note: questusr, pmpolicy, and pmclient are all non-privileged service accounts (that is, they do not require root-level permissions). The pmpolicy and pmclient users are used to sync the security policy on policy servers and on Sudo Plugin hosts (offline policy cache), respectively.
The pmlog and pmpolicy groups are used to control access to log files and the security policy, respectively.
- Adds the policy group SSH key to questusr's authorized_keys file, /var/opt/quest/home/questusr/.ssh/authorized_keys.
- Verifies that the user service account can log in to the host.
Note: If you receive an error message saying you could not log in with the user service account, refer to Service account login fails for help troubleshooting this issue.
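The following added example (not part of the product documentation or the console's own code) checks, on the policy server side, that the account state listed above is actually in place: questusr exists with questgrp as its primary group, it is a member of pmpolicy and pmlog, and its authorized_keys file is not group- or world-writable. The passwd and group content is constructed sample data so the script runs offline; on a real host you would pass "$(cat /etc/passwd)" and "$(cat /etc/group)" and the real authorized_keys path.

```shell
# Constructed sample /etc/passwd and /etc/group content (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
questusr:x:1201:1201:Quest service account:/var/opt/quest/home/questusr:/bin/sh
pmpolicy:x:1202:1203::/var/opt/quest/home/pmpolicy:/bin/sh'

SAMPLE_GROUP='root:x:0:
questgrp:x:1201:
pmpolicy:x:1203:questusr
pmlog:x:1204:questusr'

# gid_of_user PASSWD USER -> prints the user's primary gid, nothing if absent
gid_of_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $4 }'
}

# gid_of_group GROUP NAME -> prints the group's gid, nothing if absent
gid_of_group() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $3 }'
}

# user_in_group GROUP NAME USER -> exit 0 if USER is an explicit member of NAME
user_in_group() {
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_authorized_keys FILE -> exit 0 when the key file exists and is neither
# group- nor world-writable (sshd refuses keys from loosely permissioned files)
check_authorized_keys() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_service_account PASSWD GROUP -> prints "ok" or the first problem found
check_service_account() {
    ugid=$(gid_of_user "$1" questusr)
    [ -n "$ugid" ] || { echo "questusr missing"; return 1; }
    ggid=$(gid_of_group "$2" questgrp)
    [ -n "$ggid" ] || { echo "questgrp missing"; return 1; }
    [ "$ugid" = "$ggid" ] || { echo "questusr primary group is not questgrp"; return 1; }
    for g in pmpolicy pmlog; do
        user_in_group "$2" "$g" questusr || { echo "questusr not in $g"; return 1; }
    done
    echo ok
}
```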
If questusr is inadvertently deleted from the console:
- Re-profile the host.
- Unconfigure the service account. See Unconfiguring a service account for details.
- Reconfigure the service account.