The first time you install or upgrade the Safeguard Authentication Services Windows components in your environment, One Identity recommends that you configure Active Directory for Safeguard Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the application configuration in your forest. Safeguard Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise. Without the application configuration, store UNIX attributes in the RFC2307 standard attributes to achieve the most functionality.

The Safeguard Authentication Services application configuration stores the following information in Active Directory:

• Application Licenses
• Settings controlling default values and behavior for Unix-enabled users and groups
• Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.

The Safeguard Authentication Services application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If Safeguard Authentication Services finds multiple configurations, it uses the one created first as determined by reading the whenCreated attribute. The only time this would be a problem is if different groups were using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts.

You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.

The first time you run the Control Center, the Safeguard Authentication Services Active Directory Configuration Wizard walks you through the setup.

You can modify the settings using Safeguard Authentication ServicesControl Center| Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.

The following table summarizes the required rights.

Table 10: Safeguard Authentication Services Required rights

Rights required	For user	Object class	Attributes
Create Child Object	Safeguard Authentication Services Administrators Only	Container	cn, displayName, description, showInAdvancedViewOnly
Write Attribute	Safeguard Authentication Services Administrators Only	Container
Read Attribute	Authenticated Users	Container	cn, displayName, description, whenCreated

At any time you can completely remove the Safeguard Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the application configuration, Safeguard Authentication Services Active Directory-based management tools do not function.