Considerations for the information you need to supply

These considerations apply to the information you need to supply when configuring HCP support for AD:

  • Before configuring AD support in HCP:
    • Create an AD group in the target domain. Give the group permission to add members to itself. Then give the group these permissions in the specified OU:
      • Read all properties on descendant computer objects
      • Write all properties on descendant computer objects
      • Change password on descendant computer objects
      • Reset password on descendant computer objects
      • Delete on descendant computer objects
      • Create computer objects in this object and all descendant objects
      • Delete computer objects in this object and all descendant objects
    • Create an AD user account and add it to only that group. This is the user to specify as the domain user in the AD configuration in HCP.
    • If HCP is not joined to AD, you can still prepopulate the domain controller filter list.
  • Let HCP create the computer account it uses to query AD for group membership automatically. Do not create this account ahead of time.
  • If you have more than one HCP system for which you are enabling support for AD, specify a computer account name that’s unique among those systems.
  • By default, HCP creates the computer account in the CN=Computers container. For the computer account name, HCP uses HCPSrv-hcp-name (for example, HCPSrv-hcp), where hcp-name is the first segment of the domain name associated with the [hcp_system] network. The container or OU you specify here must be the one in which the group was given the computer-object permissions listed above; otherwise the account cannot be created.
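The preparation steps above (group, delegated permissions on the target container, service user) as a PowerShell script run on a domain-joined Windows host with the ActiveDirectory module. This is an added example, not a script from the HCP documentation or from Hitachi; the names HCP-Admins, svc-hcp, and the use of CN=Computers as the target container are assumptions you should replace with your own. "Permission to add members to itself" is implemented here as the Add/Remove self as member validated write on the group object, which is the standard AD right with that meaning; the schema and rights GUIDs are the fixed values from the AD schema.

```powershell
# Added example (not HCP's own script): one-time AD preparation for HCP AD support.
# Assumed names: group HCP-Admins, user svc-hcp, target container CN=Computers (the HCP default).
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$targetDn  = "CN=Computers,$domainDn"      # change to your OU if HCP is configured with a different one
$groupName = "HCP-Admins"
$userName  = "svc-hcp"

# Fixed AD schema / control-access-right GUIDs (constants, not assumptions)
$computerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$changePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # extended right: Change Password
$resetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$selfMembership = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # validated write: Add/Remove self as member

$Rule   = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # descendant objects only
$All    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All           # this object and all descendants

# 1. Create the group (idempotent) and resolve its SID for the ACEs
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $domainDn
}
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# 2. Permission to add members to itself: Self (validated write) with the Self-Membership GUID on the group object
$groupPath = "AD:\$($group.DistinguishedName)"
$groupAcl  = Get-Acl -Path $groupPath
$groupAcl.AddAccessRule($Rule::new($sid, $Rights::Self, $Allow, $selfMembership))
Set-Acl -Path $groupPath -AclObject $groupAcl

# 3. Delegate the listed rights on the target container
$targetPath = "AD:\$targetDn"
$targetAcl  = Get-Acl -Path $targetPath
$aces = @(
    # Read / Write all properties and Delete on descendant computer objects
    $Rule::new($sid, $Rights::ReadProperty,  $Allow, $Desc, $computerClass),
    $Rule::new($sid, $Rights::WriteProperty, $Allow, $Desc, $computerClass),
    $Rule::new($sid, $Rights::Delete,        $Allow, $Desc, $computerClass),
    # Change password / Reset password: extended rights on descendant computer objects
    $Rule::new($sid, $Rights::ExtendedRight, $Allow, $changePassword, $Desc, $computerClass),
    $Rule::new($sid, $Rights::ExtendedRight, $Allow, $resetPassword,  $Desc, $computerClass),
    # Create / Delete computer objects in this object and all descendant objects
    $Rule::new($sid, $Rights::CreateChild, $Allow, $computerClass, $All),
    $Rule::new($sid, $Rights::DeleteChild, $Allow, $computerClass, $All)
)
foreach ($ace in $aces) { $targetAcl.AddAccessRule($ace) }
Set-Acl -Path $targetPath -AclObject $targetAcl

# 4. Create the service user and make that group its only explicit membership
if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
    $pw = Read-Host -Prompt "Password for $userName" -AsSecureString
    New-ADUser -Name $userName -SamAccountName $userName -AccountPassword $pw -Enabled $true -Path $domainDn
}
Add-ADGroupMember -Identity $groupName -Members $userName

# 5. Verify: the delegated ACEs on the container and the user's group membership
(Get-Acl -Path $targetPath).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
Get-ADPrincipalGroupMembership -Identity $userName | Select-Object Name

# After HCP joins, the auto-created account should appear here; do not pre-create it.
# Get-ADComputer -Filter "Name -like 'HCPSrv-*'" -SearchBase $targetDn
```

Run the script as an account that can modify the ACL of the target container and create objects in the domain. If HCP will use an OU other than CN=Computers, set $targetDn to that OU before running, since the rights delegated here must be on the same container HCP is configured to create its computer account in. The membership check in step 5 will also list Domain Users, which is every user's primary group and cannot be removed; the point is that no other group appears.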