https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234140#M3776 So, by your answer, I believe there is no way to counter that behavior.<BR /><BR />Thanks again for your help acartes. Tue, 15 Jul 2008 16:10:16 GMT Guillaume Michaud 2008-07-15T16:10:16Z https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234136#M3772 Hello,<BR /><BR />We discovered in our testing environnement that domain administrators do not need to be in any hp roles to have full access to remote lights-out management. Is there a way to counter this phenomenon ?<BR /><BR />We have certain persons in our production environnement that need to have domain administrators rights for certain reasons, but we do not want them to have access to the remote lights-out management.<BR /><BR />Thanks in advance. Tue, 15 Jul 2008 12:14:45 GMT https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234136#M3772 Guillaume Michaud 2008-07-15T12:14:45Z https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234137#M3773 When configuring the Directory ,make sure you select HP schema directory integration.<BR />For more information Page 130:<BR /><A href="http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf" target="_blank">http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf</A> Tue, 15 Jul 2008 13:34:08 GMT https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234137#M3773 Raghuarch 2008-07-15T13:34:08Z https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234138#M3774 OK.<BR /><BR />We're using HP extended schema. We created various hp roles with different rights to test the different security issues we encountered with the active directory integration. Everything works fine. If a user isn't in the right hp role, he doesn't have the rights to do the things he want while logged on the remote lights-out card.<BR /><BR />The abnormality we discovered is that even though a user with domain administrative rights isn't in any of our hp roles, he still has full power over any of the remote lights-out card that is integrated in the active directory.<BR /><BR />Thanks Tue, 15 Jul 2008 14:33:55 GMT https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234138#M3774 Guillaume Michaud 2008-07-15T14:33:55Z https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234139#M3775 iLO adds rights to users based on their ability to read the roles. If a user is a member of a role, they can read that role and gain the rights.<BR /><BR />The Directory Administrators and role creators have implicit ability to read the role. Tue, 15 Jul 2008 15:31:28 GMT https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234139#M3775 acartes 2008-07-15T15:31:28Z https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234140#M3776 So, by your answer, I believe there is no way to counter that behavior.<BR /><BR />Thanks again for your help acartes. Tue, 15 Jul 2008 16:10:16 GMT https://community.hpe.com/t5/server-management-remote-server/security-abnormality-with-domain-administrators/m-p/4234140#M3776 Guillaume Michaud 2008-07-15T16:10:16Z