
Re: Security abnormality with domain administrators

 
SOLVED
Guillaume Michaud
Occasional Contributor

Security abnormality with domain administrators

Hello,

We discovered in our testing environment that domain administrators do not need to be in any HP roles to have full access to remote lights-out management. Is there a way to counter this phenomenon?

We have certain persons in our production environment that need to have domain administrator rights for certain reasons, but we do not want them to have access to the remote lights-out management.

Thanks in advance.
4 REPLIES
Raghuarch
Honored Contributor

Re: Security abnormality with domain administrators

When configuring the directory, make sure you select HP schema directory integration.
For more information, see page 130:
http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf
Guillaume Michaud
Occasional Contributor

Re: Security abnormality with domain administrators

OK.

We're using the HP extended schema. We created various HP roles with different rights to test the different security issues we encountered with the Active Directory integration. Everything works fine. If a user isn't in the right HP role, he doesn't have the rights to do the things he wants while logged on to the remote lights-out card.

The abnormality we discovered is that even though a user with domain administrative rights isn't in any of our HP roles, he still has full power over any of the remote lights-out cards that are integrated in the Active Directory.

Thanks
acartes
Honored Contributor
Solution

Re: Security abnormality with domain administrators

iLO adds rights to users based on their ability to read the roles. If a user is a member of a role, they can read that role and gain the rights.

The Directory Administrators and role creators have implicit ability to read the role.
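
An added example, not part of the original thread or of HP's tooling: since the answer above says iLO grants rights to anyone who can read a role object, listing the allow ACEs that confer read access on a role object shows which principals that covers, including inherited entries such as administrative groups. The role DN is a constructed placeholder, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: list the principals whose ACEs allow reading one iLO role object.
# Assumptions: RSAT ActiveDirectory module available; $RoleDn is a constructed placeholder.
Import-Module ActiveDirectory

$RoleDn = 'CN=iLO-Operators,OU=HP Roles,DC=example,DC=com'   # placeholder, replace with a real role DN

# ReadProperty is also contained in GenericRead and GenericAll, so testing this
# one bit catches "read", "full control" and everything in between.
$readBit     = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allProps    = [guid]::Empty

# The AD: drive is created when the ActiveDirectory module is imported.
$acl = Get-Acl -Path "AD:\$RoleDn"

$readers = $acl.Access | Where-Object {
    # Keep allow ACEs that grant read and that apply to this object itself
    # (inherit-only ACEs affect child objects only).
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $readBit) -eq $readBit) -and
    (($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly)
}

$readers |
    Select-Object IdentityReference,
                  ActiveDirectoryRights,
                  IsInherited,
                  @{ Name = 'Scope'; Expression = {
                        # An empty ObjectType GUID means the ACE covers all properties;
                        # otherwise it is limited to one property or property set.
                        if ($_.ObjectType -eq $allProps) { 'all properties' }
                        else { "property/set $($_.ObjectType)" }
                  } } |
    Format-Table -AutoSize -Wrap

# Not handled here: deny ACEs and nested group membership are not resolved, so the
# output is the list of ACEs to review, not a computed effective-access result.
```

Rows with `IsInherited` set to `True` come from a parent container or the domain root rather than from the role object's own ACL.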
Guillaume Michaud
Occasional Contributor

Re: Security abnormality with domain administrators

So, by your answer, I believe there is no way to counter that behavior.

Thanks again for your help acartes.