Active Directory Service Account Requirements

CloudControl uses a service account to integrate with Active Directory (AD). The service account has read-only access to the AD server to discover and collect information about the users and their group memberships that operate in the environment protected by CloudControl. This account is used for authorization purposes, and to ensure that the CloudControl instance operates against the proper AD domains.

The service account requires the following permissions in AD:

  • Domain object: read the memberOf attribute
  • User object: read the memberOf and distinguishedName attributes
  • Group object: read the member, memberOf, and distinguishedName attributes

If needed, work with your AD administrator to configure these permissions for the CloudControl service account. We recommend setting the 'Protect object from accidental deletion' option in the CloudControl service account properties.
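As an added example (not part of the CloudControl documentation), the following PowerShell script uses the ActiveDirectory module to bind as the service account, read the attributes listed above from a known user and group, and report any that come back empty; it then checks the accidental-deletion safeguard. The account, domain controller, user and group names are placeholders to replace with your own.

```powershell
# Added example: verify the CloudControl service account can read the
# attributes the integration requires. All names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-cloudcontrol'   # assumed service account (DOMAIN\sam)
$ServiceSam     = 'svc-cloudcontrol'         # its sAMAccountName
$Server         = 'dc01.corp.example'        # assumed domain controller
$TestUser       = 'jdoe'                     # a user known to be in at least one group
$TestGroup      = 'CloudControl-Operators'   # a group known to have members

$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

function Test-AttributeRead {
    param([string]$Kind, [object]$Object, [string[]]$Attributes)
    foreach ($attr in $Attributes) {
        # AD omits attributes the caller is not allowed to read instead of
        # raising an error, so an empty value on an object that is known to be
        # populated points to a missing read ACE on that attribute.
        $value = $Object.$attr
        $ok = ($null -ne $value) -and (@($value).Count -gt 0)
        '{0,-6} {1,-18} {2}' -f $Kind, $attr, $(if ($ok) { 'OK' } else { 'MISSING' })
    }
}

# Read as the service account, not as the administrator running the script.
$user  = Get-ADUser  -Identity $TestUser  -Server $Server -Credential $cred `
                     -Properties memberOf, distinguishedName
$group = Get-ADGroup -Identity $TestGroup -Server $Server -Credential $cred `
                     -Properties member, memberOf, distinguishedName

Test-AttributeRead -Kind 'user'  -Object $user  -Attributes memberOf, distinguishedName
Test-AttributeRead -Kind 'group' -Object $group -Attributes member, memberOf, distinguishedName

# The recommended safeguard, checked and set from the administrative session
# (the read-only service account cannot modify its own object).
$svc = Get-ADUser -Identity $ServiceSam -Server $Server -Properties ProtectedFromAccidentalDeletion
if (-not $svc.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $svc.DistinguishedName -Server $Server -ProtectedFromAccidentalDeletion $true
    'Enabled "Protect object from accidental deletion" on {0}' -f $svc.DistinguishedName
}
```

Run the script from a domain-joined machine with RSAT installed; a MISSING line for memberOf or member on an object you know has memberships means the corresponding read permission still has to be granted.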