Active Directory Service Account Requirements

CloudControl uses a service account to integrate with Active Directory (AD). The service account has read-only access to the AD server, which it uses to discover and collect information about the users, and their group memberships, that operate in the environment protected by CloudControl. This account is used for authorization purposes, and to ensure that the CloudControl instance operates against the proper AD domains.

The CloudControl service account uses the following attributes:

  • RootDSE
    • ldapServiceName
    • configurationNamingContext
    • rootDomainNamingContext
    • defaultNamingContext
  • Configuration Naming Context
    • nETBIOSName
    • dnsRoot
  • Domain
    • canonicalName
    • msDS-PrincipalName
  • User
    • cn
    • distinguishedName
    • sAMAccountName
    • mail
    • memberOf
    • userPrincipalName
  • Group
    • cn
    • distinguishedName
    • sAMAccountName
    • mail
    • member
  • Site
    • cn
    • distinguishedName
    • siteObjectBL
  • SiteLink
    • cn
    • distinguishedName
    • siteObjectBL

If needed, work with your AD administrator to configure these permissions for the CloudControl service account. We recommend setting the 'Protect object from accidental deletion' option in the CloudControl service account properties.
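The following script is an added example, not CloudControl product code, for checking that a read-only service account can actually read the attributes listed above. It derives every search base from RootDSE (so it runs against whatever forest the domain controller serves), reads one representative object of each kind, and reports a required attribute as denied only when it is an attribute every such object always carries (cn, distinguishedName, sAMAccountName, nETBIOSName, dnsRoot); attributes that may legitimately be empty on a given object (mail, memberOf, member, siteObjectBL) and the constructed ones (canonicalName, msDS-PrincipalName) are reported as unverified rather than denied, because an LDAP search returns nothing for an unset attribute as well as for an unreadable one. The live path assumes the third-party `ldap3` package, LDAPS on port 636, and placeholder host and credentials; the sample RootDSE and entries at the bottom are constructed so the checks run offline.

```python
"""Verify that an AD service account can read the attributes CloudControl needs.
Added example (not CloudControl code); live part assumes `pip install ldap3`."""
from __future__ import annotations

from dataclasses import dataclass

# RootDSE attributes from the page; searched with an empty base and BASE scope.
ROOTDSE_ATTRS = ("ldapServiceName", "configurationNamingContext",
                 "rootDomainNamingContext", "defaultNamingContext")

# Required attributes per object kind, as listed on the page.  "crossRef" is the
# object class under CN=Partitions in the Configuration NC that carries
# nETBIOSName and dnsRoot.
REQUIRED: dict[str, tuple[str, ...]] = {
    "crossRef": ("nETBIOSName", "dnsRoot"),
    "domain": ("canonicalName", "msDS-PrincipalName"),
    "user": ("cn", "distinguishedName", "sAMAccountName", "mail",
             "memberOf", "userPrincipalName"),
    "group": ("cn", "distinguishedName", "sAMAccountName", "mail", "member"),
    "site": ("cn", "distinguishedName", "siteObjectBL"),
    "siteLink": ("cn", "distinguishedName", "siteObjectBL"),
}

# Attributes every object of its kind always carries: if one is absent from a
# result, the bind account lacks read permission on it.  Optional attributes
# (mail, member, ...) and constructed ones (canonicalName, msDS-PrincipalName)
# are deliberately left out, so their absence is only "unverified".
ALWAYS_SET = {"cn", "distinguishedName", "sAMAccountName", "nETBIOSName", "dnsRoot"}


@dataclass
class CheckResult:
    kind: str
    dn: str
    denied: list[str]      # required, always set, yet not returned
    unverified: list[str]  # required, may be unset, not returned

    @property
    def ok(self) -> bool:
        return not self.denied


def search_plan(rootdse: dict[str, str]) -> list[dict]:
    """Build the searches from RootDSE values instead of hard-coded DNs."""
    cfg = rootdse["configurationNamingContext"]
    dom = rootdse["defaultNamingContext"]
    return [
        {"kind": "crossRef", "base": f"CN=Partitions,{cfg}", "scope": "subtree",
         "filter": "(&(objectClass=crossRef)(nETBIOSName=*))"},
        {"kind": "domain", "base": dom, "scope": "base", "filter": "(objectClass=domain)"},
        {"kind": "user", "base": dom, "scope": "subtree",
         "filter": "(&(objectCategory=person)(objectClass=user))"},
        {"kind": "group", "base": dom, "scope": "subtree", "filter": "(objectClass=group)"},
        {"kind": "site", "base": f"CN=Sites,{cfg}", "scope": "subtree", "filter": "(objectClass=site)"},
        {"kind": "siteLink", "base": f"CN=Sites,{cfg}", "scope": "subtree",
         "filter": "(objectClass=siteLink)"},
    ]


def check_entry(kind: str, dn: str, returned: dict[str, list]) -> CheckResult:
    """Compare the attributes that came back with a value against the required list."""
    present = {name for name, values in returned.items() if values}
    missing = set(REQUIRED[kind]) - present
    return CheckResult(kind, dn,
                       denied=sorted(a for a in missing if a in ALWAYS_SET),
                       unverified=sorted(a for a in missing if a not in ALWAYS_SET))


def report(results: list[CheckResult]) -> tuple[bool, list[str]]:
    """Overall verdict plus one human-readable line per checked object."""
    lines = []
    for r in results:
        status = "OK" if r.ok else "DENIED " + ",".join(r.denied)
        if r.unverified:
            status += " (unverified: " + ",".join(r.unverified) + ")"
        lines.append(f"{r.kind:9s} {r.dn}: {status}")
    return all(r.ok for r in results), lines


def run_live(host: str, bind_user: str, password: str) -> tuple[dict, list[CheckResult]]:
    """Bind as the service account over LDAPS and run the plan (needs ldap3)."""
    from ldap3 import BASE, NONE, SUBTREE, Connection, Server  # assumption: ldap3 installed
    server = Server(host, port=636, use_ssl=True, get_info=NONE)
    conn = Connection(server, user=bind_user, password=password, auto_bind=True)
    conn.search("", "(objectClass=*)", search_scope=BASE, attributes=list(ROOTDSE_ATTRS))
    rootdse = {k: str(v[0]) for k, v in conn.entries[0].entry_attributes_as_dict.items() if v}
    results = []
    for step in search_plan(rootdse):
        scope = BASE if step["scope"] == "base" else SUBTREE
        # One representative object per kind is enough to test read rights.
        conn.search(step["base"], step["filter"], search_scope=scope,
                    attributes=list(REQUIRED[step["kind"]]), size_limit=1)
        for entry in conn.entries:
            results.append(check_entry(step["kind"], entry.entry_dn, entry.entry_attributes_as_dict))
    conn.unbind()
    return rootdse, results


# Constructed sample data (not from any real directory) for an offline run.
SAMPLE_ROOTDSE = {
    "ldapServiceName": "example.com:dc01$@EXAMPLE.COM",
    "configurationNamingContext": "CN=Configuration,DC=example,DC=com",
    "rootDomainNamingContext": "DC=example,DC=com",
    "defaultNamingContext": "DC=example,DC=com",
}
SAMPLE_ENTRIES = [
    ("user", "CN=alice,CN=Users,DC=example,DC=com",
     {"cn": ["alice"], "distinguishedName": ["CN=alice,CN=Users,DC=example,DC=com"],
      "sAMAccountName": ["alice"], "mail": [], "userPrincipalName": ["alice@example.com"],
      "memberOf": ["CN=Ops,CN=Users,DC=example,DC=com"]}),
    # Group read back without sAMAccountName: always set, so its absence means
    # the bind account is not permitted to read it.
    ("group", "CN=Ops,CN=Users,DC=example,DC=com",
     {"cn": ["Ops"], "distinguishedName": ["CN=Ops,CN=Users,DC=example,DC=com"],
      "member": ["CN=alice,CN=Users,DC=example,DC=com"]}),
]


def demo() -> tuple[bool, list[str]]:
    return report([check_entry(kind, dn, attrs) for kind, dn, attrs in SAMPLE_ENTRIES])


if __name__ == "__main__":
    ok, lines = demo()              # offline: exercises the checks on the sample data
    print("\n".join(lines))
    print("service account read rights:", "OK" if ok else "INCOMPLETE")
    # Live use (placeholder values): run_live("dc01.example.com",
    #     "svc-cloudcontrol@example.com", "<password>")
```

A denied attribute on a user or group object is the actionable finding: it means the account's read rights on that object class are narrower than the page requires, and the AD administrator needs to grant read access to that attribute. An unverified attribute should be re-checked against an object known to have it populated (a user with a mailbox, a group with members) before concluding anything.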