ACS 4.2 and Active Directory

mpozorski
Level 1

I'm in the process of setting up our new ACS 4.2 server. It is version 4.2 Build 124, running on a Windows 2003 server. I'm having some issues with enumerating groups and just cannot figure out what I'm missing. We have 7 different domains, and I can only enumerate groups from one of them. We are not running ACS on one of our domain controllers but the server is a member of the domain controllers. I have even added a service account that is a domain admin and set the services to run as that account but I still cannot enumerate groups. Any assistance would be greatly appreciated.

Accepted Solution

Jatin Katyal
Cisco Employee

Hi,

I know that you have a domain admin account running the ACS services. But I would like you to go through the below listed steps again.

------------------------------------------

- You should have a user on AD.

- To make it hard to hack, give it a very long complicated password.

- Make the user a member of Domain Admins group.

- Make the user a member of Administrators group.

- Make the user a member of Enterprise Administrators group.

On the Windows 2000/2003 server running ACS:

- Add new user to proper local group.

-- Open "Administrative Tools" from the control panel.

-- Open "Computer Management."

-- Open "Local Users and Groups" and then "Groups."

-- Double-click the "Administrators" group.

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

- Give new user special rights on ACS server.

-- Open "Administrative Tools" from the control panel.

-- Open "Local Security Policy."

-- Open "Local Policies."

-- Open "User Rights Assignment."

-- Double-click on "Act as part of the operating system."

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

-- Double-click on "Log on as a service."

-- Click "Add."

-- Choose the domain from the "Look in" box.

-- Double-click the user created earlier to add it.

-- Click OK.

- Set the ACS services to run as the created user.

-- Open "Administrative Tools" from the control panel.

-- Open "Services."

-- Double-click the CSADMIN entry.

-- Click the "Log On" tab.

-- Click "This Account" and then the "Browse" button.

-- Choose the domain, double-click the user created earlier.

-- Click "OK."

-- Repeat for the rest of the CS services.

- Wait for Windows to apply the security policy changes, or reboot the server.

- If you rebooted the server, skip the rest of these instructions.

- Stop and then start the CSADMIN service.

- Open the ACS GUI.

- Click on System Config.

- Click on Service Control.

- Click "Restart."

Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.

If you are authenticating across domains, a full two-way trust must exist between the domains, the user (ACS account) must be created and given the access above in each domain to be queried, and each domain's FQDN must be listed as a DNS suffix in the IP properties of the server on which ACS is installed (restart the netlogon service after adding the FQDN).

HTH

JK

Plz rate helpful posts.

~Jatin

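A way to verify the local settings the steps above change on the ACS host, as an added PowerShell audit script that is not from the original post: it confirms the service account holds the two user rights, that every CS* service logs on as that account, and that each domain FQDN is in the DNS suffix search list. The account name and domain list are placeholders, and the user-rights check only sees direct grants, not rights inherited through group membership.

```powershell
# Added audit script (not from the original post). Run on the ACS server as a local
# administrator. The account and domain values below are placeholders to replace.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-acs',                        # placeholder
    [string[]]$DomainFqdns  = @('corp.example.com', 'eu.example.com')  # placeholders
)
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. User rights. The steps grant "Act as part of the operating system" (SeTcbPrivilege)
#    and "Log on as a service" (SeServiceLogonRight); SeTcbPrivilege is one of the most
#    powerful rights on Windows, so it is worth re-checking who holds it after any change.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'acs-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
foreach ($right in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    # secedit lists holders as comma-separated entries such as *S-1-5-21-... (SIDs)
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line -or $line -notmatch [regex]::Escape("*$sid")) {
        $problems += "$ServiceAccount does not directly hold the $right user right"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. ACS services (CSAdmin, CSAuth, CSLog, ...) must all log on as the service account.
foreach ($s in Get-WmiObject Win32_Service -Filter "Name LIKE 'CS%'") {
    if ($s.StartName -ne $ServiceAccount) {
        $problems += "Service $($s.Name) runs as '$($s.StartName)', not $ServiceAccount"
    }
}

# 3. DNS suffix search list ("Append these DNS suffixes" in the IP properties) must
#    contain the FQDN of every domain whose groups ACS has to enumerate.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$search = ([string](Get-ItemProperty $tcpip).SearchList -split ',') |
    ForEach-Object { $_.Trim().ToLower() }
foreach ($d in $DomainFqdns) {
    if ($search -notcontains $d.ToLower()) { $problems += "DNS suffix list is missing $d" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All checks passed for $ServiceAccount"
```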

2 Replies


Thank you so very much. I think that it was the DNS suffix section that I must have missed. I had already done everything else you listed. I added the different domains to the DNS suffix settings and now it looks like I can enumerate the groups. Thank you once again.