This past week I was experimenting with the Active Directory object that gets created by the SCS when a system is configured with Kerberos integration. I found some things you should be careful with and wanted to share.
First let’s take a look at how we set up the Active Directory to get it ready for provisioning with the SCS:
In order to use Kerberos to authenticate with your AMT device out of band, you need to first set up a new Organizational Unit within your Active Directory:
Now because our SCS Service will be creating the AMT Device Objects, we need to grant the SCS Service Account Create/Delete permission on the container:
In my case im just using my AMTAdministrator account to keep things simple. Once I have the Create / Delete options selected, I am finished with the new OU.
The next thing I need to do is add the Active Directory OU Information to my SCS Profile:
After we set up the Profile in the SCS, we can go ahead and configure the AMT Client using the ACUConfig tool.
Once configured, we should be able to see the Active Directory object of the AMT Device in the OU we created:
Sure enough, there is our object.
Now let’s take a closer look at that object:
Notice that it is a “User” object. Because it is a user object, it will show up by default when you go to add an object to a group or when you are trying to grant users/objects access to a folder or access list.
For example if I had a security group in Active Directory named “SecurityGroup” and I wanted to add this client (e6420) to it, I would search for the name of the system (e6420):
I hit “Check Names” and it looks as though the search returned the computer account:
But look closer and you will see that the object returned was really the AMT Device Object.
Now if you are not careful when trying to add computers to a security group, and assume that this object was the computer object, you could run into issues.
What you want to do is make sure you include “Computers” when searching for objects:
Now when you search:
You will see multiple objects returned, the top one is the “AMT Device Object” (machine name + $iME)
And the bottom one is the acutal OS Machine Object (machine name + $)
To avoid confusion, in a future release of the SCS, the AD object that gets created by the SCS will be created as a “Computer Object”.