[cisco-voip] Unified Mobility: Creating Remote Destination Profile Templates

Paul asobihoudai at yahoo.com
Mon Feb 14 15:21:59 EST 2011


Wouldn't you be able to, besides using the filters you've already configured, 
change the suggested LDAP service account's access to the RDP template account 
as an object or perhaps have the account moved to an OU that the LDAP service 
account does not have access to?




________________________________
From: Anthony Holloway <avholloway+cisco-voip at gmail.com>
To: Adel Abushaev <adel.abushaev at gmail.com>
Cc: Cisco VoIP Group <cisco-voip at puck.nether.net>
Sent: Mon, February 14, 2011 12:11:21 PM
Subject: Re: [cisco-voip] Unified Mobility: Creating Remote Destination Profile Templates

Thank you for your insight on the topic.  What you are saying is good advice, 
only this service account would have to also appear in the Directory, and that 
is ugly.  We use LDAP filters to specifically avoid listing service accounts in 
the Directory.  Again, thank you for your input.

Anthony


On Mon, Feb 14, 2011 at 12:50 PM, Adel Abushaev <adel.abushaev at gmail.com> wrote:

>Can you reference a domain admin account from AD? Those rarely change,
>mostly never. It probably is not Administrator, for security reasons
>(which delays the hacking person only by about 5 minutes in total),
>but people rename Administrator to something less appealing. Since
>this is an account that you don't plan to use on user devices, it
>might be a good candidate for your purposes, if IT folks do not want
>to create a service account.
>
>Actually, creating a service account would be more secure. It needs to be
>a very deeply restricted user, with absolutely no permissions other
>than just being there, and UCM_DO_NOT_DELETE is a nice name for it.
>
>But first try selling them the story that Call Manager doesn't have
>a local user directory when it's integrated with AD, and there is
>absolutely no way you could create that user without them.
>
>Adel.
>
>
>On Sat, Feb 12, 2011 at 7:00 AM, Anthony Holloway
><avholloway+cisco-voip at gmail.com> wrote:
>> Group,
>> When you create an RDP Template it makes you select an End User to associate
>> to the RDP.  It doesn't have to be a Mobility enabled user, just any old End
>> User will do.  If one were to choose the first user in the list as
>> an efficient way to set that value, and this user ends up leaving the
>> organization, and the AD account gets scrubbed, well, then your RDP Template
>> gets deleted automatically.
>> I can see that by having a dedicated service account in my end user's list,
>> named something like: rdp_template, would alleviate that problem, but now I
>> have to explain to the client why they need to create a dummy account on their
>> AD side.
>> How have others tackled this?  Am I missing something, such that creating
>> dummy users is the norm?
>> Anthony



      

