Directory Management Supported Configurations Understanding Directories
Polycom, Inc. 459
In addition to leveraging Active Directory Universal groups, the RealPresence
Resource Manager system also has Local groups, which you can use to grant a
standard set of rights to multiple users or groups. These RealPresence
Resource Manager system Local groups can have as members, RealPresence
Resource Manager system Local users, Active Directory users or Active
Directory Universal groups. In this fashion, you can nest a variety of users and
groups into a RealPresence Resource Manager system Local group and assign
those users rights through their RealPresence Resource Manager system Local
group membership, simplifying management of rights on the RealPresence
Resource Manager system.
Users
The RealPresence Resource Manager system supports both local and
enterprise user accounts. Local user accounts exist entirely on the
RealPresence Resource Manager system. They can be created and managed
whether or not the system is integrated to an enterprise directory. Enterprise
user accounts exist in your enterprise Active Directory. The RealPresence
Resource Manager system cannot create or manage Active Directory accounts,
except to modify their privileges on the RealPresence Resource Manager
system itself.
If simultaneously using local and enterprise accounts, it is important to avoid
duplication of account data. For example, if your Active Directory has a user
named John Doe with a username of jdoe, a local account for this user must
possess a unique name, such as localjdoe or johndoetest. If duplicate user
accounts exist in the same domain or across domains, the user associated with
these accounts will not be able to log into a dynamically managed endpoint.
The RealPresence Resource Manager system accesses the enterprise directory
in a read-only mode. It does not create, modify, or delete Active Directory
users or groups in any way.
Once you integrate with an enterprise directory, it's best to minimize your
dependency on local users. A single local administrative user account must
exist, and it should be used only when there is a problem connecting to the
enterprise directory.
This configuration provides flexibility and varying security levels as follows:
• Restricted access: For security reasons, local user accounts do not have
access to any data in Active Directory, though they can see the Active
Directory users and groups as defined in the RealPresence Resource
Manager system's security.
An Active Directory forest with a functional level of Windows 2000 Mixed mode
only supports Universal Distribution groups. Windows 2000 Native mode,
Windows 2003 Mixed, and Windows 2003 forest functional levels support
Universal Security and Distribution groups.
