Video: Data Center Expert | Managing Users

Issue
Managing Users within StruxureWare Data Center Expert

Product Line
StruxureWare Data Center Expert (DCE)
- Basic Appliance (AP9465)
- Standard Appliance (AP9470)
- Enterprise Appliance (AP9475)
- Virtual Appliance (AP94VMACT)
StruxureWare Central (SWC)
InfraStruXure Central (ISXC)

Environment
StruxureWare Data Center Expert (all versions)
StruxureWare Central (all versions)
InfraStruXure Central (all versions)
Active Directory (AD) or OpenLDAP Authentication Server

Resolution


Managing Local Users

Local: Creating Users

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
NOTE: This shows the local and remote users that have been added into DCE.  By default there is only the local apc user.
2) Click Add User...
3) Fill in the required/necessary user information.
4) If you would like the user to be part of a group, select the group within the User Group membership tab.
NOTE: A user does not have to be added to any groups.  This is an optional step that may help manage permissions for multiple users.
5) Click OK to create the user.
Local: Creating User Groups

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Click Add User Group...
3) Fill in the required/necessary User Group information.
4) Click the User Group Members tab.
5) Select (checked box) the Users that should be part of this group.
Local: Editing a User or User Group

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Select (left-click once) a user or user group from the list and click Edit.
3) Edit the necessary information.
4) Click OK to save the changes.
Local: Deleting Users / User Groups

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Select (left-click once) the User or User Group.
3) Click Delete.
4) Confirm the username and click Yes to delete the user.
Local: Editing User or User Group Access Permissions

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Click Device Group Access.
3) Select (left-click once) the user or user group within the left pane.
4) Select (left-click once) a device group in the right pane.
5) Click Modify Device Group Access.
6) Select the desired radio buttons for Monitoring Access and Surveillance Access.
7) Click OK to save the changes.
Managing Remote Users

Remote: Adding an Authentication Server and Users/Groups

1) Define a user within your AD/OpenLDAP server that will be used to make the connection.
NOTE: It is recommended that this user is set with a password that does not expire.  If the password expires, no users that are authenticated through the connection that uses the expired credentials will be able to log in.  A local administrator user would need to be used to change the password for the bind user.
2) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
3) Click the Authentication Servers tab.
4) Click Add Authentication Server...
- Provide a label for the AD server.
- Enter the IP Address of the AD server.
- Select the Server Type.
- Click Next.
5) Enter the Bind User DN, which is the full path to the bind user within the authentication server structure.
- The bind user DN is required to be entered with specific syntax, which is case sensitive. EX: cn=bind-user,cn=Users,dc=dcim,dc=apc,dc=com
- It is recommended to use a service account for this configuration.  You may also elect to have a password that does not expire for this user in AD; otherwise your users may get locked out of the application until the expired password is resolved.
- See Determining Bind User DN for details on how to obtain this value.
6) Enter the Bind User Password, which is the password of the Bind User defined within Step 5.
7) Enter the Search Base where the users and groups are located within the AD/LDAP authentication server.
NOTE: The search base is required to be entered with specific syntax, which is case sensitive. EX: dc=dcim,dc=apc,dc=com
NOTE: If you are going to be adding an AD/LDAP group, the group(s) and users must be located within the search base.
- See Determining Search Base for details on how to obtain this value.
8) Click Next.
9) Check the boxes next to the users and user groups. Select Finish.
NOTE: If using groups, you do not need to select the individual users.
10) Click Finish to add the Authentication Server.
Remote: Adding/Deleting Users and User Groups within an already added Authentication Server

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Click the Authentication Servers tab.
3) Select (left-click once) the Authentication Server.
4) Click Edit Authentication Server.
5) Click Next twice.
6) Select (checked box) or Deselect (unchecked box) the users and user groups.
7) Click Finish to finish the user additions/removals.
Remote: Editing User or User Group Access Permissions

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Click Device Group Access.
3) Select (left-click once) the remote user or remote user group within the left pane.
4) Select (left-click once) a device group in the right pane.
5) Click Modify Device Group Access.
6) Select the desired radio buttons for Monitoring Access and Surveillance Access.
7) Click OK to save the changes.
Remote: Deleting an Authentication Server

1) Within the DCE Desktop Client navigate to the System Menu and select Users and Device Group Access.
2) Click Authentication Servers tab.
3) Select (left-click once) the Authentication Server.
4) Click Delete.
5) Confirm the Authentication Server and click Yes to delete the Authentication Server.

Remote: Determining Bind User DN

1) Open Windows PowerShell and run the following command, replacing "binduser" with the username of the user you want to use to connect to the Active Directory server.
Get-ADUser -Identity binduser | select DistinguishedName
If you receive an error you likely need to download and install RSAT (Remote Server Administration Tools) from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=45520
2) Example Result:
DistinguishedName
-----------------
CN=username,OU=Admins,OU=NAM,OU=Countries,DC=example,DC=com
3) Example Bind User DN from step 2 to enter into Bind User DN field:
[Image: Data Center Expert bind user DN example value]

Remote: Determining Search Base

1) Open Windows PowerShell and run the following command, replacing "OU_Name" with the Organizational Unit name of the user you want to use to connect to the Active Directory server.
Get-ADOrganizationalUnit -Filter 'Name -like "OU_Name"' | select DistinguishedName
If you receive an error you likely need to download and install RSAT (Remote Server Administration Tools) from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=45520
2) Example Result:
DistinguishedName
-----------------
OU=Admins,OU=NAM,OU=Countries,DC=example,DC=com
3) Once a result is obtained, the Search Base should be the full result.
[Image: Data Center Expert search base DN example value]

Additional Information

Please refer to Data Center Expert | Tips for configuring Active Directory integration for further troubleshooting and guidance.

Note for port 636 connections: DCE does not support wildcard certificates. The hostname of the server has to be the common name on the certificate; if they do not match in any capacity, it will fail.
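
The port 636 requirement above can be checked before the Authentication Server is added. The following is an added example, not Schneider Electric code: it reads the certificate the LDAPS server presents and reports its common name, whether it is a wildcard, and whether it equals the host name you plan to enter in DCE. The function name Test-LdapsCertificate and the host dc01.example.com are placeholders.

```powershell
# Added example (not vendor code). 'dc01.example.com' is a placeholder host name.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # the name you will enter in DCE
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever certificate is presented: it is only inspected here,
        # and no credentials or directory data are sent over this connection.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        [pscustomobject]@{
            HostName    = $HostName
            CommonName  = $cn
            IsWildcard  = $cn.StartsWith('*')    # wildcard certificates are not supported by DCE
            NameMatches = $cn -eq $HostName      # string -eq is case-insensitive in PowerShell
            NotAfter    = $cert.NotAfter         # expiry date, for planning renewals
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Test-LdapsCertificate -HostName 'dc01.example.com'
```

A result with IsWildcard = True or NameMatches = False corresponds to the failure condition described in the note above.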

AD/LDAP Remote Users cannot be added to Local Groups
- In order to define permissions on a group scale for Remote Users, Remote User Groups defined within the AD/LDAP servers must be used.  Adding remote users to local user groups is not supported.  This is working as designed.

AD/LDAP Search Base may be Too Large
- If only some remote users are able to login or binding during configuration takes too long (or produces an error) the search base may be too large.
- DCE supports search bases up to 10000 objects, including: Users, User Groups, Containers, etc.
- Multiple authentication servers can be created if the authentication server setup allows. Within each respective authentication server entry, the users and user groups must be in that respective search base.

AD/LDAP Users and User Groups must be within the same search base
- AD/LDAP users and user groups must exist within the same search base.  If the users are located outside of the search base, they will be unable to authenticate, even if the user group has been selected within the authentication server settings.  To correct the issue, ensure the search base includes both the users and user groups.  This is working as designed.

Active Directory Users must login using Pre-Windows 2000 Usernames
- Users must login using the Pre-Windows 2000 username (found within the Properties of the User Object in Active Directory).
- The syntax of the username may be slightly different than the username used to log into other systems.
- The username case must be used exactly as shown within the Pre-Windows 2000 username.
- If there is a space within the username, try to log in using quotes around the username, EX: "John Smith"

Active Directory Group Type
- If adding User Groups from Active Directory instead of individual user objects, the User Group CANNOT be a Global Group.  Change the User Group type to Universal to resolve the issue.

Issues Binding to Search Base that Contains an Object starting with #
- AD objects that begin with a # can cause parsing issues within DCE.  You will see an error if this happens that states 'Invalid Attribute.'  Typically binding to a Search Base one container higher than the one that contains the object beginning with '#' will resolve the issue.  However, you cannot select any AD Objects within the container that also contains the '#' object.

Protected Users
- Windows 8.1 and Windows Server 2012 R2 have a Protected Users group.  As of DCE 7.4.1, adding a user that is also a member of this group will cause authentication to fail.
- More information on Protected Groups: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)
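
Several of the conditions above (search base size, users and groups outside the search base, Global groups, names beginning with '#', Protected Users membership, spaces in Pre-Windows 2000 usernames, plus the bind user password expiry mentioned earlier) can be checked in Active Directory before configuring DCE. The script below is an added example, not Schneider Electric code. It requires the RSAT ActiveDirectory module, and the search base, bind user and group name (DCE-Operators) are placeholder values.

```powershell
# Added example (not vendor code). Placeholder values: substitute your own.
Import-Module ActiveDirectory
$SearchBase = 'OU=Admins,OU=NAM,OU=Countries,DC=example,DC=com'
$BindUser   = 'binduser'
$Groups     = @('DCE-Operators')   # hypothetical AD group(s) to be added to DCE
$Limit      = 10000                # object limit stated in this article

# True when a DN sits underneath the search base.
function Test-InSearchBase([string]$Dn) {
    $Dn.EndsWith(",$SearchBase", [System.StringComparison]::OrdinalIgnoreCase)
}
$findings = New-Object System.Collections.Generic.List[string]

# Search base size, and object names beginning with '#'.
$objects = @(Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree)
if ($objects.Count -gt $Limit) {
    $findings.Add("Search base holds $($objects.Count) objects; limit is $Limit")
}
foreach ($o in $objects | Where-Object { $_.Name -like '#*' }) {
    $findings.Add("Name begins with '#': $($o.DistinguishedName)")
}

# Bind user: an expiring password locks out every remote user when it lapses.
$bind = Get-ADUser -Identity $BindUser -Properties PasswordNeverExpires
if (-not $bind.PasswordNeverExpires) {
    $findings.Add("Bind user password can expire: $($bind.DistinguishedName)")
}

# Group scope, location, and per-member checks.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $_.DistinguishedName })
foreach ($name in $Groups) {
    $group = Get-ADGroup -Identity $name
    if ($group.GroupScope -eq 'Global') { $findings.Add("Global group (use Universal): $name") }
    if (-not (Test-InSearchBase $group.DistinguishedName)) {
        $findings.Add("Group outside search base: $($group.DistinguishedName)")
    }
    foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
        if ($m.objectClass -ne 'user') { continue }
        if (-not (Test-InSearchBase $m.distinguishedName)) {
            $findings.Add("User outside search base: $($m.distinguishedName)")
        }
        if ($protected -contains $m.distinguishedName) {
            $findings.Add("Member of Protected Users: $($m.SamAccountName)")
        }
        if ($m.SamAccountName -match '\s') {
            $findings.Add("Pre-Windows 2000 name contains a space: '$($m.SamAccountName)'")
        }
    }
}
if ($findings.Count) { $findings } else { 'No issues found.' }
```

The SamAccountName attribute reported here is the Pre-Windows 2000 username that users must type, with the same case, when logging into DCE.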

Users can no longer log into DCE after changing Active Directory or OpenLDAP structure.
- DCE records the specific structure of the authentication server search base.  You will need to remove and re-add the AD/LDAP user/group within the authentication server settings.  This is working as designed.

Unable to remove Active Directory Groups (Authentication Server Offline)
- If the configured AD/OpenLDAP server goes offline or is decommissioned before the Authentication Server is removed from DCE, the groups added through the authentication server may not be able to be deleted.  If possible, put the active directory user back on-line to process the deletion.  Once communication can occur between the two systems, the Authentication Server entry can be removed.
- If the server cannot be brought back online with the same IP or server name, contact your local technical support for assistance.

"Unable to Reach Host" message during Authentication Server Configuration
- The error indicates that the client is unable to access the remote Authentication Server at the address/port provided.
- The client computer must have access on the network to the Authentication server as it is performing the connection during the configuration.
- When the configuration is finished the DCE appliance will connect to the Authentication Server(s) for user verification.  The Client to Authentication Server connection is only used during configuration of the Authentication Server.
- This message is not logged in any DCE client or Server logs.

After upgrading to 7.8.0.46, users that are added via Active Directory groups can no longer authenticate.
There was an issue that prevented users that are added to Data Center Expert via an Active Directory group from authenticating.  This issue has been corrected in version 7.8.0.47, but at this time there is no fix for users that have already upgraded to 7.8.0.46.  This issue is being actively worked on by development for a fix to the 7.8.0.46 version.  The only current workaround is that the users can be individually added into Data Center Expert via Active Directory, instead of using Groups.
