HP Client Automation Active directory best practices

  • KM00432938
  • 20-May-2013
  • 20-May-2013

This document has not been formally reviewed for accuracy and is provided "as is" for your convenience.


HP Client Automation Active directory best practices




We are having the 1 Core Server which is having the Win 2003 64Bit Standard Edition and 8GB of Ram 4 Core processor and 4 Satellite is having Win 2003 64Bit Standard Edition and 4 GB or ram 4 Core processor.


Around 14,000 Devices are there, Whether Active Directory is recommended or not ?


If its recommended can share the Document for the benchmark for minimum supported devices for without AD and with AD also ….


HP CAE integrates well with Active Directory, AD (or any other LDAP-compliant directory) is a frequently used option to manage HPCA policy;

however, it is not a must-have option.


It is used as an option to administer policy (for software and patches, for example) stored in an external LDAP directory—such as Active Directory. This policy source is used by the Policy Server to drive resolution in the Configuration Server. Policies in the directory are administered by the HPCA Console.


Therefore, whether or not to involve AD, it all comes down to customer’s needs, for example, AD can be used for:

• Running reports based on Active Directory (AD) containers & groups

• Enabling external AD/LDAP sources for authentication to the HPCA Console

• Policy assignment – a policy is a designation of the services to which a user, an agent

• computer, or a managed device is entitled

• OS Management operations

• Agent Notification based on AD/LDAP sources


Furthermore, you can use both internal policies (HPCAE) and external policies (e.g. AD), note that policy resolution is always internal first; you can even use multiple directories at the same time but a more common approach is to use a single AD.


Although there is no official documentation on minimum supported devices with or without AD (basically, the numbers of devices that can be supported are the same, internal and external policy are just different options), if AD is required by the customer, there are some points that may be worthy of your consideration:

• Plan to Extend the Schema and use all five LDAP schema.

• Use GPO’s to control Automatic Update NT services, Firewall settings on servers and clients, NTFS Permissions on Directory Structures for client and server.

• Automatic Update NT Services to be set to manual (not disabled) on the End User Devices.

• Automatic Updates in Control panel is turned off.

• HPCAE Service ID’s which are required for the tool to function should be configured to authenticate to Active Directory. It is recommended that access to the Enterprise Console, Policy Server, CSDB, Management Portal and Patch Manager be controlled using Active Directory ID’s.

• Create HPCAE AD OU containers for service IDs, Application Management ID’s, Management Groups and Servers.

• Lock down the HPCAE Infrastructure using Domain Groups and Accounts.

• Extending the AD schema for HPCAE Policy Server offers the most secure solution for storing HPCAE entitlement configuration information.

• Determine AD Replication Topology so that Policy is assigned at the top of the AD replication tree.

• Entitle HPCAE services be performed at the Active Directory Organizational OU Level.