Configuring Local or Active Directory-based Console Users

ITM On-Prem (ObserveIT) allows you to create and configure local Console Users in the ITM On-Prem (ObserveIT) Database, or Active Directory-based Console Users (if an LDAP Target has been established).

If the server on which the ITM On-Prem (ObserveIT) Application server is installed is a member of an Active Directory domain, that domain is automatically added to the list of LDAP Targets and configured as an "Automatic" type LDAP Target. This enables the use of Active Directory users and groups from all domains in all the Active Directory forests that are connected to the current forest.

If the server was not a member of any domain during the ITM On-Prem (ObserveIT) installation, you can add the LDAP Target after adding the server to a domain. If the server on which the ITM On-Prem (ObserveIT) Application server is installed is not a member of any Active Directory domain, you can manually add LDAP Targets, which are configured as "Manual" type LDAP Targets. This enables the use of Active Directory users; however, you cannot use groups from that domain.

Creating Console Users for an Active Directory domain does not create actual Active Directory user objects. These Console Users are just "pointers" to Active Directory user objects that exist in the target Active Directory domain. That is why the Password field is grayed out whenever an Active Directory domain is selected.

If you are using an "Automatic" type LDAP Target, and the user name is not verified, you will get an error message. This check is NOT performed if you are using "Manual" type LDAP Targets or when you specify a domain manually.

When a user who is configured as an ITM On-Prem (ObserveIT) Console User tries to log on to the ITM On-Prem Web Console, and that user's Authentication target is set to the Active Directory domain, the ITM On-Prem Web Console connects to the destination domain and tries to authenticate the user with the user's credentials.

By default, the use of domain local groups is disabled. In order to use domain local groups, you must enable the Allow LDAP local groups option in the System Settings page of the Web Console.
