Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel AMT Active Directory Objects

idata
Employee
2,630 Views

Hi, for each client that gets provisioned the AMT process creates an object in AD for AMT. The object is created with a non-expiring password; can we change this, and if so, how?

Also, each object is added to the Domain Users group. Can this be changed as well?

Both the non-expiring password and the Domain Users group were spotted by our IT security team.

Do you also have detailed documentation about the risks, if any, of these objects that are created?

They seem like half user objects and half computer objects?

You can search and find them in AD under a users and groups search, but when you right-click on any of them you have the computer object menu choices (reset, disable, etc.).

let me know

thanks

Stéphane

0 Kudos
17 Replies
idata
Employee
767 Views

Can you be specific as to which documentation to check for finding answers to the questions? I am interested in the answers as well and have searched; however, I have not found answers to the questions.

Thank you.

0 Kudos
idata
Employee
767 Views

Yes, please specify. I read through it and didn't seem to find specific info on what I needed.

thanks

Stéphane

0 Kudos
idata
Employee
767 Views

I have not gotten any specific answer on this or where to find it yet...

can someone help please?

thanks

Stéphane

0 Kudos
idata
Employee
767 Views

Here is what the Intel SCS 7.0 User Guide says:

"If the ADOU has a maximum password age password policy defined in AD, the password must be replaced before it expires." So I think you set it in AD.

If you are using Intel SCS 7.0, page 15 of the User Guide (available in the download zip file) tells you how to schedule a maintenance task to reset the password.

I don't know the answer to the security implications, but I think they are greatly reduced if you set a password expiration policy.

0 Kudos
idata
Employee
767 Views

Hi, do you have any idea who or where I could get the answers from to the security questions I have?

thanks

0 Kudos
idata
Employee
767 Views

I have not yet gotten a response for this?

Any idea?

Can I set the AD AMT object password to reset every 30 days or so? Will it break AMT functionality?

thanks

Stéphane

0 Kudos
Adolfo_S_Intel2
Employee
767 Views

Currently there is no way to do that; the only way to reset the AMT password is manually.

You cannot set the system to remind you every 30 days or so.

0 Kudos
idata
Employee
767 Views

Sorry about the delay on your security question. I've entered an internal support request to our Intel AMT team to get some help on this issue. You should be getting a reply in a few days.

0 Kudos
idata
Employee
767 Views

Building on what Adolfo said, the maintenance tasks to reset the AD object password depend on what software you are using. Can you give me some more background on your implementation? Are you provisioning with the Intel SCS? If so, which version?

0 Kudos
idata
Employee
767 Views

Adolfo, I am talking about the AMT Active Directory object password.

0 Kudos
idata
Employee
767 Views

OK, thanks Steve, I will wait on a reply from them.

I got one from Adolfo saying the AMT password cannot be reset every 30 days, but I don't believe he is talking about the AMT Active Directory object.

let me know

thanks.

Stéphane

0 Kudos
idata
Employee
767 Views

Hi Dan, I am in-band provisioning these clients through SCCM 2007 R2.

Auto provisioning is set through SCCM with a 3rd party cert.

If there is any other info you need, let me know.

thanks

Stéphane

0 Kudos
idata
Employee
767 Views

Ah, Ok. You are in good shape then. SCCM takes care of the maintenance of the AD objects for AMT and will make sure that passwords get changed automatically in accordance with any policies you have in place in the AD.

0 Kudos
idata
Employee
767 Views

Dan, the problem is that when the AMT object gets created in AD, the account's password is set not to HAVE to expire. So because of this, our policy to change the password does not take effect.

Can we change this?

0 Kudos
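The two findings raised in this thread (a password that never expires and membership in Domain Users) can be audited from a directory export. The following is an added example, not code from any poster, Intel or Microsoft: it assumes the AMT objects carry the standard `userAccountControl`, `primaryGroupID` and `pwdLastSet` attributes and that their values have been exported as strings; the DNs, dates and the `audit` helper are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
DOMAIN_USERS_RID = 513           # primaryGroupID of the Domain Users group
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_dt(ticks):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=int(ticks) // 10)

def dt_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def audit(objects, max_age_days, now):
    """Return {dn: [findings]} for each object with at least one finding."""
    report = {}
    for obj in objects:
        findings = []
        if int(obj["userAccountControl"]) & UF_DONT_EXPIRE_PASSWD:
            findings.append("password-never-expires")
        if int(obj.get("primaryGroupID", 0)) == DOMAIN_USERS_RID:
            findings.append("primary-group-domain-users")
        ticks = int(obj.get("pwdLastSet", 0))
        if ticks == 0:
            findings.append("pwdLastSet-zero")  # no usable password timestamp
        elif (now - filetime_to_dt(ticks)).days > max_age_days:
            findings.append("password-older-than-policy")
        if findings:
            report[obj["dn"]] = findings
    return report

# Constructed sample: DNs, dates and values are illustrative, not from the thread.
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
def _rec(name, uac, group, age_days):
    return {"dn": f"CN={name},OU=AMT-Objects,DC=example,DC=test",
            "userAccountControl": str(uac), "primaryGroupID": str(group),
            "pwdLastSet": str(dt_to_filetime(NOW - timedelta(days=age_days)))}

SAMPLE = [_rec("amt-obj-1", 0x10200, 513, 200),  # never expires, Domain Users, stale
          _rec("amt-obj-2", 0x200, 515, 10),     # nothing to report
          _rec("amt-obj-3", 0x200, 513, 5)]      # Domain Users only

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE, max_age_days=30, now=NOW).items():
        print(dn, "->", ", ".join(findings))
```

The same flag can be selected server-side with the LDAP bitwise-AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=65536)`, scoped to the OU that holds the AMT objects.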
idata
Employee
767 Views

Hi Stephane,

Before I can respond to your question, I need to know which version of SCS you are using and what AD Integration setting you are using.

David

0 Kudos
idata
Employee
767 Views

Hi David, I am using SCCM 2007 with a VeriSign cert for auto provisioning.

What do you mean by AD integration?

thanks

Stéphane

0 Kudos