Dell iDRAC7 User Manual page 132

Figure 2. Typical Setup for Active Directory Objects
You can create as many or as few association objects as required. However, you must create at least one Association
Object, and you must have one iDRAC7 Device Object for each iDRAC7 device on the network that you want to integrate
with Active Directory for Authentication and Authorization with iDRAC7.
The Association Object allows for as many or as few users and/or groups as well as iDRAC7 Device Objects. However,
the Association Object only includes one Privilege Object per Association Object. The Association Object connects the
Users who have Privileges on iDRAC7 devices.
The Dell extension to the ADUC MMC Snap-in only allows associating the Privilege Object and iDRAC7 Objects from the
same domain with the Association Object. The Dell extension does not allow a group or an iDRAC7 object from other
domains to be added as a product member of the Association Object.
When adding Universal Groups from separate domains, create an Association Object with Universal Scope. The Default
Association objects created by the Dell Schema Extender Utility are Domain Local Groups and does not work with
Universal Groups from other domains.
Users, user groups, or nested user groups from any domain can be added into the Association Object. Extended Schema
solutions support any user group type and any user group nesting across multiple domains allowed by Microsoft Active
Directory.
Accumulating Privileges Using Extended Schema
The Extended Schema Authentication mechanism supports Privilege Accumulation from different privilege objects
associated with the same user through different Association Objects. In other words, Extended Schema Authentication
accumulates privileges to allow the user the super set of all assigned privileges corresponding to the different privilege
objects associated with the same user.
The following figure provides an example of accumulating privileges using Extended Schema.
132