https://community.cloudera.com/t5/Archives-of-Support-Questions/What-is-the-reason-for-creating-an-Active-Directory-OU-User/m-p/144077#M52426 <P>We want to use our existing Active Directory environment for Kerberos User Authentication. Using the Ambari Kerberos Wizard the following prereequisites needs to be checked to progress ...</P><UL> <LI>Active Directory OU User container for principals has been created, For example "OU=Hadoop-Cluster,OU=People,dc=domain,dc=com"</LI><LI>Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container are implemented</LI></UL><P>What is the reason for creating an Active Directory OU User container for principals and Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container?</P> Fri, 16 Sep 2022 10:56:35 GMT timo_burmeister 2022-09-16T10:56:35Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-is-the-reason-for-creating-an-Active-Directory-OU-User/m-p/144077#M52426 <P>We want to use our existing Active Directory environment for Kerberos User Authentication. Using the Ambari Kerberos Wizard the following prereequisites needs to be checked to progress ...</P><UL> <LI>Active Directory OU User container for principals has been created, For example "OU=Hadoop-Cluster,OU=People,dc=domain,dc=com"</LI><LI>Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container are implemented</LI></UL><P>What is the reason for creating an Active Directory OU User container for principals and Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container?</P> Fri, 16 Sep 2022 10:56:35 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-is-the-reason-for-creating-an-Active-Directory-OU-User/m-p/144077#M52426 timo_burmeister 2022-09-16T10:56:35Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-is-the-reason-for-creating-an-Active-Directory-OU-User/m-p/144078#M52427 <A rel="user" href="https://community.cloudera.com/users/2158/timoburmeister.html" nodeid="2158">@Timo Burmeister</A><P>A new container does not need to be created specifically for the Ambari-managed Kerberos identities; however, it would be recommended since there potentially may be a lot of accounts created for service and user principals in the Active Directory. In any case, there needs to be a container available in the Active Directory that Ambari can create and manage accounts within. </P><P>The credentials used to access the Active Directory must give access to Ambari so that new accounts can be created for each of the cluster-specific service and user principals. That account must able to able to update the password for each of those accounts. It is recommended that a special account is given access to the container for security purposes and ease-of-mind. You may not want to give out a domain administrator's credentials or give Ambari full rein over the Active Directory - not that Ambari will do anything nefarious. </P> Tue, 24 Jan 2017 23:17:40 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-is-the-reason-for-creating-an-Active-Directory-OU-User/m-p/144078#M52427 rlevas 2017-01-24T23:17:40Z