Hi. I was wondering if anybody can advise.
I have received a fresh instance of Windchill. The person who performed the install of the software on the application server did not use a new local "wcadmin" account to complete the install. Instead, the initial admin account used to perform the install was an account from our Enterprise Directory. Our LDAP server is configured to be read-only. Consequently, I have received the new Windchill instance with an inability to create local Windchill accounts - it seems it is now only possible to import users from Active Directory.
Please can anybody advise how important it is to have at least one account in Windchill that is not an account from Active Directory that can be used for admin purposes?
If it were me, I would like to have the ability to create local user accounts for both Admin tasks and testing purposes. There are a number of different ways to configure user accounts in Windchill. You should open a Tech Support call with PTC to review your current configuration and get some advice from them regarding your options for adding local accounts based on the configuration.
Thank you! Are you aware of how to create local accounts when the LDAP content is read-only?
You would have to set up a second LDAP that is independent of your enterprise LDAP. Then configure Infoengine (additional JNDI adapter) and Apache to enable that adapter. You can have multiple adapters, but each one HAS to point to a unique branch of AD, and usernames must be unique between adapters.
https://www.ptc.com/en/support/article/CS29454?source=search
The only way to create users locally in the past was to have users in Windchill DS (no longer in use), which was an LDAP.
Does your organization allow for the creation of "administrator" type accounts, where you can have users added to AD?
Hi. Thank you very much for the response and info.
The creation of "administrator" type accounts is something I could ask for to get around this issue. I was just curious if there was a more straightforward way of doing this from Windchill.
The solution depends on your business requirements and the flexibility of your IT department: corporate LDAP admins and cyber security.
If this is an unsecured environment, you can probably set up an independent read-write LDAP server and manage software administrative accounts (site admin), integration accounts (publishing admin), and development/test accounts.
If there are SSO or corporate LDAP exclusive requirements, then you need to ask IT to create all these additional accounts and add them to your Windchill filter group. Depending on the purpose of the account, you can usually get them assigned non-expiring passwords.
Thank you very much. I'll look into the possibility of creating an admin account added into our LDAP.
Hello @BF_13811900,
It looks like you have some responses from some community experts. If any of these replies helped you solve your question, please mark the appropriate reply as the Accepted Solution.
Of course, if you have more to share on your issue, please let the Community know so other community members can continue to help you.
Thanks,
Vivek N.
Community Moderation Team.