System User and Group Management in OES 2 SP2, page 267 (novdocx (en) 22 June 2009)

Further investigation revealed that the administrator credentials had been used to install OES 2 on multiple servers, and by default the credentials were therefore also used as the proxy user credentials for some of the OES services. Consequently, the credentials were stored in CASA for use when the OES services came up.

Because the Admin password had changed, the CASA credentials had expired and service authentication requests were failing, resulting in the intruder detection lockout.

I.3.2 Proxy User Impacts on User Connection Licenses

From a licensing standpoint, each proxy user counts as a user on the OES network and consumes one user connection license.

It is not unreasonable to expect that the OES servers you install could average five to six proxy users apiece, meaning that an organization that has three to five OES servers installed with the default settings can expect that 15 to 30 of its user connection licenses might be taken by proxy users.

For large organizations with hundreds of servers, the user connections consumed by default installations would be substantial. Therefore, large organizations are especially interested in methods for limiting the number of proxy users on their network.

I.3.3 Limiting the Number of Proxy Users in Your Tree

Table I-6 outlines various options for limiting the number of proxy users in your tree and summarizes the licensing, security, and manageability considerations of each approach.

Table I-6 Options for Limiting the Number of Proxy Users

Approach: Per Service per Server (default)

Licensing Impact: One for each service on each server

Security Considerations: For AFP, CIFS, iFolder 3, NSS, and Samba this is the most secure option. Passwords for these are system-generated and not known by anyone. For LUM there is no option to have a system-generated password. For DNS, DHCP, and NetStorage, the install admin’s credentials are used by default. This has separate security implications as outlined in “Avoid Assigning an Admin User As a Proxy User” on page 266.

Manageability Considerations: This approach requires no proxy user planning. Services are installed at the same time as the OES server. This is a good option for small organizations or installations where only a few services are used. This is not a good option if security policies dictate that all passwords must be reset periodically.