[TABS_R id=10143]
Your company synchronizes Microsoft Active Directory enduser accounts with UCM.
Which of the following tasks cannot be performed by using the UCM administrative GUI? (Select 2 choices.)
- assigning users to groups
- assigning an IP phone to a user
- assigning roles to user groups
- changing user PINs
- creating end-user accounts
- deleting end-user accounts
Explanation:
Because your company synchronizes Microsoft Active Directory end-user accounts with Cisco Unified Communications Manager (UCM), you cannot create end-user accounts by using the UCM administrative graphical user interface (GUI). In addition, you cannot delete end-user accounts by using the UCM administrative GUI.
When UCM is configured to synchronize with a Lightweight Directory Access Protocol (LDAP) directory, such as OpenLDAP or Microsoft Active Directory, the user ID and all user personal and organizational data that is stored in the LDAP directory, except for passwords, are replicated to the UCM database. It is important to note that the Cisco Directory Synchronization (DirSync) service must be activated before LDAP synchronization can take place.
When LDAP synchronization is configured, UCM configures the synchronized data as readonly data and acknowledges the LDAP directory as the central authority for creating and deleting user accounts. Therefore, UCM prevents administrators from using the UCM GUI to add and delete users. None of the data that was replicated to the UCM database can be modified by using the GUI. However, UCM user data that is not managed by the LDAP directory, such as the user’s password and personal identification number (PIN), can be modified in the UCM administrative GUI.
You can assign roles to user groups in the UCM administrative GUI, even if your company synchronizes Microsoft Active Directory enduser accounts with UCM. UCM roles are configured with privileges that are specific to UCM, such as the ability to log in to the administrative GUI and the ability to modify specific configuration settings. Therefore, an administrator must be able to assign UCM roles to user groups in the UCM administrative GUI so that the end users in those groups can perform tasks in the GUI. However, UCM synchronization with LDAP overrides any role’s privilege to add or delete UCM end users.
You can assign users to groups in the UCM administrative GUI, even if your company synchronizes Microsoft Active Directory enduser accounts with UCM. Because the user groups and user roles that control user privileges in UCM are unique to UCM, administrators must be able to assign those groups and roles to end users by using the UCM administrative GUI.
You can assign an IP phone to a user in the UCM administrative GUI, even if your company synchronizes Microsoft Active Directory enduser accounts with UCM. Because the enduser IP phone assignments are not stored in Active Directory, administrators must be able to assign those devices to end users by using the UCM administrative GUI.
You can change user PINs in the UCM administrative GUI, even if your company synchronizes Microsoft Active Directory enduser accounts with UCM. Because the enduser PIN assignments are not stored in Active Directory, administrators must be able to assign PINs to end users by using the UCM administrative GUI.
[TABS_R id=10143]