Configuring Permissions for Domain Management Account

Hello All, I hope someone can help me understand what exactly needs to be done to configure permissions for a Domain Management Account and a Password Policy Account. I think the guide could have been better explained. Perhaps someone has a PowerShell script or commands that could set the necessary permissions and rights?

Excerpt from Password Manager 5.12.0 Administration Guide - Getting started - page 23

• Membership in the Domain Users group -> this is straightforward
• The Read permission for all attributes of user objects -> is this required only on the user objects within the OU of the user accounts we want to manage via Password Manager?
• The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime -> is this required only on the user objects within the OU of the user accounts we want to manage via Password Manager?
  NOTE: If the Storage attribute for Security questions under the Reinitialization page is a custom value (such as userParameters), then the Write permissions must be provided for that attribute instead of the comment attribute.
• The right to reset user passwords -> is this required only on the user objects within the OU of the user accounts we want to manage via Password Manager?
• The permission to create user accounts and containers in the Users container -> is this required only on the user objects within the OU of the user accounts we want to manage via Password Manager?
• The Read permission for attributes of the organizationalUnit object and domain objects -> Not sure what is required here; if we are setting Read permission for all domain objects, wouldn't that include all OU objects as well?
• The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects -> not sure where to find the gpLink attribute
• The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers -> not sure what this means
• The permission to create container objects in the System container -> cannot find the "create container object" permission
• The permission to create the serviceConnectionPoint objects in the System container -> cannot find the "create serviceConnectionPoint object" permission
• The permission to delete the serviceConnectionPoint objects in the System container -> cannot find the "delete serviceConnectionPoint object" permission
• The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container -> cannot find the "keywords attribute for the serviceConnectionPoint object" permission

I will stop there, hopefully someone can advise. Thanks in advance... Diana

If you want to use the same domain connection in password policies, as well, make sure the account has the following permissions:
• The Read permission for attributes of the groupPolicyContainer objects.
• The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
• The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects.
• The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
• The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
• The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
• The Write permission for the following attributes of the msDS-PasswordSettings object:
  • msDS-LockoutDuration
  • msDS-LockoutThreshold
  • msDS-MaximumPasswordAge
  • msDS-MinimumPasswordAge
  • msDS-MinimumPasswordLength
  • msDS-PasswordComplexityEnabled
  • msDS-PasswordHistoryLength
  • msDS-PasswordReversibleEncryption
  • msDS-PasswordSettingsPrecedence
  • msDS-PSOApplied
  • msDS-PSOAppliesTo
  • name

  • Hello,

    We currently do not provide any tool or scripts to automate the delegation.

    This KB helps clarify the necessary permissions that are outlined in the documentation, but it is still a manual process:

    https://support.oneidentity.com/password-manager/kb/4227388/assigning-minimum-permissions-required-to-install-and-run-password-manager

    Please keep in mind that if you open a Support Case and the issue is related to a permissions issue (i.e. Access Denied), then we will ask you to test with the service account as a Domain Admin.

    Thank you

  • The link to the doc you sent has the same instructions that I specifically was asking questions on, and it does not answer my questions.

  • In general, yes you need to grant the permissions to the objects (users, OUs, Domains, etc.) in all the domains you add in Password Manager for the users you wish to allow to use Password Manager.

    For these specific questions:

    NOTE: Ensure you're using ADSIEdit to set and check these permissions. Not all entries show up in other tools.

    The Read permission for all attributes of user objects
    -> is this required only on the user objects within the OU the user accounts we want to manage via Password Manager?
    A: For any user objects you wish to include in any User Scope, including Password Policies

    The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
    ->is this required only on the user objects within the OU the user accounts we want to manage via Password Manager?
    A: Yes, only users in the User Scope

    The right to reset user passwords
    ->is this required only on the user objects within the OU the user accounts we want to manage via Password Manager?
    A: Yes

    The permission to create user accounts and containers in the Users container
    -> is this required only on the user objects within the OU the user accounts we want to manage via Password Manager?
    A: No, it is required in the Users Container. Password Manager creates a disabled account in Users, and also creates a Replication container object, along with user objects within that OU structure.

    The Read permission for attributes of the organizationalUnit object and domain objects
    -> Not sure what is required here, if we are setting read permission for all Domain objects wouldnt that include all OU objects as well?
    A: If it is set for all object classes, then yes. If not, you must add these specific object classes as well.


    The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
    -> not sure where to find the gpLink attribute
    A: It's a security ACL entry for the Domain object - i.e. right-click your root domain, Properties, Security, add Write gpLink. This is required if you wish to use Password Manager Password Policies, as it creates Group Policy Objects (GPOs) in AD.


    The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
    -> not sure what this means
    A: Requires Read for "Container" objects, and also serviceConnectionPoint objects that reside in the System container.

    For the following, ensure you use ADSIEdit:

    The permission to create container objects in the System container
    The permission to create the serviceConnectionPoint objects in the System container
    The permission to delete the serviceConnectionPoint objects in the System container
    The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
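The original post asks for a script, and the answer above confirms that the user-object rights (Read all attributes, Write on pwdLastSet/comment/userAccountControl/lockoutTime, Reset Password) are only needed on the users in the User Scope. The following PowerShell is an added example written for this thread; it is not a One Identity tool and not from the Password Manager documentation. It delegates exactly those three user-object rights to the account on one OU with object-specific ACEs (so the account does not get a blanket Write on every attribute), and then lists what the OU's ACL now grants that account so the result can be checked against the guide. The account name `PMGR-DomainMgmt` and the OU `OU=PM-Users,DC=corp,DC=example` are placeholders. The container/serviceConnectionPoint rights in the Users and System containers that the guide also lists are out of scope here and still need to be set separately (for example in ADSIEdit as the answer recommends).

```powershell
# Added example (not from the thread or from One Identity): delegate the
# user-object rights the guide lists to a Domain Management Account, scoped
# to one OU, then report what that OU's ACL grants the account.
# Placeholders: adjust $AccountSam and $ScopeOU for your forest. Run as a
# user allowed to modify the OU's security descriptor (e.g. an OU admin).
Import-Module ActiveDirectory

$AccountSam = 'PMGR-DomainMgmt'                  # placeholder account
$ScopeOU    = 'OU=PM-Users,DC=corp,DC=example'    # placeholder User Scope OU
# Attributes the guide names for Write. If you changed the Storage attribute
# on the Reinitialization page (e.g. to userParameters), replace 'comment'.
$WriteAttrs = @('pwdLastSet', 'comment', 'userAccountControl', 'lockoutTime')

$rootDse = Get-ADRootDSE

# Resolve an attribute or class lDAPDisplayName to its schemaIDGUID, which is
# what an object-specific ACE needs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]::new([byte[]]$obj.schemaIDGUID)
}

# Control access rights such as 'Reset Password' are defined under
# CN=Extended-Rights in the Configuration partition, keyed by rightsGuid.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $base = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $obj = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" `
        -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

# Build an Allow ACE that applies to descendant objects of one class only
# (inheritedObjectType = the 'user' class GUID).
function New-DescendantAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,            # attribute or right GUID; Empty = all
        [guid]$InheritedObjectType    # class GUID the ACE is limited to
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectType)
}

function Grant-DomainManagementRights {
    param([string]$Sam, [string]$OuDn, [string[]]$Attrs, [switch]$WhatIf)
    $sid       = (Get-ADUser -Identity $Sam).SID
    $userClass = Get-SchemaGuid 'user'
    $acl       = Get-Acl -Path "AD:\$OuDn"

    # 1. Read all attributes of user objects (objectType Empty = every property)
    $acl.AddAccessRule((New-DescendantAce $sid 'ReadProperty' ([guid]::Empty) $userClass))
    # 2. Write only the attributes the guide names, one ACE per attribute
    foreach ($attr in $Attrs) {
        $acl.AddAccessRule((New-DescendantAce $sid 'WriteProperty' (Get-SchemaGuid $attr) $userClass))
    }
    # 3. The 'Reset Password' control access right on user objects
    $resetPw = Get-ExtendedRightGuid 'Reset Password'
    $acl.AddAccessRule((New-DescendantAce $sid 'ExtendedRight' $resetPw $userClass))

    # -WhatIf shows the write without applying it; drop it to commit.
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl -WhatIf:$WhatIf
}

# List the explicit (non-inherited) ACEs the account holds on the OU, so the
# delegation can be reviewed against the guide before and after changes.
function Show-DelegatedRights {
    param([string]$Sam, [string]$OuDn)
    $sid = (Get-ADUser -Identity $Sam).SID
    $nt  = $sid.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $nt } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-DomainManagementRights -Sam $AccountSam -OuDn $ScopeOU -Attrs $WriteAttrs -WhatIf
Show-DelegatedRights -Sam $AccountSam -OuDn $ScopeOU
```

Run it first with `-WhatIf` as written and review the `Show-DelegatedRights` output; once the listed ACEs match the guide, remove `-WhatIf` to commit. Because each ACE carries an attribute or right GUID and is inherited only to descendant `user` objects, the account ends up with the guide's rights on the scope OU and nothing broader, which is also what makes the delegation easy to audit later.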