Problem with the management of the Active Directory service account on SPP 7.0

Good morning everyone,

I have a problem managing the Active Directory service account, in particular the permissions that need to be given to it.

The service account needs permission to read and change passwords for the administrative accounts in the domain.
By the technical specifications we can see that the service account doesn't need to be a domain admin, but to change passwords for administrative accounts it must be, or at least have a delegation. We don't want to promote it to the domain admin role, so we chose the delegation path. The problem is that the delegations for a non-administrative account will automatically be revoked after 15 minutes at most.
How can we make them permanent without assigning the domain admin role? Is there another solution?

Thank you,

Samuele Fochi

  • Hello,

    Thank you for your answer. I have tried to delegate permissions in this way, but the delegation was given to the whole domain. Is it possible to give delegations only for a specific OU?

    Thank you,

    Samuele Fochi

  • Hi Samuele,

    You should follow the steps below, which are the second part of the KB on how to delegate permissions to protected AD users. The first part you tried is for managing non-protected AD users, which can be applied to any OU, but that still would not fix delegating permissions on users such as domain admins, so the steps below would be the solution for managing admin users:

    How to delegate permissions to AD Protected Accounts

    By default in AD, any user that is a Protected Account (Members of the Domain Admins, Administrators, and Enterprise Admins groups) will have any custom ACLs reverted every 60 minutes.

    In order for a Safeguard delegated account to manage the account, the adminSDHolder object permissions would need to be changed.
    dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:CA;"Reset Password" 
    dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"Account Restrictions" 
    dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"LockoutTime"

    You should modify the bold items to match your domain and service account, or discuss with your AD admin team to apply the permissions above for the Safeguard service account on the AdminSDHolder object in your AD.

    Then wait for the SDprop process to apply these permissions (about 60 minutes).

    Thanks!
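    The following PowerShell is an added example, not part of the thread and not One Identity's own tooling. It checks what the KB commands above should have produced: it reads the ACL on the AdminSDHolder object, resolves the "Reset Password", "Account Restrictions" and lockoutTime GUIDs from the forest's Extended-Rights container and schema rather than hard-coding them, reports whether each Allow ACE exists for the service account, and then lists the accounts SDProp currently protects (adminCount=1), which are the only accounts the AdminSDHolder delegation affects. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name YOURDOMAIN\sg_sa is the placeholder from the KB and must be changed.

```powershell
# Added example: verify the AdminSDHolder delegation for a Safeguard service account.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

$ServiceAccount = 'YOURDOMAIN\sg_sa'   # placeholder from the KB, change to your account

$domain          = Get-ADDomain
$rootDse         = Get-ADRootDSE
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Resolve the GUIDs the dsacls names refer to from the directory itself.
$rightsContainer = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$wantedRights = [ordered]@{}
foreach ($name in 'Reset Password', 'Account Restrictions') {
    $obj = Get-ADObject -SearchBase $rightsContainer -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    $wantedRights[$name] = [guid]$obj.rightsGuid
}
$lockoutAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$wantedRights['LockoutTime'] = [guid]$lockoutAttr.schemaIDGUID

# Read the AdminSDHolder ACL and keep only the ACEs granted to the service account.
$acl  = Get-Acl -Path "AD:\$adminSdHolderDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }

Write-Output "ACEs for $ServiceAccount on $adminSdHolderDn"
foreach ($entry in $wantedRights.GetEnumerator()) {
    $present = $aces | Where-Object {
        $_.ObjectType -eq $entry.Value -and $_.AccessControlType -eq 'Allow'
    }
    $status = if ($present) { 'present' } else { 'MISSING' }
    Write-Output ('  {0,-22} {1}' -f $entry.Key, $status)
}

# Accounts SDProp protects (adminCount=1): the delegation applies to these
# regardless of which OU they sit in, so review this list for surprises.
Write-Output 'Protected accounts (adminCount=1):'
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

    Run it once before applying the dsacls commands (all three rights should report MISSING) and again after the SDProp cycle has run (about 60 minutes); the second section is useful for confirming which accounts the delegation actually reaches, since any account that has ever been in a protected group keeps adminCount=1 until it is cleared.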

  • Hello,

    We know that we have to follow the second step of the procedure, but if we are understanding the commands in the KB correctly, doing that will allow Safeguard's service account to reset passwords for the whole domain. This is something we don't want, and we have created a specific OU in which we put all the users that have to be managed by Safeguard. How can we accomplish the same goal you explained in the KB but restricted to a specific OU only?

    Thank you,

    Samuele Fochi

  • Hi Samuele,

    The permissions are applied on the AdminSDHolder, which only applies to protected users, such as domain admins for example, and not to the whole domain.

    The other option is, on the AdminSDHolder object, viewing the Security tab > clicking the Advanced button > Enable Inheritance, but this would also apply to all protected users, giving them inheritance enabled. If the permissions are applied on an OU basis, then the users within the OU will inherit the permissions delegated to that OU.

    Thanks!