Minimum Permissions for Active Directory Remote Password Changing
Overview
Secret Server requires proper permissions to perform remote password changing (RPC). The privileged Delinea Secret Server RPC service account used for RPC of an Active Directory (AD) account secret must have granular (least-privilege) permissions applied to it rather than broad administrative rights. You will use two Active Directory tools to make these modifications for the RPC account:
- ADSI Edit
- Active Directory Users and Computers.
Setting ADSI Permissions
- Open ADSI Edit (found on Domain Controllers as part of the Active Directory Administration Tools).
- From the Action drop-down menu select Connect to…. The "Connection Settings" window appears:
- Make any adjustments if needed.
- Click the OK button to connect to the domain you are logged into. The ADSI Edit window appears.
- Click on the Default naming context node (the root of the domain).
- Expand the domain name root and navigate down until you reach CN=System > CN=Password Settings Container as noted in the image below:
- Right-click CN=Password Settings Container and select Properties. A properties dialog box appears:
- Click the Add… button. The "Select Users, Computers, Service Accounts, or Groups" dialog box appears:
- Enter the information for the Delinea Secret Server RPC account.
- Click the OK button. The previous dialog box reappears with the "delinea" service account appearing in the "Group or user names" list.
- Click on the new account. Its permissions appear.
- Click to select the Read check box in the Allow column.
- Click the OK button.
Setting Delegate Control Permissions
- Open the Active Directory Users and Computers administrative console.
- Right-click the Organizational Unit (OU) or the top-level domain you want to configure and select Delegate Control… as noted in the image below. The "Delegation of Control Wizard" appears.
- Click the Next button. The Users or Groups page appears.
- Click the Add… button in the Users or Groups section. The "Select Users, Computers, Service Accounts, or Groups" dialog box appears:
- Enter the information for the Delinea Secret Server RPC account.
- Click the OK button. The wizard reappears.
- Click the Next button. The Tasks to Delegate page of the wizard appears:
- Click to select the Create a custom task to delegate selection button.
- Click the Next button. The Active Directory Object Type page of the wizard appears.
- Click to select the Only the following objects in the folder selection button.
- Scroll to the bottom of the list.
- Click to select the User objects check box.
- Click the Next button. The Permissions page of the wizard appears:
- Click to select the General and Property-specific check boxes.
- In the Permissions list, ensure none of the check boxes are selected.
- Locate and click to select the following check boxes in the Permissions list:
  - Change Password
  - Read lockoutTime
  - Read pwdLastSet
  - Reset Password
  - Write lockoutTime
  - Write pwdLastSet
  - Write UserAccountControl
  - Read UserAccountControl
- Click the Next button.
- Click the Finish button.
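The same two changes (Read on the Password Settings Container, and the delegated user-object rights on the OU) can be applied and then audited from PowerShell instead of the GUI. The script below is an added example and is not Delinea's own tooling: the account name `CONTOSO\svc-ss-rpc` and the OU `OU=Managed Users,DC=contoso,DC=com` are placeholders you must replace, and the ActiveDirectory module (with its `AD:` drive) is assumed to be installed. Attribute and extended-right GUIDs are resolved from the schema and the Extended-Rights container by name, so none are hardcoded. The final `Get-DelegatedRights` calls list every ACE granted to the RPC account on each object, which is the check to run afterwards to confirm the account holds only the rights listed above.

```powershell
# Added example, not Delinea's own script: grant the RPC account the
# least-privilege rights the two procedures above set through the GUI,
# then list the resulting ACEs so they can be checked against the required set.
# Placeholders (assumptions): $ServiceAccount and $TargetOU must be replaced
# with your RPC account and the OU that holds the managed user accounts.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-ss-rpc'                 # placeholder RPC account
$TargetOU       = 'OU=Managed Users,DC=contoso,DC=com'  # placeholder OU to delegate

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext
$pscDN    = "CN=Password Settings Container,CN=System,$domainNC"

# Resolve GUIDs from the schema and the Extended-Rights container by name,
# so no attribute or control-access GUID has to be hardcoded.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [System.Guid]$obj.rightsGuid
}

$sid         = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$userClass   = Get-SchemaGuid 'user'   # limits every ACE below to user objects only

# --- Delegate Control equivalent: user objects under the OU only ---------------
$ouAcl = Get-Acl -Path "AD:\$TargetOU"

# Extended rights: Reset Password and Change Password.
foreach ($right in 'Reset Password', 'Change Password') {
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ExtendedRightGuid $right), $descendants, $userClass)))
}

# Property rights: read and write pwdLastSet, lockoutTime and userAccountControl.
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
foreach ($attr in 'pwdLastSet', 'lockoutTime', 'userAccountControl') {
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $readWrite, $allow, (Get-SchemaGuid $attr), $descendants, $userClass)))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $ouAcl

# --- ADSI Edit equivalent: Read on the Password Settings Container ------------
# Assumption: inheritance covers the container and its descendants so the
# password settings objects stored inside it are readable as well.
$pscAcl = Get-Acl -Path "AD:\$pscDN"
$pscAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path "AD:\$pscDN" -AclObject $pscAcl

# --- Audit: show every ACE granted to the RPC account on a given object -------
function Get-DelegatedRights([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedRights $TargetOU
Get-DelegatedRights $pscDN
```

The audit output shows `ObjectType` and `InheritedObjectType` as GUIDs; compare them against the values returned by `Get-SchemaGuid` and `Get-ExtendedRightGuid` for the expected attributes and rights. Any ACE for the account whose `InheritedObjectType` is not the user class GUID, or whose rights go beyond `ExtendedRight`, `ReadProperty`/`WriteProperty` on the three attributes and `GenericRead` on the container, is broader than this page requires and should be removed.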