Setting Minimum Permissions for AD RPC Service Accounts
Overview
Secret Server requires proper permissions to perform remote password changing (RPC). The privileged Delinea Secret Server RPC service account used for RPC of an Active Directory (AD) account secret must have granular permissions applied to it. You will be using two Active Directory tools to make these modifications to the RPC account:
- ADSI Edit
- Active Directory Users and Computers
Setting ADSI Permissions
- Open ADSI Edit (found on Domain Controllers as part of the Active Directory Administration Tools).
- From the Action drop-down menu select Connect to…. The "Connection Settings" window appears:
- Make any adjustments if needed.
- Click the OK button to connect to the domain you are logged into. The ADSI Edit window appears.
- Click on the Default naming context node (the root of the domain).
- Expand the domain name root and navigate down until you reach CN=System > CN=Password Settings Container as noted in the image below:
- Right-click CN=Password Settings Container and select Properties. A properties dialog box appears:
- Click the Add… button. The "Select Users, Computers, Service Accounts, or Groups" dialog box appears:
- Enter the information for the Delinea Secret Server RPC account.
- Click the OK button. The previous dialog box reappears with the "delinea" service account appearing in the "Group or user names" list.
- Click on the new account. Its permissions appear.
- Click to select the Read check box in the Allow column.
- Click the OK button.
Setting Delegate Control Permissions
- Open the Active Directory Users and Computers administrative console.
- Right-click the Organizational Unit (OU) or the top-level domain you want to configure and select Delegate Control… as noted in the image below. The "Delegation of Control Wizard" appears.
- Click the Next button. The Users or Groups dialog appears.
- Click the Add… button in the Users or Groups section. The "Select Users, Computers, Service Accounts, or Groups" dialog box appears:
- Enter the information for the Delinea Secret Server RPC account.
- Click the OK button. The Wizard reappears.
- Click the Next button. The Tasks to Delegate page of the wizard appears:
- Click to select the Create a custom task to delegate selection button.
- Click the Next button. The Active Directory Object Type page of the wizard appears.
- Click to select the Only the following objects in the folder selection button.
- Scroll to the bottom of the list.
- Click to select the User objects check box.
- Click the Next button. The Permissions page of the wizard appears:
- Click to select the General and Property-specific check boxes.
- In the Permissions list, ensure none of the check boxes are selected.
- Locate and click to select the following check boxes in the Permissions list:
  - Change Password
  - Reset Password
  - Read lockoutTime
  - Write lockoutTime
  - Read pwdLastSet
  - Write pwdLastSet
  - Read UserAccountControl
  - Write UserAccountControl
- Click the Next button.
- Click the Finish button.
Setting Delegate Control Permissions for Protected Group Accounts
To configure delegation control in the domain controller for protected group accounts:
- At a command prompt on the domain controller, type the following commands to grant the domain account permission to perform account unlock. Replace dc=cps,dc=com in the following commands with the distinguished name of your own domain.

  dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:RP;msDS-User-Account-Control-Computed;user" /I:S
  dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:RPWP;lockoutTime;user" /I:S
  dsacls "CN=AdminSDHolder,CN=System,DC=cps,DC=com" /G "<yourDomainName>\<yourAccountName>:RPWP;lockoutTime"

- At a command prompt on the domain controller, type the following commands to grant the domain account permission to perform password reset. Replace dc=cps,dc=com in the following commands with the distinguished name of your own domain.

  dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password;user" /I:S
  dsacls "CN=AdminSDHolder,CN=System,DC=cps,DC=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password"
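Added example, not part of the Delinea documentation: a PowerShell check that lists what the RPC account has actually been granted on an OU (the wizard steps above) or on AdminSDHolder (the dsacls commands above), resolved to attribute and extended-right names, and flags any ACE outside the set this page calls for. The account name and target DN are assumed sample values; the script requires the ActiveDirectory RSAT module.

```powershell
# Added verification script (not Delinea's). Audits the Allow ACEs held by the
# RPC service account on a target DN so the delegation can be checked against
# the minimal set described on this page. Adjust $Account and $TargetDn.
Import-Module ActiveDirectory

$Account  = 'CPS\svc-delinea-rpc'                 # assumed sample account name
$TargetDn = 'OU=Managed Accounts,DC=cps,DC=com'   # or 'CN=AdminSDHolder,CN=System,DC=cps,DC=com'

# Map schema attribute GUIDs and extended-right GUIDs to readable names.
$rootDse   = Get-ADRootDSE
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

# Rights the procedures on this page grant; anything else on the account is excess.
$expected = 'Change Password', 'Reset Password', 'lockoutTime', 'pwdLastSet',
            'userAccountControl', 'msDS-User-Account-Control-Computed'

$acl  = Get-Acl -Path "AD:\$TargetDn"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

foreach ($ace in $aces) {
    # ObjectType is the attribute/right the ACE is scoped to; Empty means "all".
    $obj = if ($ace.ObjectType -eq [guid]::Empty) { '<all>' } else { $guidNames[$ace.ObjectType] }
    # InheritedObjectType is the object class the ACE applies to (should be 'user').
    $cls = if ($ace.InheritedObjectType -eq [guid]::Empty) { '<all classes>' } else { $guidNames[$ace.InheritedObjectType] }
    $flag = if ($obj -in $expected) { 'OK    ' } else { 'REVIEW' }
    '{0} {1,-28} {2,-36} applies to {3}' -f $flag, $ace.ActiveDirectoryRights, $obj, $cls
}
```

Lines marked REVIEW are rights beyond the page's minimal set (for example a GenericAll ACE or an ACE scoped to all classes rather than user) and are worth removing before the account is used for RPC.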
It can take a while for the Security Descriptor Propagator (SDProp) process to pick up the new settings from AdminSDHolder. To initiate the SDProp process immediately, complete the following steps:
- Click Run and enter ldp.exe in the domain controller desktop Start menu.
- Select Connection > Connect... from the LDP window.
- In the Connect window, make sure 389 is listed in the Port field, and then click OK.
- Select Connection > Bind... from the LDP window.
- Select Bind as currently logged on user and click OK.
- Select Browse > Modify from the LDP window.
- Configure the following fields in the Modify window:
  - DN field: empty
  - Attribute field: type RunProtectAdminGroupsTask
  - Values field: 1
  - Operation: click Add and then click Enter.
- Click Run.
If you have a large environment, it may take some time for SDProp to update the protected admin group permissions.