Setting Minimum Permissions for AD RPC Service Accounts

Overview

Secret Server requires proper permissions to perform remote password changing (RPC). The privileged Delinea Secret Server RPC service account used for RPC of an Active Directory (AD) account secret must have granular permissions applied to it. You will use two Active Directory tools to make these modifications to the RPC account:

  • ADSI Edit
  • Active Directory Users and Computers

ADSI stands for Active Directory Service Interfaces. It is a set of COM interfaces used to access the features of directory services from different network providers.

The AD password changer has an RPC timeout minutes advanced setting. This setting only applies when using Password Change By Admin Credentials.

Setting ADSI Permissions

  1. Open ADSI Edit (found on Domain Controllers as part of the Active Directory Administration Tools).

  2. From the Action drop down menu select Connect to…. The "Connection Settings" window appears:

    image-20230608164226410

  3. Make any adjustments if needed.

  4. Click the OK button to connect to the domain you are logged into. The ADSI Edit window appears.

  5. Click on the Default naming context node (the root of the domain).

  6. Expand the domain name root and scroll down until you reach CN=System > CN=Password Settings Container as noted in the image below:

    image-20230608162641136

  7. Right-click CN=Password Settings Container and select Properties. A properties dialog box appears:

    image-20230608163030922

  8. Click the Add… button. The "Select Users, Computers, Service Accounts, or Groups" dialog box appears:

    image-20230608163134414

  9. Type the information for the Delinea Secret Server RPC account.

  10. Click the OK button. The previous dialog box reappears with the "delinea" service account appearing in the "Group or user names" list.

  11. Click on the new account, its permissions appear:

    image-20230608163433933

  12. Click to select the Read check box in the Allow column.

  13. Click the OK button.

Setting Delegate Control Permissions

  1. Open the Active Directory Users and Computers administrative console.

  2. Right-click the Organizational Unit (OU) or the domain root you want to configure and select Delegate Control…. The "Delegation of Control Wizard" appears. Delegating at an OU that holds only the managed accounts keeps the grant narrower than delegating at the domain root.

  3. Click the Next button. The Users or Groups dialog appears.

  4. Click the Add… button in the Users or Groups section. The "Select Users, Computers, Service Accounts, or Groups" dialog box appears:

    image-20230608163508465

  5. Type the information for the Delinea Secret Server RPC account.

  6. Click the OK button. The Wizard reappears.

  7. Click the Next button. The Tasks to Delegate page of the wizard appears:

    image-20230608163720600

  8. Click to select the Create a custom task to delegate selection button.

  9. Click the Next button. The Active Directory Object Type page of the wizard appears:

    image-20230608163848627

  10. Click to select the Only the following objects in the folder selection button.

  11. Scroll to the bottom of the list.

  12. Click to select the User objects check box.

  13. Click the Next button. The Permissions page of the wizard appears:

    image-20230608163930036

  14. Click to select the General and Property-specific check boxes.

  15. In the Permissions list, ensure none of the check boxes are selected.

  16. Locate and click to select the following check boxes in the Permissions list:

    • Change Password
    • Read UserAccountControl
    • Read lockoutTime
    • Read pwdLastSet
    • Reset Password
    • Write lockoutTime
    • Write pwdLastSet
    • Write UserAccountControl

    Write UserAccountControl is the broadest right in this list: it lets the holder set flags such as account disabled, password not required and Kerberos pre-authentication not required on every user in scope, which is why the delegation should be made at the OU that holds the managed accounts rather than at the domain root.

  17. Click the Next button.

  18. Click the Finish button.
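The two GUI procedures above (Read on the Password Settings Container, then the custom delegation on user objects) can be scripted so the grant is reproducible and reviewable. The following PowerShell is an added example, not code from the Delinea documentation or product; it assumes the ActiveDirectory module is installed, and the RPC account name and the target OU distinguished name are placeholders. It resolves attribute and control-access-right GUIDs from the schema and configuration partitions at run time instead of hard-coding them.

```powershell
# Added example, not part of the Delinea documentation: scripted equivalent of
# "Setting ADSI Permissions" and "Setting Delegate Control Permissions" above,
# using the ActiveDirectory module's AD: drive.
# Assumptions (placeholders, not from the page): the RPC account name and the OU
# that holds the managed accounts.
Import-Module ActiveDirectory

$rpcAccount = 'CONTOSO\svc-ss-rpc'                              # assumption
$targetOu   = 'OU=Managed Service Accounts,DC=contoso,DC=com'   # assumption: an OU, not the domain root

$rootDse  = Get-ADRootDSE
$domainDn = (Get-ADDomain).DistinguishedName
$sid = (New-Object System.Security.Principal.NTAccount($rpcAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]
$NoInherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Resolve schema and extended-right GUIDs from the directory rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName, [string]$kind = 'attributeSchema') {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=$kind)(lDAPDisplayName=$ldapDisplayName))" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$displayName' not found" }
    return [guid]$obj.rightsGuid
}

# --- Setting ADSI Permissions: Read on the Password Settings Container, this object only ---
$pscPath = "AD:\CN=Password Settings Container,CN=System,$domainDn"
$acl = Get-Acl -Path $pscPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::GenericRead, $Allow, $NoInherit)))
Set-Acl -Path $pscPath -AclObject $acl

# --- Setting Delegate Control Permissions: descendant user objects under the OU only ---
$userClass = Get-SchemaGuid 'user' 'classSchema'
$ouPath = "AD:\$targetOu"
$acl = Get-Acl -Path $ouPath

# Property-specific rights (the wizard's Read X / Write X check boxes).
foreach ($attr in 'lockoutTime', 'pwdLastSet', 'userAccountControl') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow,
        (Get-SchemaGuid $attr), $Descendents, $userClass)))
}
# Control access rights (the wizard's Change Password and Reset Password check boxes).
foreach ($right in 'Change Password', 'Reset Password') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::ExtendedRight, $Allow, (Get-ExtendedRightGuid $right), $Descendents, $userClass)))
}
Set-Acl -Path $ouPath -AclObject $acl

# Verify: every ACE held by the RPC account on the OU should be inherit-only, scoped to the
# user class (InheritedObjectType), and carry either an attribute or a control-access-right GUID.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $rpcAccount } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, PropagationFlags -AutoSize
```

Run it as an account that can modify the ACLs of the container and the OU. The verification output is the check to keep: no ACE for the RPC account should appear with an empty ObjectType (which would mean all properties) or with an InheritedObjectType other than the user class.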

Setting Delegate Control Permissions for Protected Group Accounts

See the Protected Accounts and Groups in Active Directory page for details about protected groups.

Configure delegation control in the domain controller for protected group accounts:

  1. At a command prompt on the domain controller, run the following commands to grant the RPC account permission to unlock accounts. Replace dc=cps,dc=com with the distinguished name of your domain, and <yourDomainName>\<yourAccountName> with the RPC account:

    dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:RP;msDS-User-Account-Control-Computed;user" /I:S

    dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:RPWP;lockoutTime;user" /I:S

    dsacls "CN=AdminSDHolder,CN=System,dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:RPWP;lockoutTime"

    The first two commands grant Read Property (RP) and Read/Write Property (RPWP) on descendant user objects only (/I:S), the same scope the Delegation of Control Wizard produces. The third command has no /I switch: the ACE is placed directly on AdminSDHolder, and SDProp copies it onto every protected account, whose own ACLs do not inherit from the domain.

  2. At a command prompt on the domain controller, run the following commands to grant the RPC account permission to reset passwords:

    dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password;user" /I:S

    dsacls "CN=AdminSDHolder,CN=System,dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password"

    CA grants the Reset Password control access right, which sets a new password without knowing the current one.

It can take a while for the Security Descriptor Propagator (SDProp) process to pick up the new settings from AdminSDHolder; by default it runs every 60 minutes.

To initiate the SDProp process immediately, complete the following steps:

  1. On the domain controller, open the Start menu, click Run, and type ldp.exe.

  2. Select Connection > Connect... from the LDP window.

  3. In the Connect window, make sure 389 is listed in the Port field, and then click OK.

  4. Select Connection > Bind... from the LDP window.

  5. Select Bind as currently logged on user and click OK.

  6. Select Browse > Modify from the LDP window.

  7. Configure the following fields in the Modify window:

    • DN: empty

    • Attribute: RunProtectAdminGroupsTask

    • Values: 1

    • Operation: click Add and then click Enter.

  8. Click Run.

If you have a large environment, it may take some time for SDProp to update the protected admin group permissions.
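The ldp.exe steps above write a single attribute on the rootDSE, which can also be done from PowerShell. The block below is an added example, not code from the Delinea documentation or product; it triggers SDProp the same way, then compares the ACEs granted to the RPC account on AdminSDHolder with the ACEs present on one protected account, so you can tell whether propagation has finished. The account names are placeholders, and it assumes the ActiveDirectory module and an identity allowed to write the rootDSE (a Domain Admin on the DC).

```powershell
# Added example, not part of the Delinea documentation: trigger SDProp from PowerShell
# and check that the AdminSDHolder ACEs for the RPC account reached a protected account.
# Assumptions (placeholders): the RPC account and a protected-group member's sAMAccountName.
Import-Module ActiveDirectory

$rpcAccount       = 'CONTOSO\svc-ss-rpc'   # assumption
$protectedAccount = 'adm-dba'              # assumption: member of a protected group (adminCount=1)

# Same operation as the ldp.exe Modify on the rootDSE: runProtectAdminGroupsTask = 1.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('runProtectAdminGroupsTask', 1)
$rootDse.SetInfo()

function Get-AccountAces([string]$dn, [string]$identity) {
    (Get-Acl -Path "AD:\$dn").Access | Where-Object { $_.IdentityReference.Value -eq $identity }
}

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"
$user     = Get-ADUser -Identity $protectedAccount -Properties adminCount

if ($user.adminCount -ne 1) {
    Write-Warning "$protectedAccount does not have adminCount=1; SDProp does not manage its ACL"
}

$holderAces  = Get-AccountAces $holderDn $rpcAccount
$accountAces = Get-AccountAces $user.DistinguishedName $rpcAccount

# An ACE counts as propagated when the account carries one with the same rights,
# object GUID and allow/deny type. SDProp stamps them as explicit, non-inherited ACEs.
$missing = $holderAces | Where-Object {
    $h = $_
    -not ($accountAces | Where-Object {
        $_.ActiveDirectoryRights -eq $h.ActiveDirectoryRights -and
        $_.ObjectType -eq $h.ObjectType -and
        $_.AccessControlType -eq $h.AccessControlType })
}

if ($missing) {
    "SDProp has not yet propagated these ACEs to ${protectedAccount} (retry shortly):"
    $missing | Format-Table ActiveDirectoryRights, ObjectType -AutoSize
} else {
    "All $(@($holderAces).Count) AdminSDHolder ACE(s) for $rpcAccount are present on $protectedAccount"
}
```

If the script reports missing ACEs after several minutes in a large domain, that is expected latency rather than a failure; if the warning about adminCount appears, the account is not a protected-group member and the ordinary OU delegation applies to it instead.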

Configuring Delegation Control for Administrative Accounts

If you use a regular domain account (not a member of the Domain Admins group) as the administrative account, you must configure delegation for that account in the domain controller.

The delegated permissions configured for the administrative account are not applied to members of protected groups, because SDProp disables inheritance on those accounts. See the Microsoft article Delegated permissions are not available and inheritance is automatically disabled for details.

To enable the delegated permissions for members of protected groups, see the additional steps in Setting Delegate Control Permissions for Protected Group Accounts above.

Configuring Delegation Control for the Administrative Account

To configure delegation control in the domain controller for the administrative account, do the following:

  1. On a domain controller, open Administrative Tools > Active Directory Users and Computers.

  2. Right-click the domain with the accounts that will be managed. Select Delegate Control, then click Next at the Welcome window.

  3. In Users and Groups, click Add, enter the name of the account that will act as the administrative account (it receives the unlock and password reset permissions), and click OK.

  4. In Task to Delegate, select Create a custom task to delegate and click Next.

  5. In Active Directory Object Type, select Only the following objects in the folder, as well as User objects, then click Next.

  6. In Permissions, select the following:

    1. General and Reset password to delegate password reset rights.

    2. Property-specific, Read msDS-User-Account-Control-Computed, Read lockoutTime, and Write lockoutTime to delegate account unlock rights.

  7. Click Next and then Finish.

The domain account with delegated permissions can now be configured as the domain administrative account for the account unlock and automatic account maintenance features.
