Granting Edit Permissions from ADUC

A normal Active Directory user can use ADUC (Active Directory Users and Computers) to connect to a domain controller and view the domain data, but that user isn't allowed to change it. You can give the AD user the ability to modify domain data by creating a network access right that names a privileged account, adding that right to a role, and assigning the role to the user in Access Manager. The user then opens ADUC with Run with Privilege, and the connection to the domain controller is made with the privileged account.

Prerequisite: You need to have installed the Windows agent on both the user's computer and the domain controller.

A network access right on its own doesn't let the assigned user launch applications as the privileged account; it only changes the account used for remote connections.
For example, if a user has the network access right but not an application right for DSA.msc, Run with Privilege doesn't start ADUC as the privileged account: ADUC runs under the user's own account, and only its connection to the domain controller uses the privileged account.

To grant an AD user permissions to modify domain data:

  1. In the Access Manager console, expand Zones to the zone that contains the domain controller.

  2. Expand Authorization > Windows Right Definitions.

  3. Create the Network Access Right:

    1. Select Network Access and in the right pane, right-click and select New Network Access.

      The New Network Access Right dialog opens.

    2. On the General tab, enter a name and description (optional) for the network access right.

    3. On the Access tab, specify the account to use to connect remotely to the computer.

      You can select User, then click Browse to select an existing user account or click Create to set up a new user. Or, select the Self with added group privileges option, and then specify the desired groups.

    4. Specify whether re-authentication is required or not.

    5. Click OK to save your changes.

      The new network access right is created.

  4. Add the Role Definition:

    1. Under Authorization, select Role Definitions, then in the right pane, right-click and select Add Role.

      The New Role dialog opens.

    2. Enter the name and description (optional) for the role.

      If desired, select the option to allow local accounts to be assigned to this role. Don't select this option if you plan to add PAM access rights or SSH-related rights to the role, or if you plan to enable MFA on the System Rights tab. You can't change this setting after the role is created; to change it, you have to delete and recreate the role.

    3. On the System Rights tab, enable the Remote login is allowed option.

      Enabling this option allows users in the role to connect to services on the remote computer.

    4. (Optional) If you want users to be able to log on locally to the computer, select the Console login is allowed option.

      The user must be able to connect to the computer remotely in order to perform administrative tasks on the computer. You must assign the user to at least one role with either console login or remote login rights to access any computers where the Windows Agent is installed. You can grant that access using the Windows Login role definition or the system rights in any custom role definition.

    5. Click OK to save your changes.

      The new role is created.

  5. Add the new network access right to the new role:

    1. In the left pane, select the new role definition. In the right pane, right-click and select Add Right.

      The Add Rights dialog opens.

    2. Select the network access right that you just created.

    3. Click OK to save your changes.

  6. Assign the role to users or groups:

    1. In the left pane, go to Authorization > Role Assignments. In the right pane, right-click and select Assign Role.

      The Select Role dialog opens.

    2. Select the role that you just created, and click OK to save your changes.

      The Assign Role dialog opens.

    3. To assign this role to specific accounts, in the Assignee area select Accounts below and click Add AD Account.

      The Add User Role Assignment dialog opens.

    4. Search for the desired user account and select the account.

    5. Back in the Assign Role dialog, click OK to save your changes.

      The user you selected is listed in the right pane as an assignee for the selected role assignment.

    6. Click OK to save your changes.

  7. On both the user's computer and the domain controller, open a command prompt and run dzflush to refresh the cached access rights.

  8. Log in to the user computer as the normal AD user (who you assigned to the role above).

  9. In the Windows start menu, navigate to and then right-click Active Directory Users and Computers and select Run with Privilege.

    The Run with Privilege dialog opens.

  10. Select the role that has the network access right assigned to it and click OK.

    The Active Directory Users and Computers window opens.
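
To confirm that the network access right took effect, check the domain controller's Security log for the network logon that ADUC generated. The script below is an added verification example, not part of the product documentation or its tooling. It assumes that success auditing for logon events is enabled on the domain controller (the default for the Default Domain Controllers Policy), and the account names ADUC-Admin and jdoe are placeholders for the account named on the network access right's Access tab and the normal AD user assigned to the role. A logon type 3 (network) event for the privileged account shows the right was applied; the same event for the normal user means ADUC connected as the user, so the role wasn't selected or dzflush hasn't refreshed the rights yet.

```powershell
# Added verification example (not from the product documentation).
# Run on the domain controller after the user has opened ADUC with
# "Run with Privilege". Lists Security event 4624 network logons
# (LogonType 3) and reports whether the connection arrived as the
# privileged account from the network access right (expected) or as the
# normal AD user (the right was not applied).
#
# Assumptions: successful-logon auditing is enabled on the DC; the account
# names below are placeholders chosen for this example.
param(
    # Account named on the Access tab of the network access right (placeholder)
    [string]$PrivilegedAccount = 'ADUC-Admin',
    # Normal AD user assigned to the role (placeholder)
    [string]$NormalUser        = 'jdoe',
    [int]$MinutesBack          = 15
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    # Flatten the EventData fields into a name -> value table
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    # Only network logons matter here; the user's interactive session on
    # the client is not what the network access right changes.
    if ($data['LogonType'] -ne '3') { return }

    $verdict = switch ($data['TargetUserName']) {
        $PrivilegedAccount { 'OK: connection used the privileged account' }
        $NormalUser        { 'CHECK: connection used the normal user; select the role in Run with Privilege and re-run dzflush' }
        default            { return }   # unrelated account, skip
    }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        Result      = $verdict
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the domain controller shortly after the user connects; the Workstation and SourceIp columns should match the user's computer, which ties the privileged-account logon to that user's ADUC session rather than to some other administrator.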