When ARS is not a domain admin, using builtin 'administrators' - what granular permissions required to deProvision to target OU.

Question

Our Service Account wasdomain admin until the earth moved. Now we run as builtin administrators. What native granular permissions are required on object to deprovision, the losing OU and then winning OU as part of the deprovision process. 
 We see a failure at the last step of our process, relocate object to new OU fails. access denied. 
 Thoughts.

Stu.Pollock · Answer

Hi dyannic 
 
 information is available as to the permissions requried when running Active Roles with least permissions/minimum permissions, one of the KB's is Active Roles service account minimum permissions (264316) (oneidentity.com) 
 
 The permissions required to move an object in Active Directory from "Losing OU" to "Winning OU" would be ( Delegate Moving User, Group and Computer Accounts Between Organizational Units in Active Directory )

Object

Organizational Unit

Permission Tab

Apply to

Permission

User

Source Organizational Unit 
 "Losing OU"

Object

This object and all descendant objects (*)

Delete User objects

Properties

Descendant User objects

Write Distinguished Name

Properties

Descendant User objects

Write name

Properties

Descendant User objects

Write Name (aka cn)

Destination Organizational Unit 
 "Winning OU"

Object

This object and all descendant objects (*)

Create User objects

However, don't forget the reverse will be true to enable users to undo deprovisioning. 
 It is also worth noting here, additional pemrissions would be required to manage the objects, like changing other attributes other than those listed above, or change / reset passwords. 
 
 Hope this helps 
 Stu

Endpoint Privilege Management

When ARS is not a domain admin, using builtin 'administrators' - what granular permissions required to deProvision to target OU.

Top Replies