Hello All, I hope someone can help me understand what exactly needs to be done to configure permissions for a Domain Management Account and a Password Policy Account. I think the guide could have been better explained. Perhaps someone has a PowerShell script or commands that could set the necessary permissions and rights?
Excerpt from Password Manager 5.12.0 Administration Guide - Getting started - page 23
- Membership in the Domain Users group -> this is straightforward
- The Read permission for all attributes of user objects -> is this required only on the user objects within the OU containing the user accounts we want to manage via Password Manager?
- The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime -> is this required only on the user objects within the OU containing the user accounts we want to manage via Password Manager?
  NOTE: If the Storage attribute for Security questions under the Reinitialization page is a custom value (such as userParameters), then the Write permissions must be provided for that attribute instead of the Comment attribute.
- The right to reset user passwords -> is this required only on the user objects within the OU containing the user accounts we want to manage via Password Manager?
- The permission to create user accounts and containers in the Users container -> is this required only on the user objects within the OU containing the user accounts we want to manage via Password Manager?
- The Read permission for attributes of the organizationalUnit object and domain objects -> Not sure what is required here; if we are setting read permission for all Domain objects, wouldn't that include all OU objects as well?
- The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects -> not sure where to find the gpLink attribute
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers -> not sure what this means
- The permission to create container objects in the System container -> cannot find the "create container object" permission
- The permission to create the serviceConnectionPoint objects in the System container -> cannot find the "create serviceConnectionPoint object" permission
- The permission to delete the serviceConnectionPoint objects in the System container -> cannot find the "delete serviceConnectionPoint object" permission
- The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container -> cannot find the "keywords attribute for the serviceConnectionPoint object" permission
I will stop there, hopefully someone can advise. Thanks in advance...
Diana
If you want to use the same domain connection in password policies, as well, make sure the account has the following permissions:
- The Read permission for attributes of the groupPolicyContainer objects.
- The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
- The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects.
- The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the following attributes of the msDS-PasswordSettings object:
  - msDS-LockoutDuration
  - msDS-LockoutThreshold
  - msDS-MaximumPasswordAge
  - msDS-MinimumPasswordAge
  - msDS-MinimumPasswordLength
  - msDS-PasswordComplexityEnabled
  - msDS-PasswordHistoryLength
  - msDS-PasswordReversibleEncryption
  - msDS-PasswordSettingsPrecedence
  - msDS-PSOApplied
  - msDS-PSOAppliesTo
  - name
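An added PowerShell example (not from the guide and not the poster's code) showing how the user-object rights from the first list above can be delegated on a single OU instead of the domain root: Read all properties, Write on only the four named attributes, and the Reset Password extended right, each limited to descendant user objects. The service account name CONTOSO\svc-pwmgr and the OU distinguished name are assumptions; run as an account allowed to modify the OU's security descriptor.

```powershell
# Assumed names: replace with the real Domain Management Account and the managed OU.
Import-Module ActiveDirectory
$serviceAccount = 'svc-pwmgr'
$targetOU       = 'OU=Managed Users,DC=contoso,DC=com'
$sid            = (Get-ADUser -Identity $serviceAccount).SID

# Resolve attribute/class GUIDs from the schema and extended-right GUIDs from the
# configuration partition, so nothing is hard-coded.
$rootDse    = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rightsGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightsGuid[$_.displayName] = [guid]$_.rightsGuid }

$userClass = $schemaGuid['user']
# Descendents + inheritedObjectType=user: the ACE applies only to user objects under the OU,
# not to the OU itself and not to other object classes.
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$targetOU"

# Read permission for all attributes of user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty, 'Allow', $inherit, $userClass)))

# Write permission restricted to the attributes the guide lists (swap 'comment' for your
# custom storage attribute if the Reinitialization page uses one)
foreach ($attr in 'pwdLastSet', 'comment', 'userAccountControl', 'lockoutTime') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, 'Allow',
        $schemaGuid[$attr], $inherit, $userClass)))
}

# The right to reset user passwords (the "Reset Password" control access right)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'Allow',
    $rightsGuid['Reset Password'], $inherit, $userClass)))

Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Check what was actually granted to the account on this OU.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$serviceAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The container, serviceConnectionPoint and groupPolicyContainer rights from the remaining lists follow the same pattern with CreateChild/DeleteChild and the matching class GUIDs on the System and System Policies containers.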