How to delegate permissions in Active Directory for a Safeguard service account (329438)


Title

How to delegate permissions in Active Directory for a Safeguard service account

 

Description

How to delegate permissions in Active Directory for a Safeguard service account

 

Resolution

 

Delegating AD permissions for a Safeguard service account

These examples use the following environment:

Domain = yourdomain.com

Service account = sg_sa

Windows 2016

 

How to delegate permissions for AD standard users

From Active Directory Users & Computers, right-click the domain name and select “Delegate Control” | Next | Add the service account.

Select Next. Select “Create a custom task to delegate”.


Select “Next”. Select “Only the following objects in the folder”, and tick “User objects”.

Select “Next”. Tick “General” and “Property-specific”.
 
Tick the following permissions:
“Reset Password”
“Read and write account restrictions”
“Read lockoutTime”
“Write lockoutTime”
 
Select Next & Finish.

 

How to delegate permissions to AD Protected Accounts

By default in AD, any user that is a protected account (a member of the Domain Admins, Administrators or Enterprise Admins groups) has any custom ACLs reverted by the SDProp process every 60 minutes.

In order for a Safeguard delegated account to manage such an account, the permissions on the AdminSDHolder object must be changed:
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:CA;"Reset Password"
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"Account Restrictions"
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"LockoutTime"
 

Then wait for the SDProp process to apply these permissions to the protected accounts.

 

How to validate permissions

From ADUC, go to View and ensure “Advanced Features” is ticked.
 
Select a managed user that the service account should have permissions over. Right-click it and select Properties, then select the user's “Security” tab.
 
Click the “Advanced” button.
 
Select the “Effective Access” tab and click “Select a user”.
 
Select the service account.

Click “View effective access”.

Validate that “Reset Password”, “Read account restrictions”, “Write account restrictions”, “Read lockoutTime” and “Write lockoutTime” are all ticked.
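The same validation can be scripted so it can be repeated after SDProp runs or across many managed users. The following is an added example, not code from One Identity or this article; it assumes the RSAT ActiveDirectory module, the account and domain names used above (YOURDOMAIN\sg_sa, yourdomain.com), and a placeholder user DN. It resolves the rights GUIDs from the forest rather than hard-coding them, and reports each of the five permissions separately so a missing read or write right shows up on its own line.

```powershell
Import-Module ActiveDirectory

function Test-SafeguardDelegation {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,  # e.g. 'YOURDOMAIN\sg_sa'
        [Parameter(Mandatory)][string]$TargetDN         # a user DN, or CN=AdminSDHolder,CN=System,...
    )
    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

    # Resolve GUIDs from the forest: attributes are schema objects, while extended
    # rights and property sets (such as Account Restrictions) live in CN=Extended-Rights.
    function Get-AttributeGuid([string]$LdapName) {
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
        [guid]$attr.schemaIDGUID
    }
    function Get-RightGuid([string]$DisplayName) {
        $right = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
        [guid]$right.rightsGuid
    }
    $resetPwd  = Get-RightGuid 'Reset Password'
    $acctRestr = Get-RightGuid 'Account Restrictions'   # the property set the dsacls lines grant WP on
    $lockout   = Get-AttributeGuid 'lockoutTime'

    $required = @(   # the five entries the Effective Access check above looks for
        @{ Name = 'Reset Password';             Right = 'ExtendedRight'; Guid = $resetPwd  },
        @{ Name = 'Read account restrictions';  Right = 'ReadProperty';  Guid = $acctRestr },
        @{ Name = 'Write account restrictions'; Right = 'WriteProperty'; Guid = $acctRestr },
        @{ Name = 'Read lockoutTime';           Right = 'ReadProperty';  Guid = $lockout   },
        @{ Name = 'Write lockoutTime';          Right = 'WriteProperty'; Guid = $lockout   }
    )

    # Get-Acl on the AD: drive returns explicit and inherited ACEs, so a delegation
    # made at the domain level shows up on the user object itself.
    $aces = (Get-Acl -Path "AD:\$TargetDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount
    }

    foreach ($r in $required) {
        $wanted = [System.DirectoryServices.ActiveDirectoryRights]$r.Right
        # An empty ObjectType means the ACE covers all properties / all extended rights.
        $hit = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $wanted) -ne 0) -and
            ($_.ObjectType -eq $r.Guid -or $_.ObjectType -eq [guid]::Empty)
        }
        [pscustomobject]@{ Permission = $r.Name; Granted = [bool]$hit }
    }
}

# Constructed example call; the user DN is a placeholder for a managed account.
Test-SafeguardDelegation -ServiceAccount 'YOURDOMAIN\sg_sa' -TargetDN 'CN=Example User,OU=Users,DC=yourdomain,DC=com' | Format-Table
```

Point TargetDN at CN=AdminSDHolder,CN=System,... to confirm the dsacls grants before SDProp runs, then at a protected user afterwards to confirm they were stamped onto it.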
 
