Service Account Permissions


MyPass Cloud requires a Microsoft Active Directory service account with specific permissions to discover and interact with end-user accounts in the domain. This includes the ability to read account and group information, reset and change passwords and unlock accounts. The following section explores how to create an Active Directory service account and how to delegate the appropriate permissions to it.

Delegating Permissions

The following steps show how to delegate permissions to your service account once it has been created using your naming standard.

  1. Open Active Directory Users and Computers (ADUC).
  2. Right-click the OU on which to grant MyPass password management permissions.
  3. Select Delegate Control.
  4. Click Next in the Delegation of Control Wizard.
  5. Add the users and/or groups you want to delegate permissions to. Click Next.
  6. Select the Standard task to delegate. In this case, we have chosen the permission to Reset user passwords and force password change at the next logon. Then click Next.
  7. Click Finish to set the permissions in Active Directory.
  1. Return to Active Directory Users and Computers (ADUC).
  2. Find the OU for delegation. Right-click the OU and select Properties.
  3. Check whether the Security tab appears at the top of the Properties window. If the tab is visible, select it. If it is not visible, enable Advanced Features under the View menu in Active Directory Users and Computers (ADUC).
  4. Under the Security tab, click Advanced to view the permissions and apply the special permissions.
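
One way to check what the delegation above actually granted, as an added example that is not MyPass's own tooling: it classifies the service account's ACEs on the OU as read-only, expected, or needing review. The function name `Test-DelegatedAce`, the account `CORP\svc-mypass`, the sample ACEs, and the treatment of `lockoutTime` write access as the unlock permission are assumptions.

```powershell
# Added example (not vendor code). GUIDs are the well-known AD schema/extended-right IDs.
$Expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (force change at next logon)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime (unlock; assumed)'
}

function Test-DelegatedAce {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,      # live: (Get-Acl "AD:\<OU DN>").Access
        [Parameter(Mandatory)] [string]   $Identity  # service account as DOMAIN\name
    )
    foreach ($a in $Ace) {
        if ("$($a.IdentityReference)" -ne $Identity) { continue }
        if ("$($a.AccessControlType)" -ne 'Allow')   { continue }
        $guid     = "$($a.ObjectType)".ToLower()
        $rights   = "$($a.ActiveDirectoryRights)"
        # Anything beyond read-style rights can change directory state.
        $readOnly = $rights -notmatch 'Write|Create|Delete|GenericAll|ExtendedRight|Self'
        # A known GUID is only acceptable with property or extended-right access.
        $scoped   = $Expected.ContainsKey($guid) -and
                    ($rights -notmatch 'Generic|WriteDacl|WriteOwner|Create|Delete')
        [pscustomobject]@{
            Rights  = $rights
            Target  = if ($Expected.ContainsKey($guid)) { $Expected[$guid] } else { $guid }
            Verdict = if ($readOnly) { 'read' } elseif ($scoped) { 'expected' } else { 'REVIEW' }
        }
    }
}

# Constructed sample ACEs shaped like ActiveDirectoryAccessRule objects (not real output).
function New-SampleAce($Who, $Rights, $Guid) {
    [pscustomobject]@{ IdentityReference = $Who; AccessControlType = 'Allow'
                       ActiveDirectoryRights = $Rights; ObjectType = $Guid }
}
$svc  = 'CORP\svc-mypass'                        # hypothetical service account
$zero = '00000000-0000-0000-0000-000000000000'   # empty GUID: ACE is not scoped to one object
$sample = @(
    New-SampleAce $svc 'ExtendedRight'               '00299570-246d-11d0-a768-00aa006e0529'
    New-SampleAce $svc 'ReadProperty, WriteProperty' 'bf967a0a-0de6-11d0-a285-00aa003049e2'
    New-SampleAce $svc 'ReadProperty'                $zero
    New-SampleAce $svc 'GenericAll'                  $zero   # over-delegation: flagged
    New-SampleAce 'CORP\Helpdesk' 'GenericAll'       $zero   # other principal: skipped
)
Test-DelegatedAce -Ace $sample -Identity $svc | Format-Table -AutoSize
```

Against a live domain, the `AD:` drive used in the `Get-Acl` call requires the ActiveDirectory PowerShell module to be imported first.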

Effective Attribute Permissions

The Gateway requires read permissions granted to the Domain Account on several default attributes for each user. The attributes are shown in the table below.

| ATTRIBUTE | ACCESS | DESCRIPTION | STORED |
|---|---|---|---|
| DistinguishedName | Read | The unique name in LDAP format for the user. | Yes |
| sAMAccountName | Read | The short unique name for the user (the old style login name). | Yes |
| objectClass | Read | The AD object | Yes |
| cn | Read | Common Name for the user. | Yes |
| sn | Read | Surname, also editable in Active Directory Users and Computers. | Yes |
| givenName | Read | First Name, also editable in Active Directory Users and Computers. | Yes |
| displayName | Read | Full Name, also editable in Active Directory Users and Computers. | Yes |
| description | Read | Description, also editable in Active Directory Users and Computers. | Yes |
| department | Read | Department, also editable in Active Directory Users and Computers. | Yes |
| title | Read | Title, also editable in Active Directory Users and Computers. | Yes |
| manager | Read | Manager, also editable in Active Directory Users and Computers. | Yes |
| phone | Read | Phone, also editable in Active Directory Users and Computers. | Yes |
| mobile | Read | Mobile Phone, also editable in Active Directory Users and Computers. | Yes |
| mail | Read | E-mail address, also editable in Active Directory Users and Computers. | Yes |
| lockouttime | Read | Used to determine whether a user has been locked because of too many failed login attempts. | Yes |
| userAccountControl | Read | Used to determine whether a user has been disabled. | Yes |
| memberOf | Read | The Groups a user is a member of. | Yes |
| primarygroupid | Read | Used to determine the primary Group of a user. | Yes |
| userPrincipalName | Read | The user principal name of the user. | Yes |
| pwdLastSet | Read | Used to determine whether a user has been locked because of too many failed login attempts. | Yes |
| userCertificate | Read | Used when Email Encryption is enabled. | Yes |

The list of attributes can be customized and extended. If required, the Read permission for these attributes must also be granted.