Service Account Permissions
MyPass Cloud requires a Microsoft Active Directory service account with specific permissions to discover and interact with end-user accounts in the domain. This includes the ability to read account and group information, reset and change passwords and unlock accounts. The following section explores how to create an Active Directory service account and how to delegate the appropriate permissions to it.
The following steps provide simple guidance on how to delegate permissions to your service account once it has been created using your naming standard.
- Open Active Directory Users and Computers (ADUC).
- Right-Click the OU to grant MyPass password management permissions.
- Select Delegate Control.
- Click Next in the Delegation of Control Wizard.
- Add the users and/or groups you want to delegate permissions to. Click Next.
- Select the Standard task to delegate. In this case, we have chosen the permission to Reset user passwords and force password change at the next logon. Then click Next.
- Click Finish to set the permissions in Active Directory.
- Return to Active Directory Users and Computers (ADUC).
- Find the OU for delegation. Right-Click the OU and select Properties.
- Confirm whether the Security tab is available at the top of the Properties window. If the tab is visible, select it. Should the tab not be visible, enable Advanced Features in Active Directory Users and Computers (ADUC) under the View menu, then reopen Properties.
- Under the Security tab, click Advanced to view the permissions to apply the special permissions.
The Gateway requires read permissions granted to the Domain Account on several default attributes for each user. The attributes are shown in the table below.
| ATTRIBUTE | ACCESS | DESCRIPTION | STORED | 
|---|---|---|---|
| DistinguishedName | Read | The unique name in LDAP format for the user. | Yes | 
| sAMAccountName | Read | The short unique name for the user (the old style login name). | Yes | 
| objectClass | Read | The AD object class of the user. | Yes | 
| cn | Read | Common Name for the user. | Yes | 
| sn | Read | Surname, also editable in Active Directory Users and Computers. | Yes | 
| givenName | Read | First Name also editable in Active Directory Users and Computers. | Yes | 
| displayName | Read | Full Name also editable in Active Directory Users and Computers. | Yes | 
| description | Read | Description also editable in Active Directory Users and Computers. | Yes | 
| department | Read | Department also editable in Active Directory Users and Computers. | Yes | 
| title | Read | Title also editable in Active Directory Users and Computers. | Yes | 
| manager | Read | Manager also editable in Active Directory Users and Computers. | Yes | 
| phone | Read | Phone also editable in Active Directory Users and Computers. | Yes | 
| mobile | Read | Mobile Phone also editable in Active Directory Users and Computers. | Yes | 
| mail | Read | E-mail address also editable in Active Directory Users and Computers. | Yes | 
| lockouttime | Read | Used to determine whether a user has been locked because of too many failed login attempts. | Yes | 
| userAccountControl | Read | Used to determine whether a user has been disabled. | Yes | 
| memberOf | Read | The Groups a user is member of. | Yes | 
| primarygroupid | Read | Used to determine the primary Group of a user. | Yes | 
| userPrincipalName | Read | The user principal name of the user. | Yes | 
| pwdLastSet | Read | The time the user's password was last set; used to determine password age and whether a change is required at next logon. | Yes | 
| userCertificate | Read | Used when Email Encryption is enabled. | Yes | 
The list of attributes can be customized and extended. If required, the Read permission for these attributes must also be granted.
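The delegation from the steps above and the read permissions from the table, done with PowerShell instead of the ADUC wizard and followed by an audit of the resulting ACL. This is an added example, not MyPass Cloud's own tooling; the OU distinguished name and the service account name are placeholders, and it assumes the RSAT ActiveDirectory module is installed and you run it as an account allowed to change the OU's security descriptor.

```powershell
# Added example (not part of the MyPass documentation): delegate the same rights the
# ADUC wizard grants, scoped to user objects below one OU, then audit the ACL.
Import-Module ActiveDirectory

$OuDn       = 'OU=Staff,DC=example,DC=com'      # placeholder: the OU to delegate
$SvcAccount = 'EXAMPLE\svc-mypass'              # placeholder: the service account
$Sid = ([System.Security.Principal.NTAccount]$SvcAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Fixed schema GUIDs: the 'user' object class and the 'Reset Password' extended right.
$UserClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ResetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Attribute names from the table above. A name that does not match an lDAPDisplayName
# in your schema is skipped with a warning, so check the warnings after the run.
$ReadAttrs = 'distinguishedName','sAMAccountName','objectClass','cn','sn','givenName',
  'displayName','description','department','title','manager','phone','mobile','mail',
  'lockoutTime','userAccountControl','memberOf','primaryGroupID','userPrincipalName',
  'pwdLastSet','userCertificate'

$SchemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-AttrGuid([string]$Name) {
  $o = Get-ADObject -SearchBase $SchemaNc -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
  if (-not $o) { Write-Warning "No schema attribute named '$Name'"; return $null }
  [Guid]$o.schemaIDGUID
}

$Acl     = Get-Acl -Path "AD:\$OuDn"
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
function New-Ace($Rights, [Guid]$ObjectType) {
  New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow, $ObjectType, $Inherit, $UserClass)
}

# "Reset user passwords and force password change at next logon" is the Reset Password
# extended right plus read/write on pwdLastSet; everything else is read-only.
$Acl.AddAccessRule((New-Ace 'ExtendedRight' $ResetPwd))
$Acl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' (Get-AttrGuid 'pwdLastSet')))
foreach ($a in $ReadAttrs) { $g = Get-AttrGuid $a; if ($g) { $Acl.AddAccessRule((New-Ace 'ReadProperty' $g)) } }
Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# Audit: every ACE the service account holds on this OU must be one of the shapes granted
# above. Anything else (broader rights, inherited ACEs from a parent, Deny entries) is flagged.
$Aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object { $_.IdentityReference.Value -eq $SvcAccount }
$Bad  = $Aces | Where-Object {
  -not ( ($_.ActiveDirectoryRights -eq 'ExtendedRight' -and $_.ObjectType -eq $ResetPwd) -or
         ($_.ActiveDirectoryRights -eq 'ReadProperty') -or
         ($_.ActiveDirectoryRights -eq 'ReadProperty, WriteProperty') ) -or
  $_.InheritedObjectType -ne $UserClass -or $_.AccessControlType -ne 'Allow'
}
if ($Bad) { $Bad | Format-List; throw "Service account holds rights on $OuDn beyond the delegated set" }
"OK: $($Aces.Count) ACEs for $SvcAccount on $OuDn, all within the expected scope"
```

Running only the audit section on a schedule is a cheap way to catch drift, such as someone later adding the service account to a broader group or granting it write access at the domain root.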