0
Answered

Minimal AD delegate rights for UNIFYBroker/Active Directory service account

Huu Tran 1 week ago in UNIFYBroker/Microsoft Active Directory • updated 1 week ago 6

I do not want to give more permission than that is needed (i.e. no Domain Admin right). Hence please advise the minimal AD delegate rights that the UNIFYBroker service account requires to:

- Create new users

- Modify attribute of an existing users

- Move users from one OU to another

- Suspend/activate an user (userAccountControl)

- Set initial password and set users must change password in the next logon

- Reset/ change password for an existing user


Thanks

Affected Versions:
Fixed by Version:

Answer

Answer
Answered

Hi Huu,

As you’re probably aware, AD permissions can get extremely complicated and can be done in a number of ways. For example, the topic on Implementing Least-Privilege Administrative Models is a 40 minute read - and it merely introduces the concepts and references countless other articles.

The approach that we recommend for Active Directory is to provide the use cases to the Active Directory administrator - so that they can create an account with least-privileges that works within their security model framework. As with all connectors, if this information can be condensed into a common set of recommendations, we would include this information in our documentation as either a set of prerequisites or as options/guidelines.

Thanks.

Answer
Answered

Hi Huu,

As you’re probably aware, AD permissions can get extremely complicated and can be done in a number of ways. For example, the topic on Implementing Least-Privilege Administrative Models is a 40 minute read - and it merely introduces the concepts and references countless other articles.

The approach that we recommend for Active Directory is to provide the use cases to the Active Directory administrator - so that they can create an account with least-privileges that works within their security model framework. As with all connectors, if this information can be condensed into a common set of recommendations, we would include this information in our documentation as either a set of prerequisites or as options/guidelines.

Thanks.

Hi Adam,

The client AD administrator is asking the questions and we need to give him an answer.  He is not an active player of project and only do the minimal support. I am sure he will not spend time analysing our use cases to work out the required permission. 

Are you able to come up with a permissiong set in a standard AD implementation? If the customer AD permission is not modelled in a standard way, I can then reason them to translate those permissions to their accordingly. 


What did you come up with during the design phase of the project? Happy to add this to our documentation. As mentioned AD security is a huge area and should not be an afterthought.

Failing that, have you tried running the AD Delegation of Control Wizard?

Thanks Adam. I did not write the design document nor set up the environment initially. Nothing mentioned about AD required permission anywhere. Hence I do not know how to answer when the client asked for a complete set of delegation rights.