Minimal AD delegate rights for UNIFYBroker/Active Directory service account
I do not want to give more permission than is needed (i.e. no Domain Admin rights). Hence please advise the minimal AD delegated rights that the UNIFYBroker service account requires to:
- Create new users
- Modify attributes of an existing user
- Move users from one OU to another
- Suspend/activate a user (userAccountControl)
- Set initial password and set "user must change password at next logon"
- Reset/change password for an existing user
Thanks
Answer
Hi Huu,
As you’re probably aware, AD permissions can get extremely complicated and can be done in a number of ways. For example, the topic on Implementing Least-Privilege Administrative Models is a 40 minute read - and it merely introduces the concepts and references countless other articles.
The approach that we recommend for Active Directory is to provide the use cases to the Active Directory administrator - so that they can create an account with least-privileges that works within their security model framework. As with all connectors, if this information can be condensed into a common set of recommendations, we would include this information in our documentation as either a set of prerequisites or as options/guidelines.
Thanks.
Hi Adam,
The client AD administrator is asking the questions and we need to give him an answer. He is not an active player in the project and only does minimal support. I am sure he will not spend time analysing our use cases to work out the required permissions.
Are you able to come up with a permission set for a standard AD implementation? If the customer's AD permissions are not modelled in a standard way, I can then reason with them to translate those permissions accordingly.
What did you come up with during the design phase of the project? Happy to add this to our documentation. As mentioned AD security is a huge area and should not be an afterthought.
Failing that, have you tried running the AD Delegation of Control Wizard?
Thanks Adam. I did not write the design document nor set up the environment initially. Nothing is mentioned about the required AD permissions anywhere. Hence I do not know how to answer when the client asks for a complete set of delegation rights.
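The delegation the question asks for, written as a script against one OU rather than clicked through the Delegation of Control Wizard mentioned above. This is an added example, not code from the thread or from UNIFY; the OU path `OU=Managed Users,DC=example,DC=com` and the account name `svc-unifybroker` are assumed, and the GUIDs are looked up from the forest's own schema so nothing is hardcoded.

```powershell
# Added example (not the thread's or UNIFY's code): grant only the rights the question
# lists to the service account on one OU. Assumed values: the OU path and account name.
Import-Module ActiveDirectory

$OU  = 'OU=Managed Users,DC=example,DC=com'          # assumed target OU
$Sid = (Get-ADUser -Identity 'svc-unifybroker').SID  # assumed service account
$RootDse = Get-ADRootDSE

# Resolve schema and extended-right GUIDs from this forest instead of hardcoding them.
function Get-SchemaGuid([string]$LdapName) {
    [guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID).schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}
$userClass = Get-SchemaGuid 'user'
$uacAttr   = Get-SchemaGuid 'userAccountControl'   # suspend/activate
$pwdAttr   = Get-SchemaGuid 'pwdLastSet'           # "must change password at next logon"
$resetPwd  = Get-RightGuid  'Reset Password'       # set initial / reset password

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Rule  = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Create users in this OU tree; DeleteChild is what lets a user be moved out of it.
    $Rule::new($Sid, ($R::CreateChild -bor $R::DeleteChild), $Allow, $userClass, $All)
    # Modify attributes of existing users (narrow to named attributes if the AD admin prefers).
    $Rule::new($Sid, $R::WriteProperty, $Allow, $Desc, $userClass)
    # Explicit writes for the two attributes the question singles out, so they survive
    # if the broad WriteProperty entry above is later narrowed.
    $Rule::new($Sid, $R::WriteProperty, $Allow, $uacAttr, $Desc, $userClass)
    $Rule::new($Sid, $R::WriteProperty, $Allow, $pwdAttr, $Desc, $userClass)
    # Reset / set initial password is an extended right, not an attribute write.
    $Rule::new($Sid, $R::ExtendedRight, $Allow, $resetPwd, $Desc, $userClass)
)
$acl = Get-Acl -Path "AD:\$OU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: show the ACEs the service account now holds on the OU.
$acct = $Sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:\$OU").Access | Where-Object { $_.IdentityReference.Value -eq $acct } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Moving a user into an OU outside this tree also needs CreateChild on that destination OU, so run the script against every OU the connector writes to. Nothing here touches the domain root, and the AD administrator can review the listed ACEs against their own security model before anything goes live.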