KB9548 - How to configure an Active Directory account with limited admin rights for use as a UAC Active Directory Authentication server admin account (Legacy mode only)

Last Modified Date: 12/26/2018 6:35 PM

Synopsis

This article describes how to configure an Active Directory account with limited admin rights for use as the admin account of a UAC Active Directory authentication server (Legacy mode only).
Problem or Goal

On an Infranet Controller, when you configure an Active Directory / Windows NT authentication server, you are asked to enter an Admin username and password. The Infranet Controller stores this credential and uses it to perform directory operations on your behalf, so the account should hold only the permissions UAC actually needs. To create such a limited admin account in Active Directory, perform the procedure in the Solution section.

Note:

  • Release 4.2 adds support for a new and improved Active Directory authentication server mode.
 
  • The previous implementation is now labeled Active Directory Legacy Mode.
 
  • This article applies only to the AD authentication server instance on UAC releases before 4.2Rx and to the Active Directory Legacy Mode instance on 4.2Rx and later.
 
Solution

Step 1: Identify the user (or group)

  • Identify the user (or group) that will be granted permissions to perform AD operations on behalf of the UAC. The user (or group) can be any pre-existing user (or group), or a new one that you create.
  • If you choose to use a group instead of a user, make sure the user account whose credentials you will enter in the UAC Active Directory authentication server configuration is a member of that group.

Step 2: Start the Active Directory Users and Computers interface.

  1. Click Start
  2. Go to Programs > Administrative Tools, and then click Active Directory Users and Computers.
  3. In the Active Directory Users and Computers interface, click View
  4. Click to select Advanced Features.

Step 3: Open the Access Control Settings for Computers dialog box.

  1. In the Active Directory Users and Computers interface, right-click Computers and then click Properties.
  2. In the Computers Properties dialog box, click the Security tab and then click Advanced.

Step 4: Grant the user (or group) permission to Create Computer Objects and Delete Computer Objects in the Computers container.

  1. In the Access Control Settings for Computers dialog box, click Add.
  2. In the Select User, Computer, or Group dialog box, click or manually enter the name of the user (or group) to whom you want to grant permissions to perform AD operations on behalf of the UAC, and then click OK.
  3. In the Permission Entry for Computers dialog box, click This object only in the Apply onto list.
  4. In the Permissions list, find the Create Computer Objects and Delete Computer Objects permissions, click to select the Allow check box next to each of these permissions, and then click OK.

Step 5: Grant the user (or group) permission to Reset Password on Computer objects.

  1. In the Access Control Settings for Computers dialog box, click Add.
  2. In the Select User, Computer, or Group dialog box, click or manually enter the name of the user (or group) to whom you want to grant permissions to perform AD operations on behalf of the UAC, and then click OK.
  3. In the Permission Entry for Computers dialog box, click Computer objects in the Apply onto list.
  4. In the Permissions list, find the Reset Password permissions, click to select the Allow check box next to the permission, and then click OK.

Step 6: Verify that there are no Deny entries that would affect the user (or group), either directly or through any group the user belongs to. A Deny entry overrides the Allow entries you just added.

Step 7: Exit the Access Control Settings for Computers dialog box.

  1. In the Access Control Settings for Computers dialog box, click OK.
  2. In the Computers Properties dialog box, click OK.

Step 8: Grant the user (or group) permission to Reset Password on User objects.

(Step 8 is optional. If you skip it, the limited admin account will not be able to reset user passwords, so the UAC cannot reset a password on a user's behalf. This is not normally a problem, because a user can usually change their own password; if a user cannot, the result is that the user stays locked out until an administrator resets the password. If you do grant this right, be aware of the security risk: the entry is inherited by every user object in the Users container, so the limited admin account can reset the password of any account stored there, including accounts that hold full administrative rights. (AdminSDHolder protection strips inherited entries from the built-in protected accounts, but it does not cover every account that has been delegated administrative rights.) Anyone who obtains the limited admin account's credentials could therefore reset a full admin account's password and use it to gain access to that account.)

  1. In the Active Directory Users and Computers interface, right-click Users and then click Properties.
  2. In the User Properties dialog box, click the Security tab and then click Advanced.
  3. In the Access Control Settings for Users dialog box, click Add.
  4. In the Select User, Computer, or Group dialog box, click or manually enter the name of the user (or group) to whom you want to grant permissions to perform AD operations on behalf of the UAC, and then click OK.
  5. In the Permission Entry for Users dialog box, click User objects in the Apply onto list.
  6. In the Permissions list, find the Reset Password permission, click to select the Allow check box next to the permission, and then click OK.

Step 9: Verify that there are no Deny entries that would affect the user (or group), either directly or through group membership.

Step 10: Exit the Access Control Settings for Users dialog box.

  1. In the Access Control Settings for Users dialog box, click OK.
  2. In the Users Properties dialog box, click OK.

Step 11: Exit the Active Directory Users and Computers interface.
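The same delegation, performed with the ActiveDirectory PowerShell module instead of the Active Directory Users and Computers GUI, as an added example that is not part of this KB article. It grants exactly the entries of Steps 4 and 5 (Create/Delete Computer Objects on the Computers container, "This object only", and Reset Password applied to Computer objects), adds the optional Step 8 entry only when asked to, and then performs the Deny check of Steps 6 and 9 by listing any Deny entries that name the principal or any group it is nested in. Assumptions: the ActiveDirectory module is installed, the principal name passed in (here the hypothetical account 'svc-uac-ad') exists in the current domain, the default CN=Computers and CN=Users containers are used, and the script runs as an account allowed to modify those containers' ACLs.

```powershell
# Added example (not from the KB): delegate the rights of Steps 4, 5 and optionally 8
# through the AD: drive of the ActiveDirectory module. 'svc-uac-ad' is a hypothetical name.
Import-Module ActiveDirectory

# Well-known schema and control-access-right GUIDs; identical in every AD forest.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" right

function ConvertTo-SidString {
    # Map an ACE's IdentityReference (usually an NTAccount) to its SID string; $null if untranslatable.
    param($IdentityReference)
    try { $IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function New-UacAce {
    # Build one Allow ACE. Inheritance 'None' is the GUI's "This object only";
    # 'Descendents' plus an InheritedObjectType is "Apply onto: <class> objects".
    param($Sid, [string]$Right, [Guid]$ObjectType, [string]$Inheritance,
          [Guid]$InheritedObjectType = [Guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedObjectType)
}

function Get-DenyEntriesFor {
    # Steps 6 and 9: Deny ACEs on the container that name the principal itself or any
    # group it belongs to, nested membership included (LDAP_MATCHING_RULE_IN_CHAIN).
    param([string]$ContainerDN, $Principal)
    $chain = "(member:1.2.840.113556.1.4.1941:=$($Principal.DistinguishedName))"
    $sids  = @($Principal.SID.Value) + @(Get-ADGroup -LDAPFilter $chain | ForEach-Object { $_.SID.Value })
    (Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $sids -contains (ConvertTo-SidString $_.IdentityReference)
    }
}

function Grant-UacDelegation {
    param([Parameter(Mandatory)][string]$PrincipalName,   # the user or group from Step 1
          [switch]$IncludeUserPasswordReset)               # the optional Step 8
    $domainDN    = (Get-ADDomain).DistinguishedName
    $computersDN = "CN=Computers,$domainDN"
    $usersDN     = "CN=Users,$domainDN"

    # Accept either a user or a group, as Step 1 allows.
    $principal = Get-ADUser -Filter "sAMAccountName -eq '$PrincipalName'"
    if (-not $principal) { $principal = Get-ADGroup -Filter "sAMAccountName -eq '$PrincipalName'" }
    if (-not $principal) { throw "No user or group named '$PrincipalName' in $domainDN" }
    $sid = $principal.SID

    # Steps 3-5 and 7: the Computers container.
    $acl = Get-Acl -Path "AD:\$computersDN"
    # Step 4: Create Computer Objects and Delete Computer Objects, "This object only".
    $acl.AddAccessRule((New-UacAce $sid 'CreateChild' $ComputerClassGuid 'None'))
    $acl.AddAccessRule((New-UacAce $sid 'DeleteChild' $ComputerClassGuid 'None'))
    # Step 5: Reset Password, "Apply onto: Computer objects" (inherit-only, computer class).
    $acl.AddAccessRule((New-UacAce $sid 'ExtendedRight' $ResetPasswordGuid 'Descendents' $ComputerClassGuid))
    Set-Acl -Path "AD:\$computersDN" -AclObject $acl

    $containers = @($computersDN)
    # Steps 8 and 10: the Users container, only on explicit request (see the warning in Step 8).
    if ($IncludeUserPasswordReset) {
        $acl = Get-Acl -Path "AD:\$usersDN"
        $acl.AddAccessRule((New-UacAce $sid 'ExtendedRight' $ResetPasswordGuid 'Descendents' $UserClassGuid))
        Set-Acl -Path "AD:\$usersDN" -AclObject $acl
        $containers += $usersDN
    }

    # Steps 6 and 9: surface Deny entries that would override the grants just made.
    foreach ($dn in $containers) {
        Get-DenyEntriesFor -ContainerDN $dn -Principal $principal |
            ForEach-Object { Write-Warning "Deny on ${dn}: $($_.IdentityReference) $($_.ActiveDirectoryRights)" }
    }
}

# Minimal delegation (Steps 4 and 5 only). Add -IncludeUserPasswordReset to also perform Step 8.
Grant-UacDelegation -PrincipalName 'svc-uac-ad'
```

The Deny check deliberately only reports; whether a reported entry actually blocks the UAC depends on its "Apply onto" scope, so review each one in the GUI before deciding. After running the script, open the Advanced security settings of the Computers container and confirm the three new entries read exactly as the GUI steps describe them (two "This object only" entries and one applied to Computer objects), since a wrong inheritance scope would either grant nothing or grant more than intended.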

Step 12: Configure the UAC Active Directory authentication server

  1. Follow the general directions for configuring or modifying an Active Directory authentication server on the UAC in the administration guide.
  2. In the Administrator section of the Active Directory authentication server configuration, enter the user name you identified in Step 1 (or, if you chose a group, a member of that group) and its password in the Admin Username and Admin Password fields respectively, and click Save Changes.
  3. Follow the general directions for restarting services on the UAC.

Created By: Data Deployment