What are the steps required to assign only the minimum permissions so Password Manager will function?
Password Manager Service Account
The Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, the Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
Application Pool Identity
The Application Pool Identity is an account under which the IIS application pool's worker process runs. The account you specify as the application pool identity during the Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
• This account must be a member of the IIS_WPG local group on the Web server in IIS 6.0, or of the IIS_IUSRS local group on the Web server in IIS 7.0.
• This account must have permission to create files in the \App_Data folder.
• This account must have Full Control on the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.
Domain Management Account
When adding a managed domain, you must specify a service account under which Password Manager will access the domain. Before adding a managed domain, ensure that this service account has sufficient permissions to perform password management tasks in the managed domains. Ideally the service account should be a member of Domain Admins, as this group already has all of the required permissions.
However, if the Password Manager service account cannot be added to Domain Admins due to security and internal company restrictions, all of the permissions outlined in this Solution are required except as noted.
This solution elaborates on the steps specified in the Password Manager Admin Guide in the "Configuring Permissions for Domain Management Account" section. It is recommended to refer to this document as well as the Password Manager User Guide when installing and configuring the product.
The following information is designed to give the steps necessary to implement these permissions in Active Directory (AD). The following permissions must be assigned using ADSIEdit.
If you are not familiar with ADSIEdit then please do NOT attempt these instructions. You could cause serious issues if permissions are accidentally removed or objects deleted.
PLEASE NOTE: There may be references in this guide to Descendant User Objects. Depending on the Operating System, the term may be different. Use the appropriate option on your Operating System of use.
NOTE: ADSIEdit must be used for applying the following permissions:
1. Membership in the Domain Users and Group Policy Creator Owners groups
Why: Domain Users membership is required for all Password Manager installations; several Active Directory and Windows operations, such as user management tasks, user name requirements and password requirements, require the account to be a member of the Domain Users group. Group Policy Creator Owners membership is only required if you plan to use the Password Policy Manager component of Password Manager; however, if you do not assign it you will see errors in the Password Manager Event log.
2. The following permissions on User Objects
a) Right-Click on your Domain and choose Properties
b) Select Security tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing Permission Entry for
g) Apply onto Descendant User Objects
h) Select the Object tab if running Windows 2008 (otherwise all settings show on one screen in Windows 2012)
i) Allow Read all properties
j) Allow Reset Password
Note: the following are under the Properties tab in Windows 2008 or Properties section in Windows 2012
k) Allow Write Comment
l) Allow Write Lockouttime
m) Allow Read and Write Mobile Number
n) Allow Write pwdLastSet
o) Allow Write userAccountControl
Why: Password Manager resets user passwords as a primary function.
Read All Properties is required for all installations of Password Manager in order for the product to function correctly. Password Manager displays user metadata within its own pages, such as password reset page, the admin pages etc.
The pwdLastSet attribute is required by Password Manager in order to determine password age.
Comment is where the Q&A hashes are stored for user questions. This attribute may be customized – if so, this permission must be changed accordingly.
Mobile is used for Starling 2FA.
userAccountControl specifies the account type and any limitations or additional rights, such as NORMAL_ACCOUNT, SMARTCARD_REQUIRED and ENCRYPTED_TEXT_PWD_ALLOWED, all of which have implications within Password Manager, for example for Password Age policies.
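The step-2 entries above can also be applied with the RSAT ActiveDirectory module rather than clicking through ADSIEdit, which makes the grant repeatable and reviewable. The following is an added example, not code from the One Identity KB or the product; it assumes the ActiveDirectory module is installed, that the caller may modify the domain head's security descriptor, and that the account name (CONTOSO\svc-pwm) and the function names are placeholders. Object-type GUIDs are looked up from the schema and the Extended-Rights container so nothing is hard-coded.

```powershell
# Added example, not from the One Identity KB: applies the step-2 entries to
# "Descendant User objects" with the RSAT ActiveDirectory module instead of
# ADSIEdit. Assumptions: the module is installed, the caller may modify the
# domain head's security descriptor, and the account name is a placeholder.
Import-Module ActiveDirectory

$RootDSE = Get-ADRootDSE

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName so no
# GUIDs are hard-coded in this script.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $RootDSE.SchemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# rightsGuid of a control-access (extended) right such as "Reset Password".
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.ConfigurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

function Grant-PwmUserObjectPermissions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. 'CONTOSO\svc-pwm' (placeholder)
        [string]$TargetDN = (Get-ADDomain).DistinguishedName
    )
    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $userClass  = Get-SchemaGuid 'user'
    $descendant = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    $R          = [System.DirectoryServices.ActiveDirectoryRights]

    $aces = @(
        # i) Read all properties, scoped to descendant user objects only
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $R::ReadProperty, $allow, $descendant, $userClass)
        # j) Reset Password control-access right on descendant user objects
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $R::ExtendedRight, $allow, (Get-ExtendedRightGuid 'Reset Password'), $descendant, $userClass)
    )
    # k) to o): attribute-scoped writes; mobile also gets an explicit read, as the KB lists
    $writeAttrs = 'comment', 'lockoutTime', 'mobile', 'pwdLastSet', 'userAccountControl'
    foreach ($attr in $writeAttrs) {
        $rights = if ($attr -eq 'mobile') { $R::ReadProperty -bor $R::WriteProperty } else { $R::WriteProperty }
        $aces += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $rights, $allow, (Get-SchemaGuid $attr), $descendant, $userClass)
    }

    if ($PSCmdlet.ShouldProcess($TargetDN, "Add $($aces.Count) ACEs for $ServiceAccount")) {
        $acl = Get-Acl -Path "AD:\$TargetDN"
        foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
        Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
    }
}

# Dry run first, then apply:
Grant-PwmUserObjectPermissions -ServiceAccount 'CONTOSO\svc-pwm' -WhatIf
# Grant-PwmUserObjectPermissions -ServiceAccount 'CONTOSO\svc-pwm'
```

Every entry carries the user class as its inherited object type, so the grant never widens to computers, groups or other descendants; if the Comment attribute has been customized as noted above, swap the attribute name in $writeAttrs for the one actually in use.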
3. The right to create User objects in the default Users container, together with Write All Properties and the right to create Container objects in the Users container.
a) Right-click on your domain>\Users container and select Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto This object and all descendant objects
i) Allow Create User Objects
j) Allow Write All Properties
k) Allow Create Container Objects
Why: This permission is only required while you add a managed domain and may be removed after the managed domain has been added. However, if you strip this permission and later remove the managed domain, there may be problems if the deactivated user account is removed, because Password Manager will not be able to create the deactivated user account _QPMStorageContainer, which is used to store Password Manager configuration data.
Do not remove Write All Properties, as Password Manager must be able to continue to update the User objects it created.
4. The Read permission for attributes of the top domain level object. i.e. mydomain.com
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto This object only
i) Allow Read All Properties
Why: Password Manager must be able to read domain information.
5. The Read permission for attributes of Organizational Unit objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto Descendant Organizational Unit Objects
i) Allow Read All Properties
Why: Password Manager must be able to read Organizational Unit information.
6. The Read permission for the nTSecurityDescriptor attribute of groupPolicy Container objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Properties tab
h) Allow Read ntSecurityDescriptor
Why: Required for all installations of Password Manager. nTSecurityDescriptor contains the object's primary owner and group, and a discretionary access control list (DACL) granting and denying rights to particular users and groups.
7. Additional Permissions required for Password Manager Domain Access Account
* The permission to Create Container Objects in the System container
* The permission to Create serviceConnectionPoint objects in the System container
* The permission to Delete serviceConnectionPoint objects in the System container
a) Right-Click on the System Container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for this object and all descendant objects
g) Select Object tab
h) Apply onto This object and all child objects
i) Allow Create Container Object
j) Allow Create serviceConnectionPoint
k) Allow Delete serviceConnectionPoint
Why: Password Manager needs to write the service connection point every 10 minutes to Active Directory. Technically if you do not want users having access to the SPE (Secure Password Extension) client this may be omitted. The amount of data written to this AD object is very small and therefore we suggest leaving this alone in case you decide later on to use the SPE client.
8. The Read permission for the attributes of the Group Policy Container and serviceConnectionPoint objects in the System container
a) Right-Click on the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Objects tab
h) Apply onto Descendant Group Policy Container objects
i) Allow Read permissions
j) Apply to Descendant serviceConnectionPoint objects
k) Allow Read permissions
Why: Password Manager needs to be able to check to see if there are any existing Service Connection Points in the environment. This is particularly important during an upgrade or when joining a new application server to an existing realm.
9. The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in the System container
a) Right-Click on the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto Descendant serviceConnectionPoint objects
i) Allow Write displayName
j) Allow Write serviceBindingInformation
Why: Password Manager uses this location for domain aliases (if used). For example, the domain name on an external-facing password reset page can be masked for security by calling the domain something else so intruders don’t see the actual domain name.
10. The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
a) Right-Click on the System Container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto Descendant serviceConnectionPoint objects
i) Allow Write keywords
Why: This is where Password Manager version information is stored, along with your registered company name, server URLs, etc. Password Manager needs to create this information during installation and may need to update this information post-install.
11. The Read-All and Write-All permission for the Password Settings Container container
a) Right-Click on the Password Settings Container container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto This object and all descendant objects
i) Allow Read all properties
j) Allow write all properties
Why: This permission is required to correctly work with Windows 2008 related Fine-Grained Password Policies.
12. The Create msDS-Password Settings object, Delete msDS-Password Settings object, Allow List contents permissions for the Password Settings Container
a) Right-Click on the Password Settings Container container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select object tab
h) Apply onto This object only
i) Allow Create msDS-Password Settings object
j) Allow Delete msDS-Password Settings object
k) Allow List contents
Why: This permission is required to correctly work with Windows 2008 related Fine-Grained Password Policies.
13. Apply Write permissions onto 13 attributes of Descendant msDS-PasswordSettings objects:
a) Right-Click on the Password Settings Container container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto Descendant msDS-PasswordSettings objects
i) Allow Write to the following attributes:
Why: This permission is required to correctly work with Windows 2008 related Fine-Grained Password Policies.
NOTE: Steps 14 through 17 are generally not needed if you do not plan on using the Password Manager Policy Component. However, due to the changes in Password Manager 5.x, they are required if you intend to send email notifications to users for Password Expiration notifications.
Also, if you plan on using Password Manager in a multi-forest environment, you will need to specify a unique Password Manager delegation account for each Password Manager managed domain. This is because it is not possible to make a user a member of the Group Policy Creator Owners group across multiple forests due to Active Directory scope limitations regarding security groups. You won’t be able to add users to global groups from another domain.
For more information please see: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
Also note that if you do not grant these permissions, you will see several errors in the Password Manager Event log.
14. The Write permission for the gpLink attribute on your top domain level object. i.e. mydomain.com
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Properties tab
h) Apply onto This object only
i) Allow Write gPLink
Why: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. This permission is used to read existing GPO links and to create new GPO links based on Password Manager password policies explicitly defined within Password Manager.
15. The Write permission for the gpLink attribute of organizational Unit objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Properties tab
h) Apply onto Descendant Organizational Unit Objects
i) Allow Write gPLink
Why: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. This permission is used to read existing GPO links and to create new GPO links based on Password Manager Password Policies explicitly defined within Password Manager.
The following three items are new to version 4.6.1 and later. They are not required if you make the service account a member of Group Policy Creator Owners. This is a detailed list of the actual permissions required. The permission listed below is required for all installs of Password Manager.
16. The Read permission for attributes of the groupPolicyContainer objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select the Object tab
h) Apply onto groupPolicyContainer objects
i) Allow Read All Properties
Why: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. Password Manager is required to enforce existing group policies as well as its own, which requires read access to existing group policy items.
17. The Create and Delete groupPolicyContainer permissions in the System Policies container
a) Right-Click on your Policies container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto groupPolicyContainer objects
i) Allow Create groupPolicyContainer objects
j) Allow Delete groupPolicyContainer objects (Required if you use the PPM components, ignore if not)
Why: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. Password Manager can and does create additional group policies such as password restrictions which are more restrictive than the domain default policies.
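Once steps 2 through 17 have been applied, a practitioner will want to confirm that the delegation account holds exactly that set and nothing broader. The following is an added example, not code from the One Identity KB or the product; it assumes the RSAT ActiveDirectory module is installed, that CONTOSO\svc-pwm is a placeholder account name, and that the function names are made up for this script. It reads the security descriptor of each container the article touches, keeps only the entries granted to the account, and resolves object-type and inherited-object-type GUIDs to schema and extended-right names so the output can be checked line by line against the steps above.

```powershell
# Added example, not from the One Identity KB: lists every ACE granted to the
# delegation account on the containers this article touches, with object-type
# GUIDs resolved to names, so the result can be compared with steps 2 to 17.
# Assumptions: RSAT ActiveDirectory module installed; account name is a placeholder.
Import-Module ActiveDirectory

function Get-AdGuidNameMap {
    # schemaIDGUID -> class/attribute name, rightsGuid -> extended right / property set name
    $rootDse = Get-ADRootDSE
    $map = @{}
    $map[[guid]::Empty] = '(all)'
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Get-PwmDelegatedAces {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # 'CONTOSO\svc-pwm' style (placeholder)
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $names = Get-AdGuidNameMap
    $targets = @(
        $DomainDN                                              # steps 2, 4, 5, 6, 14, 15, 16
        "CN=Users,$DomainDN"                                   # step 3
        "CN=System,$DomainDN"                                  # steps 7 to 10
        "CN=Password Settings Container,CN=System,$DomainDN"   # steps 11 to 13
        "CN=Policies,CN=System,$DomainDN"                      # step 17
    )
    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # IdentityReference is normally an NTAccount ("DOMAIN\name"); comparison is case-insensitive
            if ($ace.IdentityReference.Value -ne $ServiceAccount) { continue }
            [pscustomobject]@{
                Target              = $dn
                Type                = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = if ($names.ContainsKey($ace.ObjectType)) { $names[$ace.ObjectType] } else { $ace.ObjectType }
                InheritedObjectType = if ($names.ContainsKey($ace.InheritedObjectType)) { $names[$ace.InheritedObjectType] } else { $ace.InheritedObjectType }
                Inheritance         = $ace.InheritanceType
                Inherited           = $ace.IsInherited
            }
        }
    }
}

# Review the full list, then flag anything broader than the article calls for.
$aces = Get-PwmDelegatedAces -ServiceAccount 'CONTOSO\svc-pwm'
$aces | Format-Table -AutoSize
$broad = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
$aces | Where-Object { ([int]($_.Rights -band $broad)) -ne 0 } |
    ForEach-Object { Write-Warning "Over-broad right on $($_.Target): $($_.Rights)" }
```

Entries with Inherited set to True come from a parent ACL rather than from these steps, and an entry whose ObjectType resolves to "(all)" with WriteProperty is a full-attribute write, so both deserve a second look when the goal is the minimum set.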
SQL database and Reporting required permissions
In some environments, the specified account may have to be added explicitly as a Local Administrator on the SQL Reporting server.
Additional Information:
It is advisable to use the Password Manager service account to add managed domains and manage domain-specific data.
When you add a managed domain by using the Administration site, Password Manager creates a user account with the name _QPMStorageContainer in the Users container of that managed domain.
Password Manager uses this account to store its configuration data and to perform all its operations in the domain. If there is no Users container in the managed domain, or if the account that you specify does not have the permission to create users in the Users container, you must create the _QPMStorageContainer account manually and then disable this account before registering a managed domain.
See also:
"Set, view, change, or remove special permissions": http://technet.microsoft.com/en-us/library/cc786378.aspx
"Using ADSI Edit to Edit Active Directory Attributes": http://technet.microsoft.com/en-us/library/bb124152.aspx
"AD DS: Fine-Grained Password Policies": http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Additional Information for Password Manager:
If there are issues registering users after the minimum permissions for the Password Manager Account have been completely applied, try the following:
Note: Keep in mind that users that are members of protected groups (AdminSDHolder) might not be able to edit their Password Manager profiles.
Additional permissions may need to be assigned for unlocking accounts. Please see:
https://support.quest.com/password-manager/kb/116232
VERY IMPORTANT NOTE: User accounts whose status changes from domain admin accounts to non-domain-admin accounts lose inheritance on their accounts. This can result in "Access is denied" errors when trying to access their accounts in Password Manager. Please see the following from https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
Orphaned AdminSDHolder Objects
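Finding the accounts affected by the note above before users report "Access is denied" is straightforward: an orphaned account still carries adminCount=1 and a protected (non-inheriting) ACL but no longer belongs to any protected group. The following is an added example, not code from the One Identity KB or the linked TechNet article; it assumes the RSAT ActiveDirectory module is installed and that the protected-group list (the usual default set) fits the domain, and its function names are made up for this script. The repair function performs the clean-up the linked article describes (clear adminCount, re-enable inheritance) and stays a dry run under -WhatIf.

```powershell
# Added example, not from the One Identity KB: finds user objects that still
# carry adminCount=1 but are no longer in a protected group, and reports whether
# ACL inheritance is blocked on them (the "Access is denied" cause noted above).
# Assumptions: RSAT ActiveDirectory module installed; the protected-group list
# is the common default set and can be adjusted for the domain.
Import-Module ActiveDirectory

$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

function Get-ProtectedMemberDn {
    # Distinguished names of every (nested) member of the protected groups.
    $dns = @{}
    foreach ($g in $ProtectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { $dns[$_.DistinguishedName] = $true }
        } catch {
            # Enterprise Admins / Schema Admins exist only in the forest root; skip missing groups.
            Write-Verbose "Skipping group '$g': $($_.Exception.Message)"
        }
    }
    $dns
}

function Get-OrphanedAdminSdHolderUser {
    [CmdletBinding()]
    param()
    $protected = Get-ProtectedMemberDn
    Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            DistinguishedName  = $_.DistinguishedName
            StillProtected     = $protected.ContainsKey($_.DistinguishedName)
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    } | Where-Object { -not $_.StillProtected }
}

function Repair-OrphanedAdminSdHolderUser {
    # Clears adminCount and re-enables inheritance, the clean-up the linked
    # TechNet article describes. Run with -WhatIf until the list is reviewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Report first; remediation stays a dry run until -WhatIf is removed.
Get-OrphanedAdminSdHolderUser | Format-Table -AutoSize
Get-OrphanedAdminSdHolderUser | Repair-OrphanedAdminSdHolderUser -WhatIf
```

Accounts that are still members of a protected group are deliberately excluded from the report: SDProp will re-protect them within the hour anyway, and for those users the expected behaviour is the one the note above describes.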
© 2023 One Identity LLC. ALL RIGHTS RESERVED.