-
Titel
Assigning Minimum Permissions Required to Install and Run Password Manager -
Beschreibung
What are the steps required to assign only the minimum permissions so Password Manager will function?
-
Lösung
Password Manager Service Account
The Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, the Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
Application Pool Identity
The Application Pool Identity is an account under which the IIS application pool's worker process runs. The account you specify as the application pool identity during the Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
•This account must be a member of the IIS_WPG local group on the Web server in IIS 6.0 or a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
•This account must have permissions to create files in the \App_Data folder.
•Application pool identity account must have the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.
Domain Management Account
When adding a managed domain, you must specify a service account in which Password Manager will access the domain. Before adding a managed domain, ensure that this service account has sufficient permissions to perform password management tasks in the managed domains. Ideally the service account should be a member of Domain Admins as this group already has all of the required permissions.
However, if the Password Manager service account cannot be added to Domain Admins due to security and internal company restrictions, all of the permissions outlined in this Solution are required except as noted.
This solution elaborates on the steps specified in the Password Manager Admin Guide in the "Configuring Permissions for Domain Management Account" section. It is recommended to refer to this document as well as the Password Manager User Guide when installing and configuring the product.
The following information is designed to give the steps necessary to implement these permissions in Active Directory (AD). The following permissions must be assigned using ADSIEdit.
If you are not familiar with ADSIEdit then please do NOT attempt these instructions. You could cause serious issues if permissions are accidentally removed or objects deleted.
PLEASE NOTE: There may be references in this guide to Descendant User Objects. Depending on the Operating System, the term may be different. Use the appropriate option on your Operating System of use.ASSIGNING MINIMUM PERMISSIONS
NOTE: ADSIEdit must be used for applying the following permissions:
1. Membership in the Domain Users and Group Policy Creator Owners groups- Add the Password Manager service account to Domain Users group
- Add the Password Manager service account to Group Policy Creator Owners
Why: Domain Users permission is required for all Password Manager installations. Group Policy Creator Owners group membership is only required if you plan to use the Password Policy Manager component of Password Manager, however, if you do not assign this you will see errors in the Password Manager Event log. Some items in Active Directory / Windows require the account to be part of the Domain Users group such as user management tasks, user name requirements, password requirements.
2. The following permissions on User Objects
- Read All Properties
- pwdLastSet
- comment
- userAccountControl
- LockOutTime
- Reset Passwords
- mobile
a) Right-Click on your Domain and choose Properties
b) Select Security tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing Permission Entry for
g) Apply onto Descendant User Objects
h) Select the Object tab if running Windows 2008 (otherwise all settings show on one screen in Windows 2012)
i) Allow Read all properties
j) Allow Reset Password
Note: the following are under the Properties tab in Windows 2008 or Properties section in Windows 2012
k) Allow Write Comment
l) Allow Write Lockouttime
m) Allow Read and Write Mobile Number
n) Allow Write pwdLastSet
o) Allow Write userAccountControlWhy: Password Manager resets user passwords as a primary function.
Read All Properties is required for all installations of Password Manager in order for the product to function correctly. Password Manager displays user metadata within its own pages, such as password reset page, the admin pages etc.
The pwdLastSet attribute is required by Password Manager in order to determine password age.
Comment is where the Q&A hashes are stored for user questions. This attribute may be customized – if so, this permission must be changed accordingly.
Mobile is used for Starling 2FA.
userAccountControl specifies account type and possible limitations or additional rights such as NORMAL_ACCOUNT, SMARTCARD_REQUIRED, ECRYPTED_TEXT_PWD_ALLOWED which all have implications within Password Manager and such as Password Age policies.
3. The right to Create User Accounts in the default Users container and assign the Write permission to create Container objects in the Users container.
a) Right-click on your domain>\Users container and select Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto This object and all descendant objects
i) Allow Create User Objects
j) Allow Write All Properties
k) Allow Create Container ObjectsWhy: This permission is only required during the time you add a managed domain. This may be removed after you the managed domain has been added. However, if you ever decide to remove the managed domain and strip this permission, there may be problems if the deactivated user account is removed. Password Manager will not be able to create the deactivated user account _QPMStorageContainer, which is used to store Password Manager configuration data.
Do not remove Write All Properties as Password Manager must be able to continue to update the User objects it created.
4. The Read permission for attributes of the top domain level object. i.e. mydomain.com
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto This object only
i) Allow Read All PropertiesWhy: Password Manager must be able to read domain information.
5. The Read permission for attributes of Organizational Unit objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto Descendant Organizational Unit Objects
i) Allow Read All PropertiesWhy: Password Manager must be able to read Organizational Unit information.
6. The Read permission for the nTSecurityDescriptor attribute of groupPolicy Container objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Properties tab
h) Allow Read ntSecurityDescriptorWhy: Required for all installations of Password Manager. NTSecurityDescriptor contains the items primary owner and group, and a discretionary access control list (DACL) granting and denying various rights to particular users and groups. Required for all installations of Password Manager.
7. Additional Permissions required for Password Manager Domain Access Account
* The permission to Create Container Objects in the System container
* The permission to Create serviceConnectionPoint objects in the System container
* The permission to Delete serviceConnectionPoint objects in the System containera) Right-Click on the System Container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for this Object and all decedent objects
g) Select Object tab
h) Apply onto This object and all child objects
i) Allow Create Container Object
j) Allow Create serviceConnectionPoint
k) Allow Delete serviceConnectionPointWhy: Password Manager needs to write the service connection point every 10 minutes to Active Directory. Technically if you do not want users having access to the SPE (Secure Password Extension) client this may be omitted. The amount of data written to this AD object is very small and therefore we suggest leaving this alone in case you decide later on to use the SPE client.
8. The Read permission for the attributes of the Group Policy Containerand serviceConnectionPoint objects in the System container
a) Right-Click on the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Objects tab
h) Apply onto Descendant Group Policy Container objects
i) Allow Read permissions
j) Apply to Descendant serviceConnectionPoint objects
k) Allow Read permissionsWhy: Password Manager needs to be able to check to see if there are any existing Service Connection Points in the environment. This is particularly important during an upgrade or when joining a new application server to an existing realm.
9. The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in the System container
a) Right-Click on the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto Descendant serviceConnectionPoint objects
i) Allow Write displayName
j) Allow Write serviceBindingInformationWhy: Password Manager uses this location for domain aliases (if used). For example, the domain name on an external-facing password reset page can be masked for security by calling the domain something else so intruders don’t see the actual domain name.
10. The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
a) Right-Click on the System Container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto Descendant serviceConnectionPoint objects)
i) Allow Write keywordsWhy: This is where Password Manager version information is stored, along with your registered company name, server URLs, etc. Password Manager needs to create this information during installation and may need to update this information post-install.
11. The Read-All and Write-All permission for the Password Settings Container container
a) Right-Click on the Password Settings Container container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto This object and all descendant objects
i) Allow Read all properties
j) Allow write all propertiesWhy: This permission is required to correctly work with Windows 2008 related Fine-Grained Password Policies.
12. The Create msDS-Password Settings object, Delete msDS-Password Settings object, Allow List contents permissions for the Password Settings Container
a) Right-Click on the Password Settings Container container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select object tab
h) Apply onto This object only
i) Allow Create msDS-Password Settings object
j) Allow Delete msDS-Password Settings object
k) Allow List contentsWhy: This permission is required to correctly work with Windows 2008 related Fine-Grained Password Policies.
13. Apply Write permissions onto 13 attributes of Descendant msDS-PasswordSettings objects:
a) Right-Click on the Password Settings Container container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Select Properties tab
h) Apply onto Descendant msDS-PasswordSettings objects
i) Allow Write to the following attributes:- msDS-LockoutDuration
- msDS-LockoutObservationWindow
- msDS-LockoutThreshold
- msDS-MaximumPasswordAge
- msDS-MinimumPasswordAge
- msDS-MinimumPasswordLength
- msDS-PasswordComplexityEnabled
- msDS-PasswordHistoryLength
- msDS-PasswordReversibleEncryption
- msDS-PasswordSettingsPrecedence
- msDS-PSOApplied
- msDS-PSOAppliesTo
- name
Why: This permission is required to correctly work with Windows 2008 related Fine-Grained Password Policies.
NOTE: Steps 14 through 17 are generally not needed if you do not plan on using the Password Manager Policy Component. However, due to the changes in Password Manager 5.x, they are required if you intend to send email notifications to users for Password Expiration notifications.
Also, if you plan on using Password Manager in a multi-forest environment, you will need to specify a unique Password Manager delegation account for each Password Manager managed domain. This is because it is not possible to make a user a member of the Group Policy Creator Owners group across multiple forests due to Active Directory scope limitations regarding security groups. You won’t be able to add users to global groups from another domain.
For more information please see: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
Also note that if you do not grant these permissions, you will see several errors in the Password Manager Event log.
14. The Write permission for the gpLink attribute on your top domain level object. i.e. mydomain.com
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Properties tab
h) Apply onto This object only
i) Allow Write gPlinkWhy: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. This permission is used to read existing GPO links and to create new GPO links based on Password Manager password policies explicitly defined within Password Manager.
15. The Write permission for the gpLink attribute of organizational Unit objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Properties tab
h) Apply onto Descendant Organizational Unit Objects)
i) Allow Write gpLinkWhy: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. This permission is used to read existing GPO links and to create new GPO links based on Password Manager Password Policies explicitly defined within Password Manager.
The following three items are new to version 4.6.1 and later. They are not required if you make the service account a member of Group Policy Creator. This is a detailed list on the actual permissions required. The permission listed below is required for all installs of Password Manager.
16. The Read permission for attributes of the groupPolicyContainer objects
a) Right-Click on your Domain and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select the Object tab
h) Apply onto groupPolicyContainer objects
i) Allow Read All PropertiesWhy: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. Password Manager is required to enforce existing group policies as well as its own, this requires read access to existing group policy items.
17. The Create and Delete groupPolicyContainer permissions in the System Policies container
a) Right-Click on your Policies container under the System container and choose Properties
b) Select Security Tab
c) Click on the Advanced button
d) On the Permissions tab, click the Add button
e) Select the service account you are working with and click OK
f) You will be viewing the Permission Entry for
g) Then select Object tab
h) Apply onto groupPolicyContainer objects
i) Allow Create groupPolicyContainer objects
j) Allow Delete groupPolicyContainer objects (Required if you use the PPM components, ignore if not)Why: The above permission is only required if you plan on using the Password Policy component of Password Manager. It is not required for a base install. Password Manager can and does create additional group policies such as password restrictions which are more restrictive than the domain default policies.
SQL database and Reporting required permissions
- When creating the database, the account specified must have permission to create a database
- When specifying the Report Server URL, the specified account must have permissions to deploy reports.Under Site Settings, add the specified account as a System Administrator
- Under the root folder (Home) at http://sqlserver/Reports, add the specified account as a Content Manager
In some environments, the specified account may have to be added explicitly as a Local Administrator on the SQL Reporting server.
Additional Information:
It is advisable to use the Password Manager service account to add managed domains and manage domain-specific data.
When you add a managed domain by using the Administration site, Password Manager creates a user account with the name _QPMStorageContainer in the Users container of that managed domain.
Password Manager uses this account to store its configuration data and to perform all its operations in the domain. If there is no Users container in the managed domain, or if the account that you specify does not have the permission to create users in the Users container, you must create the _QPMStorageContainer account manually and then disable this account before registering a managed domain.
See also:
"Set, view, change, or remove special permissions": http://technet.microsoft.com/en-us/library/cc786378.aspx
"Using ADSI Edit to Edit Active Directory Attributes": http://technet.microsoft.com/en-us/library/bb124152.aspx
"AD DS: Fine-Grained Password Policies": http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspxAdditional Information for Password Manager:
If there are issues registering users after the minimum permissions for the Password Manager Account have been completely applied, try the following:
- For any account getting access denied when trying to register, make sure "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." is checked off on the user objects permissions tab in either ADSIEDIT.
- If the scheduled task that is running to update the Service Connection Point (SCP) for Password Manager is running correctly, but if you then check (in ADSIEdit) Domain->"DC="->"CN=System"->"CN=One Identity"->"CN=Password Manager"->"CN=", the owner of "CN=" should be the Password Manager Domain Access account (check Security->Advanced->Owner Tab), if it is not, you can try deleting this SCP leaf ("CN="), and run the scheduled task again and see if the SCP gets created with the proper owner; also check the Keywords attribute to make sure the "CONFIGURATION.TIME_STAMP:" is getting stamped with the time the scheduled task has run.
Note: Keep in mind that users that are members of protected groups (AdminSDHolder) might not be able to edit their Password Manager profiles.
Additional permissions may need to be assigned for unlocking accounts. Please see:
https://support.quest.com/password-manager/kb/116232
VERY IMPORTANT NOTE: User accounts whose status change from domain admin accounts to non-domain accounts will lose inheritance on their accounts. This can result in "Access is denied" errors when trying to access their accounts in Password manager. Please see the following from https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
Orphaned AdminSDHolder Objects
When a user is removed from a protected group, the adminCount attribute on that user account does not change; the value 1 remains. Furthermore, the status of inheritance is not changed. As a result, the user account no longer receives its ACL from the AdminSDHolder object, but it also doesn't inherit any permissions from parent objects, provided inheritance has not been enabled on the AdminSDHolder object. The common term for this issue is "orphaned AdminSDHolder objects." There is no automated mechanism to fix inheritance on objects that no longer belong to protected groups; you must deal with orphaned AdminSDHolder objects manually. Microsoft has developed and made available a VB Script that will assist you in re-enabling inheritance on user accounts that were previously members of protected groups. To find the VB Script, go to Delegated permissions are not available and inheritance is automatically disabled. -
Weitere Informationen
Please note that if Password Manager is pointing to a Read only DC in the environment, Access denied errors will occur even with the correct min permissions.