As Active Roles performs operations on objects on behalf of delegated users, the Active Roles service account requires adequate permissions. It is recommended that the Active Roles proxy account be given the Domain Admin membership to ensure that Active Roles has all the required access.
It is possible to separate the tasks managed by the service account from Domain management by specifying distinct accounts for the service and for managing the Domain.
The service account credential has five main roles, two of which are optional:
Accessing local resources on the Active Roles Administration Service host
Creating the Service Connection Point in Active Directory - This functionality is not critical and does not prevent the service from functioning as expected, instead, Active Roles clients does not automatically discover the Active Roles Administration Service. Active Roles Clients will still be able to connect if the service name or IP address is available.
All script modules are executed under the security context of the Active Roles Service Account.
Connecting to the Microsoft SQL database - This is optional, as an SQL Authentication credential can also be specified.
Synchronizing native permissions to Active Directory - This is required only if Active Roles is configured to do so.
NOTE: Contact One Identity Sales for any assistance in engaging One Identity Professional Services.
Access to the Administration Service Computer
The service account must be a member of the local Administrators group on the computer running Active Roles Administration service.
Service Publication in Active Directory
For Active Roles clients to discover available Active Roles services, the service account must be able to publish itself in Active Directory. On the One Identity sub-container, under the System container in the domain, grant the following rights:
• Create Container Objects
• Create ServiceConnectionPoint Objects
Access to Managed Domains
The service account must have at least Read Permissions in any Managed Domain. In addition, the service account must have Modify Permissions rights on the Active Directory objects and containers where the Active Roles security synchronization feature will be utilized.
Fine-Grained Password Policies
Active Roles needs specific read access to be able to read fine-grained password policy objects in Active Directory (AD). If it is unable to read them, it defaults to using the Default Domain Policy, for example, for password expiry information and password generation.
To enable Active Roles to read fine-grained password policies in AD, you must assign the Listand Read permissions in each managed domain where passwords are managed, on the following container:
CN=Password Settings Container,CN=System,DC=<domain>
Access to Exchange Organizations
Exchange 2013, 2016, or 2019
To manage Exchange recipients on Exchange Server 2013, 2016, or 2019 the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. For details, see the steps that follow.
To configure the service account or the override account
- Add the account to the Recipient Management role group. For instructions, see “Manage Role Group Members” at http://technet.microsoft.com/library/jj657492(exchg.150).aspx.
- Add the account to the Account Operators domain security group.
- Enable the account to use remote Exchange Management Shell. For instructions, see “Enable remote Shell for a user” in the topic “Manage Exchange Management Shell Access” at http://technet.microsoft.com/library/dd638078(exchg.150).aspx.
- Ensure that the account can read Exchange configuration data (see Permission to read Exchange configuration data).
- Restart the Administration Service after changing the configuration of the account: Start Active Roles Configuration Center (see “Running Configuration Center” in the Active Roles Administrator Guide), go to the Administration Service page in the Configuration Center main window, and then click the Restart button at the top of the Administration Service page.
Permission to read Exchange configuration data
To perform Exchange recipient management tasks, Active Roles requires Read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights. For example the service account, is a member of the Domain Admins or Organization Management group. Otherwise, provide the account Read permission in the Microsoft Exchange container, using the ADSI Edit console.
NOTE: The following instructions apply to the ADSI Edit console that ships with Windows Server.
To provide Read access to the service account using the ADSI Edit console:
- Open the ADSI Edit console, and connect to the Configuration naming context.
- In the ADSI Edit console, navigate to the Configuration/Services container, right-click Microsoft Exchange in that container, and then click Properties.
- On the Security tab in the Properties dialog box that appears, click Advanced.
- On the Permissions tab in the Advanced Security Settings dialog box, click Add.
- On the Permission Entry page, configure the permission entry:
- Click Select a principal, and select the desired account.
- Ensure that the Type box indicates Allow.
- Ensure that the Applies onto box indicates: This object and all descendant objects.
- In the Permissions area, select the List contents and Read all properties check boxes.
- Click OK.
- Click OK to close the Advanced Security Settings dialog box, and then click OK to close the Properties dialog box.
Support for Exchange Remote Shell
When performing Exchange recipient management tasks on Exchange Server 2013 or later, Active Roles uses remote Exchange Management Shell to communicate with Exchange Server. Hence, it is not required to install the Exchange management tools on the computer running the Administration Service.
To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:
- Windows Server 2016 or a later version of the Windows Server operating system.
- Microsoft .NET Framework 4.5 installed (see “Installing the .NET Framework 4.5, 4.5.1” at https://msdn.microsoft.com/library/5a4x27ek%28VS.110%29.aspx).
- Windows Management Framework 3.0 installed (see “Windows Management Framework 3.0” at https://www.microsoft.com/en-us/download/details.aspx?id=34595).
Remote Shell also requires the following:
- TCP port 80 must be open between the computer running the Administration Service and the remote Exchange server.
- The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.
- Windows PowerShell script execution must be enabled on the computer running the Administration Service. To enable script execution for signed scripts, run the Set-ExecutionPolicy RemoteSigned command in an elevated Windows PowerShell window.