What are the steps required to assign only the minimum permissions so Password Manager will function?
NOTE: The configuration is encrypted with the last service account that was configured for Password Manager. It is mandatory to update all services when changing the account or updating the password will cause PMAdmin website not to load or other issues with services not starting. Please follow this article to switch the account after the permissions are set correctly: Changing the Password Manager Service Account.
Password Manager Service Account
The Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
Application Pool Identity
The Application Pool Identity is an account under which the IIS application pool's worker process runs. The account you specify as the application pool identity during the Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
•This account must be a member of the IIS_IUSRS local group on the Password Manager server.
•This account must have permissions to create files in the \App_Data folder.
•Application pool identity account must have the Full Control permission set for the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.
Domain Management Account
When adding a Domain Connection, you must specify a service account in which Password Manager will access the domain. Before adding a domain, ensure that this service account has sufficient permissions to perform password management related tasks in the domain. Ideally the service account should be a member of Domain Admins as this group already has all of the required permissions.
However, if the Password Manager service account cannot be added to Domain Admins due to security and internal company restrictions, all of the permissions outlined in this Solution are required.
For each domain connection added, the following permissions are required at a minimum:
Membership in the Domain Users group
The Read permission for all attributes of user objects
The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
NOTE: If the Storage attribute for Security questions under the Reinitialization page is a custom value (such as userParameters), then the Write permissions must be provided for that attribute instead of Comment attribute.
The right to reset user passwords
The permission to create user accounts and containers in the Users container
The Read permission for attributes of the organizationalUnit object and domain objects
The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
The permission to create container objects in the System container
The permission to create the serviceConnectionPoint objects in the System container
The permission to delete the serviceConnectionPoint objects in the System container
The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
If you want to use the same domain connection in password policies, as well, make sure the account has the following permissions:
The Read permission for attributes of the groupPolicyContainer objects.
The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.
The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
The Read, List and Write permission for the following attributes of the msDS-PasswordSettings object:
msDS-LockoutDuration
msDS-LockoutThreshold
msDS-MaximumPasswordAge
msDS-MinimumPasswordAge
msDS-MinimumPasswordLength
msDS-PasswordComplexityEnabled
msDS-PasswordHistoryLength
msDS-PasswordReversibleEncryption
msDS-PasswordSettingsPrecedence
msDS-PSOApplied
msDS-PSOAppliesTo
name
SQL database and Reporting required permissions
In some environments, the specified account may have to be added explicitly as a Local Administrator on the SQL Reporting server.
Additional Information:
It is advisable to use the Password Manager service account to add managed domains and manage domain-specific data.
When you add a managed domain by using the Administration site (PMAdmin), Password Manager creates a user account with the name _QPMStorageContainer in the Users container of that managed domain. Password Manager uses this account to store its configuration data and to perform all its operations in the domain. If there is no Users container in the managed domain, or if the account that you specify does not have the permission to create users in the Users container, you must create the _QPMStorageContainer account manually and then disable this account before registering a managed domain.
See also:
"Set, view, change, or remove special permissions": http://technet.microsoft.com/en-us/library/cc786378.aspx
"Using ADSI Edit to Edit Active Directory Attributes": http://technet.microsoft.com/en-us/library/bb124152.aspx
"AD DS: Fine-Grained Password Policies": http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Additional Information for Password Manager:
If there are issues registering users after the minimum permissions for the Password Manager Account have been completely applied, try the following:
Note: Users who are members of protected groups (AdminSDHolder) might not be able to edit their Password Manager profiles.
VERY IMPORTANT NOTE: User accounts whose status changes from domain admin accounts to non-domain accounts will lose inheritance on their accounts. This can result in "Access is denied" errors when trying to access their accounts in Password Manager. Please see the following from https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
Orphaned AdminSDHolder Objects
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center