When a "Windows Active Dir" platform is added as a managed system, what are the minimum Active Directory permissions required for the functional account to manage domain accounts, i.e. reset passwords?
What Active Directory permissions are required for the functional account, if unable to use a Domain Administrator account as the functional account?
The functional account is not required to be a Domain Administrator. The non-admin user requires the following permissions delegated to it so that the functional account can change passwords:
Permissions on USER OBJECTS:
- LockoutTime (Read/Write)
- Account Restrictions (Read/Write)
- Reset Password
NOTE: In order for a non-domain-administrator account to manage Protected AD Groups/Accounts (e.g. Domain Admins, Administrators, and Enterprise Admins), you need to take special steps in AD to ensure the delegated rights are not removed. The AD administrator can use the tool dsacls for this.
For more information on this, refer to the Microsoft TechNet article "AdminSDHolder, Protected Groups and SDPROP".
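One way to apply exactly these three delegations to an OU with PowerShell, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, a session that may modify the OU's ACL, and placeholder names for the functional account and OU; every GUID is looked up from the directory rather than hard-coded.

```powershell
# Added example (not from the KB article): delegate LockoutTime R/W, Account Restrictions R/W
# and Reset Password on user objects under one OU to the functional account.
Import-Module ActiveDirectory

$FunctionalAccount = 'CORP\svc-pwdsafe'                     # placeholder functional account
$TargetOU          = 'OU=Managed Users,DC=corp,DC=example'  # placeholder OU holding managed users

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve the object-type GUIDs from the schema and Extended-Rights container.
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID).schemaIDGUID
$lockoutGuid   = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase $rightsDN -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$acctRestrGuid = [guid](Get-ADObject -SearchBase $rightsDN -LDAPFilter '(displayName=Account Restrictions)' -Properties rightsGuid).rightsGuid

$sid     = (New-Object System.Security.Principal.NTAccount($FunctionalAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # descendant objects only
$rwProp  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$TargetOU"

# LockoutTime (Read/Write), scoped to user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rwProp, $allow, $lockoutGuid, $inherit, $userClassGuid)))

# Account Restrictions property set (Read/Write), scoped to user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rwProp, $allow, $acctRestrGuid, $inherit, $userClassGuid)))

# Reset Password extended right, scoped to user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $extRight, $allow, $resetPwdGuid, $inherit, $userClassGuid)))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs granted to the functional account
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $FunctionalAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

As the NOTE above says, these ACEs are not inherited by members of protected groups because SDPROP re-applies the AdminSDHolder descriptor to them, so the verification step will not show them on those accounts.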