Delegating AD permissions for a Safeguard service account
These examples use the following environment:
Domain = yourdomain.com
Service account = sg_sa
How to delegate permissions for AD standard users
From Active Directory Users & Computers, right click on the Domain name and select “Delegate Control” | Next | Add the service account
Select Next. Select “Create a custom task to delegate”
Select “Next”. Select “Only the follow objects in the folder”, and tick “User objects”.
Select “Next”. Tick “General” and “Property-specific”.
Tick the permissions
“Read and write account restrictions”
Select Next & Finish.
How to delegate permissions to AD Protected Accounts
By default in AD, any user that is a Protected Account (Members of the Domain Admins, Administrators, and Enterprise Admins groups) will have any custom ACLs reverted every 60 minutes.
In order for a Safeguard delegated account to manage the account, the adminSDHolder object permissions would need to be changed.
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:CA;"Reset Password"
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"Account Restrictions"
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"LockoutTime"
Then wait for the SDprop process to apply these permissions
How to validate permissions
From ADUC. Go to View | and ensure “Advanced Features” is ticked
Select a managed user who the service account should have permissions over. Right click and select Properties. Select the users “Security” tab.
Click the “Advanced” button.
Select the “Effective Access” tab
Click “Select a user”
Select the service account
Click “View effective access”
Validate that “Reset Password”, “Read account restrictions”, “Write account restrictions”, “Read lockoutTime” and “Write lockOutTime” are all ticked.