Delegating AD permissions for a Safeguard service account
These examples use the following environment:
Domain = yourdomain.com
Service account = sg_sa
Windows Server 2016
How to delegate permissions for AD standard users
From Active Directory Users & Computers, right-click the domain name and select “Delegate Control”. Select Next and add the service account.
Select Next. Select “Create a custom task to delegate”.
Select Next. Select “Only the following objects in the folder” and tick “User objects”.
Select Next. Tick “General” and “Property-specific”.
Tick the following permissions:
“Reset Password”
“Read and write account restrictions”
“Read lockoutTime”
“Write lockoutTime”
Select Next & Finish.
How to delegate permissions to AD Protected Accounts
By default in AD, the SDProp process (run by the PDC emulator every 60 minutes) overwrites the ACL of every Protected Account (members of the Domain Admins, Enterprise Admins and Administrators groups, among other protected groups) with the ACL of the AdminSDHolder object and disables inheritance on it, so the delegation above never reaches those accounts and any custom ACE added directly to them is reverted within the hour.
For a Safeguard delegated account to manage a Protected Account, the permissions must instead be granted on the AdminSDHolder object itself, from where SDProp copies them onto every protected account. Note that this gives the service account the ability to reset the password of every protected account, Domain Admins included, so it must be secured as a Tier 0 credential.
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:CA;"Reset Password"
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"Account Restrictions"
dsacls CN=AdminSDHolder,CN=System,DC=YOURDOMAIN,DC=COM /G YOURDOMAIN\sg_sa:WP;"LockoutTime"
Then wait for SDProp to apply these permissions (60 minutes by default). An administrator can trigger a run immediately by writing runProtectAdminGroupsTask = 1 to the rootDSE of the PDC emulator (for example with ldp.exe).
How to validate permissions
In ADUC, go to View and ensure “Advanced Features” is ticked.
Select a managed user over whom the service account should have permissions. Right-click and select Properties. Select the user's “Security” tab.
Click the “Advanced” button.
Select the “Effective Access” tab
Click “Select a user”
Select the service account
Click “View effective access”
Validate that “Reset Password”, “Read account restrictions”, “Write account restrictions”, “Read lockoutTime” and “Write lockoutTime” are all ticked.
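The three procedures above (the “Delegate Control” wizard for standard users, the dsacls commands for AdminSDHolder, and the permission check) can also be scripted. The following is an added example written for this page; it is not code from the original page or from Safeguard. It assumes the RSAT ActiveDirectory module, a session running as an account allowed to edit the domain root and AdminSDHolder ACLs, and the page's placeholders (domain yourdomain.com, service account sg_sa). The function names are the example's own. Rather than hard-coding the well-known GUIDs, it resolves “user”, “Reset Password”, “Account Restrictions” and “lockoutTime” from the schema and the Extended-Rights container, and it grants read and write on the two properties on AdminSDHolder (the page's dsacls commands grant write only) so the same read/write checks apply to protected accounts.

```powershell
# Added example, not from the original page or from Safeguard. Assumes RSAT
# ActiveDirectory module and rights to modify the domain and AdminSDHolder ACLs.
Import-Module ActiveDirectory

$RootDse  = Get-ADRootDSE
$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName
$SdHolder = "CN=AdminSDHolder,CN=System,$DomainDn"

# Resolve a class or attribute name to its schemaIDGUID from the schema partition.
function Get-AdSchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}
# Resolve an extended right or property set (both live under Extended-Rights) to its rightsGuid.
function Get-AdRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "extended right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$UserClass     = Get-AdSchemaGuid 'user'
$ResetPassword = Get-AdRightGuid  'Reset Password'        # extended right
$AcctRestrict  = Get-AdRightGuid  'Account Restrictions'  # property set
$LockoutTime   = Get-AdSchemaGuid 'lockoutTime'           # single attribute

# Build one ACE. $InheritToUsers = $true matches the wizard's "Only the following
# objects in the folder: User objects" (and dsacls /I:S ...;user); $false applies
# to the target object only, which is what the page's AdminSDHolder commands do.
function New-SgAce([System.Security.Principal.SecurityIdentifier]$Sid,
                   [System.DirectoryServices.ActiveDirectoryRights]$Rights,
                   [guid]$ObjectType, [bool]$InheritToUsers) {
    if ($InheritToUsers) {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Rights, 'Allow', $ObjectType, 'Descendents', $UserClass)
    } else {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Rights, 'Allow', $ObjectType)
    }
}

# Grant the delegation on the domain root (standard users, inherited) and on
# AdminSDHolder (protected accounts, stamped by SDProp).
function Grant-SgDelegation([string]$ServiceAccount) {
    $sid = (Get-ADUser -Identity $ServiceAccount).SID
    foreach ($target in @($DomainDn, $SdHolder)) {
        $inherit = ($target -eq $DomainDn)
        $acl = Get-Acl -Path "AD:\$target"
        $acl.AddAccessRule((New-SgAce $sid 'ExtendedRight' $ResetPassword $inherit))
        $acl.AddAccessRule((New-SgAce $sid 'ReadProperty, WriteProperty' $AcctRestrict $inherit))
        $acl.AddAccessRule((New-SgAce $sid 'ReadProperty, WriteProperty' $LockoutTime $inherit))
        Set-Acl -Path "AD:\$target" -AclObject $acl
    }
}

# Ask the PDC emulator to run SDProp now instead of waiting for the 60-minute cycle.
function Invoke-SdProp([string]$DcName = $Domain.PDCEmulator) {
    $root = [adsi]"LDAP://$DcName/RootDSE"
    $root.Put('runProtectAdminGroupsTask', 1)
    $root.SetInfo()
}

# Check step: list the ACEs for the service account on a given user object and name
# what each one grants. Inherited = True means it came from the domain delegation;
# False on a protected account means it was stamped from AdminSDHolder.
function Get-SgDelegationAces([string]$ServiceAccount, [string]$UserSam) {
    $sid   = (Get-ADUser -Identity $ServiceAccount).SID
    $dn    = (Get-ADUser -Identity $UserSam).DistinguishedName
    $names = @{ $ResetPassword = 'Reset Password'; $AcctRestrict = 'Account Restrictions'; $LockoutTime = 'lockoutTime' }
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        ForEach-Object {
            [pscustomobject]@{
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = if ($names.ContainsKey($_.ObjectType)) { $names[$_.ObjectType] } else { $_.ObjectType }
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# Usage (modifies the domain; run deliberately):
#   Grant-SgDelegation -ServiceAccount 'sg_sa'
#   Invoke-SdProp
#   Get-SgDelegationAces -ServiceAccount 'sg_sa' -UserSam 'someuser' | Format-Table
```

Get-SgDelegationAces lists only ACEs that name the service account directly; unlike the “Effective Access” tab it does not account for rights the account inherits through group membership or for Deny entries elsewhere in the ACL, so use the GUI check for the final sign-off.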