What are the steps required to assign only the minimum permissions so Password Manager will function?
NOTE: The configuration is encrypted with the last service account that was configured for Password Manager. When you change the account or update its password, it is mandatory to update all Password Manager services; otherwise the PMAdmin website will not load, or services will fail to start. After the permissions are set correctly, follow this article to switch the account: Changing the Password Manager Service Account.
Password Manager Service Account
The Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
Application Pool Identity
The Application Pool Identity is an account under which the IIS application pool's worker process runs. The account you specify as the application pool identity during the Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
• This account must be a member of the IIS_IUSRS local group on the Password Manager server.
• This account must have permissions to create files in the \App_Data folder.
• This account must have the Full Control permission on the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.
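The three local grants above can be applied and verified from an elevated Windows PowerShell prompt on the Password Manager web server. The script below is an added example and is not part of this article or of the Password Manager product; the account name EXAMPLE\svc-pmpool and the App_Data path are placeholders (the article does not state the install path), so adjust both to your installation.

```powershell
# Added example, not from the One Identity article. Grants an application pool
# identity the minimum local permissions listed above and prints the resulting ACEs.
# Assumptions (hypothetical): account EXAMPLE\svc-pmpool; App_Data under the
# default web root. Run elevated on the Password Manager web server.
param(
    [string]$PoolIdentity = 'EXAMPLE\svc-pmpool',
    [string]$AppData      = 'C:\Program Files\One Identity\Password Manager\Web\App_Data',
    [string]$RegKey       = 'HKLM:\SOFTWARE\One Identity\Password Manager'
)

# 1. IIS_IUSRS membership (idempotent: skip if the account is already a member).
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $PoolIdentity -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $PoolIdentity
}

# 2. Create files in \App_Data. 'Write' covers CreateFiles/WriteData and
#    CreateDirectories/AppendData; ReadAndExecute lets the worker process read
#    what it wrote. Use 'Modify' instead only if the site must also delete files.
$fsAcl  = Get-Acl -Path $AppData
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $PoolIdentity, 'ReadAndExecute, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $AppData -AclObject $fsAcl

# 3. Full Control on the Password Manager registry key, inherited by its subkeys.
$regAcl  = Get-Acl -Path $RegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $PoolIdentity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# Verification: show only the ACEs that apply to the pool identity.
Get-LocalGroupMember -Group 'IIS_IUSRS' | Where-Object Name -eq $PoolIdentity
(Get-Acl -Path $AppData).Access | Where-Object IdentityReference -eq $PoolIdentity |
    Select-Object FileSystemRights, InheritanceFlags, AccessControlType
(Get-Acl -Path $RegKey).Access  | Where-Object IdentityReference -eq $PoolIdentity |
    Select-Object RegistryRights, InheritanceFlags, AccessControlType
```

Because the rules are added with AddAccessRule rather than by replacing the ACL, re-running the script does not remove any existing permissions; check the verification output for duplicate ACEs if you run it more than once.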
Domain Management Account
When adding a Domain Connection, you must specify a service account with which Password Manager will access the domain. Before adding a domain, ensure that this service account has sufficient permissions to perform password management related tasks in the domain. The simplest option is to make the service account a member of Domain Admins, because that group already has all of the required permissions; it also grants far more than Password Manager needs.
If the Password Manager service account cannot be added to Domain Admins because of security or internal company restrictions, all of the permissions outlined in this Solution are required.
For each domain connection added, the following permissions are required at a minimum:
Membership in the Domain Users group
The Read permission for all attributes of user objects
The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
NOTE: If the Storage attribute for Security questions under the Reinitialization page is set to a custom value (such as userParameters), the Write permission must be granted on that attribute instead of the comment attribute.
The right to reset user passwords
The permission to create user accounts and containers in the Users container
The Read permission for attributes of the organizationalUnit object and domain objects
The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
The permission to create container objects in the System container
The permission to create the serviceConnectionPoint objects in the System container
The permission to delete the serviceConnectionPoint objects in the System container
The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
If you want to use the same domain connection in password policies, as well, make sure the account has the following permissions:
The Read permission for attributes of the groupPolicyContainer objects.
The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects.
The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
The Read, List and Write permission for the following attributes of the msDS-PasswordSettings object:
msDS-LockoutDuration
msDS-LockoutThreshold
msDS-MaximumPasswordAge
msDS-MinimumPasswordAge
msDS-MinimumPasswordLength
msDS-PasswordComplexityEnabled
msDS-PasswordHistoryLength
msDS-PasswordReversibleEncryption
msDS-PasswordSettingsPrecedence
msDS-PSOApplied
msDS-PSOAppliesTo
name
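The two permission sets above (the per-domain minimum, and the additional rights needed when the same connection is used in password policies) can be delegated with the ActiveDirectory module instead of clicking through ADSI Edit. The script below is an added example, not part of this article or of the Password Manager product. It assumes Windows PowerShell 5.1 with RSAT on a domain-joined machine (the AD: drive is not available in PowerShell 7), a hypothetical service account named svc-pwm, and that "Group Policy containers" means the CN=Policies,CN=System container; it resolves every attribute, class and extended-right GUID from the schema at run time rather than hard-coding them.

```powershell
# Added example, not from the One Identity article. Delegates the minimum Domain
# Management permissions listed above to a service account; -IncludePolicyRights
# adds the password-policy set. Assumptions (hypothetical): account 'svc-pwm';
# "Group Policy containers" = CN=Policies,CN=System. Run as a user allowed to
# modify these ACLs and review each ACE it prints before relying on it.
param(
    [string]$ServiceAccount = 'svc-pwm',
    [switch]$IncludePolicyRights
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$sid      = (Get-ADUser -Identity $ServiceAccount).SID

# Resolve GUIDs by name so nothing is hard-coded for this forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# Add one ACE. $ObjectType is an attribute, class or extended-right GUID (empty =
# all); $InheritedClass limits the ACE to descendant objects of that class.
function Add-PmAce {
    param(
        [string]$Path,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [string]$InheritedClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $inhGuid = if ($InheritedClass) { Get-SchemaGuid $InheritedClass } else { [guid]::Empty }
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $inhGuid)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
    Write-Host ("{0,-28} {1,-36} {2}" -f $Rights, $ObjectType, $Path)
}

$usersCN    = "CN=Users,$domainDN"
$systemCN   = "CN=System,$domainDN"
$policiesCN = "CN=Policies,$systemCN"           # assumed "Group Policy containers"

# User objects: read all attributes, write four attributes, reset passwords.
Add-PmAce -Path $domainDN -Rights ReadProperty -InheritedClass user
foreach ($attr in 'pwdLastSet','comment','userAccountControl','lockoutTime') {
    Add-PmAce -Path $domainDN -Rights WriteProperty -ObjectType (Get-SchemaGuid $attr) -InheritedClass user
}
Add-PmAce -Path $domainDN -Rights ExtendedRight -ObjectType (Get-RightsGuid 'Reset Password') -InheritedClass user

# Users container: create user accounts and containers (for _QPMStorageContainer).
foreach ($cls in 'user','container') {
    Add-PmAce -Path $usersCN -Rights CreateChild -ObjectType (Get-SchemaGuid $cls) -Inheritance None
}

# OU and domain objects: read attributes, write gpLink.
$gpLink = Get-SchemaGuid gpLink
Add-PmAce -Path $domainDN -Rights ReadProperty  -InheritedClass organizationalUnit
Add-PmAce -Path $domainDN -Rights ReadProperty  -Inheritance None
Add-PmAce -Path $domainDN -Rights WriteProperty -ObjectType $gpLink -InheritedClass organizationalUnit
Add-PmAce -Path $domainDN -Rights WriteProperty -ObjectType $gpLink -Inheritance None

# System container: create containers, create/delete SCPs, write keywords on SCPs.
Add-PmAce -Path $systemCN -Rights CreateChild -ObjectType (Get-SchemaGuid container) -Inheritance None
Add-PmAce -Path $systemCN -Rights 'CreateChild, DeleteChild' -ObjectType (Get-SchemaGuid serviceConnectionPoint) -Inheritance None
Add-PmAce -Path $systemCN -Rights WriteProperty -ObjectType (Get-SchemaGuid keywords) -InheritedClass serviceConnectionPoint
foreach ($cls in 'container','serviceConnectionPoint') {
    Add-PmAce -Path $policiesCN -Rights ReadProperty -InheritedClass $cls
}

if ($IncludePolicyRights) {
    Add-PmAce -Path $policiesCN -Rights ReadProperty -InheritedClass groupPolicyContainer
    Add-PmAce -Path $policiesCN -Rights ReadControl  -InheritedClass groupPolicyContainer   # nTSecurityDescriptor
    Add-PmAce -Path $policiesCN -Rights 'CreateChild, DeleteChild' -ObjectType (Get-SchemaGuid groupPolicyContainer) -Inheritance None
    foreach ($cls in 'container','serviceConnectionPoint') {
        Add-PmAce -Path $policiesCN -Rights 'CreateChild, DeleteChild' -ObjectType (Get-SchemaGuid $cls) -Inheritance All
    }
    foreach ($attr in 'serviceBindingInformation','displayName') {
        Add-PmAce -Path $policiesCN -Rights WriteProperty -ObjectType (Get-SchemaGuid $attr) -InheritedClass serviceConnectionPoint
    }
    $psoCN = "CN=Password Settings Container,$systemCN"
    Add-PmAce -Path $psoCN -Rights ListChildren -Inheritance None
    foreach ($attr in 'msDS-LockoutDuration','msDS-LockoutThreshold','msDS-MaximumPasswordAge','msDS-MinimumPasswordAge',
                      'msDS-MinimumPasswordLength','msDS-PasswordComplexityEnabled','msDS-PasswordHistoryLength',
                      'msDS-PasswordReversibleEncryption','msDS-PasswordSettingsPrecedence','msDS-PSOApplied','msDS-PSOAppliesTo','name') {
        Add-PmAce -Path $psoCN -Rights 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid $attr) -InheritedClass 'msDS-PasswordSettings'
    }
}
```

Membership in Domain Users is not granted here because every domain user account has it by default. The per-domain ACEs are placed on the domain root and inherited to user and organizationalUnit objects; if your user accounts live only in a few OUs, narrow $domainDN in the user-object section to those OUs for a smaller grant. Run the script once; AddAccessRule appends rather than replaces, so repeated runs add duplicate ACEs.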
SQL database and Reporting required permissions
In some environments, the specified account may have to be added explicitly as a Local Administrator on the SQL Reporting server.
Additional Information:
It is advisable to use the Password Manager service account to add managed domains and manage domain-specific data.
When you add a managed domain by using the Administration site (PMAdmin), Password Manager creates a user account with the name _QPMStorageContainer in the Users container of that managed domain. Password Manager uses this account to store its configuration data and to perform all its operations in the domain. If there is no Users container in the managed domain, or if the account that you specify does not have the permission to create users in the Users container, you must create the _QPMStorageContainer account manually and then disable this account before registering a managed domain.
See also:
"Set, view, change, or remove special permissions": http://technet.microsoft.com/en-us/library/cc786378.aspx
"Using ADSI Edit to Edit Active Directory Attributes": http://technet.microsoft.com/en-us/library/bb124152.aspx
"AD DS: Fine-Grained Password Policies": http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Additional Information for Password Manager:
If there are issues registering users after the minimum permissions for the Password Manager account have been completely applied, check the following:
Note: Users who are members of protected groups (AdminSDHolder) might not be able to edit their Password Manager profiles.
VERY IMPORTANT NOTE: User accounts that were once members of a protected group (for example, Domain Admins) and were later removed keep the ACL that AdminSDHolder applied, with permission inheritance still disabled, so the permissions delegated above never reach them. This results in "Access is denied" errors when Password Manager tries to access those accounts. Please see the section "Orphaned AdminSDHolder Objects" in https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
© 2024 One Identity LLC. ALL RIGHTS RESERVED.