Minimum Required Permissions for Windows Asset and Directory Password Management and Sessions (4251460)

Converse agora com nosso suporte

Obtenha ajuda em tempo real
Concluir registro

Entrar

Solicitar preços

Entre em contato com o setor de vendas

Voltar

Feedback enviado

Este artigo resolveu um problema para você?

Selecione a classificação

Título

Minimum Required Permissions for Windows Asset and Directory Password Management and Sessions
Descrição

Minimum Required Permissions for Windows Asset and Directory Password Management and Sessions
Resolução

Asset Password Management - Using a Local Account or Domain Account

Test Connection, Check Connection, Password Check, Account Discovery

- Remote Enable permission on CIMV2 Namespace

- Enable Account permission on CIMV2 Namespace

- Remote Activation permission on computer

Password Change

- Member of Local Administrators Group

Domain Password Management - Using a Domain Account

Test Connection, Check Connection, Password Check, Account Discovery

- Member of Domain Users

Password Change

The Service Account needs the following Delegated Permissions on the managed user objects:

2.11 and above

- Read LockoutTime

- Write LockoutTime

- Read and Write Account Restrictions

- Reset Password

If the service account needs to change its own password the above permissions should be applied to the SELF on the service account along with:
- Change Password

2.10 and below

- Read All Properties

- Write All Properties

- Read Permissions

- Modify Permissions

- Reset Password

NOTE: In order for a non domain administrator to manage Protected Accounts (i.e Users that are members of the Domain Admins, Administrators, and Enterprise Admins groups), the rights would need to be delegated over the AdminSDHolder object in AD, to the Safeguard service account. The AD administrator can use the tool dsacls for this. For steps to delegate permissions in AD for SPP Service account to AD Protected Accounts, please refer to KB 4263587

Information from Microsoft on Protected Accounts is available here

Asset Session Access

Local Account

- Member of Remote Desktop Users group

- Defined in the “Allow log on through Remote Desktop Services” policy (directly or via group membership)

- Not defined in the “Deny log on through Remote Desktop Services” local policy (directly or via group membership)

Domain Account

- Defined in the Remote Desktop Users group or be a member of a domain security group pushed by a group policy update to the Remote Desktop Users group for that asset

- Defined in the “Allow log on through Remote Desktop Services” policy (directly or via group membership)

- Not defined in the “Deny log on through Remote Desktop Services” local policy (directly or via group membership)
Solicitação de alteração

197685

Feedback enviado

Este artigo resolveu um problema para você?

Selecione a classificação

Solicitar um artigo da base de conhecimento

Conteúdo recomendado

Produto(s):: One Identity Safeguard for Privileged Passwords
7.0 LTS, 6.13.1, 6.13, 6.12.1, 6.12, 6.11.1, 6.11, 6.10.1, 6.10, 6.9.x, 6.8, 6.7.3, 6.7.2, 6.7.1, 6.7, 6.6, 2.11.2, 2.11.1, 2.11, 2.10, 2.9, 2.8.1, 2.8, 2.7, 2.6; Safeguard On Demand
Hosted; Safeguard for Privileged Passwords On Demand
Hosted

Tópico(s):: Configuration

Histórico do artigo:: Criado em: 3/22/2018
Última atualização em: 7/4/2024

Search All Articles

Selecione seu produto:

Para podermos atendê-lo melhor, informe o Propósito de seu chat:

Soluções recomendadas para seu problema

Minimum Required Permissions for Windows Asset and Directory Password Management and Sessions (4251460)

Título

Descrição

Resolução

Solicitação de alteração

Leave a Comment