Asset Password Management - Using a Local Account or Domain Account
Test Connection, Check Connection, Password Check, Account Discovery
- Remote Enable permission on CIMV2 Namespace
- Enable Account permission on CIMV2 Namespace
- Remote Activation permission on computer
Password Change
- Member of Local Administrators Group
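The following PowerShell script is an added example, not part of this KB or of the Safeguard product, for checking the three asset permissions listed above ("Enable Account" and "Remote Enable" on the CIMV2 namespace, and "Remote Activation" in the machine-wide DCOM launch limits) for a given account on a Windows asset. Run it on the asset itself as a local administrator. The account name is an assumed placeholder, and the `-MemberOf` list is how you tell the script which groups the account belongs to so that rights granted to those groups (for example Local Administrators) are credited.

```powershell
# Added example (not from the KB): audit the WMI namespace and DCOM rights that
# Test Connection / Check Connection / Password Check / Account Discovery need.
param(
    [Parameter(Mandatory)][string]$Account,   # e.g. 'EXAMPLE\svc-safeguard' (assumed placeholder)
    [string[]]$MemberOf = @(),                # groups the account is a member of, e.g. 'BUILTIN\Administrators'
    [string]$Namespace  = 'root/cimv2'
)

# Access-mask bits from WbemCli.h (namespace security) and the DCOM COM_RIGHTS_* constants
$WBEM_ENABLE                = 0x01   # "Enable Account"
$WBEM_REMOTE_ACCESS         = 0x20   # "Remote Enable"
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # "Remote Activation"

function ConvertTo-Sid([string]$name) {
    (New-Object System.Security.Principal.NTAccount($name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# SIDs credited to the account: the account itself plus the groups the caller says it is in
$sids = @(@($Account) + $MemberOf | ForEach-Object { ConvertTo-Sid $_ })

# --- WMI namespace security: read the DACL of __SystemSecurity for the namespace ---
$sec  = Get-CimInstance -Namespace $Namespace -ClassName __SystemSecurity
$dacl = (Invoke-CimMethod -InputObject $sec -MethodName GetSecurityDescriptor).Descriptor.DACL
$wmiAllow = 0; $wmiDeny = 0
foreach ($ace in $dacl) {
    if ($sids -notcontains $ace.Trustee.SIDString) { continue }
    if ($ace.AceType -eq 0) { $wmiAllow = $wmiAllow -bor $ace.AccessMask }   # ACCESS_ALLOWED
    else                    { $wmiDeny  = $wmiDeny  -bor $ace.AccessMask }   # ACCESS_DENIED
}
$wmiEffective = $wmiAllow -band (-bnot $wmiDeny)

# --- DCOM machine-wide launch/activation limits (MachineLaunchRestriction, a binary SD) ---
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$remoteActivation = 'limit not set: Windows defaults apply (review in dcomcnfg > COM Security > Edit Limits)'
if ($ole.MachineLaunchRestriction) {
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor(
        [byte[]]$ole.MachineLaunchRestriction, 0)
    $dcomAllow = 0; $dcomDeny = 0
    foreach ($ace in $raw.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($sids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $dcomAllow = $dcomAllow -bor $ace.AccessMask
        } else {
            $dcomDeny  = $dcomDeny  -bor $ace.AccessMask
        }
    }
    $remoteActivation = [bool](($dcomAllow -band (-bnot $dcomDeny)) -band $COM_RIGHTS_ACTIVATE_REMOTE)
}

# One row: $true means the right is effectively granted to the account or one of its groups
[pscustomobject]@{
    Account          = $Account
    Namespace        = $Namespace
    EnableAccount    = [bool]($wmiEffective -band $WBEM_ENABLE)
    RemoteEnable     = [bool]($wmiEffective -band $WBEM_REMOTE_ACCESS)
    RemoteActivation = $remoteActivation
}
```

Deny ACEs are subtracted from allow ACEs, so an account in Local Administrators still shows `$false` if an explicit deny exists for it. When the DCOM limit value is absent the script does not guess the default; check the effective limits in Component Services as the output says.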
Domain Password Management - Using a Domain Account
Test Connection, Check Connection, Password Check, Account Discovery
- Member of Domain Users
Password Change
The Service Account needs the following Delegated Permissions on the managed user objects:
2.11 and above
- Read LockoutTime
- Write LockoutTime
- Read and Write Account Restrictions
- Reset Password
If the service account needs to change its own password, the permissions above should be applied to SELF on the service account's own user object, along with:
- Change Password
2.10 and below
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Reset Password
NOTE: For a service account that is not a domain administrator to manage Protected Accounts (i.e. users that are members of the Domain Admins, Administrators, and Enterprise Admins groups), the rights must be delegated to the Safeguard service account on the AdminSDHolder object in AD. The AD administrator can use the dsacls tool for this. For the steps to delegate permissions in AD for the SPP service account over AD Protected Accounts, please refer to KB 4263587.
Information from Microsoft on Protected Accounts is available here.
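The script below is an added example, not part of this KB, showing one way to delegate the "2.11 and above" permissions listed above with the ActiveDirectory PowerShell module; the KB names dsacls for the same task. By default it grants Reset Password, Read/Write LockoutTime and Read/Write Account Restrictions to the service account on an OU, inherited by the user objects beneath it. With `-Self` it instead grants those rights plus Change Password to NT AUTHORITY\SELF on the service account's own object, which is the case the KB describes for a service account that changes its own password. The service account name and OU path are assumed placeholders; object-type GUIDs are looked up in the forest's schema and Extended-Rights container rather than hardcoded.

```powershell
# Added example (not from the KB): delegate the Safeguard 2.11+ rights over an OU,
# or to SELF on the service account's own object when -Self is given.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-safeguard',                  # assumed placeholder
    [string]$TargetDN       = 'OU=Managed Accounts,DC=example,DC=com',  # assumed placeholder
    [switch]$Self
)
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Resolve the GUIDs that identify attributes, property sets and extended rights
# from this forest instead of hardcoding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$svcSid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
              [System.Security.Principal.SecurityIdentifier])

if ($Self) {
    # Grant to NT AUTHORITY\SELF on the service account's own object, no inheritance
    $identity = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
    $TargetDN = (Get-ADUser -Identity $svcSid.Value).DistinguishedName
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $inhClass = [guid]::Empty
} else {
    # Grant to the service account on the OU, inherited by user objects beneath it
    $identity = $svcSid
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $inhClass = Get-SchemaGuid 'user'
}

# The KB's "2.11 and above" list, as (rights, object type) pairs
$grants = @(
    @{ Rights = 'ExtendedRight';               Type = Get-RightsGuid 'Reset Password' }        # Reset Password
    @{ Rights = 'ReadProperty, WriteProperty'; Type = Get-SchemaGuid 'lockoutTime' }           # Read/Write LockoutTime
    @{ Rights = 'ReadProperty, WriteProperty'; Type = Get-RightsGuid 'Account Restrictions' }  # Read/Write Account Restrictions
)
if ($Self) {
    $grants += @{ Rights = 'ExtendedRight'; Type = Get-RightsGuid 'Change Password' }          # Change Password (SELF only)
}

$aclPath = "AD:\$TargetDN"
$acl = Get-Acl -Path $aclPath
foreach ($g in $grants) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]$g.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $g.Type, $inherit, $inhClass)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $aclPath -AclObject $acl

# Show what is now delegated to the chosen identity on the target
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $identity } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run it as an account that can modify the ACL of the target OU (or of the service account object when using `-Self`). Delegating on an OU does not reach Protected Accounts, which is why the NOTE above points to AdminSDHolder for those.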
Asset Session Access
Local Account
- Member of Remote Desktop Users group
- Defined in the “Allow log on through Remote Desktop Services” policy (directly or via group membership)
- Not defined in the “Deny log on through Remote Desktop Services” local policy (directly or via group membership)
Domain Account
- Member of the Remote Desktop Users group, either directly or through a domain security group that a group policy update adds to the Remote Desktop Users group on that asset
- Defined in the “Allow log on through Remote Desktop Services” policy (directly or via group membership)
- Not defined in the “Deny log on through Remote Desktop Services” local policy (directly or via group membership)
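The script below is an added example, not part of this KB, for checking the session-access conditions above on a Windows asset: membership of Remote Desktop Users (directly or through a group), presence in "Allow log on through Remote Desktop Services", and absence from "Deny log on through Remote Desktop Services". It reads the effective user rights from the local security database with `secedit`, so rights applied by group policy are included. Run it on the asset as a local administrator. The account name is an assumed placeholder; for a domain account, pass the domain groups it belongs to with `-ExtraGroups` so that a group pushed into Remote Desktop Users by group policy is credited.

```powershell
# Added example (not from the KB): check the RDP session-access requirements for an account.
param(
    [Parameter(Mandatory)][string]$Account,   # e.g. 'EXAMPLE\svc-user' or 'HOSTNAME\localuser' (assumed placeholders)
    [string[]]$ExtraGroups = @()              # domain groups the account is a member of
)

function ConvertTo-Sid([string]$name) {
    (New-Object System.Security.Principal.NTAccount($name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. SIDs credited to the account: itself, the caller-supplied domain groups, and every
#    local group that contains any of those (this covers Remote Desktop Users and
#    Administrators, both of which matter for the user rights below).
$sids = @(@($Account) + $ExtraGroups | ForEach-Object { ConvertTo-Sid $_ })
foreach ($group in Get-LocalGroup) {
    try   { $memberSids = @(Get-LocalGroupMember -Group $group -ErrorAction Stop).SID.Value }
    catch { continue }   # e.g. a group holding an orphaned SID that cannot be resolved
    if (@($memberSids | Where-Object { $sids -contains $_ }).Count -gt 0) {
        $sids += $group.SID.Value
    }
}
$rdpUsersSid = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users
$inRdpUsers  = $sids -contains $rdpUsersSid

# 2. Effective user rights: export USER_RIGHTS and parse lines such as
#    SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') | ForEach-Object {
            $v = $_.Trim().TrimStart('*')
            if ($v -like 'S-1-*') { $v } else { try { ConvertTo-Sid $v } catch { $v } }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Test-RightHolder([string]$right) {
    @($rights[$right] | Where-Object { $sids -contains $_ }).Count -gt 0
}
$allowRdp = Test-RightHolder 'SeRemoteInteractiveLogonRight'       # "Allow log on through Remote Desktop Services"
$denyRdp  = Test-RightHolder 'SeDenyRemoteInteractiveLogonRight'   # "Deny log on through Remote Desktop Services"

[pscustomobject]@{
    Account                  = $Account
    RemoteDesktopUsersMember = $inRdpUsers
    AllowLogOnThroughRDS     = $allowRdp
    DenyLogOnThroughRDS      = $denyRdp
    SessionAccessExpected    = $inRdpUsers -and $allowRdp -and -not $denyRdp
}
```

`SessionAccessExpected` is true only when all three conditions from the list hold. A deny entry wins over the allow entry and over group membership, which is why the KB lists the deny policy separately.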