
One Identity Safeguard 2.3 - Evaluation Guide

Minimum required permissions for Windows assets

The following minimum permissions are required on Windows assets for Safeguard to perform asset and directory password management tasks and session management tasks.

Asset password management

Using a Local account or Domain account:

  • Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
    • Remote Enable permission on CIMV2 Namespace
    • Enable Account permission on CIMV2 Namespace
    • Remote Activation permission on computer

    NOTE:

    To set Remote Enable and Enable Account permissions

    1. Open wmimgmt.
    2. Right-click WMI Control (Local) and select Properties.
    3. Select the Security tab.
    4. Add user and select Remote Enable and Enable Account.
    5. Click OK.

    To set Remote Activation permissions

    1. Open dcomcnfg.
    2. Expand Component Services | Computers.
    3. Right-click My Computer and select Properties.
    4. Open the COM Security tab.
    5. Under Launch and Activation Permissions, select Edit Limits.
    6. Add user and select Allow for Remote Activation.
  • Password change task requires the following permission:
    • Member of Local Administrators group

Domain password management

Using a Domain account:

  • Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
    • Member of Domain Users
  • Password change task requires that the Service account has the following delegated permissions:
    • Reset Password
    • Read All Properties
    • Write All Properties

Asset session access

Using a Local account:

  • Member of Remote Desktop Users group
  • Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
  • Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)

Using a Domain account:

  • Member of the Remote Desktop Users group, or member of a domain security group that a Group Policy update adds to the Remote Desktop Users group on that asset
  • Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
  • Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)
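To verify these settings on an asset before enrolling it, the following PowerShell script (an added example, not from the One Identity guide) reads the root\cimv2 namespace DACL, the DCOM machine-wide launch and activation limits, the local group membership, and the exported user-rights policy for one account. The account name 'CORP\svc-safeguard' is an assumed placeholder, and the checks inspect direct ACEs and direct group members only, so rights granted through nested groups are not reported.

```powershell
# Added example, not part of the One Identity guide. Run elevated on the Windows asset.
function Test-SafeguardAssetPermissions {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\svc-safeguard' (assumed name)
    $sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
               [Security.Principal.SecurityIdentifier]).Value
    $rdpUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users

    # 1. WMI root\cimv2 namespace DACL: WBEM_ENABLE = 0x1, WBEM_REMOTE_ACCESS = 0x20 (direct ACEs only)
    $dacl = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
                -Name GetSecurityDescriptor).Descriptor.DACL
    $wmiMask = 0
    foreach ($ace in $dacl) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) { $wmiMask = $wmiMask -bor $ace.AccessMask }
    }

    # 2. DCOM "Edit Limits" for launch/activation: COM_RIGHTS_ACTIVATE_REMOTE = 0x10.
    #    When the registry value is absent, the Windows default limits apply.
    $raw = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).MachineLaunchRestriction
    $dcomMask = 0
    if ($raw) {
        foreach ($ace in (New-Object Security.AccessControl.RawSecurityDescriptor($raw, 0)).DiscretionaryAcl) {
            if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $sid) {
                $dcomMask = $dcomMask -bor $ace.AccessMask
            }
        }
    }

    # 3. Local group membership (direct members only; nested groups are not expanded)
    $isAdmin   = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.SID.Value -eq $sid })
    $isRdpUser = [bool](Get-LocalGroupMember -Group 'Remote Desktop Users' | Where-Object { $_.SID.Value -eq $sid })

    # 4. Logon rights from the local security policy; secedit exports trustees as '*<SID>'
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$matches[1]] = ($matches[2] -replace '\*', '') -split ',' }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $principals = @($sid); if ($isRdpUser) { $principals += $rdpUsersSid }
    $allowRdp = [bool]($rights['SeRemoteInteractiveLogonRight']     | Where-Object { $principals -contains $_ })
    $denyRdp  = [bool]($rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $principals -contains $_ })

    [pscustomobject]@{
        Account = $Account; WmiRemoteEnable = ($wmiMask -band 0x20) -ne 0; WmiEnableAccount = ($wmiMask -band 0x1) -ne 0
        DcomRemoteActivation = ($dcomMask -band 0x10) -ne 0; LocalAdministrator = $isAdmin
        RemoteDesktopUser = $isRdpUser; AllowRdpLogon = $allowRdp; DenyRdpLogon = $denyRdp
    }
}
Test-SafeguardAssetPermissions -Account 'CORP\svc-safeguard' | Format-List
```

A result with DenyRdpLogon set to True, or AllowRdpLogon False, means the session access requirements above are not met even when the group memberships look correct.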