-
标题
Active Roles service account minimum permissions -
说明
What are the requirements to assign minimum permissions so that Active Roles will function? -
原因
Enhancement ID 223920 has been created to update and clarify the wording in the Active Roles Administration Guide and Active Roles Quick Start Guide regarding minimum permissions. -
解决办法
Required Permissions and AccessAs Active Roles performs operations on objects on behalf of delegated users, the Active Roles service account which is used to manage the Active Directory domain requires adequate permissions. All internal test scenarios and the One Identity Active Roles Support Model all assume that the domain is being managed using an account that is a member of the Domain Admins role group. If this configuration is not leveraged, then guidance and documentation provided by the One Identity Support Team may not be relevant.
It is possible to separate the tasks performed by the service account from domain management by specifying distinct accounts for the service and for managing the domain. In this configuration scenario, the service account can be configured to run with the minimum permissions specified below, but the proxy account should be a member of the Domain Admins role group in order to stay within the One Identity Active Roles Support Model.
The service account credential has five main roles, two of which are optional:- Accessing local resources on the Active Roles Administration Service host.
- Creating the Service Connection Point in Active Directory (this functionality is non-critical and won't prevent the service from functioning as expected - instead, Active Roles clients won't automatically discover the Active Roles Administration Service. Active Roles Clients will still be able to connect if the service name or IP address is known).
- All script modules are executed under the security context of the Active Roles Service Account
- Connecting to the Microsoft SQL database (this is optional, as a SQL Authentication credential may also be specified).
- Synchronizing native permissions to Active Directory (this is required only if Active Roles is configured to do so).
Access to the Administration Service ComputerThe service account must be a member of the local Administrators group on the computer running the Active Roles Administration service.
Service Publication in Active Directory
For Active Roles clients to discover available Active Role services, the service account must be able to publish itself in Active Directory. On the Aelita sub-container, under the System container in the domain, grant the following rights:• Create Container Objects• Create ServiceConnectionPoint Objects
Access to Managed Domains
The service account must have at least Read Permissions in any Managed Domain. In addition, the service account must have Modify Permissions rights on the Active Directory objects and containers where the Active Roles security synchronization feature will be utilized.Access to Exchange OrganizationsExchange 2010To manage Exchange recipients on Exchange Server 2010, the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. See the following steps for details.
To configure the service account or the override account
1.- Add the account to the Recipient Management role group. For instructions, see “Add Members to a Role Group” at http://technet.microsoft.com/library/dd638143(EXCHG.141).aspx.2.- Add the account to the Account Operators domain security group.3.- Enable the account to use remote Exchange Management Shell. For instructions, see “Enable Remote Exchange Management Shell for a - User” at http://technet.microsoft.com/library/dd298084(exchg.141).aspx.4.- Ensure that the account can read Exchange configuration data (see Permission to read Exchange configuration data).5.- Restart the Administration Service after changing the configuration of the account:- Start Active Roles Configuration Center (see “Running Configuration Center” in the Active Roles Administrator Guide), go to the Administration Service page in the Configuration Center main window, and then click the Restart button at the top of the Administration Service page.
The Exchange 2010 management tools are not required on the computer running the Administration Service.
Exchange 2013 and 2016
To manage Exchange recipients on Exchange Server 2013 or 2016, the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. For details, see the steps that follow.To configure the service account or the override account1.- Add the account to the Recipient Management role group. For instructions, see “Manage Role Group Members” at http://technet.microsoft.com/library/jj657492(exchg.150).aspx.2.- Add the account to the Account Operators domain security group.3.- Enable the account to use remote Exchange Management Shell. For instructions, see “Enable remote Shell for a user” in the topic “Manage Exchange Management Shell Access” at http://technet.microsoft.com/library/dd638078(exchg.150).aspx.4.- Ensure that the account can read Exchange configuration data (see Permission to read Exchange configuration data).5.- Restart the Administration Service after changing the configuration of the account: Start Active Roles Configuration Center (see “Running Configuration Center” in the Active Roles Administrator Guide), go to the Administration Service page in the Configuration Center main window, and then click the Restart button at the top of the Administration Service page.
Permission to read Exchange configuration data
To perform Exchange recipient management tasks, Active Roles requires Read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights. For example, the service account is a member of the Domain Admins or Organization Management group. Otherwise, provide the account Read permission in the Microsoft Exchange container, using the ADSI Edit console.NOTE: The following instructions apply to the ADSI Edit console that ships with Windows Server 2012 or Windows Server 2012 R2.
To provide Read access to the service account using the ADSI Edit console:
1.- Open the ADSI Edit console, and connect to the Configuration naming context.
2.- In the ADSI Edit console, navigate to the Configuration/Services container, right-click Microsoft Exchange in that container, and then click Properties.
3.- On the Security tab in the Properties dialog box that appears, click Advanced.
4.- On the Permissions tab in the Advanced Security Settings dialog box, click Add.
5.- On the Permission Entry page, configure the permission entry:
a.- Click Select a principal and select the desired account.
b.- Ensure that the Type box indicates Allow.
c.- Ensure that the Applies onto box indicates: This object and all descendant objects.
d.- In the Permissions area, select the List contents and Read all properties checkboxes.
e.- Click OK.
6.- Click OK to close the Advanced Security Settings dialog box, and then click OK to close the Properties dialog box.Support for Exchange Remote Shell
When performing Exchange recipient management tasks on Exchange Server 2010 or later, Active Roles uses remote Exchange Management Shell to communicate with Exchange Server. Hence, it is not required to install the Exchange management tools on the computer running the Administration Service.To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:
- Microsoft .NET Framework 4.5 installed (see “Installing the .NET Framework 4.5, 4.5.1” at https://msdn.microsoft.com/library/5a4x27ek%28VS.110%29.aspx).
- Windows Management Framework 3.0 installed (see “Windows Management Framework 3.0” at https://www.microsoft.com/en-us/download/details.aspx?id=34595).
Remote Shell also requires the following:- TCP port 80 must be open between the computer running the Administration Service and the remote Exchange server.
- The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.
- Windows PowerShell script execution must be enabled on the computer running the Administration Service. To enable script execution for signed scripts, run the Set-ExecutionPolicy RemoteSigned command in an elevated Windows PowerShell window.