Delegating Rights in AD

If you have enabled Active Directory integration, you must provide a user account that can reset and unlock other users’ passwords in Active Directory. This is a typical requirement for password management systems (e.g. IBM Tivoli Access Manager). Rather than reusing an existing administrative account, create a new user account with no rights beyond those of a standard domain user, then grant it only the permissions it needs through Active Directory’s Delegation of Control functionality. The following step-by-step guide creates the account and assigns it the rights required for correct operation.

  1. Open the Active Directory Users and Computers management interface.
  2. Find the container in which you would like to create the new user account. For our purposes, we will create it in the “Dev” organizational unit.
  3. Right-click the container in the left-hand frame and choose the “New” => “User” menu item.
  4. The “New Object - User” dialog appears. Enter a first name, last name and logon name. In this case, our chosen logon name is “pwreset”.
  5. Click the Next button and enter a password for the user. Use a long, randomly generated password, because this account has more rights than a normal user. Uncheck the ‘User must change password at next logon’ box and check the ‘Password never expires’ setting. Since this removes the account from domain password expiry, store the password in a secrets store and rotate it manually on a schedule.
  6. Click Next to see a summary screen and then click Finish to create the user.
  7. If delegating rights for PortalGuard’s Native Windows Authentication user (found on the “Native Windows” tab in the User Repository configuration), this administrative user must be added to the Account Operators group in Active Directory. Note that Account Operators is a built-in privileged group: its members can create and modify most user and group accounts in the domain and can log on locally to domain controllers by default, so protect this account’s credential accordingly. If not using Native Windows Authentication, the new service account does not need to be added to any additional groups.
  8. In the left-hand frame, right-click on the highest-level container that contains the Active Directory user accounts to be managed and choose the “Delegate Control…” menu item. Delegate at the organizational unit that actually holds those users rather than at the domain root where possible. Accounts that are members of protected groups (for example Domain Admins) have their permissions enforced by AdminSDHolder and will not inherit this delegation, so the service account will not be able to reset those passwords; this is the intended behaviour.
  9. This launches the Delegation of Control wizard. Click Next to advance past the Welcome screen.
  10. On the “Users or Groups” dialog that follows, click the Add button, enter the logon name of the newly created user and click the “Check Names” button to validate the entry and show the fully qualified UPN. In our case, this logon name is “pwreset”.
  11. Once the name is successfully resolved, click the OK button to return to the wizard.
  12. Now that the username is shown in the “Users and Groups” dialog, click Next to advance to the “Tasks to Delegate” screen. If you are enabling PortalGuard's Native Windows Authentication functionality, choose the "Create, delete, and manage user accounts" and "Reset user passwords and force password change at next logon" options, click "Next" and then "Finish", and skip the remaining steps. Otherwise, click the “Create a custom task to delegate” radio button.
  13. Click the Next button to show the “Active Directory Object Type” screen. Choose the “Only the following objects in the folder:” radio button, then scroll to the very bottom and check the “User objects” entry. This is the only entry that should be checked.
  14. Click Next to display the “Permissions” screen. Ensure the “General” and “Property-specific” boxes are checked, then scroll down and enable the “Reset Password” entry.
  15. On the same screen, scroll down and also check both the “Read lockoutTime” and “Write lockoutTime” permissions. Unlocking an account is performed by writing the lockoutTime attribute back to zero, so these two permissions are what allow WSP to unlock an Active Directory account that has been locked out within AD.
  16. Click Next to display the summary screen and then click Finish to commit the changes.
  17. This is the final step in the procedure. Please note that these changes may take a few minutes to replicate through your domain. Before putting the account into service, verify the delegation by resetting and unlocking a test user in the delegated container with the new account, and confirm that it cannot reset a user outside that container.
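The same delegation can be scripted and audited instead of clicked through the wizard. The following PowerShell script is an added example, not PortalGuard's or WSP's own code: it creates the service account, grants exactly the three permissions the wizard steps above produce (the Reset Password control access right plus read and write of lockoutTime, inherited by user objects only), and then lists the resulting ACEs for review. It assumes the domain example.com, the logon name “pwreset” from the page and the target OU DN `OU=Dev,DC=example,DC=com`; adjust these to your environment. The GUIDs are looked up from the forest's own schema and Extended-Rights container so nothing is hard-coded.

```powershell
# Added example (not part of the original page): script the delegation from the wizard steps.
# Assumptions: domain example.com, service account "pwreset", users live under OU=Dev.
Import-Module ActiveDirectory

$svcName  = 'pwreset'
$targetOU = 'OU=Dev,DC=example,DC=com'   # assumed; use the OU that actually holds your users

# 1. Create the service account as an ordinary domain user; add no group memberships.
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -GivenName 'Password' -Surname 'Reset' `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Description 'WSP/PortalGuard password reset service account'
$svcSid = (Get-ADUser -Identity $svcName).SID

# Only for the Native Windows Authentication case (step 7 above). Account Operators is a
# privileged built-in group, so leave this commented out unless that feature is in use.
# Add-ADGroupMember -Identity 'Account Operators' -Members $svcName

# 2. Resolve the GUIDs the ACEs need from this forest rather than hard-coding them:
#    schemaIDGUID for the "user" class and the lockoutTime attribute, and rightsGuid
#    for the "Reset Password" control access right.
$rootDse    = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

$userClass   = $schemaGuid['user']           # inheritedObjectType: apply to user objects only
$lockoutTime = $schemaGuid['lockoutTime']    # attribute written to 0 to unlock an account
$resetPwd    = $rightGuid['Reset Password']  # control access right, not a property

# 3. Build the three ACEs the wizard creates, each inherited by descendant user objects only
#    (the OU itself gets nothing, matching "Only the following objects in the folder").
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$aces = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwd, $inherit, $userClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        $allow, $lockoutTime, $inherit, $userClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $lockoutTime, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$targetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# 4. Verify: show only the ACEs granted to the service account on the OU. Expect exactly
#    three entries, all with InheritedObjectType equal to the user class GUID.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$svcName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Run the script as a user who can create accounts and modify the OU's security descriptor. The final listing is also the check to repeat periodically: any ACE for the service account beyond these three, or one whose InheritedObjectType is not the user class, indicates the delegation has drifted from what this page prescribes.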