Delegating permissions to a Windows Server 2019 AD Service Account


Prerequisite

Active Directory running on Windows Server 2019.

 

When configuring your user database in LogonBox, a service account is required so that LogonBox can synchronise users and reset passwords. The easiest option is to use the domain Administrator account as the Service Account. We do not recommend this in a production environment, because it gives LogonBox (and anyone who obtains the credentials it stores) full control of the domain instead of the handful of rights it actually needs, but it can be used while you are testing the product if you wish.

Instead, you can delegate a minimal set of permissions to a service account of your choice.

This article shows you how to create a new user within your Active Directory and delegate the required permissions so that it will be able to serve as the LogonBox Service Account.

 

 

Create the LogonBox Service User Account

Create the user account that is going to act as the service account. Give it a long, randomly generated password and tick "Password never expires" (and "User cannot change password") so that the account does not stop working when the domain password policy would otherwise force a change. Do not add it to Domain Admins or any other privileged group; the rights it needs are delegated in the next step. Keep the password in your secrets store, as you will need to enter it into LogonBox later.

 

Delegate Control

To delegate control to the user, select the OU containing the users the service account will be responsible for (or the top level of the domain if you want the service account to work with all users), right-click and select the Delegate Control option. Delegate as low in the tree as you can: if the service account is ever compromised, every user beneath the delegation point can have its password reset.

Click Next, then on the Users and Groups page of the wizard click the Add button then enter the name of the service account, click Check Names to confirm the user, then click OK to continue through the wizard.

 

When you are prompted to select the tasks to delegate, ensure that "Create, delete, and manage user accounts" and "Reset user passwords and force password change at next logon" are both selected. The first task grants the right to create and delete user objects under the OU and full control of the user objects beneath it; the second grants the "Reset Password" control access right plus read and write access to the pwdLastSet attribute (which is how "must change password at next logon" is set).

Click Next, then Finish to complete the wizard.
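The same procedure from PowerShell, as an added example that is not part of the LogonBox article or product: it creates the service account with a random non-expiring password and applies the access control entries that the two wizard tasks grant, then lists them for comparison with the GUI result. It assumes the RSAT ActiveDirectory module, a Domain Admin session, the domain example.com, a service account named svc-logonbox kept in a separate OU (so it is outside its own delegation scope), and OU=LogonBox as the delegated OU; all of these names are assumptions. The class, attribute and control-access GUIDs are the well-known schema constants for "user", "pwdLastSet" and "Reset Password".

```powershell
# Added example (not from the LogonBox article): create the service account and
# delegate the two wizard tasks on one OU. Assumed names: svc-logonbox, example.com,
# OU=Service Accounts (where the account lives) and OU=LogonBox (what it manages).
Import-Module ActiveDirectory

$svcName     = 'svc-logonbox'                           # assumed
$svcOu       = 'OU=Service Accounts,DC=example,DC=com'  # assumed, outside the delegated OU
$delegatedOu = 'OU=LogonBox,DC=example,DC=com'          # assumed

# 1. Create the account with a 32-byte random password that never expires and
#    that the account itself cannot change. It is deliberately in no privileged group.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = [Convert]::ToBase64String($bytes)
$password = ConvertTo-SecureString $plain -AsPlainText -Force
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LogonBox service account (delegated rights only)'
Write-Output "Password for $svcName (store it in your vault, then clear this console): $plain"

# 2. Build the four ACEs that the wizard's two tasks produce.
$sid           = (Get-ADUser $svcName).SID
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # 'Reset Password' control access right

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

$aces = @(
    # "Create, delete, and manage user accounts": create/delete user objects here and below...
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $userClass, $Inherit::All),
    # ...and full control of the user objects beneath this OU.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::GenericAll, $Allow, $Inherit::Descendents, $userClass),
    # "Reset user passwords and force password change at next logon":
    # the Reset Password right on descendant users...
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::ExtendedRight, $Allow, $resetPassword, $Inherit::Descendents, $userClass),
    # ...and read/write of pwdLastSet so "change at next logon" can be set.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow, $pwdLastSet, $Inherit::Descendents, $userClass)
)

# 3. Apply them to the OU's DACL.
$acl = Get-Acl -Path "AD:\$delegatedOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$delegatedOu" -AclObject $acl

# 4. Show exactly what the service account was granted on this OU.
(Get-Acl -Path "AD:\$delegatedOu").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

The listing in step 4 is also a useful audit check later on: any ACE for the service account that is not one of these four, or that appears on an OU other than the intended one, means the delegation has drifted from what this article sets up.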

 

The new user should now have sufficient privileges to function as the Service Account for LogonBox.

 

Test the new service account

Let's now test the new user account to ensure that it is able to function and will work correctly as a Service Account.

In your LogonBox server, go to the Administration->User Directory menu and click Configure User Database. Set the Service Username and Service Password to the new user that was created.

 

If you delegated control on a single OU rather than the whole domain, restrict the directory to the OU(s) on which control was delegated (those chosen in the step titled 'Delegate Control'); otherwise LogonBox will synchronise users it has no rights over, and password resets on those users will fail.

This can be done in the Filter tab. In this example we are filtering on OU=LogonBox only. Click Update to save the changes and start a synchronise.
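Before involving LogonBox, it is worth proving that the delegation itself (and its scope) is right. The following is an added example, not part of the LogonBox article: it performs the two delegated operations from PowerShell as the service account against one user inside the delegated OU and one outside it. It assumes the domain EXAMPLE / example.com, the service account svc-logonbox, a throwaway test user in OU=LogonBox and an ordinary user in OU=Staff; all names are assumptions. Use only test accounts here, because the in-scope reset really does change that user's password.

```powershell
# Added example (not from the LogonBox article): exercise the delegation as the
# service account. Assumed names: EXAMPLE\svc-logonbox, example.com, a test user in
# the delegated OU=LogonBox and another user in OU=Staff, which is outside it.
Import-Module ActiveDirectory

$svcCred  = Get-Credential -UserName 'EXAMPLE\svc-logonbox' -Message 'Service account password'
$inScope  = 'CN=Test User,OU=LogonBox,DC=example,DC=com'   # assumed, inside the delegated OU
$outScope = 'CN=Other User,OU=Staff,DC=example,DC=com'     # assumed, outside it

# Random temporary password; the user is forced to change it at next logon anyway.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

function Test-DelegatedReset([string]$UserDn) {
    try {
        # Requires the 'Reset Password' control access right on the user object.
        Set-ADAccountPassword -Identity $UserDn -Reset -NewPassword $tempPassword `
            -Credential $svcCred -ErrorAction Stop
        # Requires write access to pwdLastSet (this sets it to 0).
        Set-ADUser -Identity $UserDn -ChangePasswordAtLogon $true `
            -Credential $svcCred -ErrorAction Stop
        [pscustomobject]@{ User = $UserDn; Result = 'reset OK' }
    }
    catch {
        [pscustomobject]@{ User = $UserDn; Result = "denied: $($_.Exception.Message)" }
    }
}

# Expected: the in-scope user reports 'reset OK', the out-of-scope user is refused.
Test-DelegatedReset $inScope
Test-DelegatedReset $outScope
```

If the in-scope reset is refused, go back to the Delegate Control step; if the out-of-scope reset succeeds, the delegation was applied higher in the tree than intended and the service account has more reach than the Filter tab setting suggests.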

 

Now let's try to reset a user's password: on the Users page, click the gears icon next to a user, then click Set Password.

 

If successful, you should get a success notification at bottom right.

 

You can now test a user performing a self service reset, which should also work.