Access Manager: How to delegate AD Service Account control to another user

This article is marked as obsolete.

Prerequisite:

Active Directory 2003

Active Directory 2008

Active Directory 2012


When configuring your directory in Access Manager, a service account is required so that Access Manager is able to complete its actions. The easiest option available is to set the domain Administrator account as the Service Account, which is what we recommend you do during installation to get the product installed.

Access Manager can also use another account with sufficient permissions. This article shows you how to create a new user within your Active Directory and delegate the required permissions so that it can serve as the Access Manager Service Account. The final step in this article updates your current installation to use this new user.

Create a Service Account OU

It is advisable to create a new OU to hold the user account and its security group. Setting this up in a new OU reduces the risk of any mistakes affecting the rest of the domain.

Create Nervepoint Service User

When the new OU has been created, you can create the user account that is going to be the service account. You will probably want to set a fixed password for this account so that it does not expire.

Create Security Group

After the user has been created, you can create the group. This should use a Group Scope of Global and a Group Type of Security.

Associate Service Account to Groups

With the user and group now created in the OU, it is time to add the user to two groups: first add the user to the new Security Group, then add the user to the Domain Controllers group. The Domain Controllers group will give the user the permissions required to make changes to user accounts, but at the moment nothing has been delegated to it.

Delegate Control

To delegate control to the user, select the OU that the user will be responsible for controlling and select the Delegate Control option. When you reach the Users or Groups section of the wizard, select the Add button, enter the name of the security group you created and add it to the list, then continue through the wizard.

When you are prompted to select the tasks to delegate, ensure that “Create, delete, and manage user accounts” and “Reset user passwords and force password change at next logon” are both selected. Complete the Delegation of Control wizard.

The user should now have sufficient privileges to function as the Service Account for Access Manager. You can repeat this final step for every OU that you plan to use with Access Manager.
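The same preparation can be scripted. The following PowerShell is an added example, not part of the original article and not Nervepoint's own tooling; it uses the RSAT ActiveDirectory module to reproduce the GUI steps above: the OU, the service user with a non-expiring password, the Global/Security group, the two group memberships the article calls for, and then the ACEs that the Delegation of Control wizard writes onto the target OU for “Create, delete, and manage user accounts” and “Reset user passwords and force password change at next logon”. The domain (DC=example,DC=local), the OU, user and group names, and the target OU are assumed placeholders to be changed for your environment; the three GUIDs are the well-known schema GUIDs for the user object class, the Reset Password extended right, and the pwdLastSet attribute, which are the same in every forest. The last function reads the ACL back so you can confirm that only the intended rights were granted.

```powershell
# Added example (not from the article): scripted equivalent of the GUI steps.
# Assumes the RSAT ActiveDirectory module and a session with rights to create
# objects and edit the target OU's ACL.
Import-Module ActiveDirectory

# --- Assumed placeholders: change these to match your domain ---
$DomainDn  = "DC=example,DC=local"
$SvcOuName = "Service Accounts"
$SvcUser   = "svc-accessmanager"
$SvcGroup  = "Access Manager Service"
$TargetOu  = "OU=Staff,$DomainDn"            # OU that Access Manager will manage

# Well-known schema GUIDs (identical in every AD forest)
$UserClassGuid  = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class
$ResetPwdGuid   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
$PwdLastSetGuid = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute

# Step 1: a dedicated OU so that mistakes stay contained
$svcOu = New-ADOrganizationalUnit -Name $SvcOuName -Path $DomainDn -PassThru

# Step 2: the service user with a fixed, non-expiring password
$password = Read-Host -AsSecureString -Prompt "Password for $SvcUser"
$user = New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -Path $svcOu.DistinguishedName -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -PassThru

# Step 3: the Global / Security group that will receive the delegation
$group = New-ADGroup -Name $SvcGroup -GroupScope Global -GroupCategory Security `
    -Path $svcOu.DistinguishedName -PassThru

# Step 4: the two memberships the article calls for
Add-ADGroupMember -Identity $group -Members $user
Add-ADGroupMember -Identity "Domain Controllers" -Members $user

# Step 5: delegate control on the target OU (the ACEs the wizard would write)
function Grant-UserManagementDelegation {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)

    $rights  = [System.DirectoryServices.ActiveDirectoryRights]
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $ruleType = "System.DirectoryServices.ActiveDirectoryAccessRule"

    $rules = @(
        # "Create, delete, and manage user accounts":
        #   create/delete user objects in this OU and its sub-OUs ...
        New-Object $ruleType -ArgumentList @(
            $Sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
            $UserClassGuid, $inherit::All)
        #   ... and full control over the user objects themselves
        New-Object $ruleType -ArgumentList @(
            $Sid, $rights::GenericAll, $allow, $inherit::Descendents, $UserClassGuid)
        # "Reset user passwords and force password change at next logon":
        #   the Reset Password extended right on user objects ...
        New-Object $ruleType -ArgumentList @(
            $Sid, $rights::ExtendedRight, $allow, $ResetPwdGuid,
            $inherit::Descendents, $UserClassGuid)
        #   ... plus read/write of pwdLastSet (setting it to 0 forces the change)
        New-Object $ruleType -ArgumentList @(
            $Sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
            $PwdLastSetGuid, $inherit::Descendents, $UserClassGuid)
    )

    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Step 6: read back what was actually granted to the group on that OU
function Get-DelegatedAces {
    param([string]$OuDn, [string]$GroupName)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-UserManagementDelegation -OuDn $TargetOu -Sid $group.SID
Get-DelegatedAces -OuDn $TargetOu -GroupName $SvcGroup | Format-Table -AutoSize
```

Run Grant-UserManagementDelegation once per OU you intend to manage, then Get-DelegatedAces for each of them; the output should show exactly the four ACEs above for the group and nothing else. The rights are granted to the group rather than to the user, as in the wizard steps, so any other account later added to that group receives the same delegation.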


Test The New User

Let's now test the new user account to ensure that it functions and will work correctly as a Service Account.

Go to the Directory tab. From here, change the Service Account from the Administrator to the new user that was created and update the password. You should restrict the directory to only the OUs that have delegated control to the Service Account (those identified in the step titled 'Delegate Control').

To apply a DN Filter, open the Advanced tab. There are two options here, labelled Include DN Filter and Exclude DN Filter, which can be used to control which users, groups, and OUs are imported into the Directory. In this case the OU that the new Service Account was given control of is added to the Include DN Filter, so that only the users in that OU are imported.

Save the changes to the Directory and then Synchronise to update the user lists and details.

Now let's try to reset a user's password. First log in to a user account and try the Change Password option; as we can see, this completes successfully. Now try setting some answers and then select the Reset Password action from the main page; as we can see, this also completes successfully.