

Minimum Privileges for Managing an Active Directory Endpoint

Valid on Windows

If you want to use the SAM Windows Agentless endpoint type to manage Active Directory endpoints without specifying a domain administrator account, you can instead specify a delegated user account that has only the privileges required to manage regular user accounts.

Example: Delegating an Active Directory user the privileges to manage other Active Directory users on Windows Server 2008

The following example shows you how to delegate the privileges for a regular user to manage other regular Active Directory users on Windows Server 2008.

  1. Select Start, Administrative Tools, Component Services

    The component services console opens.

  2. Expand the Component Services list, select Computers then right-click My Computer and select Properties.

    The My Computer properties window opens.

  3. Navigate to the COM Security tab and do the following:
    1. In the Access Permissions section, click Edit Default.
    2. Click Add, locate the delegated user account, and select Local Access and Remote Access under the Allow column. Click OK.
    3. In the Launch and Activation Permissions section, click Edit Default.
    4. Click Add, locate the delegated user account, and select Local Activation and Remote Activation under the Allow column.
    5. Click OK and exit the properties window.

    Note that Edit Default changes the machine-wide DCOM defaults, so the account gains these rights on every DCOM server on this host that does not define its own permissions.
  4. Select Start, Administrative Tools, Active Directory Users and Computers. Do the following:
    1. In the Users container, right-click the delegated user account and select Properties.
    2. On the Member Of tab, click Add.
    3. Add the user to the following groups, then click OK:
      • Domain Users
      • Distributed COM Users

    You have configured the security attributes for the delegated user. You now configure the security attributes for the container that you want this user to manage.

  5. In the Active Directory Users and Computers console, right-click the Users container and select Properties. (The Security tab is shown only when Advanced Features is enabled on the View menu.)
  6. On the Security tab, click Add to add the delegated user, then click Advanced.

    The advanced security settings window opens. Do the following:

    1. On the Permissions tab, select the entry for the delegated user and click Edit.

      The permission entry window opens.

    2. From the Apply onto list, select Descendant User Objects and allow the following permissions:
      • List contents
      • Read all properties
      • Write all properties
      • Read permissions
      • Modify permissions
      • Change password
      • Reset password
    3. Click OK and exit the properties window.

    The delegated user now has these rights on every user object in the Users container. Accounts that Active Directory protects through AdminSDHolder (members of Domain Admins and the other protected groups) have inheritance disabled and their permissions reset periodically, so the delegated user cannot manage them; this is by design, and the delegated account itself should not belong to any of those groups.

  7. From a Command Prompt window, run wmimgmt.msc to open the WMI Control console. Do the following:
    1. Right-click WMI Control (Local) and select Properties.

      The WMI Control properties window opens.

    2. On the Security tab, select the Root namespace and click Security.
    3. Click Add, add the delegated user account, and allow the following permissions:
      • Partial Write
      • Provider Write
      • Enable Account
      • Remote Enable
      • Read Security
    4. Click Advanced, edit the entry for the delegated user, and set Apply to: This namespace and subnamespaces, so that the permissions are inherited by every namespace under Root.
    5. Click OK and close the WMI Control console.
  8. From a Command Prompt window, run regedit and locate the following registry keys:
    HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
    
    HKEY_CLASSES_ROOT\CLSID\{233664b0-0367-11cf-abc4-02608c9e7553} 
    
  9. Right-click each key and select Permissions.

    The permissions window opens.

  10. Add the delegated user to the list and assign Full Control to the key and all child objects.

    Full Control on a CLSID key also lets the account change the COM server registration for that class, so protect the delegated account's credentials as you would an administrative account's.

  11. Click OK, then close regedit.

    You have delegated a regular Active Directory user the permissions to manage other regular Active Directory users.
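The following script is an added example and is not part of the CA ControlMinder documentation. It performs the scripted equivalent of steps 4 to 6 and 8 to 10 above and then lists the resulting access entries for review. It assumes an elevated PowerShell session run as a domain administrator on the domain controller, with the ActiveDirectory module available (Windows Server 2008 R2 or later), and uses the hypothetical account name "sam-delegate" and the default Users container; adjust both to your environment. The DCOM (step 3) and WMI (step 7) settings are left to the console steps above.

```powershell
# Added example, not from the product documentation. Scripted equivalent of steps 4-6 and 8-10.
# Assumes: elevated session as a domain administrator on the DC, ActiveDirectory module present,
# hypothetical delegated account "sam-delegate" (change to your account).
Import-Module ActiveDirectory

$DelegatedUser = 'sam-delegate'                                  # hypothetical account (sAMAccountName)
$Domain        = Get-ADDomain
$ContainerDN   = "CN=Users,$($Domain.DistinguishedName)"         # container the account will manage
$Sid           = (Get-ADUser -Identity $DelegatedUser).SID
$Account       = $Sid.Translate([System.Security.Principal.NTAccount]).Value

# Well-known schema GUIDs, identical in every forest
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$ResetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"
$ChangePwdGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # control access right "Change Password"

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Step 4: group membership. Domain Users is already the default primary group;
# Distributed COM Users is a built-in group in CN=Builtin on a domain controller.
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $DelegatedUser

# Steps 5 and 6: permissions on the container, applied to Descendant User Objects.
# "Apply onto: Descendant User Objects" = inheritance Descendents with the user class as inherited object type.
$acl = Get-Acl -Path "AD:\$ContainerDN"

# List contents, Read all properties, Write all properties, Read permissions, Modify permissions
$generalRights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, ReadControl, WriteDacl'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, $generalRights, $Allow, $Descendents, $UserClassGuid)))

# Change password and Reset password are control access rights: one ExtendedRight ACE each
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($rightGuid in @($ResetPwdGuid, $ChangePwdGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $extended, $Allow, $rightGuid, $Descendents, $UserClassGuid)))
}
Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl

# Steps 8 to 10: Full Control on the two CLSID keys. HKEY_CLASSES_ROOT\CLSID is a view of
# HKLM\SOFTWARE\Classes\CLSID. These keys are owned by TrustedInstaller, so write only the
# DACL through RegistryKey.SetAccessControl; Set-Acl would also try to rewrite the owner and fail.
$Clsids = '{76A64158-CB41-11D1-8B02-00600806D9B6}', '{233664b0-0367-11cf-abc4-02608c9e7553}'
foreach ($clsid in $Clsids) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        "SOFTWARE\Classes\CLSID\$clsid",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if (-not $key) { throw "CLSID key $clsid not found" }
    $keySecurity = $key.GetAccessControl()
    # ContainerInherit = "this key and subkeys", matching the GUI's "key and all child objects"
    $keySecurity.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Sid,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $Allow)))
    $key.SetAccessControl($keySecurity)
    $key.Close()
}

# Verification: show every ACE granted to the delegated account on the container.
# Expect one ACE with the general rights and two ExtendedRight ACEs, all inherited by user objects only.
Write-Host "ACEs for $Account on $ContainerDN"
(Get-Acl -Path "AD:\$ContainerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The verification output is the quickest way to confirm that the entries landed on descendant user objects rather than on the container itself: each listed ACE should show InheritanceType Descendents and the user class GUID as InheritedObjectType. Run the script once; running it again adds duplicate ACEs, which are harmless but clutter the ACL.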