
Grant Rights to Modify Account Options

Each Active Directory user account has a number of account options that determine security and password settings for logon and authentication. Most of these options are stored as bits of the userAccountControl attribute, which Adaxes exposes as the Account Options property of a user account.

View Descriptions of Account Options

Account Option: Description

  • User must change password at next logon: Forces the user to change his/her password the next time the user logs on to the network.
  • User cannot change password: Prevents the user from changing his/her password, so that control over the account stays with the administrator.
  • Password never expires: Exempts the password of this account from the domain password expiration policy.
  • Store passwords using reversible encryption: Stores the password in a form from which the clear-text password can be recovered. It is needed only by protocols that require the plain password (historically, logon from Apple computers and CHAP authentication); anyone who can read the stored value obtains the password itself.
  • Account is disabled: Disables the account so that it cannot be used to log on.
  • Smart card is required for interactive logon: Requires a smart card for interactive logon; the password can no longer be used for that purpose.
  • Account is trusted for delegation: Allows a service running under this account to impersonate other users to any service on the network (unconstrained delegation). Such a service caches the Kerberos tickets of every user who authenticates to it, so compromising the account exposes those users.
  • Account is sensitive and cannot be delegated: Forbids any service from delegating the credentials of this account, even if that service is trusted for delegation. Intended for privileged accounts.
  • Use DES encryption types for this account: Restricts the Kerberos keys of the account to Data Encryption Standard (DES) types. DES is obsolete and is disabled by default on supported Windows versions.
  • Do not require Kerberos pre-authentication: Lets the KDC answer an AS-REQ for this account without pre-authentication, for compatibility with alternate implementations of the Kerberos protocol. The encrypted part of the AS-REP can then be requested by anyone and used for offline password guessing (AS-REP roasting).
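The following PowerShell script is an added example and is not part of the Adaxes documentation. It decodes a userAccountControl value into the account options listed above, using Microsoft's documented bit constants, and flags the options that weaken authentication. The sample value is constructed; the optional live audit at the end uses the standard ActiveDirectory module, not Adaxes, and runs only where that module is installed.

```powershell
# Added example (not from the Adaxes documentation): decode userAccountControl
# and flag the account options that weaken authentication security.
# The ActiveDirectory (RSAT) module is needed only for the live audit at the end.

# Bit values of the userAccountControl attribute (Microsoft documented constants).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE             = 0x0000002   # Account is disabled
    PASSWD_NOTREQD             = 0x0000020   # No password required (not in the table above)
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0000080   # Store passwords using reversible encryption
    NORMAL_ACCOUNT             = 0x0000200   # Ordinary user account
    DONT_EXPIRE_PASSWORD       = 0x0010000   # Password never expires
    SMARTCARD_REQUIRED         = 0x0040000   # Smart card is required for interactive logon
    TRUSTED_FOR_DELEGATION     = 0x0080000   # Account is trusted for delegation
    NOT_DELEGATED              = 0x0100000   # Account is sensitive and cannot be delegated
    USE_DES_KEY_ONLY           = 0x0200000   # Use DES encryption types for this account
    DONT_REQ_PREAUTH           = 0x0400000   # Do not require Kerberos pre-authentication
    PASSWORD_EXPIRED           = 0x0800000   # Password has expired
}

# Flags whose presence on an ordinary user account deserves review.
$RiskyFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED',
              'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Collect the names of every bit that is set in the value.
    $set = @(foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    })
    # Note: "User must change password at next logon" is stored in pwdLastSet (= 0),
    # and "User cannot change password" is an ACE on the user object, not a UAC bit,
    # so neither can be reported by this decoder.
    [pscustomobject]@{
        Value = $Value
        Flags = $set
        Risky = @($set | Where-Object { $RiskyFlags -contains $_ })
    }
}

# Constructed sample: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + DONT_REQ_PREAUTH = 0x410200
$sample = ConvertFrom-UserAccountControl -Value 0x410200
"Sample 0x{0:X}: {1}" -f $sample.Value, ($sample.Flags -join ', ')
"Risky: {0}" -f ($sample.Risky -join ', ')

# Live audit of enabled users (runs only where the ActiveDirectory module is present).
# A flagged account can be corrected with the matching Set-ADAccountControl switch,
# e.g. Set-ADAccountControl -Identity <sAMAccountName> -DoesNotRequirePreAuth $false
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl |
        ForEach-Object {
            $d = ConvertFrom-UserAccountControl -Value $_.userAccountControl
            if ($d.Risky.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Risky          = ($d.Risky -join ', ')
                }
            }
        } | Format-Table -AutoSize
}
```

For the constructed sample the decoder reports NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and DONT_REQ_PREAUTH, with DONT_REQ_PREAUTH listed as risky. The audit is read-only; it only lists accounts, and the Set-ADAccountControl call shown in the comment is the remediation step an administrator would run separately.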

In order to allow specific users or groups to modify user account options in Active Directory, you need to grant them the Write 'Account Options' Property permission. For this purpose, you need to create a Security Role that grants this permission and assign the new Role to the users or groups, to which you want to allow modifying account options.

1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.

Launching the Create Security Role wizard

2. Enter the name for the new Role, and click Next.

3. Here you need to specify the permissions the new Role will grant. To allow modifying user account options, you need to grant the Write 'Account Options' Property permission. Clicking the Add button will display the Add Permissions dialog.

Create Security Role - Step 2

4. In the list of object types to which permissions are applied, select User. In the Property-specific permissions section, check the Write 'Account Options' Property permission in the Allow column. Click OK.

Add Permission

Optionally, add the Read permission

It is reasonable to specify the Read - All object types permission for every Security Role, as this permission allows browsing Active Directory. By default, this permission is granted by the Domain Users built-in Role, however, if that Role is disabled, users will not be able to view any objects in Active Directory.

Click the Add button to return to the Add Permissions dialog. Select the Read permission in the Allow column of the General permissions section. Click OK.

Specify additional permissions


5. The Write 'Account Options' Property permission allows modifying all account options, except the following:

  • User must change password at next logon,
  • User cannot change password,
  • Password never expires.

The first two are not stored in userAccountControl: User must change password at next logon is recorded by setting the Password Last Set (pwdLastSet) attribute to 0, and User cannot change password is an access control entry on the user object that denies the Change Password right. To grant these permissions too, you need to also add the Write 'Password Last Set' Property and Write 'User Cannot Change Password' Property permissions.

See step-by-step

  • At the Role Permissions page of the wizard, click Add to open the Add Permissions dialog.
  • In the list of object types, to which permissions are applied, select User.
  • Check Show all properties below the Property-specific permissions section.
  • Check the Write 'Password Last Set' Property and Write 'User Cannot Change Password' Property permissions in the Allow column. Click OK.

Grant additional password permissions


6. Click Next. Here, at the Assign Role page, specify the users or groups to which you want to assign the new Role. To quickly find a user or group, type its name in the search field. Click the Search button and select the object you need in the search results. Click the Assign button.

Role assignments

7. In the Role Activity Scope dialog that opens, you need to specify to which objects the users or groups selected at the previous step will be able to apply the permissions granted by the new Role.

You can select one of the following items:

  • All Objects - select if you want to allow the users or groups specified at the previous step to modify options of any user account in any AD domain managed by the Adaxes service.
  • Specific Domain - select a specific AD domain if you want to allow modifying options of any account in the AD domain you specify. If you select a domain, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    Select All objects in this Domain. It means that users or groups specified at the previous step will be able to apply permissions of the new Role to all accounts in the selected domain. Click OK.

    Assignment Options for a Specific Domain

  • OU or Container - select a specific organizational unit or container if you want to allow modifying account options of any user located in the selected OU or container. If you select an OU or container, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow modifying the account options of all children of the selected OU at any nesting level, select Child objects of this Organizational-Unit. To allow modifying the account options of the direct child objects of the selected OU only, also check Immediate child objects only. Select the option you need and click OK.

    Assignment Options for an OU or Container

  • Group - select a specific group if you want to allow modifying account options of any user that is a member of the selected group. If you select a group, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow modifying the account options of any group member, select Members of this Group. To allow modifying the account options of direct group members only, also check Direct members only. Click OK.


  • Business Unit - select a Business Unit if you want to allow modifying options of user accounts that are members of a specific Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

    Viewing Business Units

    If you select a Business Unit, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In this case, the only applicable option is Members of this Business Unit. It means that the new Role permissions will be applied to all user accounts that are the members of the selected Business Unit. Select this option and click OK.


Select the object you need and click Add. When finished, click OK.

8. When specified, the assignments will be displayed in the Assignments list. To add assignments for other users or groups, repeat steps 6 and 7. Click Finish.

Assignments

Distribution of permissions with the help of Security Roles does not modify Active Directory native permissions. The permissions granted by a Security Role are enforced by the Adaxes service and apply to operations performed through Adaxes; they do not give the assigned users any additional rights when they work with Active Directory directly.