Permissions required for alternate accounts and organizational units
You can run the connector service as an Active Directory service account instead of as a Local System account. The account you select must have all of the required permissions. For example, if you run as a specific Active Directory service account, the account must be a member of the local administrators group, and you must confirm that it has at least read permission to the container that has Privileged Access Service user accounts and Active Directory Groups used as members of Roles.
You should not run a Windows service with an Active Directory built-in account or an Active Directory user account.
For authentication to work, you must verify that the relevant accounts have permission to read Active Directory users and groups. Each time role permissions are reassessed, the connector tries to resolve the Active Directory groups mapped to any role in which the Active Directory user is potentially a member.
The host computer must also have read access to the container or organizational unit (OU) that stores the user accounts. Without read access, the connector cannot authenticate the user. Domain computers have this permission by default; however, the connector host may not. This most often occurs in multi-forest or multi-domain setups and can occur even when a two-way trust is already defined. When it occurs, the connector log shows the error message "unable to locate forest or user object."
In this case, you need to give the Local System account read permission on the containers or organizational units:

- Open Active Directory Users and Computers, select the user account container, and open the Properties.
- Select the Security tab and then click Add to add the user account you are using to run the connector service. Click OK after you add the user account.
- Click the user account in Group or User Names and click the Allow box for the Read permission.
- Click OK.
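
The same Read permission can be audited and granted from PowerShell; the script below is an added example, not part of the product documentation. It assumes the ActiveDirectory module is installed; `$OuDn`, `$Identity` and `$Grant` are placeholders introduced here, and applying the permission to the OU and its descendants is an assumption, since the steps above do not state a scope.

```powershell
# Added example: check, and optionally grant, Read on the user OU for the connector identity.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

# Placeholder values (not from the documentation); replace with your own.
$OuDn     = 'OU=PAS Users,DC=example,DC=com'  # container that stores the user accounts
$Identity = 'EXAMPLE\CONNECTOR01$'            # a Local System service reaches AD as the host's
                                              # computer account (NAME$); use the service
                                              # account name here if you run as one
$Grant    = $false                            # $true = add the permission when it is missing

$read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
            [System.Security.Principal.SecurityIdentifier])

$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path

# Explicit and inherited Allow ACEs that name this identity and cover every GenericRead bit.
# Access obtained through group membership (for example Authenticated Users) is not
# evaluated, so MISSING means "no ACE names this identity", not "no effective access".
$match = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($_.ActiveDirectoryRights -band $read) -eq $read
    }

if ($match) {
    "OK: $Identity has a Read ACE on $OuDn"
}
elseif ($Grant) {
    # Assumption: apply to the OU and all descendants so the user objects under it are readable.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $read,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    "GRANTED: Read on $OuDn to $Identity"
}
else {
    "MISSING: no Read ACE for $Identity on $OuDn"
}
```
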
Any user or group that has been given permission to read and write the LockoutTime attribute for an OU or other container can unlock user accounts that reside in that container. See https://support.microsoft.com/en-us/kb/294952 to delegate the right to unlock locked user accounts to a particular group or user in Active Directory.
Password reset requires you to delegate to a group of users the ability to reset passwords for another subset of users in a particular OU. See Password Reset Permissions for information on delegating password reset permissions.