Assigning Permissions to Service Accounts

The following section outlines the steps to enable permissions to create and delete computer objects, permissions on these objects, and permissions to change and reset user credentials. These permissions are the minimum level of permissions required for a service account in a Cloud Access Manager deployment.

Organisational Unit [OU] Permissions Dialog

Permissions are assigned to the service account through the OU permissions dialog.

Permissions to Create and Delete Computer Objects

The following section outlines how to add permissions to create and delete computer objects through the OU permissions dialog:

  1. Locate the OU to which you want to grant permissions.
  2. Right-click the relevant OU and click Properties.
  3. Go to the security tab and click Advanced.
  4. Click Add and browse to the service account; this adds the account as a permission entry on the OU.
  5. Select This object and all descendant objects and select the following permissions:
    • Create Computer Objects
    • Delete Computer Objects
  6. Click OK.

Permissions on the Computer Objects

The following section outlines how to select permissions on the computer objects through the OU permissions dialog:

  1. Locate the OU to which you want to grant permissions.
  2. Right-click the relevant OU and click Properties.
  3. Go to the security tab and click Advanced.
  4. Click Add and browse to the service account; this adds the account as a permission entry on the OU.
  5. Limit the Apply Onto scope to Descendant Computer objects and select the following settings:
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • Modify Permissions
    • Validated write to DNS host name
    • Validated write to service principal name
  6. Click OK.

DNS and service principal name permissions

The validated write to DNS host name and validated write to service principal name permissions are required so that the DNS record for a remote workstation can be created after it is domain-joined.

Permissions to Change and Reset User Passwords

The following section outlines how to select permissions to change and reset user passwords applicable to the desired user OU:

  1. Locate the OU to which you want to grant permissions.
  2. Right-click the relevant OU and click Properties.
  3. Go to the security tab and click Advanced.
  4. Click Add and browse to the service account; this adds the account as a permission entry on the OU.
  5. Select This object and all descendant objects and select the following permissions:
    • Change Password
    • Reset Password
  6. Click OK.
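The three delegations above can also be applied from PowerShell instead of the OU permissions dialog. The script below is an added example, not part of the Cloud Access Manager documentation; the account name and OU distinguished names are placeholders, and it assumes the ActiveDirectory module (which provides the AD: drive) is installed.

```powershell
# Added example: grants the service account the rights described above.
# CONTOSO\svc-cam and the two OU paths are placeholders; replace them with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-cam'                        # placeholder service account
$ComputerOU     = 'OU=CAM Workstations,DC=contoso,DC=com'  # placeholder OU that will hold the computer objects
$UserOU         = 'OU=CAM Users,DC=contoso,DC=com'         # placeholder OU that holds the managed user accounts

# Well-known Active Directory schema class and extended-right GUIDs
$ComputerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ValidatedDns   = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn   = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$ChangePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password extended right
$ResetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right

$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier])

function New-Ace {
    # Builds one Allow ACE for the service account. An empty ObjectType means "all properties /
    # all child classes"; an empty InheritedType means the ACE is not limited to one object class.
    param([string]$Rights, [Guid]$ObjectType = [Guid]::Empty, [string]$Inheritance, [Guid]$InheritedType = [Guid]::Empty)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,   # All = this object and all descendants
        $InheritedType)
}

function Grant-OuRules([string]$OuDn, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules) {
    # Read the OU's DACL, append the ACEs and write it back through the AD: drive.
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

Grant-OuRules -OuDn $ComputerOU -Rules @(
    # Create / Delete Computer Objects on this object and all descendant objects
    New-Ace -Rights 'CreateChild, DeleteChild' -ObjectType $ComputerClass -Inheritance All
    # Read/Write All Properties, Read Permissions, Modify Permissions on descendant computer objects only
    New-Ace -Rights 'ReadProperty, WriteProperty, ReadControl, WriteDacl' -Inheritance Descendents -InheritedType $ComputerClass
    # Validated writes are the Self right qualified by the attribute's validated-write GUID
    New-Ace -Rights Self -ObjectType $ValidatedDns -Inheritance Descendents -InheritedType $ComputerClass
    New-Ace -Rights Self -ObjectType $ValidatedSpn -Inheritance Descendents -InheritedType $ComputerClass
)

Grant-OuRules -OuDn $UserOU -Rules @(
    # Change Password and Reset Password extended rights on this object and all descendant objects
    New-Ace -Rights ExtendedRight -ObjectType $ChangePassword -Inheritance All
    New-Ace -Rights ExtendedRight -ObjectType $ResetPassword  -Inheritance All
)

# List the ACEs the service account now holds on each OU so the delegation can be reviewed
foreach ($ou in $ComputerOU, $UserOU) {
    (Get-Acl -Path "AD:\$ou").Access | Where-Object { $_.IdentityReference -eq $ServiceAccount } |
        Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
}
```

The final loop is the check worth keeping: it prints exactly the entries the account holds on each OU, so you can confirm the rights are scoped to the intended OUs and nothing broader.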

Role-based access control with Active Directory

For more information on role-based access control with Active Directory accounts, see Best Practices for Securing Active Directory.