Active Directory Service Accounts
The following sections outline the Active Directory (AD) Service Account permissions required for installing the Connector. They also outline the steps required to set these permissions.
Permissions Required to Install the Connector
There are no mandatory permissions required for the AD Service Account to install the Connector. You can optionally delegate the Reset user passwords and force password change at next logon task in the Delegation of Control Wizard panel. For steps on how to delegate the password reset task to the AD Service Account, see Permissions to Change and Reset Passwords.
Delegating this task will enable users to change and reset their passwords while connecting to the remote workstations. If this is not set, the user will receive an error.
Higher AD Service Account Permissions
If the user has a higher level of permissions than the AD Service Account, then you will experience password change errors even if the delegation is configured as outlined above.
Domain Controller certificates
If all DC certificates have expired, the Connector will stop working. An error indicator will display on the Connectors page when a Connector has a DC with expired certificates.
A warning indicator that details the current state of the DC certificates will display on the same page when a Connector has a certificate that is less than a week away from expiring.
For information on how to create and install a self-signed certificate on a Windows 2016 AD server to test LDAP connections, see KB 1707.
Permissions to Change and Reset Passwords
The following steps outline how to delegate the Reset user passwords and force password change at next logon task in the Delegation of Control Wizard:
- Open the Active Directory Users and Computers application.
- Select the user or group you want to delegate, and click Delegate Control.
- Click Next.
- Click Add and enter the username or group name that will be granted reset permission.
- Click OK.
- Click Next.
- Select Delegate the following common tasks and select the Reset user passwords and force password change at next logon task.
- Click Finish.
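To confirm that the delegation from the steps above took effect, the ACL on the delegated container can be checked for the two grants this task makes on user objects: the Reset Password extended right and write access to the pwdLastSet attribute. The following PowerShell is an added example, not vendor code; Test-PasswordResetDelegation is a hypothetical helper name, and the account names and sample ACEs are constructed placeholders.

```powershell
# Added example: checks ACEs for the two grants behind the delegated task.
# On a domain-joined host with the ActiveDirectory module, feed it real ACEs:
#   Import-Module ActiveDirectory
#   $aces = (Get-Acl -Path "AD:\<distinguished name of the delegated container>").Access
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

function Test-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [object[]] $Aces,
        [Parameter(Mandatory)] [string]   $Account
    )
    # Only Allow ACEs for the account are considered; Deny ACEs and
    # InheritedObjectType scoping are not evaluated by this check.
    $allow = $Aces | Where-Object {
        "$($_.IdentityReference)" -eq $Account -and "$($_.AccessControlType)" -eq 'Allow'
    }
    # An empty ObjectType GUID means the ACE covers every right or property.
    $covers = { param($ace, $target) ([guid]$ace.ObjectType) -in @($target, [guid]::Empty) }

    $canReset = [bool]($allow | Where-Object {
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll' -and (& $covers $_ $ResetPasswordRight)
    })
    $canForceChange = [bool]($allow | Where-Object {
        "$($_.ActiveDirectoryRights)" -match 'WriteProperty|GenericWrite|GenericAll' -and (& $covers $_ $PwdLastSetAttr)
    })
    [pscustomobject]@{
        Account = $Account; ResetPassword = $canReset; WritePwdLastSet = $canForceChange
        Delegated = ($canReset -and $canForceChange)
    }
}

# Constructed sample ACEs (not from a real directory); account names are placeholders.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\svc-connector'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ResetPasswordRight }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\svc-connector'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty, WriteProperty'; ObjectType = $PwdLastSetAttr }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\helpdesk'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ResetPasswordRight }
)
Test-PasswordResetDelegation -Aces $sample -Account 'EXAMPLE\svc-connector'
Test-PasswordResetDelegation -Aces $sample -Account 'EXAMPLE\helpdesk'
```

An account that reports Delegated as False holds only part of the task, or none of it, on the container that was checked.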
When the Connector is installed, you will be prompted for the following information:
- The AD Service Account username.
- The AD Service Account password.
Permissions Required to Provision Remote Workstations
Before provisioning a remote workstation, you need to ensure that the AD Service Account is correctly configured. This should be a different AD Service Account from the account used when installing the Connector. The AD Service Account needs to have specific permissions. For information on these permissions and how to configure them, see Provisioning Remote Workstations.