ForestSafe 4
Entarian Limited, June 2012
Adrian Owen and Jani Järvinen
Table of Contents

1 Introduction
2 Local Administrator Group
2.1 Steps
2.2 Verification
3 Windows Domain Account Management
3.1 Steps
3.2 Verification

Copyright 2007-2012 Entarian Limited
1 Introduction

ForestSafe runs as a Windows domain account. The scope of its management is configured within ForestSafe containers and policy. But what permissions should be given to the domain account in Active Directory to further restrict its authority, if required?

The ForestSafe service requires local Administrator rights on every Windows target that it manages, and specific password administration rights on every domain account it manages. In a proof of concept (POC), the simplest approach is to make it a member of the Domain Administrators group. In production environments, it need only be made a member of Domain Users, and management can be selectively configured through restricted groups and delegation.

2 Local Administrator Group

These steps add a domain account to a computer's local Administrators group, using restricted domain group membership (the Restricted Groups setting in Group Policy).

2.1 Steps

1. In Active Directory Users and Computers, create a domain account (or group) that you later wish to use to locally administer a computer. This domain account should be a regular user account, not a domain admin account.
2. Create a new organizational unit (OU) in Active Directory.
3. Place the destination computer object(s), for instance the member server, in the OU created in the previous step.
4. In Group Policy Management, create a new Group Policy Object:
   a. Under Computer Configuration, select Policies/Windows Settings/Security Settings.
   b. Under Restricted Groups, right-click and select Add Group.
   c. Name the group to match the local group you want to modify. For the local administrators, type Administrators. This must match the name of the local group!
   d. Under Members of this group (the upper list), click Add, and select the domain account which should be the local administrator, for instance MYDOMAIN\LocalAdminTest.
   e. Click OK.
5. Link the new Group Policy Object to the OU where the computer object(s) reside.
6. On the member server, run gpupdate /force.
7. Log off and then log on again with the domain account created in step 1.

2.2 Verification
8. Run the command net user Administrator Password2000.
9. The command will succeed.

3 Windows Domain Account Management

A Windows user can change the password of his or her own user account, but not those of other users. Administrators can change the password of any user account within the domain. These steps show how to use Active Directory delegation to allow any domain user to change (or reset) the passwords of any other user in a given organizational unit (OU).

3.1 Steps

Follow these steps to delegate control to any user within the domain.

1. Start the Active Directory Users and Computers tool as an administrator for the domain.
2. If needed, create a new organizational unit (OU) that will contain all the user accounts whose passwords the new delegated user account should be able to change. Note: it is not possible to restrict which individual user accounts the password change operation can be performed on; this can only be limited at the OU level.
3. Right-click the OU in the left-hand panel, and choose Delegation.
4. On the Delegation of Control Wizard dialog box, click Next to skip the welcome screen. On the Users or Groups page, use the Add button to select the domain account to which you want to give rights to change passwords within the selected OU. Note that you can also specify multiple accounts or use groups. Once you are done, click Next.
5. On the Tasks to Delegate page, select the option Create a custom task to delegate at the bottom. Click Next.
6. On the Active Directory Object Type page, select the option Only the following objects in the folder. Then, at the bottom of the list that becomes active, select User objects. Click Next.
7. On the Permissions page, select Property-specific. Verify that both the options General and Property-specific are selected. Then, near the top of the list, select both the options Change password and Reset password. Next, near the bottom of the list, select the options Read pwdLastSet and Write pwdLastSet. Click Next.
8. Verify the settings you have selected, and then click Finish.

3.2 Verification

After you have completed the above steps, you can verify the operation with the following steps.

1. Log on to the server (or your local workstation) as the user to whom you delegated the password change rights in step 4.
2. Start the Active Directory Users and Computers tool (dsa.msc).
3. Go to the organizational unit (OU) to which you delegated control.
4. Right-click any user account within that OU, and choose Reset Password.
5. Enter a new password and its confirmation, and click OK. Windows will display a message indicating that the password has been successfully reset.
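The two procedures above are carried out in the GUI, and their verification steps only prove that one account can do one thing. The following PowerShell script is an added example, not part of the ForestSafe guide or Entarian's tooling, that checks the resulting state from an administrator's side: for section 2, whether the local Administrators group on the member server contains exactly the members the Restricted Groups policy is meant to enforce; for section 3, every trustee that holds Change Password, Reset Password or pwdLastSet rights on the delegated OU, including rights inherited from higher in the tree. It assumes the RSAT ActiveDirectory module (for Get-ADObject and the AD: drive) and the built-in LocalAccounts module (Get-LocalGroupMember) are available; the MYDOMAIN\LocalAdminTest account and the OU path used in the usage note are placeholders. The rights GUIDs are resolved from the forest's schema and Extended-Rights container at run time rather than hardcoded.

```powershell
# Added example (not from the ForestSafe guide). Assumes the RSAT ActiveDirectory
# module and the built-in Microsoft.PowerShell.LocalAccounts module. Account names
# and the OU distinguished name are placeholders.
Import-Module ActiveDirectory

# Section 2 check: compare the local Administrators group with what the Restricted
# Groups policy should enforce. "Members of this group" replaces the existing
# membership, so an unexpected member means the policy has not applied, is not linked
# to this computer's OU, or has been overridden. The built-in local Administrator
# account cannot be removed from the group, so it belongs in the expected list.
function Test-RestrictedAdminGroup {
    param(
        [string[]]$ExpectedMembers = @("$env:COMPUTERNAME\Administrator",
                                       'MYDOMAIN\LocalAdminTest')   # placeholder
    )
    $actual = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Missing    = @($ExpectedMembers | Where-Object { $_ -notin $actual })
        Unexpected = @($actual | Where-Object { $_ -notin $ExpectedMembers })
    }
}

# Section 3 check: list every ACE on the OU that grants (or denies) the rights the
# Delegation of Control Wizard sets. Because these rights can only be scoped to an
# OU, not to individual accounts, the output is the complete set of principals able
# to reset the password of every user under that OU.
function Get-PasswordDelegation {
    param([Parameter(Mandatory = $true)][string]$OuDistinguishedName)

    $rootDse = Get-ADRootDSE

    # Resolve the GUIDs from this forest instead of hardcoding them.
    $names = @{}
    Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(|(displayName=Change Password)(displayName=Reset Password)))' `
        -Properties displayName, rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID
    $names[[guid]$attr.schemaIDGUID] = 'pwdLastSet'
    $userClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($ace in $acl.Access) {
        if (-not $names.ContainsKey($ace.ObjectType)) { continue }
        [pscustomobject]@{
            Trustee         = $ace.IdentityReference.Value
            Right           = $names[$ace.ObjectType]
            Access          = $ace.ActiveDirectoryRights   # ExtendedRight, ReadProperty, WriteProperty
            Type            = $ace.AccessControlType       # Allow or Deny
            Inherited       = $ace.IsInherited             # $true: granted higher up the tree
            # The wizard (step 6) scopes the ACE to descendant user objects; an ACE
            # that applies to every object type is broader than the guide intends.
            UserObjectsOnly = ($ace.InheritedObjectType -eq $userClass)
        }
    }
}
```

Run Test-RestrictedAdminGroup on the member server after gpupdate /force; an empty Missing and Unexpected list means the policy from section 2 is in effect. Run Get-PasswordDelegation -OuDistinguishedName 'OU=Managed Users,DC=mydomain,DC=local' | Format-Table (placeholder DN) from a domain-joined machine with RSAT; the account delegated in step 4 should appear with Reset Password, Change Password, and pwdLastSet rows, and any other trustees listed are worth reviewing, since each of them can reset the password of every user in the OU.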