Active Directory - Account Setup

Overview

In this article we will cover the least-privilege permission sets required for the following:

  • Computer object creation, deletion and move
  • OU creation and deletion


Considerations

  • You have the appropriate rights to delegate permissions within Active Directory
  • You have configured your service account for use


Procedure

Computer object delegation rights

There are two sets of rights you can apply. The first set is the default and lets the service account create and delete computer objects. The second, optional set lets it move computer objects between OUs.

NOTE: This needs to be applied to each top-level OU as required; child OUs inherit the permissions automatically.

  1. Delegate the following permissions to your service account on the appropriate OU
    1. Create a custom task to delegate
    2. Only the following objects in the folder
      1. Computer objects
    3. Create selected objects in this folder
    4. Delete selected objects in this folder
    5. Select the following permissions
      1. Read all properties
      2. Create all child objects
      3. Delete all child objects
    6. If you plan on building computers into a Build OU, also add the following permissions
      1. Read
      2. Write
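The note above says a delegation made on a top-level OU reaches its child OUs through inheritance. The following PowerShell script, added here as an example and not part of the original article or the SovLabs module, lists every ACE a service account holds on a given OU, marks which entries are inherited, and resolves the object-type GUIDs back to schema class, attribute and extended-right names so the output can be compared against the permission lists in this article. It assumes the RSAT ActiveDirectory module; the account and OU names are placeholders.

```powershell
# Added example (not from the original article): audit the ACEs a service
# account holds on an OU, including entries inherited from a parent OU.
# Assumes the RSAT ActiveDirectory module (provides Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-vra-ad'                            # placeholder account
$ChildOu        = 'OU=Finance,OU=Workstations,DC=contoso,DC=com'  # placeholder child OU

# Object-type ACEs carry GUIDs, not names. Build a GUID -> name map from the
# schema (classes and attributes) and from the Extended-Rights container
# (control access rights such as "Reset Password").
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid)
    # An empty GUID in an ACE means "all object types" / "all properties"
    if ($Guid -eq [guid]::Empty)      { return '(all)' }
    if ($guidMap.ContainsKey($Guid))  { return $guidMap[$Guid] }
    return $Guid.ToString()
}

function Get-ServiceAccountAces {
    param([string]$DistinguishedName, [string]$Account)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # .Access returns the DACL with identities already translated to DOMAIN\name
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Rights          = $_.ActiveDirectoryRights
                Type            = $_.AccessControlType
                ObjectType      = Resolve-AceGuid $_.ObjectType
                AppliesTo       = $_.InheritanceType
                InheritedObject = Resolve-AceGuid $_.InheritedObjectType
                Inherited       = $_.IsInherited     # $true when it came from a parent OU
            }
        }
}

Get-ServiceAccountAces -DistinguishedName $ChildOu -Account $ServiceAccount | Format-Table -AutoSize
```

Run it against a child OU after delegating on the parent: the rows with Inherited = True are the ones the note refers to. If a child OU shows no rows at all, check whether inheritance has been blocked on that OU (Advanced Security, "Disable inheritance"), which is the usual reason a top-level delegation does not reach it.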

OU Object Security Rights

The permission sets below give the service account enough rights to create and delete OUs within the specified OU. The Delegation of Control wizard does not appear to grant the right level of permissions on the OU itself, so the security permissions are set directly on the OU instead.

NOTE: This needs to be applied to each top-level OU as required; child OUs inherit the permissions automatically.

  1. In the properties of the OU, go to Security, then Advanced, and add a new permission entry
  2. Select the service account you will be using
  3. Add the following to this account:
    1. TYPE:
      1. Allow
    2. APPLIES TO:
      1. This object and all descendant objects
    3. PERMISSIONS
      1. List contents
      2. Read all properties
      3. Write all properties
      4. Read permissions
      5. Create Organizational Unit objects
      6. Delete Organizational Unit objects
  4. Add the following to this account:
    1. TYPE:
      1. Allow
    2. APPLIES TO:
      1. Descendant Organizational Unit objects
    3. PERMISSIONS
      1. List contents
      2. Read all properties
      3. Write all properties
      4. Read permissions
      5. Delete
      6. Create Organizational Unit objects
      7. Delete Organizational Unit objects


AD Security Group Permission set

This delegation is a little more tricky, as you need to know which group or groups you want to delegate: whether it is an OU containing the groups, or a single group.

  1. Delegate the following permissions to your service account on the appropriate OU (or on the single group)
    1. Modify the membership of a group
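The three procedures in this article (computer object delegation, OU create/delete rights, and group membership) can be applied with PowerShell instead of clicking through the Delegation of Control wizard and the Advanced Security dialog. The script below is an added example, not code from the original article or from the SovLabs module. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), and the account and OU names are placeholders to replace with your own.

```powershell
# Added example (not from the original article): apply the article's three
# delegation sets with explicit ACEs. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-vra-ad'                  # placeholder service account
$ComputerOu     = 'OU=Workstations,DC=contoso,DC=com'   # placeholder: top-level OU for computer objects
$OuParent       = 'OU=Sites,DC=contoso,DC=com'          # placeholder: OU in which child OUs are created
$GroupOu        = 'OU=AppGroups,DC=contoso,DC=com'      # placeholder: OU holding the groups to manage

# ACEs are stored by SID, so resolve the account name once up front.
$Sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Object-specific ACEs identify classes and attributes by schemaIDGUID, not by name.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$ComputerGuid = Get-SchemaGuid 'computer'
$OuGuid       = Get-SchemaGuid 'organizationalUnit'
$GroupGuid    = Get-SchemaGuid 'group'
$MemberGuid   = Get-SchemaGuid 'member'      # the attribute that holds group membership

# Read the OU's DACL, append the rules, and write it back.
function Add-OuAces {
    param([string]$DistinguishedName, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

$Ace     = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# --- 1. Computer object delegation -----------------------------------------
Add-OuAces $ComputerOu @(
    # "Create/Delete selected objects in this folder", limited to the computer class,
    # on this OU and every descendant OU
    $Ace::new($Sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $ComputerGuid, $Inherit::All),
    # "Read all properties / Create all child objects / Delete all child objects"
    # on descendant computer objects only
    $Ace::new($Sid, ($Rights::ReadProperty -bor $Rights::CreateChild -bor $Rights::DeleteChild), $Allow,
              $Inherit::Descendents, $ComputerGuid),
    # Optional "Read" and "Write" for the Build OU case (generic read/write on computers)
    $Ace::new($Sid, ($Rights::GenericRead -bor $Rights::GenericWrite), $Allow, $Inherit::Descendents, $ComputerGuid)
)

# --- 2. OU create/delete delegation ----------------------------------------
Add-OuAces $OuParent @(
    # Set A: "This object and all descendant objects"
    $Ace::new($Sid, ($Rights::ListChildren -bor $Rights::ReadProperty -bor $Rights::WriteProperty -bor $Rights::ReadControl),
              $Allow, $Inherit::All),
    $Ace::new($Sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $OuGuid, $Inherit::All),
    # Set B: "Descendant Organizational Unit objects" (adds Delete so the OU itself can be removed)
    $Ace::new($Sid, ($Rights::ListChildren -bor $Rights::ReadProperty -bor $Rights::WriteProperty -bor
                     $Rights::ReadControl -bor $Rights::Delete), $Allow, $Inherit::Descendents, $OuGuid),
    $Ace::new($Sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $OuGuid, $Inherit::Descendents, $OuGuid)
)

# --- 3. Group membership delegation ----------------------------------------
# "Modify the membership of a group" is write access to the member attribute of
# group objects. Scoped here to every group under $GroupOu; for a single group,
# call Add-OuAces with that group's DN, $Inherit::None and no inherited-object GUID.
Add-OuAces $GroupOu @(
    $Ace::new($Sid, $Rights::WriteProperty, $Allow, $MemberGuid, $Inherit::Descendents, $GroupGuid)
)
```

Two points worth noting when reviewing the result. The first OU set grants "Write all properties" on all descendant objects of the parent OU, exactly as the article's dialog steps do; if that OU also contains users or groups, the service account can write to those too, so consider scoping that entry to Descendant Organizational Unit objects as in set B. And since Set-Acl replaces the whole DACL, run the audit script from the computer object section afterwards to confirm that only the intended entries were added.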

Additional information

SovLabs Microsoft AD Module: http://docs.sovlabs.com/latest/vRA/7.6/modules/platform-extensions/microsoft-ad/
Microsoft delegation article: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects
