Forum Discussion

arpydays
May 22, 2016

Minimum AD privileges for APM acct

Hi,


we need to allow VPN users on APM to be able to change their AD password (via a tickbox on the logon page) and also enter a new password when it expires. I've read sol15008, which states:


  • The user is added to Domain Users group.
  • The user is granted the privilege to reset passwords of other AD users.
  • The user is added to the Group Policy Creator Owners group (this is required for fine-grained password policy checks).
  • The user is allowed to Read all properties (this is required for fine-grained password policy checks).

Is this the minimum that is required to allow this function? Or can it be tightened further?


thanks


2 Replies

  • We have our service account set up with Domain Users only.


    The changing of passwords is done by the user account itself, so we've never had issues.


    And by default domain users can read all attributes, so unless you've changed the default security permissions on AD, you should be fine.


    Cheers


  •
    Lucas_Thompson_
    Historic F5 Account

    For specific recommendations about aspects of Microsoft Active Directory security, you'd really be better off asking Microsoft about it. Critical things like security parameters should be reviewed by an expert in that area.


    What I'd recommend:


    1. Configure a user as specified in the solution.
    2. Consult Microsoft about how to enable audit logging so that all actions of the user can be logged, or capture events, or do whatever Microsoft recommends to capture information about what happens.
    3. Perform your desired reset operation test from APM, just as an end user would.
    4. Provide the audit logs (or whatever data) to Microsoft and ask them what the absolute minimum permission required for the user to perform the operation(s) is.

    I'm fairly certain that the password resets are done as the user changing the password and not as the administrator user. But you can certainly test it both ways, it won't hurt anything to do this in a lab test.
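The four items quoted from sol15008 in the question and the "configure, audit, test, read the logs" procedure in the last reply can both be carried out from PowerShell in a lab. The script below is an added example; it is not code from the thread, from F5 or from sol15008, and it does not settle which rights APM needs, it only shows how to measure that. All names are assumptions: the lab domain controller `dc01.lab.example`, the APM service account `svc-apm`, the test VPN user `vpnuser01` and the OU `OU=VPN Users,DC=lab,DC=example`. It requires the RSAT ActiveDirectory module, and the audit check requires the "User Account Management" subcategory to be enabled on the DC.

```powershell
# Added example, not code from the thread, F5 or sol15008. All names below are
# placeholders for an assumed lab domain; substitute your own before running.
Import-Module ActiveDirectory   # RSAT module; also provides the AD: drive used by Get-Acl

$DC         = 'dc01.lab.example'                  # assumed lab domain controller
$SvcAccount = 'svc-apm'                           # assumed APM AAA service account
$TestUser   = 'vpnuser01'                         # assumed ordinary VPN user
$UsersOU    = 'OU=VPN Users,DC=lab,DC=example'    # assumed OU holding the VPN users

# Control-access-right GUIDs defined by the AD schema
$ChangePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password
$ResetPasswordRight  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password

# --- Check 1: what groups does the service account actually hold? -------------
# sol15008 lists Domain Users and Group Policy Creator Owners; the first reply
# runs with Domain Users only.
function Get-SvcGroupMembership {
    Get-ADPrincipalGroupMembership -Identity $SvcAccount -Server $DC |
        Select-Object -ExpandProperty Name
}

# --- Check 2: is the service account granted Reset/Change Password on the OU? --
# Lists ACEs (explicit or inherited) on the VPN users OU that give the service
# account one of the two password extended rights, or all extended rights.
function Get-SvcPasswordRights {
    $svcNt = (Get-ADUser -Identity $SvcAccount -Server $DC).SID.Translate(
                 [System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$UsersOU").Access |
        Where-Object {
            $_.IdentityReference.Value -eq $svcNt -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $ResetPasswordRight -or
             $_.ObjectType -eq $ChangePasswordRight -or
             $_.ObjectType -eq [guid]::Empty)          # Empty = every extended right
        } |
        Select-Object IdentityReference, AccessControlType, ObjectType, IsInherited
}

# --- Check 3: exercise both operations from the lab ---------------------------
# A *change* supplies the old password and authenticates as the user, so it
# needs nothing from the service account. A *reset* supplies no old password
# and requires the Reset Password right on the target.
function Test-PasswordChangeAsUser {
    param([pscredential]$UserCred, [securestring]$NewPassword)
    Set-ADAccountPassword -Identity $TestUser -Server $DC -Credential $UserCred `
        -OldPassword $UserCred.Password -NewPassword $NewPassword
}
function Test-PasswordResetAsService {
    param([pscredential]$SvcCred, [securestring]$NewPassword)
    Set-ADAccountPassword -Identity $TestUser -Server $DC -Credential $SvcCred `
        -Reset -NewPassword $NewPassword
}

# --- Check 4: read the DC's audit trail for both operations --------------------
# On the DC first enable the subcategory (Success and Failure):
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# 4723 = attempt to change a password (old password supplied)
# 4724 = attempt to reset a password (no old password)
# Subject is who performed it, Target is whose password it was. After driving
# the APM logon-page tickbox and the expired-password flow, a 4723 with
# Subject equal to Target means the service account needed no reset right;
# a 4724 with Subject = svc-apm means the reset right was actually used.
function Get-PasswordAuditEvents {
    param([datetime]$Since = (Get-Date).AddMinutes(-30))
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Since } |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $kind = if ($_.Id -eq 4723) { 'change' } else { 'reset' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Kind    = $kind
                Subject = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Target  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            }
        }
}

# Usage (lab only):
#   Get-SvcGroupMembership
#   Get-SvcPasswordRights | Format-Table
#   Test-PasswordChangeAsUser -UserCred (Get-Credential 'LAB\vpnuser01') -NewPassword (Read-Host -AsSecureString 'New password')
#   Get-PasswordAuditEvents | Format-Table
```

Run the APM flows (the tickbox change and the expired-password prompt) between enabling the audit subcategory and calling `Get-PasswordAuditEvents`; the Subject/Target columns on the resulting 4723 or 4724 events are the evidence the last reply suggests handing to Microsoft, and they tell you directly whether the Reset Password grant from sol15008 is ever exercised in your setup.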