This may be helpful too: 
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/

From: [email protected] 
[mailto:[email protected]] On Behalf Of Gray McCord
Sent: Wednesday, January 15, 2014 1:00 PM
To: [email protected]
Subject: [Ltb-users] Question: requirements for AD LDAP-only user permissions?

I've been using LTB very successfully for months on an AD/LDAP environment and 
have finally gotten to the point where I've turned it over to our users to try. 
What I want to do is create an "LTB-only" AD user which only has the 
permissions necessary to change and reset passwords.  I created the user in AD 
and ran the Delegation of control wizard to set this up. I thought that 
enabling "Reset user passwords" and "Read all user information" might work, but 
alas, no. I wound up having to select "create, delete, and manage user 
accounts". The good news is that it's no longer using my or an admin's 
credentials, but I think I don't really need LTB to be able to create or delete 
or change group membership for users, which I think this setting permits.

Anyway, does anyone know what the minimum appropriate set of permissions / 
best practice should be to allow LTB to do its job?

Thanks!

Gray

Gray McCord
Adapt, Mutate, Migrate, or Die
                                                          -C. Darwin


_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
