Thanks, Alan.  It works perfectly!

 

Gray

 

From: Alan Osborne [mailto:[email protected]] 
Sent: Wednesday, January 15, 2014 5:52 PM
To: Alban Meunier; Gray McCord
Cc: [email protected]
Subject: RE: [Ltb-users] Question: requirements for AD LDAP-only user permissions?

 

Please confirm that the following permissions are NOT needed:

 

- Read lockoutTime

- Read pwdLastSet

- Write pwdLastSet

- Read shadowLastChange

 

Thanks!

 

From: [email protected] On Behalf Of Alban Meunier
Sent: Wednesday, January 15, 2014 3:15 PM
To: Gray McCord
Cc: [email protected]
Subject: Re: [Ltb-users] Question: requirements for AD LDAP-only user permissions?

 

Hi Gray,

 

To set the minimum rights for an AD account to reset a password, do the
following:

1. Create a basic domain account without any additional privileges
2. Use the Delegate Control wizard within "Users and Computers", then:

   * User Object
   * Reset Password
   * Write lockoutTime (if unlock is enabled)
   * Write shadowLastChange

 

That's it!
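Once the wizard has been run, the natural follow-up is to verify that the service account ended up with exactly the rights listed above and nothing more (which is what the "please confirm these are NOT needed" question in the thread is getting at). The following PowerShell script is an added example, not code from the thread or from the LTB project: it reads the OU's ACL and reports which of the expected ACEs for the account are present, which are missing, and any additional Allow ACEs the account holds. It assumes the ActiveDirectory RSAT module (which provides the `AD:` drive), and the function name `Test-LtbDelegation`, the OU distinguished name and the account name are placeholders of my own.

```powershell
# Added example (not from the thread): audit the ACEs an "LTB-only" service
# account holds on an OU against the minimum set described above.
# Assumes the ActiveDirectory RSAT module; OU DN and account are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

# Resolve a schema attribute or class GUID by lDAPDisplayName rather than hard-coding it.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found (shadowLastChange requires the RFC 2307 schema)" }
    return [guid]$obj.schemaIDGUID
}

# Resolve a control access right (e.g. "Reset Password") from the Extended-Rights container.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

function Test-LtbDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$ServiceAccount,   # "DOMAIN\name", as Get-Acl reports it
        [switch]$UnlockEnabled
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    # The minimum set from the thread: Reset Password, Write shadowLastChange,
    # plus Write lockoutTime only when unlock is enabled.
    $expected = @(
        @{ Label = 'Reset Password';         Right = $rights::ExtendedRight; Guid = Get-ExtendedRightGuid 'Reset Password' }
        @{ Label = 'Write shadowLastChange'; Right = $rights::WriteProperty; Guid = Get-SchemaGuid 'shadowLastChange' }
    )
    if ($UnlockEnabled) {
        $expected += @{ Label = 'Write lockoutTime'; Right = $rights::WriteProperty; Guid = Get-SchemaGuid 'lockoutTime' }
    }
    $userClass = Get-SchemaGuid 'user'

    $acl  = Get-Acl -Path "AD:\$OuDistinguishedName"
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' })

    $matched    = @{}
    $unexpected = @()
    foreach ($ace in $aces) {
        $hit = @($expected | Where-Object {
            $ace.ActiveDirectoryRights.HasFlag($_.Right) -and $ace.ObjectType -eq $_.Guid })
        if ($hit.Count -gt 0) {
            foreach ($h in $hit) { $matched[$h.Label] = $true }
            # The wizard's "User Object" choice scopes the ACE to descendant user objects.
            if ($ace.InheritedObjectType -ne $userClass) {
                Write-Warning ("ACE for '{0}' is not scoped to user objects (InheritedObjectType={1})" -f `
                    (($hit | ForEach-Object { $_.Label }) -join ', '), $ace.InheritedObjectType)
            }
        } else {
            $unexpected += $ace
        }
    }

    [pscustomobject]@{
        Account    = $ServiceAccount
        Missing    = @($expected | Where-Object { -not $matched[$_.Label] } | ForEach-Object { $_.Label })
        Unexpected = @($unexpected | ForEach-Object { '{0} on {1}' -f $_.ActiveDirectoryRights, $_.ObjectType })
    }
}

# Placeholder values; replace with the real OU and the delegated account.
Test-LtbDelegation -OuDistinguishedName 'OU=Users,DC=example,DC=com' -ServiceAccount 'EXAMPLE\ltb-svc' -UnlockEnabled
```

Anything reported under `Unexpected` is a right the account holds beyond the list in the thread (for instance leftovers from a broader "create, delete, and manage user accounts" delegation) and is a candidate for removal; the warning about `InheritedObjectType` catches ACEs that were applied to all descendant objects rather than only to user objects.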

 

 

On 15 Jan 2014, at 22:00, Gray McCord <[email protected]> wrote:

 

I've been using LTB very successfully for months on an AD/LDAP environment
and have finally gotten to the point where I've turned it over to our users
to try. What I want to do is create an "LTB-only" AD user which only has the
permissions necessary to change and reset passwords.  I created the user in
AD and ran the Delegation of control wizard to set this up. I thought that
enabling "Reset user passwords" and "Read all user information" might work,
but alas, no. I wound up having to select "create, delete, and manage user
accounts". The good news is that it's no longer using my or an admin's
credentials, but I think I don't really need LTB to be able to create or
delete or change group membership for users, which I think this setting
permits.

 

Anyway, does anyone know what the minimum appropriate set of permissions /
best practice should be to allow LTB to do its job?

 

Thanks!

 

Gray

 

Gray McCord

Adapt, Mutate, Migrate, or Die
    -C. Darwin

 



_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users

 



