FYI, if you use the "Reset by questions" option, then you'll also need to do 
the following:


*        Right click the OU where you want delegation of permissions to 
propagate down from and select "Delegate Control..."

*        Add the account to delegate to, click Next

*        Create a custom task to delegate

*        Select the radio button for "Only the following objects in the 
folder", then select "User objects" at the bottom of the list, click Next

*        Select the "Property-specific" checkbox only, then locate the 
attribute you are using to store the "Reset by questions" answer in (this value 
is set in "$answer_attribute" - see SSP conf file). In my case, I use the 
"description" attribute. Not sure, but I would assume you need Read/Write for 
that attribute (i.e. select both "Read Description" and "Write Description").

From: [email protected] 
[mailto:[email protected]] On Behalf Of Gray McCord
Sent: Friday, January 17, 2014 4:37 AM
To: [email protected]
Subject: Re: [Ltb-users] Question: requirements for AD LDAP-only user 
permissions?

Thanks, Alan.  It works perfectly!

Gray

From: Alan Osborne [mailto:[email protected]]
Sent: Wednesday, January 15, 2014 5:52 PM
To: Alban Meunier; Gray McCord
Cc: [email protected]
Subject: RE: [Ltb-users] Question: requirements for AD LDAP-only user 
permissions?

Please confirm that the following permissions are NOT needed:

- Read lockoutTime
- Read pwdLastSet
- Write pwdLastSet
- Read shadowLastChange

Thanks!

From: [email protected] [mailto:[email protected]] On Behalf Of Alban Meunier
Sent: Wednesday, January 15, 2014 3:15 PM
To: Gray McCord
Cc: [email protected]
Subject: Re: [Ltb-users] Question: requirements for AD LDAP-only user 
permissions?

Hi Gray,

To set the minimum rights for an AD account to reset a password, do the 
following:

  1.  Create a basic domain account without any additional privileges
  2.  Use Delegate control wizard within "User and computers", then

  *   User Object
  *   Reset Password
  *   Write lockoutTime (if unlock is enabled)
  *   Write shadowlastchange

That's it!


On 15 Jan 2014, at 22:00, Gray McCord <[email protected]> wrote:

I've been using LTB very successfully for months on an AD/LDAP environment and 
have finally gotten to the point where I've turned it over to our users to try. 
What I want to do is create an "LTB-only" AD user which only has the 
permissions necessary to change and reset passwords.  I created the user in AD 
and ran the Delegation of control wizard to set this up. I thought that 
enabling "Reset user passwords" and "Read all user information" might work, but 
alas, no. I wound up having to select "create, delete, and manage user 
accounts". The good news is that it's no longer using my or an admin's 
credentials, but I think I don't really need LTB to be able to create or delete 
or change group membership for users, which I think this setting permits.

Anyway, does anyone know what the minimum appropriate set of permissions  / 
best practice should be to allow LTB to do its job?

Thanks!

Gray

Gray McCord
Adapt, Mutate, Migrate, or Die
                                                          -C. Darwin


--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users


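The two procedures in this thread (Alban's minimal delegation of Reset Password, Write lockoutTime and Write shadowLastChange on user objects, and the later step granting Read/Write on the attribute that stores the "Reset by questions" answer) can be expressed as dsacls calls instead of wizard clicks, which makes the delegation reviewable and repeatable. The script below is an added example, not something posted in the thread or shipped by the LTB project. The domain EXAMPLE, the account svc-ltb, the OU "OU=People,DC=example,DC=com" and the choice of "description" as the answer attribute are placeholders; shadowLastChange only exists if the RFC 2307 attributes are present in your schema.

```powershell
# Added example (not from the thread): the same delegation the wizard steps
# produce, written with dsacls so it can be reviewed and re-applied.
# Placeholders: domain EXAMPLE, account svc-ltb, OU below, answer attribute.
$ou              = 'OU=People,DC=example,DC=com'
$account         = 'EXAMPLE\svc-ltb'
$answerAttribute = 'description'   # whatever $answer_attribute is set to in the SSP conf file

# dsacls ACE syntax: "<account>:<rights>;<right or attribute name>;<inherited object class>"
#   CA     = control access (extended right), here "Reset Password"
#   WP/RP  = write / read a single property
#   "user" = the ACE only applies to user objects, matching the wizard's
#            "Only the following objects in the folder" -> "User objects"
# /I:S applies the ACE to sub-objects only; the OU object itself gets nothing.
$aces = @(
    "${account}:CA;Reset Password;user",
    "${account}:WP;lockoutTime;user",        # only needed if unlock is enabled in SSP
    "${account}:WP;shadowLastChange;user",   # only if the RFC 2307 attribute exists in your schema
    "${account}:RP;$answerAttribute;user",   # "Reset by questions" answer storage (read)
    "${account}:WP;$answerAttribute;user"    # "Reset by questions" answer storage (write)
)

foreach ($ace in $aces) {
    dsacls $ou /I:S /G $ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for ACE '$ace'" }
}

# Review what the service account can actually do on this OU. Only the
# entries granted above should show up; any "Create"/"Delete" child rights
# would mean the broader "create, delete, and manage user accounts" task
# from the wizard is still in place and should be removed.
dsacls $ou | Select-String -SimpleMatch $account
```

Run it once from an account that already holds control of the OU (dsacls ships with the AD DS tools on Windows Server). Because every ACE is scoped to user objects and to a single extended right or attribute, the account can reset passwords and touch the listed attributes but cannot create or delete users or change group membership, which is exactly the over-grant Gray wanted to avoid.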
