[Ltb-users] Question: requirements for AD LDAP-only user permissions?
ameunier at smartwavesa.com
Thu Jan 16 00:14:44 CET 2014
To set the minimum rights for an AD account to reset a password, do the following:
Create a basic domain account without any additional privileges
Use Delegate control wizard within "User and computers", then
Write lockoutTime (if unlock is enabled)
That’s it!
On 15 Jan 2014, at 22:00, Gray McCord <gdm at sangabriel.com> wrote:
> I’ve been using LTB very successfully for months on an AD/LDAP environment and have finally gotten to the point where I’ve turned it over to our users to try. What I want to do is create an “LTB-only” AD user which only has the permissions necessary to change and reset passwords. I created the user in AD and ran the Delegation of control wizard to set this up. I thought that enabling “Reset user passwords” and “Read all user information” might work, but alas, no. I wound up having to select “create, delete, and manage user accounts”. The good news is that it's no longer using my or an admin’s credentials, but I think I don’t really need LTB to be able to create or delete or change group membership for users, which I think this setting permits.
> Anyway, does anyone know what the minimum appropriate set of permissions / best practice should be to allow LTB to do its job?
> Gray McCord
> Adapt, Mutate, Migrate, or Die
> -C. Darwin
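Added example, not part of the original thread: the delegation described in the reply above, scripted with dsacls instead of the wizard so the grant is explicit and repeatable. The OU, the account name and the $EnableUnlock switch are assumptions; only the two rights named in the reply are granted.

```powershell
# Assumed values (not from the thread): replace with your own.
$TargetOU     = 'OU=Staff,DC=example,DC=com'  # OU holding the users LTB manages
$Account      = 'EXAMPLE\svc-ltb'             # basic domain account LTB binds as
$EnableUnlock = $true                         # set to $false if LTB unlock is disabled

# CA = control access (extended right), WP = write property.
# The trailing ";user" restricts each ACE to user objects.
$grants = @("${Account}:CA;Reset Password;user")
if ($EnableUnlock) {
    $grants += "${Account}:WP;lockoutTime;user"
}

foreach ($grant in $grants) {
    # /I:S applies the ACE to child objects of the OU, not to the OU itself.
    & dsacls.exe $TargetOU /I:S /G $grant | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while granting '$grant' on $TargetOU"
    }
}

# Review step: show every ACL line on the OU that names the service account.
# Anything beyond the rights granted above (for example create or delete
# child rights left over from an earlier wizard run) should be removed.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Account
```

Run it from an elevated session with rights to modify the OU's ACL, and bind LTB with the delegated account afterwards to confirm a reset works.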