[Ltb-users] Question: requirements for AD LDAP-only user permissions?

Alban Meunier ameunier at smartwavesa.com
Thu Jan 16 00:14:44 CET 2014

Hi Gray,

To set the minimum rights for an AD account to reset a password, do the following:
1. Create a basic domain account without any additional privileges.
2. Use the Delegate Control wizard within "Users and Computers", then, for User Object, grant:
   - Reset Password
   - Write lockoutTime (if unlock is enabled)
   - Write shadowLastChange

That's it!

On 15 Jan 2014, at 22:00, Gray McCord <gdm at sangabriel.com> wrote:

> I’ve been using LTB very successfully for months on an AD/LDAP environment and have finally gotten to the point where I’ve turned it over to our users to try. What I want to do is create an “LTB-only” AD user which only has the permissions necessary to change and reset passwords. I created the user in AD and ran the Delegation of Control wizard to set this up. I thought that enabling “Reset user passwords” and “Read all user information” might work, but alas, no. I wound up having to select “Create, delete, and manage user accounts”. The good news is that it’s no longer using my or an admin’s credentials, but I think I don’t really need LTB to be able to create or delete or change group membership for users, which I think this setting permits.
> Anyway, does anyone know what the minimum appropriate set of permissions / best practice should be to allow LTB to do its job?
> Thanks!
> Gray
> Gray McCord
> Adapt, Mutate, Migrate, or Die
>                                                           -C. Darwin

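The delegation Alban describes can also be applied and, more importantly, read back for verification from PowerShell instead of clicking through the wizard. The script below is an added example, not from the list post or the LTB project; it assumes a service account named svc-ltb and a target OU of OU=People,DC=example,DC=com, and it resolves the attribute and extended-right GUIDs from the schema rather than hardcoding them.

```powershell
# Added example (not from the list post): delegate only Reset Password,
# Write lockoutTime and Write shadowLastChange on user objects under one OU
# to a dedicated LTB service account, then read the ACL back to confirm.
# Assumed names: service account 'svc-ltb', OU 'OU=People,DC=example,DC=com'.
Import-Module ActiveDirectory

$Account  = 'svc-ltb'
$TargetOU = 'OU=People,DC=example,DC=com'
$RootDse  = Get-ADRootDSE

# Resolve GUIDs from the schema / configuration partitions instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClass  = Get-SchemaGuid 'user'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'
$lockout    = Get-SchemaGuid 'lockoutTime'
$shadowLast = Get-SchemaGuid 'shadowLastChange'

$sid     = (Get-ADUser $Account).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$TargetOU"

# One ACE per right, each scoped so it only applies to descendant user objects
# (the inheritedObjectType GUID); no create/delete or group-membership rights.
$aces = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'ExtendedRight',  'Allow', $resetPwd,   $inherit, $userClass),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'WriteProperty',  'Allow', $lockout,    $inherit, $userClass),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, 'WriteProperty',  'Allow', $shadowLast, $inherit, $userClass)
)
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list exactly what the service account holds on this OU. Anything beyond
# these three ACEs means the wizard (or an earlier admin) granted more than needed.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$Account" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run the final read-back alone to audit an account that was delegated through the wizard; the "Create, delete, and manage user accounts" task shows up there as CreateChild/DeleteChild and write rights on member-related attributes that the LTB account does not need.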