Managing domain account permissions for password reset

Securden scans the active directory in Windows servers to obtain the AD domain's OUs, Groups, and Computers. Along with them, the local admin accounts, domain accounts, and service accounts present on the servers are also obtained. Once computers are discovered, Securden scans each device for the domain accounts used as service accounts to run services, scheduled tasks, and IIS App pools.

When the password for a domain account is changed, Securden Unified PAM automatically updates this change across all related service accounts. The service accounts should have domain administrator permission to perform tasks like password verification and remote password resets through Securden. If the password reset made in domain accounts does not cascade to the service accounts, verify that the credentials used in the service accounts for remote operations have administrative privileges.

Follow the steps below to delegate domain account permissions for performing remote password reset.

• Log on to Windows Server as a domain administrator.
• Launch Server Manager.
• Navigate to the Tools menu and select ‘Active Directory Users and Computers (ADUC)’.
• In the left pane of the ADUC window, expand your domain, right-click on the required OU or User container and select ‘Delegate Control’ to delegate the permissions to the selected OU or user container.
• On the welcome screen, click ‘Next’.
• On the Users or Groups screen, click ‘Add’.
• In the ‘Select Users, Computers, or Groups’ dialog box, you should type in the AD group to which you want to give the domain account permissions for resetting user account passwords. Once the group is selected, click ‘OK’.

Note: Domain account permissions are needed only for carrying out remote password resets. For other operations, like Accounts Discovery, domain-level permissions are not required.