How to create a limited Active Directory service account


Problem:  For webNetwork installation, you will need a Schema Admin and Domain Admin account.  For daily operation, you will need a service account to connect to Active Directory, but you may not want to run it with this same high-level account.  webNetwork uses a "proxy" style account to connect into your directory.  This means the proxy account is the only user that accesses the Active Directory server.



Cause:  webNetwork must have the proper rights to modify objects in the Active Directory tree or it will not function.  As a general guideline, the service account needs read/write access to the swareXXX attributes and full access to the swareXXX objects in the Stoneware OU.


Prerequisite(s):
  • Active Directory Users and Computers console
  • Domain Admins have two accounts (ex: joe-regular-user and joe-domain-admin-user)
  • webNetwork will need to be taken offline to switch accounts


Solution(s):  Create a lower-privileged account easily using the built-in Account Operators group.  

  1. Create a standard user in desired OU
  2. Add user to Account Operators group (under Builtin) 
  3. Right-click on Stoneware OU and click Properties 
  4. Go to Security tab and click Add... 
  5. Search for and select the created user
  6. Select Full Control for permissions
  7. Click Apply button
  8. Click Advanced button
  9. Find the created user and click Edit 
  10. Change "Apply onto" field to "This object and all child objects"
  11. Click OK and OK 
  12. Go to webNetwork Server Management console (8090 console)
  13. Enter new service account and password on Directory Services tab
  14. Validate user/password then click Save
  15. Go to Settings tab and click Shutdown
  16. Start the webNetwork service again
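Steps 1 through 10 can also be done from PowerShell with the ActiveDirectory module, which makes the resulting permissions easy to review and repeat. The script below is an added example, not part of the original article or of the webNetwork product; the domain, OU paths and the account name svc-webnetwork are placeholders you must replace with your own values. Steps 11 through 16 happen in the webNetwork Server Management console and are not covered here.

```powershell
# Added example: create the limited webNetwork service account and grant it
# Full Control on the Stoneware OU (steps 1-10 of the procedure above).
# Assumptions: the ActiveDirectory module is installed and you are running as
# a Domain Admin; all names below are placeholders.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
$userOu      = "OU=Service Accounts,$domainDn"   # placeholder: OU where the service account will live
$stonewareOu = "OU=Stoneware,$domainDn"          # placeholder: distinguished name of your Stoneware OU
$svcName     = "svc-webnetwork"                  # placeholder: service account name
$password    = Read-Host -AsSecureString "Password for $svcName"

# Step 1: create a standard user in the desired OU
New-ADUser -Name $svcName -SamAccountName $svcName -Path $userOu `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true

# Step 2: add the user to the built-in Account Operators group
Add-ADGroupMember -Identity "Account Operators" -Members $svcName

# Steps 3-10: Full Control on the Stoneware OU, applied to
# "This object and all child objects" (inheritance type All)
$sid = (Get-ADUser -Identity $svcName).SID
$acl = Get-Acl -Path "AD:\$stonewareOu"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$stonewareOu" -AclObject $acl

# Check: show the ACEs on the Stoneware OU that belong to the new account.
# Expect GenericAll / All / Allow; anything broader on other OUs is a finding.
(Get-Acl -Path "AD:\$stonewareOu").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The final Get-Acl call is the review step worth keeping: it shows exactly what the service account can do on the OU, which is the scope the article intends (the Stoneware OU only, plus whatever Account Operators grants). Re-running it after any later manual edits to the OU security confirms the account has not quietly gained rights elsewhere.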




IMPORTANT - limitations of above service account:
  • Members of Enterprise/Domain Admins will not be able to log in to webNetwork because we cannot update their swareXXX attributes (hence the need for secondary regular-user accounts for domain admin members)
  • Must use groups/users for assignments; the Account Operators group does not give write access to OUs, although you can add write to specific OUs manually
  • May experience errors in webNetworkTrace.log (start-up log) about missing ability to flush schema; lines should all start with INFO and webNetwork will still function
  • For webNetwork updates that require additional schema extensions (new features), you will need to switch the service account to a higher-privileged account or configure the schema credentials in Server Management Console (8090 console)
  • Full control of the Stoneware OU will allow webAdmin users to create new users and groups; if you wish to remove this right, you'll need to edit the security on the Stoneware OU further


