How to create a limited Active Directory service account

Problem:  For webNetwork installation, you will need a Schema Admin and Domain Admin account.  For daily operation, you will need a service account to connect to Active Directory, but you may not want to run it with this same high-level account.  webNetwork uses a "proxy" style account to connect into your directory.  This means the proxy account is the only user that accesses the Active Directory server.



Cause:  webNetwork must have the proper rights to modify objects in the Active Directory tree or it will not function.  As a general guideline, the service account needs read/write access to the swareXXX attributes and full control of the swareXXX objects in the Stoneware OU.


Prerequisite(s):
  • Active Directory Users and Computers console
  • Each Domain Admin has two accounts (ex: joe-regular-user and joe-domain-admin-user)
  • webNetwork will need to be taken offline to switch the service account


Solution(s):  Create a lower-privileged account easily using the built-in Account Operators group.  

  1. Create a standard user in the desired OU
  2. Add the user to the Account Operators group (under Builtin)
  3. Right-click the Stoneware OU and click Properties
  4. Go to the Security tab and click Add...
  5. Search for and select the created user
  6. Select Full Control for permissions
  7. Click the Apply button
  8. Click the Advanced button
  9. Find the created user and click Edit
  10. Change the "Apply onto" field to "This object and all child objects"
  11. Click OK, then OK again
  12. Go to the webNetwork Server Management console (8090 console)
  13. Enter the new service account and password on the Directory Services tab
  14. Validate the user/password, then click Save
  15. Go to the Settings tab and click Shutdown
  16. Start the webNetwork service again
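Steps 1 through 11 above can also be done with the ActiveDirectory PowerShell module instead of the ADUC console; the script below is an added example, not part of the original KB, and the account name, OU distinguished names and domain are assumed placeholders. The final function reads the ACL back so you can confirm exactly what the service account was granted on the Stoneware OU.

```powershell
# Added example (not from the original KB). Assumed placeholder values:
Import-Module ActiveDirectory

$ServiceSam  = 'svc-webnetwork'                          # assumed service account name
$UserOuDn    = 'OU=Service Accounts,DC=example,DC=com'   # assumed OU for the new user
$StonewareOu = 'OU=Stoneware,DC=example,DC=com'          # assumed DN of the Stoneware OU

# Step 1: create a standard user in the desired OU (password prompted, never hard-coded)
$Password = Read-Host -AsSecureString -Prompt "Password for $ServiceSam"
New-ADUser -Name $ServiceSam -SamAccountName $ServiceSam -Path $UserOuDn `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true

# Step 2: add the user to the Builtin Account Operators group
Add-ADGroupMember -Identity 'Account Operators' -Members $ServiceSam

# Steps 3-11: Full Control on the Stoneware OU, applied to
# "This object and all child objects" (ActiveDirectorySecurityInheritance::All)
$Sid     = (Get-ADUser -Identity $ServiceSam).SID
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$Type    = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Rule    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $Sid, $Rights, $Type, $Inherit

$Acl = Get-Acl -Path "AD:\$StonewareOu"
$Acl.AddAccessRule($Rule)
Set-Acl -Path "AD:\$StonewareOu" -AclObject $Acl

# Verification: list the ACEs on the OU that belong to the service account, so the
# grant can be audited (and narrowed later if Full Control is more than you want).
function Get-ServiceAccountAces {
    param([string]$OuDn, [string]$SamAccountName)
    $Account = (Get-ADUser -Identity $SamAccountName).SID.Translate(
        [System.Security.Principal.NTAccount])
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -eq $Account } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

Get-ServiceAccountAces -OuDn $StonewareOu -SamAccountName $ServiceSam
```

Expect one Allow entry with ActiveDirectoryRights GenericAll and InheritanceType All; steps 12 through 16 (entering the account in the 8090 console and restarting webNetwork) are still done in the console.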




IMPORTANT - limitations of the above service account:
  • Members of Enterprise Admins/Domain Admins will not be able to log in to webNetwork because the service account cannot update their swareXXX attributes (hence the need for a secondary regular-user account for each domain admin member)
  • Must use groups/users for assignments; the Account Operators group does not give write access to OUs, although you can add write access to specific OUs manually
  • You may see errors in webNetworkTrace.log (start-up log) about a missing ability to flush the schema; these lines should all start with INFO and webNetwork will still function
  • For webNetwork updates that require additional schema extensions (new features), you will need to switch the service account to a higher-privileged account or configure the schema credentials in the Server Management Console (8090 console)
  • Full control of the Stoneware OU will allow webAdmin users to create new users and groups; if you wish to remove this right, you will need to edit the security on the Stoneware OU further


