How to create a limited Active Directory service account

How to create a limited Active Directory service account

Problem:  For webNetwork installation, you will need a Schema Admin and Domain Admin account.  For daily operation, you will need a service account to connect to Active Directory, but you may not want to run it with this same high-level account.  webNetwork uses a "proxy" style account to connect into your directory.  This means the proxy account is the only user that accesses the Active Directory server.



Cause:  webNetwork must have the proper rights to be able to modify objects in the Active Directory tree or it will not function.  General guidelines are the service account needs read/write access on swareXXX attributes  and ability full access to swareXXX objects in Stoneware OU. 


Prerequisite(s):
  • Active Directory Users and Computers console
  • Domain Admins have two accounts (ex: joe-regular-user and joe-domain-admin-user)
  • webNetwork will need to be taken offline to switch account


Solution(s):  Create a lower-privileged account easily using the built-in Account Operators group.  

  1. Create a standard user in desired OU
  2. Add user to Account Operators group (under Builtin) 
  3. Right-click on Stoneware OU and click Properties 
  4. Go to Security tab and click Add... 
  5. Search and select for created user 
  6. Select Full Control for permissions
  7. Click Apply button
  8. Click Advanced button
  9. Find the created user and click Edit 
  10. Change "Apply onto" field to "This object and all child objects
  11. Click OK and OK 
  12. Go to webNetwork Server Management console (8090 console)
  13. Enter new service account and password on Directory Services tab
  14. Validate user/password then click Save
  15. Go to Settings tab and click Shutdown
  16. Startup webNetwork service again




IMPORTANT - limitations of above service account:
  • Members of Enterprise/Domain Admins will not be able to login to webNetwork because we cannot update their swareXXX attributes (hence the need for a secondary regular-user accounts for domain admin members)
  • Must use groups/users for assignments; the Account Operators group does not give write access to OUs, although you can add write to specific OUs manually
  • May experience errors in webNetworkTrace.log (start-up log) about missing ability to flush schema; lines should all start with INFO and webNetwork will still function
  • webNetwork updates that require additional schema extensions (new features), you will need to switch the service account to a higher-privileged account or configure the schema credentials in Server Management Console (8090 console) 
  • Full control of the Stoneware OU will allow webAdmin users to create new users and groups; if you wish to remove this right, you'll need to edit the security further on Stoneware OU further



Reference:

    Can't find the KB

    Unable to find the KB to address your issue ?  

      • Recent Articles

      • Change Reset Password Button Text

        Change the text of the "Reset Password" button on the UW Login Page How to change the text of the Reset Password button on the Login Page. Login to webNetwork and open webAdmin on your Relay Central Server Expand Customization Center Expand Tenants ...
      • Remove Reset Password Button From Login Page

        Remove the Reset Password Button from the Login Page How to remove the Reset Password button from the Unified Workspace login page. Login to webNetwork and open webAdmin on your Relay Central Server Expand Customization Center Expand Tenants Expand ...
      • Lenovo Unified Workspace End-of-Life Questions and Answers

        As of January 31st 2024, Lenovo Unified Workspace (formerly Stoneware WebNetwork) is no longer supported. This means that we no longer provide licenses, downloads, updates, patches, or technical assistance for this product. If you have any questions ...
      • How do I determine my Unified Workspace license expiration date?

        The best method for determining the licensing information including the expiration date of your Unified Workspace license: Login to your 8090 management console on each server This may take remoting into each LUW server and relay, opening a browser, ...
      • Lenovo Unified Workspace 7.0.2.13 Released

        Highlights of Unified Workspace 7.0.2.13 Before you install: Please view the installation notes here. 7.0.2.13 requires a 7.0 license file. Below is a list of enhancements and fixes released in Unified Workspace 7.0.2.13 Fixed external storage ...
      • Related Articles

      • Creating a directory service account

        Problem:  Need to create service account for directory services (LDAP) connection. Cause:  Unified Workspace uses a "proxy" style account to be able to integrate into your directory. This proxy account is the only user that accesses the LDAP server ...
      • UW Active Directory Modifications

        Issue: How does Lenovo Unified Workspace affect Active Directory and specifically the Schema? Solution: Why does UW need to extend the Schema of AD? Please see the following KB article for a full explanation: ...
      • Microsoft command line tools for Active Directory

        How to Manage Users Creating a New User Account 1. Click Start, and then click Run. 2. In the Open box, type cmd. 3. At the command prompt, type the following command: dsadd user userdn -samid sam_name The following values are used in this command: • ...
      • User password expiration / lockouts in Microsoft Active Directory

        How can I show accounts that are locked out in AD ? http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx Can I dump password expiration for users in AD ? AdFind.exe to dump the password expiration. Stoneware download / Utilities has this ...
      • Unable to create cluster

        The customer is doing a new install and can not get the cluster working. Customer gets the error: Unable to invoke insertIntoCluster How can we delete the cluster by hand and start over? Helped customer remove cluster by hand by: 1) Shut down the ...