Ping a Specific Port

Question

user35213

Asked: 2011-10-05 06:01:47 +0800 CST2011-10-05 06:01:47 +0800 CST 2011-10-05 06:01:47 +0800 CST

Services Accounts

772

We have a service account that is a member of the domain admins group. This is something that makes me exceptionally uncomfortable.

I am looking to change this as soon as possible but am fairly new to AD permissions. The main use of the service account is for LDAP queries so I have assigned the account Domain User membership. The trouble is that it also requires the ability to reset a password on behalf of a user. I was looking in to Delegate Control but can only see a "Reset User Passwords and Force Change at next Logon". What is needed is for the reset to occur but the force change not to be set. I tried to specify a role manually but am somewhat out of my depth with the sheer number of different permissions.

Has anyone got any guidance on what permissions are required to delegate control of password resets to another user?

1 Answers

Voted

MDMarra · Answer 1 · 2011-10-05T06:10:03+08:00

Best Answer

MDMarra

2011-10-05T06:10:03+08:002011-10-05T06:10:03+08:00

The minimum granular permissions that you need to delegate this task is:

Reset Password    
Read pwdLastSet    
Write pwdLastSet

You should create a new security group, delegate these permissions to it using the Delegation Wizard, and then add the service account to the new group.

3

Services Accounts

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?