How to create a limited-privilege AD user for VERDE's LDAP integration

            Product Line:  VERDE

            VERDE needs an AD service account in two places: on the LDAP Server page, where it is used for VERDE's directory access, and in the Session Settings, where it is used to join Windows guests to the domain dynamically. The simplest way to give this account enough privilege is to make it a Domain Administrator, but that is far more than it needs, and a compromise of VERDE (or of the stored credential) would then be a compromise of the whole domain. If that is not acceptable, the steps below delegate only the rights the account actually requires: creating and managing computer objects in the container where new guests are joined.


            • Create a new AD security group (in this example, "VERDE Admins").

            • Find the container in which new computer objects are created. By default this is the top-level "Computers" container ("CN=Computers,DC=example,DC=com"), which is a container rather than an OU. If you have configured a custom OU in your Session Settings, set the following permissions on that OU instead.

            • In "Active Directory Users and Computers", right-click the "Computers" container (or your custom OU) and select "Delegate Control".

            • In the resulting wizard, add the newly created security group ("VERDE Admins"), click Next, select "Create a custom task to delegate", and click Next.

            • Select "Only the following objects in the folder", tick "Account objects" and "Computer objects" in the list, tick "Create selected objects in this folder" and "Delete selected objects in this folder", and click Next.

            • Tick "Full Control" in the permissions list and click Next. (Ticking Full Control checks every other box as well.)

            • The summary screen should now read as follows:


            You chose to delegate control of objects 
            in the following Active Directory folder:

                example.com/Computers

            The groups, users, or computers to which you
            have given control are:

                Verde Admins (EXAMPLE\verdeadmins)

            They have the following permissions:

                Full Control

            For the following object types:

                Computers

            • Click Finish.

            • Create a service account user and make it a member of two security groups:

                • "Domain Users" (the default primary group of a new user, so it is normally a member already)

                • Your newly created security group, "VERDE Admins" in our example


            Use this service account for both the LDAP Server page and the Session Settings. It should not be a member of Domain Admins or any other privileged group: directory reads for the LDAP Server page work because authenticated users can read the directory by default, and the domain-join rights come from the delegated permissions on the computer container. Note that Full Control over computer objects still lets the account reset the password of, and rewrite the attributes of, every computer under that container, so treat its credentials as sensitive: use a long random password and do not reuse the account for anything else.
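As an added example that is not part of the original article, the same delegation done from PowerShell with the ActiveDirectory module. This is useful when the procedure has to be repeated or audited, and it ends by listing exactly which ACEs the group holds and which groups the account belongs to. The group name and sAMAccountName, the service account name and display name, and the use of the domain's default Computers container are assumptions; substitute your own values.

```powershell
# Added example (not from the original article): the delegation procedure above, done
# with the ActiveDirectory PowerShell module instead of the Delegate Control wizard.
# Assumed values (not in the article): group name/sAMAccountName, service account name,
# and the target container. Run it as a user allowed to modify that container's ACL.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$TargetDN  = $Domain.ComputersContainer   # default "CN=Computers,DC=..."; use the custom
                                          # OU DN from Session Settings if you have one
$GroupName = "VERDE Admins"               # assumed
$GroupSam  = "verdeadmins"                # assumed
$SvcSam    = "svc-verde"                  # assumed service account name
$AclPath   = "AD:\$TargetDN"

# 1. The security group that carries the delegated rights.
$group = New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
    -GroupScope Global -GroupCategory Security `
    -Description "Delegated rights for VERDE dynamic AD join" -PassThru

# 2. Schema GUID of the "computer" class, so the ACEs are scoped to computer objects
#    only, which is what the wizard's "Computer objects" choice does.
$rootDse       = Get-ADRootDSE
$computerClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=computer))" `
    -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$sid   = $group.SID

# ACE 1: create and delete child Computer objects in the container itself
# ("Create/Delete selected objects in this folder" in the wizard).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    $allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# ACE 2: Full Control, inherited only by Computer objects below the container
# ("Full Control" for object type "Computers" in the wizard summary).
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid
)

$acl = Get-Acl -Path $AclPath
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path $AclPath -AclObject $acl

# 3. The service account. A new user gets "Domain Users" as its primary group
#    automatically; the delegated rights come only from the group membership below.
$password = Read-Host -Prompt "Password for $SvcSam" -AsSecureString
$svc = New-ADUser -Name "VERDE Service Account" -SamAccountName $SvcSam `
    -UserPrincipalName "$SvcSam@$($Domain.DNSRoot)" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -PassThru
Add-ADGroupMember -Identity $group -Members $svc

# 4. Verify: the group's two ACEs on the container, and that the account holds
#    nothing beyond Domain Users and the VERDE group.
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritanceType, InheritedObjectType -AutoSize

Get-ADPrincipalGroupMembership -Identity $SvcSam | Select-Object -ExpandProperty Name
```

The two ACEs are what the wizard summary above describes: create/delete of computer objects on the container, and Full Control inherited by computer objects beneath it. If you want to go tighter than the article, replace GenericAll in the second ACE with the rights a domain join actually uses (Reset Password, Write to Account Restrictions, and the validated writes to DNS host name and service principal name); on a domain controller, `dsacls "CN=Computers,DC=example,DC=com"` shows the resulting entries in their native form.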



            Updated: 23 Jan 2018 04:00 AM