Minimum privileges and permissions required

Overview

By default, ADSelfService Plus functions seamlessly when the configured service account is a member of the Domain Admins group.

In environments that follow the principle of least privilege, you can instead use a delegated service account that has only the permissions required for the features you enable.

Note: If you do not provide authentication details while adding domains, ADSelfService Plus acquires its privileges in one of the following ways:
  • If ADSelfService Plus is installed to run as a console application and no credentials are specified, it uses the permissions of the user account that installed the product.
  • If ADSelfService Plus is installed to run as a service and no credentials are specified, it uses the permissions of the account configured to run the service.
In both cases the product inherits whatever rights that account already holds, so review them against the table below rather than assuming they are minimal.

Feature-wise permission requirements

Feature                                 Minimum permissions required
--------------------------------------  ---------------------------------------------------------------------------------
Self-service password reset             Reset password, Read pwdLastSet, and Write pwdLastSet on user objects
Self-service account unlock             Read lockoutTime and Write lockoutTime on user objects
Self-update user attributes             Read and Write on the required user attributes
Display fine-grained password policy    Read on msDS-PasswordSettings objects and msDS-PasswordSettingsContainer objects
Self-service mail group subscription    Read Members and Write Members on group objects
NTLM single sign-on                     Create and Read on computer objects
Force enrollment using logon script     Read scriptPath and Write scriptPath on user objects
View deleted users report               Membership in the Domain Admins group
Login agent installation                Membership in the Domain Admins group
Failover configuration                  Membership in the Domain Admins group
Note: The service account referred to here is the account configured on the Domain Settings page.

Fig 1: Domain configuration page with service account credentials

Granting permissions for all features

If you wish to enable all standard ADSelfService Plus features (password reset, account unlock, self-update, and NTLM SSO) without using a Domain Admin account, delegate the permissions listed below to the ADSelfService Plus service account. Where possible, run the wizard on the OU that holds the self-service users rather than on the domain root: every right you delegate, including Reset password, applies to all objects in the chosen scope. Accounts protected by AdminSDHolder (such as members of Domain Admins) do not inherit delegated permissions, so the service account cannot reset their passwords; this is the intended behavior.

Step 1: Delegate user management

  1. Open Active Directory Users and Computers (ADUC).
  2. Right-click the target domain or OU and select Delegate Control.

Fig 2: Selecting Delegate Control in Active Directory Users and Computers

  3. Click Next on the welcome screen.

Fig 3: Delegation of Control Wizard welcome page

  4. Click Add, select the user account or service account, and click OK. Then click Next.

Fig 4: Adding the ADSelfService Plus service account

  5. Select Delegate the following common tasks and enable the following options:
    • Reset user passwords and force password change at next logon
    • Read all user information
    • Modify the membership of a group

Fig 5: Selecting common delegation tasks

  6. Click Finish.

Note: Modify the membership of a group applies to every group in the chosen scope, including security groups. If you only need self-service mail group subscription, skip this option here and instead delegate Read Members and Write Members on the OU that contains the distribution groups, as described under Self-service mail group subscription.

Step 2: Delegate attribute modifications

  1. Repeat steps 1-4 listed in Step 1.
  2. Select Create a custom task to delegate and click Next.

Fig 6: Choosing a custom delegation task

  3. Select Only the following objects in the folder.
  4. Check User Objects from the list and click Next.

Fig 7: Selecting User objects for delegation

  5. Check General and Property-specific.
  6. Grant Read and Write permissions for the specific attributes users are allowed to update (e.g., mobile, department).

Fig 8: Granting read and write permissions for user attributes

  7. Click Finish.

Step 3: Delegate NTLM SSO permissions

  1. Repeat steps 1-4 listed in Step 1.
  2. Select Create a custom task to delegate and click Next.
  3. Select Only the following objects in the folder.
  4. Select Computer Objects from the list and check Create selected objects in this folder. Click Next.

Fig 9: Selecting Computer objects for NTLM SSO delegation

  5. Select General. Under Permissions, check Read and click Next.

Fig 10: Granting read permissions on Computer objects for NTLM SSO delegation

  6. Click Finish.

Step 4: Delegate password policy visibility

  1. Repeat steps 1-4 listed in Step 1.
  2. Select Create a custom task to delegate and click Next.
  3. Select Only the following objects in the folder.
  4. Check msDS-PasswordSettings objects and msDS-PasswordSettingsContainer objects from the list, and click Next.

Fig 11: Selecting password settings objects

  5. Check the General box. Under Permissions, check Read and click Next.

Fig 12: Granting read permission for password policy visibility

  6. Click Finish.

Granting feature-specific permissions

If you only require specific features, follow the delegation steps below for the relevant capability.

Self-service password reset

  1. In ADUC, right-click the target domain or OU and select Delegate Control.
  2. Click Next in the welcome dialog box.
  3. Click Add and select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate, and click Next.
  5. Check Only the following objects in the folder. Select User objects from the list, and click Next.

Fig 13: Selecting User objects for password reset delegation

  6. Check the General and Property-specific boxes.
  7. Under Permissions, check the Reset password, Read pwdLastSet, and Write pwdLastSet boxes and click Next.

Fig 14: Granting password reset permissions

  8. Click Finish.

Self-service account unlock

  1. In ADUC, right-click the target domain or OU and select Delegate Control.
  2. Click Next in the welcome dialog box.
  3. Click Add and select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate, and click Next.
  5. Select Only the following objects in the folder. Select User objects from the list, and click Next.

Fig 15: Selecting User objects for account unlock delegation

  6. Uncheck General and check Property-specific.
  7. Under Permissions, check Read lockoutTime and Write lockoutTime, and click Next.

Fig 16: Granting lockoutTime permissions

  8. Click Finish.

Directory self-update

  1. In ADUC, right-click the target domain or OU and select Delegate Control.
  2. Click Next in the welcome dialog box.
  3. Click Add and select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate, and click Next.
  5. Select Only the following objects in the folder. Select User objects from the list, and click Next.

Fig 17: Selecting User objects for self-update delegation

  6. Check the General box.
  7. Under Permissions, check Read and Write, and click Next. General Read and Write lets the account modify every attribute of every user in scope; in a least-privilege deployment, check Property-specific instead and grant Read and Write only for the attributes that are exposed for self-update.

Fig 18: Granting read and write permissions for self-update

  8. Click Finish.

Display fine-grained password policy

  1. In ADUC, right-click the target domain or OU and select Delegate Control.
  2. Click Next in the welcome dialog box.
  3. Click Add and select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate, and click Next.
  5. Check Only the following objects in the folder. Select msDS-PasswordSettings objects and msDS-PasswordSettingsContainer objects from the list and click Next.

Fig 19: Selecting password settings objects for policy display

  6. Check the General box.
  7. Under Permissions, select Read and click Next.

Fig 20: Granting read permission for password policy display

  8. Click Finish.

Self-service mail group subscription

  1. In ADUC, right-click the desired domain or OU, and select Delegate Control from the context menu.
  2. Click Next in the welcome dialog box.
  3. Click Add to select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate, and click Next.
  5. Check Only the following objects in the folder. Select Group objects from the list, and click Next.

Fig 21: Selecting Group objects for mail group subscription

  6. Uncheck General and check Property-specific.
  7. Under Permissions, check the Read members and Write members boxes and click Next.

Fig 22: Granting Members attribute permissions

  8. Click Finish.

Synchronizing AD objects with ADSelfService Plus

To synchronize AD objects with ADSelfService Plus without errors, grant the service account the Replicating Directory Changes control access right on the domain:

  1. Open the ADUC console, right-click the domain node, and select Properties. (This right exists only on the domain naming context; delegating it on an OU has no effect.)
  2. In the Security tab, click Add to select the ADSelfService Plus user or service account.
  3. In the Permissions section, allow Replicating Directory Changes.
  4. Click OK.

Note: Grant only Replicating Directory Changes (DS-Replication-Get-Changes). Do not also grant Replicating Directory Changes All: an account that holds both can request password hashes from a domain controller over the replication protocol (the DCSync technique), which makes a compromised service account equivalent to a domain controller.

Fig 23: Enabling Replicating Directory Changes permission
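
The following script is an added example and not ManageEngine's own tooling. It grants Replicating Directory Changes on the domain naming context with Set-Acl, then audits every principal on the domain head that holds any replication right, so you can confirm the service account did not also receive Replicating Directory Changes All. The account name is an assumption; the three rightsGuid values are the well-known ones from CN=Extended-Rights.

```powershell
# Added example (not ManageEngine's code): grant DS-Replication-Get-Changes to the service
# account on the domain head, then list who holds replication rights. Account name is assumed.
#Requires -Modules ActiveDirectory
param([string]$ServiceAccount = 'CORP\svc-adssp')   # assumed service account
Import-Module ActiveDirectory
$domainDN = (Get-ADRootDSE).defaultNamingContext
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Well-known rightsGuid values of the replication control-access rights (identical in every forest).
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All
$GetChangesFS  = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'   # Replicating Directory Changes In Filtered Set

# 1. Grant only DS-Replication-Get-Changes, on the domain head, not inherited by child objects.
$acl  = Get-Acl -Path "AD:\$domainDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $GetChanges,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 2. Audit: which principals can replicate what? An ExtendedRight ACE with an empty objectType,
#    or GenericAll, grants every control-access right, so those count as holding all three.
function Get-ReplicationRightHolders {
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Group-Object { $_.IdentityReference.Value } | ForEach-Object {
            $has = @{ Changes = $false; ChangesAll = $false; FilteredSet = $false }
            foreach ($ace in $_.Group) {
                $r = $ace.ActiveDirectoryRights
                $anyRight = (($r -band $all) -eq $all) -or ($r.HasFlag($ext) -and $ace.ObjectType -eq [guid]::Empty)
                if ($anyRight -or ($r.HasFlag($ext) -and $ace.ObjectType -eq $GetChanges))    { $has.Changes     = $true }
                if ($anyRight -or ($r.HasFlag($ext) -and $ace.ObjectType -eq $GetChangesAll)) { $has.ChangesAll  = $true }
                if ($anyRight -or ($r.HasFlag($ext) -and $ace.ObjectType -eq $GetChangesFS))  { $has.FilteredSet = $true }
            }
            [pscustomobject]@{
                Identity    = $_.Name
                Changes     = $has.Changes
                ChangesAll  = $has.ChangesAll
                FilteredSet = $has.FilteredSet
                CanDCSync   = ($has.Changes -and $has.ChangesAll)   # both together: full replication of secrets
            }
        } | Where-Object { $_.Changes -or $_.ChangesAll -or $_.FilteredSet }
}
Get-ReplicationRightHolders | Sort-Object CanDCSync -Descending | Format-Table -AutoSize
```

In the audit output, domain controllers, Enterprise Domain Controllers and the built-in Administrators group are expected to show CanDCSync as True; the ADSelfService Plus service account should show Changes only. Any other principal with CanDCSync set is worth an immediate investigation.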

Single sign-on to ADSelfService Plus via NTLMv2

  1. In ADUC, right-click the desired domain or OU, and select Delegate Control from the context menu.
  2. Click Next in the welcome dialog box.
  3. Click Add to select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate and click Next.
  5. Select Only the following objects in the folder.
  6. In the given list, select Computer objects and Create selected objects in this folder and click Next.
  7. Check the General box.
  8. Under Permissions, check Read and click Next.
  9. Click Finish.

Force enrollment using a logon script

To enforce users to enroll in ADSelfService Plus by modifying their logon script path:

  1. Open ADUC, right-click the desired domain or OU, and select Delegate Control from the context menu.
  2. Click Next in the welcome dialog box.
  3. Click Add to select the ADSelfService Plus user account or service account, then click OK. Click Next.
  4. Select Create a custom task to delegate and click Next.
  5. Select Only the following objects in the folder. Check User objects from the list, and click Next.
  6. Uncheck General and check the Property-specific box.
  7. Under Permissions, check Read scriptPath and Write scriptPath and click Next.

Fig 24: Granting scriptPath permissions for force enrollment

  8. Click Finish.

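The script below is an added example, not ManageEngine's code, and covers both the "Granting permissions for all features" procedure and the feature-specific sections above. It applies the same ACEs the Delegation of Control Wizard would create, but with Set-Acl on the AD: drive so the result is repeatable and reviewable: one switch case per feature from the permission table, GUIDs resolved from the schema and CN=Extended-Rights rather than hard-coded, and a read-back pass that reports any planned ACE that is missing and warns if the account holds GenericAll. The service account, OU, and self-update attribute names are assumptions; the script requires the RSAT ActiveDirectory module and an account allowed to change the security descriptor of the target OU.

```powershell
# Added example (not ManageEngine's code): delegate the feature-wise ACEs from this page
# to the ADSelfService Plus service account and verify them. Names below are assumptions.
#Requires -Modules ActiveDirectory
param(
    [string]$ServiceAccount = 'CORP\svc-adssp',               # assumed service account
    [string]$TargetOU       = 'OU=Staff,DC=corp,DC=example',  # assumed OU; prefer an OU over the domain root
    [string[]]$Features     = @('PasswordReset', 'AccountUnlock', 'SelfUpdate', 'MailGroup',
                                'NtlmSso', 'FgppDisplay', 'ForceEnrollment'),
    [string[]]$SelfUpdateAttributes = @('mobile', 'department')  # attributes users may edit (assumed)
)
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$pscDN    = "CN=Password Settings Container,CN=System,$($rootDse.defaultNamingContext)"
$sid      = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
                [System.Security.Principal.SecurityIdentifier])

# Resolve GUIDs from the schema and from CN=Extended-Rights instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapName' not found" }
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "extended right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}
$userClass = Get-SchemaGuid 'user'; $groupClass = Get-SchemaGuid 'group'; $computerClass = Get-SchemaGuid 'computer'
$rw = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# Planned ACEs: the object the ACE is set on, plus the rule itself.
$planned = New-Object System.Collections.Generic.List[object]
function Add-Ace([string]$Path, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType,
                 [guid]$InheritedType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents') {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType, $Inheritance, $InheritedType)
    $planned.Add([pscustomobject]@{ Path = $Path; Rule = $rule })
}
foreach ($f in $Features) {
    switch ($f) {
        'PasswordReset'   { Add-Ace $TargetOU 'ExtendedRight' (Get-RightGuid 'Reset Password') $userClass
                            Add-Ace $TargetOU $rw (Get-SchemaGuid 'pwdLastSet') $userClass }
        'AccountUnlock'   { Add-Ace $TargetOU $rw (Get-SchemaGuid 'lockoutTime') $userClass }
        'SelfUpdate'      { foreach ($a in $SelfUpdateAttributes) { Add-Ace $TargetOU $rw (Get-SchemaGuid $a) $userClass } }
        'MailGroup'       { Add-Ace $TargetOU $rw (Get-SchemaGuid 'member') $groupClass }
        'NtlmSso'         { Add-Ace $TargetOU 'CreateChild' $computerClass ([guid]::Empty) 'All'   # create computer objects
                            Add-Ace $TargetOU 'GenericRead' ([guid]::Empty) $computerClass }       # read computer objects
        'FgppDisplay'     { # PSOs live under CN=System, not under a user OU: grant Read on that container itself
                            Add-Ace $pscDN 'GenericRead' ([guid]::Empty) ([guid]::Empty) 'All' }
        'ForceEnrollment' { Add-Ace $TargetOU $rw (Get-SchemaGuid 'scriptPath') $userClass }
        default           { throw "unknown feature '$f'" }
    }
}

# Apply, one Set-Acl per target object.
foreach ($grp in $planned | Group-Object Path) {
    $acl = Get-Acl -Path "AD:\$($grp.Name)"
    foreach ($p in $grp.Group) { $acl.AddAccessRule($p.Rule) }
    Set-Acl -Path "AD:\$($grp.Name)" -AclObject $acl
}

# Read back: every planned ACE must be present, and the account should hold GenericAll nowhere.
$account    = $sid.Translate([System.Security.Principal.NTAccount]).Value
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
foreach ($grp in $planned | Group-Object Path) {
    $mine = (Get-Acl -Path "AD:\$($grp.Name)").Access | Where-Object { $_.IdentityReference.Value -eq $account }
    foreach ($p in $grp.Group) {
        $r   = $p.Rule
        $hit = $mine | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -eq $r.ActiveDirectoryRights -and
                                      $_.ObjectType -eq $r.ObjectType -and $_.InheritedObjectType -eq $r.InheritedObjectType }
        '{0,-7} {1}: {2} objectType={3}' -f ($(if ($hit) { 'OK' } else { 'MISSING' }), $grp.Name, $r.ActiveDirectoryRights, $r.ObjectType)
    }
    if ($mine | Where-Object { ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll }) {
        Write-Warning "$account holds GenericAll on $($grp.Name); that is more than any feature on this page needs"
    }
}
```

Run it with only the features you actually enable, for example -Features PasswordReset,AccountUnlock. The fine-grained password policy case targets the Password Settings Container directly because PSOs are not under any user OU; the wizard on the domain root reaches them only through inheritance. The read-back pass is also useful on its own after a wizard run, to confirm that what was delegated matches the permission table.
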
Features that require Domain Admin membership

View deleted users report

The minimum requirement to view this report is Domain Admin membership since accessing AD Recycle Bin or Tombstone objects requires elevated privileges.

Windows login agent (GINA) installation

Domain Admin privileges are required to push the installation via the ADSelfService Plus console. If you cannot provide Domain Admin credentials, install the login agent manually using Group Policy Objects (GPO) or SCCM. This method requires no elevated privileges within the ADSelfService Plus application.

Failover configuration

Domain Admin privileges are required only during initial setup. After setup, you can switch to a lower-privileged service account.

Service account privileges to run the ADSelfService Plus service

The service account referred to here is the account configured in the Log On tab under the ADSelfService Plus Service Properties.


Fig 25: Configuring the ADSelfService Plus service account

Local server folder permissions

The service account running the application and the local user account used to launch the application must have Full Control permissions over the ADSelfService Plus installation directory (By default: C:\Program Files\ManageEngine\ADSelfService Plus). Limit Full Control to these principals: any unprivileged local account that can write to this directory can replace the product's binaries and thereby run code as the service account.

Failure to grant these permissions will prevent:

  • Service Pack upgrades
  • Report generation
  • Starting the product
  • Product license application
  • Database backups and restorations
  • Employee photo synchronization
  • Self-update options
  • Dashboard graph updates

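The following check is an added example, not ManageEngine's code. It reads the NTFS ACL of the installation directory, confirms that the account the service logs on as (and any extra accounts you pass as launchers) has Full Control, and flags broad principals (Everyone, Authenticated Users, BUILTIN\Users) that can write to the directory. The service name and installation path are assumptions; set $ServiceName to the value shown by (Get-Service).Name on your server.

```powershell
# Added example (not ManageEngine's code): verify the install-directory ACL described above.
# Service name, path and launcher accounts are assumptions.
param(
    [string]$InstallDir  = 'C:\Program Files\ManageEngine\ADSelfService Plus',
    [string]$ServiceName = 'ADSelfService Plus',   # assumed; check (Get-Service).Name
    [string[]]$Launchers = @()                      # accounts that start the product interactively, e.g. 'CORP\admin1'
)
$fsRights      = [System.Security.AccessControl.FileSystemRights]
$full          = [int]$fsRights::FullControl
$writeBits     = [int]($fsRights::Write -bor $fsRights::Delete -bor $fsRights::ChangePermissions -bor $fsRights::TakeOwnership)
$GENERIC_ALL   = 0x10000000   # generic access bits that Get-Acl can return on inherited entries
$GENERIC_WRITE = 0x40000000

function Test-FullControl($Ace) {
    $raw = [int]$Ace.FileSystemRights
    (($raw -band $full) -eq $full) -or (($raw -band $GENERIC_ALL) -ne 0)
}
function Test-CanWrite($Ace) {
    $raw = [int]$Ace.FileSystemRights
    (($raw -band $writeBits) -ne 0) -or (($raw -band ($GENERIC_ALL -bor $GENERIC_WRITE)) -ne 0)
}
function Get-Sid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Which account does the service log on as? 'LocalSystem' and '.\user' need normalising first.
$svc = Get-CimInstance Win32_Service -Filter ("Name='{0}'" -f $ServiceName.Replace("'", "''"))
if (-not $svc) { throw "service '$ServiceName' not found; check (Get-Service).Name" }
$logon = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
$logon = $logon -replace '^\.\\', "$env:COMPUTERNAME\"

# Compare ACEs by SID so NetBIOS, UPN and local-account spellings all match.
$bySid = (Get-Acl -Path $InstallDir).Access | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
    [pscustomobject]@{
        Sid = $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null })
        Ace = $_
    }
}
function Get-AccountResult([string]$Name) {
    $sidValue = Get-Sid $Name
    $aces = $bySid | Where-Object { $_.Sid -eq $sidValue } | ForEach-Object Ace
    [pscustomobject]@{ Account = $Name; FullControl = [bool]($aces | Where-Object { Test-FullControl $_ }) }
}
$results = @(Get-AccountResult $logon) + @($Launchers | ForEach-Object { Get-AccountResult $_ })
$results | Format-Table -AutoSize

# Broad principals with write access are a local privilege-escalation path to the service account.
$broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$risky = $bySid | Where-Object { $_.Sid -in $broad -and (Test-CanWrite $_.Ace) }
foreach ($r in $risky) { Write-Warning ("{0} can write to {1} ({2})" -f $r.Ace.IdentityReference, $InstallDir, $r.Ace.FileSystemRights) }
if (-not $risky) { "No broad principal has write access to $InstallDir" }
```

A FullControl value of False for the service account explains the failures listed above (upgrades, backups, license application); a warning about a broad principal is the opposite problem and should be fixed by removing that principal's write rights rather than by widening anything.
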
Failover environment

If you switch to a lower-privileged service account after completing the initial failover configuration, the service account must have Share permissions to ensure uninterrupted folder sharing between both instances.

MS SQL database configuration

When an external Microsoft SQL Server database is used, the service account configured to run the service must have a SQL Server login and the required privileges: the db_owner role on the ADSelfService Plus database and the bulkadmin fixed server role (bulkadmin is granted at the server level, not per database). Do not grant sysadmin in place of these two roles.
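
The script below is an added example, not ManageEngine's code. It creates the Windows login for the service account, grants exactly the two roles named above (db_owner on the product database, bulkadmin at the server level), and then reads back the role memberships the account actually holds. Instance, database and account names are assumptions; it uses Invoke-Sqlcmd from the SqlServer module and must be run as a SQL Server sysadmin.

```powershell
# Added example (not ManageEngine's code): create the login and grant db_owner + bulkadmin,
# then list the account's role memberships. Instance, database and account names are assumed.
#Requires -Modules SqlServer
param(
    [string]$Instance       = 'SQL01\ADSSP',      # assumed SQL Server instance
    [string]$Database       = 'adsspdb',          # assumed product database
    [string]$ServiceAccount = 'CORP\svc-adssp'    # assumed service account
)
$ident = $ServiceAccount.Replace(']', ']]')     # safe inside [ ] identifier quoting
$lit   = $ServiceAccount.Replace("'", "''")     # safe inside N'...' string literals

# Server scope: the login and the server-level bulkadmin role.
$serverSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$lit')
    CREATE LOGIN [$ident] FROM WINDOWS;
ALTER SERVER ROLE bulkadmin ADD MEMBER [$ident];
"@
# Database scope: the user mapped to that login, and db_owner on the product database only.
$dbSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$lit')
    CREATE USER [$ident] FOR LOGIN [$ident];
ALTER ROLE db_owner ADD MEMBER [$ident];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master    -Query $serverSql
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $dbSql

# Read back what the account holds at both scopes; anything beyond bulkadmin and db_owner is excess.
$check = @"
SELECT r.name AS role_name, 'server' AS scope
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$lit'
UNION ALL
SELECT r.name, 'database'
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$lit';
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $check | Format-Table -AutoSize
```

The read-back query runs in the product database, so the database-scope rows apply only to that database; a sysadmin row in the server-scope output means someone took the shortcut the page does not ask for.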