Permissions for Service Account/ADSI
By default SSRPM used the ADSI interface to set and change a password. Based on our experience and the documentation of those functions, we know it should work if the SSRPM service account has the following permissions on user objects:
- Object
- Read All Properties
- Reset Password
- Read All Properties
- Properties
- Write pwdLastSet
- Write userAccountControl
- Read lockoutTime
- Write lockoutTime
- Write pwdLastSet
SSRPM can also be configured to use the Network Management Functions (NET) for setting and changing passwords. The NET functions are lower level functions than the ADSI functions and Microsoft recommends using ADSI. However, in some situations it is preferable to use NET functions, because those functions are more transparent than the ADSI functions. If SSRPM uses the NET functions the Service Account requires different permissions.
We recommend the following permissions:
- Object
- List Contents
- Read All Properties
- Read Permissions
- Modify Permissions
- Reset Password
- List Contents
- Properties
- Write Account Restrictions
- Write General INformation
- Write Logon Information
- Write Description
- Write Account Restrictions
Permissions for .NET
In order to use .NET functions, the SSRPM service requires the following permissions:
- Object
- List Contents
- Read All Properties
- Read Permissions
- Modify Permissions
- Reset Password
- List Contents
- Properties
- Write General Information
- Write accountExpires
- Write description
- Write homeDrive
- Write homeFolder
- Write logonHours
- Write logonWorkStation
- Write profilePath
- Write scriptPath
- Write userAccountControl
- Write userParameters
- Write General Information
It might be preferable to simplify the list of write permissions, which is possible since most of the write permissions are part of “Write Account Restrictions” and “Write Logon Information.”
The permission “Account Account Restrictions” includes:
- Object
- Write accountExpires
- Write msDS-User-Account-Control-Computed
- Write pwdLastSet
- Write userAccountControl
- Write userParameters
- Write accountExpires
The permission “Logon Information” includes:
- Object
- Write homeDrive
- Write homeFolder
- Write lastLogonTimestamp
- Write logonWorkstations
- Write logonHours
- Write logonWorkStation
- Write profilePath
- Write scriptPath
- Write homeDrive
So a simplified list would require these permissions to:
- Object
- List Contents
- Read All Properties
- Read Permissions
- Modify Permissions
- Reset Password
- List Contents
- Properties
- Write Account Restrictions
- Write General Information
- Write Logon Information
- Write Description
- Write Account Restrictions