Summary

This article describes the permissions needed in Active Directory for a user account performing the adjoin and adgroup operations as part of managing the BoKS AD Bridge function.

Reference Information

AD User Privileges Required for adjoin
To perform the adjoin operation in AD, the account used must hold a minimum set of rights, otherwise the operation fails. Those rights must allow the account to create and edit hosts (Computer Objects) in the container or OU where BoKS will place them. adjoin should be run as a dedicated non-administrator account that has been delegated exactly these rights, not as a Domain Admin. To delegate them, follow these steps:

  1. In Active Directory Users and Computers, create (or select) the container or OU in which adjoin will create the computer objects, right-click it and select Delegate Control... The Delegation of Control Wizard is displayed.
  2. In the Wizard intro, click Next.
  3. In Users or Groups, click Add and add the non-administrator user, then click Next.
  4. In Task to delegate, select Create a custom task to delegate, then click Next.
  5. In Active Directory Object Type, select Only the following objects in the folder, check Computer Objects, and check Create selected objects in this folder, then click Next.
  6. In Permissions, check the following:
      • Read and write personal information
      • Read and write public information
      • Reset Password
      • Read and write Account Restrictions
      • Validated write to DNS host name
      • Validated write to service principal name
  7. Click Next and then Finish.

For more information about using the Delegation of Control Wizard, see your Active Directory documentation set.

AD User Privileges Required for adgroup
To perform the adgroup operation in AD, the account used must hold a minimum set of rights, otherwise the operation fails. Those rights must allow the account to create, delete and manage groups in the OU where BoKS will place them, and only there. To delegate them, follow these steps:

  1. On the Active Directory domain controller, in Active Directory Users and Computers, browse to the OU where you want the user to be able to create groups. In this example the OU is 'Test Dept', located under 'BoKS':

     ad.example.com
       BoKS
         Test Dept

  2. Right-click 'Test Dept' and select Delegate Control... to start the Delegation of Control Wizard.
  3. In the Wizard intro, click Next.
  4. Click Add..., select the user, click OK and then Next >.
  5. Select Delegate the following common tasks: and check Create, delete and manage groups.
  6. Click Next > then Finish.

The user is now allowed to create and delete groups with adgroup under 'Test Dept' only; adgroup operations against any other OU are denied.
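The two wizard procedures above can also be applied, and more importantly verified, from PowerShell. The following is an added example written for this article; it is not part of BoKS or of the Delegation of Control Wizard. It grants the same ACEs the wizard creates for the adjoin computer-object delegation and for the adgroup "Create, delete and manage groups" task, then reads the ACLs back so you can confirm exactly what the delegated account holds. The account name 'svc-boks', the domain 'ad.example.com' and the OU paths 'OU=Hosts,OU=BoKS' and 'OU=Test Dept,OU=BoKS' are assumptions for the example; substitute your own. Run it as an account that can modify the ACLs of those OUs, on a host with the ActiveDirectory module (RSAT).

```powershell
# Added example (not from the article): delegate the adjoin and adgroup
# rights with the ActiveDirectory module, then verify them.
# Assumed values: account svc-boks, OUs under OU=BoKS,DC=ad,DC=example,DC=com.
Import-Module ActiveDirectory

$DelegateSam = 'svc-boks'                                      # assumption
$ComputerOU  = 'OU=Hosts,OU=BoKS,DC=ad,DC=example,DC=com'      # assumption (adjoin)
$GroupOU     = 'OU=Test Dept,OU=BoKS,DC=ad,DC=example,DC=com'  # assumption (adgroup)

# Well-known schema / extended-right GUIDs; identical in every forest.
# If in doubt, confirm them with Get-ADObject against the schema naming
# context (schemaIDGUID) and CN=Extended-Rights (rightsGuid).
$G = @{
    ComputerClass       = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    GroupClass          = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    PersonalInformation = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
    PublicInformation   = [guid]'e48d0154-bcf8-11d1-8702-00c04fb96050'
    AccountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
    ResetPassword       = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    ValidatedDnsHost    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    ValidatedSpn        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
}

$Sid = (Get-ADUser -Identity $DelegateSam).SID

# Build one Allow ACE. $ObjectType is the property set / class / right the ACE
# applies to; $InheritedObjectType limits inherited ACEs to one object class
# ([guid]::Empty = any class), which is what "Computer objects" in the wizard means.
function New-AllowAce {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, 'Allow', $ObjectType, $Inheritance, $InheritedObjectType)
}

function Grant-Delegation {
    param([string]$DistinguishedName,
          [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# --- adjoin: what the custom task in the first procedure grants ---------------
# "Create selected objects in this folder" -> CreateChild of Computer, this OU only.
# Each checked permission -> an ACE inherited by descendant Computer objects only.
$adjoinRules = @(
    (New-AllowAce 'CreateChild'              $G.ComputerClass       'None')
    (New-AllowAce 'ReadProperty, WriteProperty' $G.PersonalInformation 'Descendents' $G.ComputerClass)
    (New-AllowAce 'ReadProperty, WriteProperty' $G.PublicInformation   'Descendents' $G.ComputerClass)
    (New-AllowAce 'ReadProperty, WriteProperty' $G.AccountRestrictions 'Descendents' $G.ComputerClass)
    (New-AllowAce 'ExtendedRight'            $G.ResetPassword       'Descendents' $G.ComputerClass)
    (New-AllowAce 'Self'                     $G.ValidatedDnsHost    'Descendents' $G.ComputerClass)
    (New-AllowAce 'Self'                     $G.ValidatedSpn        'Descendents' $G.ComputerClass)
)
Grant-Delegation -DistinguishedName $ComputerOU -Rules $adjoinRules

# --- adgroup: what "Create, delete and manage groups" grants ------------------
# Create/Delete Group objects in this OU, plus Full Control on descendant groups.
$adgroupRules = @(
    (New-AllowAce 'CreateChild, DeleteChild' $G.GroupClass 'None')
    (New-AllowAce 'GenericAll'               ([guid]::Empty) 'Descendents' $G.GroupClass)
)
Grant-Delegation -DistinguishedName $GroupOU -Rules $adgroupRules

# --- verification: list only the ACEs held by the delegated account -----------
function Get-DelegatedAces {
    param([string]$DistinguishedName, [string]$Sam)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Sam" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritanceType, InheritedObjectType
}
Get-DelegatedAces -DistinguishedName $ComputerOU -Sam $DelegateSam | Format-Table -AutoSize
Get-DelegatedAces -DistinguishedName $GroupOU    -Sam $DelegateSam | Format-Table -AutoSize
```

Two practical points. First, neither the wizard nor this script removes rights; running either twice, or against the wrong OU, accumulates ACEs, so run the verification step and check that svc-boks appears only on the intended OUs. Second, the adgroup task grants Full Control over every group under 'Test Dept', including groups nobody created with adgroup, so keep that OU dedicated to BoKS-managed groups rather than delegating on a parent that also holds other groups.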



Last Modified On: June 14, 2019