Active Directory (On-Premises) Access and Rights Delegation
Overview
This guide explains how to configure access from the Hideez Enterprise Server (HES) to an on-premises Active Directory (AD), retrieve the user list, and perform password management operations. It also describes how to delegate rights for changing user passwords to non-administrative accounts. These configurations are essential for enabling features such as password change, account unlocking, and secure authentication workflows within HES.
1. Connecting to AD to Retrieve the User List
- Any AD user can retrieve the list of other users. 
- If password changes are not required, connect to AD using an account with minimal privileges. 
2. Changing Passwords, Locking, and Unlocking AD Users
- These actions can only be performed by:
  - AD Administrators.
  - Members of the Account Operators or Domain Admins group.
  - Users with delegated rights to change passwords.

3. Delegating Rights to Change Passwords
To delegate rights to another user or group, follow these steps (administrator rights are required):
- Launch the Active Directory Users and Computers (ADUC) console:
  - Right-click the OU containing the users.
  - Select Delegate Control from the context menu.

- Select the user or group for delegation:
  - Choose the user or group that needs the right to change passwords or other additional permissions.

- Grant the rights:
  - Mark the rights to delegate:
    - Create, delete, and manage user accounts
    - Reset user passwords and force password change at next logon
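The same delegation done from PowerShell instead of the Delegation of Control wizard, as an added example that is not part of the Hideez documentation. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a placeholder OU `OU=HES-Users,DC=corp,DC=example` and a placeholder group `HES-PasswordOperators`; the function names `Grant-PasswordResetDelegation` and `Show-PasswordResetDelegation` are this example's own. It grants only what the password workflow needs (the Reset Password extended right plus write access to pwdLastSet for "change at next logon" and to lockoutTime for unlocking), rather than the broader "Create, delete, and manage user accounts" task, and it resolves the rights and attribute GUIDs from the schema instead of hard-coding them.

```powershell
# Added example (not Hideez code). Requires the RSAT ActiveDirectory module and
# an account that may modify the OU's security descriptor (administrator rights).
Import-Module ActiveDirectory

# schemaIDGUID of a class or attribute, looked up in the schema partition.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right, looked up under CN=Extended-Rights.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}

# Delegates password reset, forced change at next logon and unlock on every
# user object below the OU to the given group (inherited ACEs, user class only).
function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $group     = Get-ADGroup -Identity $GroupName
    $sid       = [System.Security.Principal.SecurityIdentifier]$group.SID
    $userClass = Get-SchemaGuid 'user'
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @()
    # Extended right "Reset Password" (well-known GUID 00299570-246d-11d0-a768-00aa006e0529).
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow,
        (Get-ExtendedRightGuid 'Reset Password'),
        $inherit,
        $userClass)
    # pwdLastSet = 0 forces "change password at next logon"; lockoutTime = 0 unlocks.
    foreach ($attr in 'pwdLastSet', 'lockoutTime') {
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'),
            $allow,
            (Get-SchemaGuid $attr),
            $inherit,
            $userClass)
    }

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

# Reads the OU's ACL back and lists only the ACEs granted to the group,
# so the delegation can be reviewed after it is applied.
function Show-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $netbios = (Get-ADDomain).NetBIOSName
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq "$netbios\$GroupName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, IsInherited
}

# Placeholder OU and group; replace with the OU holding the HES-managed users
# and the group (or service account's group) that HES authenticates with.
Grant-PasswordResetDelegation -OuDistinguishedName 'OU=HES-Users,DC=corp,DC=example' -GroupName 'HES-PasswordOperators'
Show-PasswordResetDelegation  -OuDistinguishedName 'OU=HES-Users,DC=corp,DC=example' -GroupName 'HES-PasswordOperators'
```

Scoping the ACEs to the user class and to one OU keeps the delegated account far below Account Operators or Domain Admins, which matches the guide's advice to connect with minimal privileges; the read-back at the end shows the three ACEs (ExtendedRight for Reset Password and ReadProperty/WriteProperty for the two attributes) so the result can be compared with what the wizard would produce.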
 
