Active Directory (On-Premises) Access and Rights Delegation

Overview

This guide explains how to configure access from the Hideez Enterprise Server (HES) to an on-premises Active Directory (AD), retrieve the user list, and perform password management operations. It also describes how to delegate rights for changing user passwords to non-administrative accounts. These configurations are essential for enabling features such as password change, account unlocking, and secure authentication workflows within HES.

1. Connecting to AD to Retrieve the User List

  • Any AD user can retrieve the list of other users.

  • If password changes are not required, connect to AD using an account with minimal privileges.

2. Changing Passwords, Locking, and Unlocking AD Users

  • These actions can only be performed by:

    • AD Administrators.

    • Members of the Account Operators or Domain Admins group.

    • Users with delegated rights to change passwords.

To connect to AD from the HES side, use an account with the appropriate permissions.

3. Delegating Rights to Change Passwords

To delegate rights to another user or group, follow these steps (administrator rights are required):

  1. Launch the Active Directory Users and Computers (ADUC) Console:

    • Right-click on the OU containing the users.

    • Select Delegate Control from the menu.

  2. Select the User or Group for Delegation:

    • Choose the user or group that needs the right to change passwords or other additional permissions.

  3. Granting Rights:

    • Mark the necessary rights for delegation:

      • Create, delete, and manage user accounts

      • Reset user passwords and force password change at next logon

Important Note:

  • If you delegate password-change rights to a regular user, that user will be able to change the passwords of all regular users, but not of administrators.
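The following PowerShell check is an added example, not part of the Hideez documentation: it reads the OU's security descriptor and reports which principals received the "Reset user passwords and force password change at next logon" delegation, and whether each entry is scoped to user objects as the wizard creates it. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder OU name.

```powershell
# Added example: verify the ADUC "Delegate Control" result on an OU.
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

# Well-known GUIDs behind the ADUC delegation task (schema/extended-right GUIDs).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0562'  # extended right "Reset Password"
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet (force change at next logon)
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class "user"

function Get-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $isReset = ($ace.ObjectType -eq $ResetPasswordRight) -and
                   $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $isForce = ($ace.ObjectType -eq $PwdLastSetAttr) -and
                   $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        if (-not ($isReset -or $isForce)) { continue }

        [pscustomobject]@{
            Principal     = $ace.IdentityReference.Value
            Right         = if ($isReset) { 'ResetPassword' } else { 'ForceChangeAtNextLogon (write pwdLastSet)' }
            # The wizard limits the ACE to descendant user objects; an entry not scoped
            # to the user class applies to every object type under the OU and is worth reviewing.
            ScopedToUsers = ($ace.InheritedObjectType -eq $UserClass)
            Inherited     = $ace.IsInherited
        }
    }
}

# Usage with a placeholder OU; replace with the OU you delegated control on.
Get-PasswordResetDelegation -OuDistinguishedName 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

Run it as any account that can read the OU's security descriptor; an empty result means the delegation was not applied to that OU.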
