Sun Identity Manager 8.1 Resources Reference

Required Administrative Privileges

This section describes Active Directory permission and reset password permission requirements.

Active Directory Permissions

The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.

The table below lists each Identity Manager function and the Active Directory permissions it requires.

Identity Manager Functionality: Create Active Directory User accounts
Active Directory Permissions:

  • Create User Objects

    To create the account enabled, you must have the ability to Read/Write the userAccountControl property. To create with the password expired, you must be able to Read/Write the Account Restrictions property set (includes the userAccountControl property).

Identity Manager Functionality: Delete Active Directory User accounts
Active Directory Permissions:

  • Delete User Objects

Identity Manager Functionality: Update Active Directory User accounts
Active Directory Permissions:

  • Read All Properties

  • Write All Properties

    Note: If only a subset of the properties are to be managed from Identity Manager, then Read/Write access can be given to just those properties.

Identity Manager Functionality: Change/Reset AD User account passwords; Unlock AD User accounts; Expire AD User accounts
Active Directory Permissions:

  User Object permissions:

  • List Contents

  • Read All Properties

  • Read Permissions

  • Change Password

  • Reset Password

  User Property permissions:

  • Read/Write lockoutTime Property

  • Read/Write Account Restrictions Property set

  • Read accountExpires Property

    To set permissions for the lockoutTime property, you should use the cacls.exe program available in the Windows 2000 Server resource kit.
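The following PowerShell script is an added example for this reference and is not part of the Sun Identity Manager documentation or product. It audits whether the administrative account configured in the Active Directory resource actually holds, on the OU whose user objects Identity Manager manages, the rights listed in the table above (Create/Delete User Objects, List Contents, Read/Write userAccountControl, Read/Write lockoutTime, Read accountExpires, Change Password, Reset Password). Attribute, class and extended-right GUIDs are resolved from the schema and configuration partitions rather than hard-coded, and rights held through group membership are counted. It assumes the ActiveDirectory PowerShell module is installed, that the caller may read the OU's security descriptor, and that the OU distinguished name and account name are placeholders to be replaced.

```powershell
# Added example (not from the Sun Identity Manager documentation): audit the
# Active Directory rights required by Identity Manager on a managed OU.
Import-Module ActiveDirectory

$TargetOu = 'OU=Managed Users,DC=example,DC=com'   # placeholder: OU managed by Identity Manager
$AdminSam = 'idm-gateway'                          # placeholder: sAMAccountName of the resource's admin account

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Returns the attribute's schemaIDGUID and, if it belongs to one, the GUID of its
# property set (attributeSecurityGUID), e.g. Account Restrictions for userAccountControl.
function Get-AttributeGuids([string]$LdapDisplayName) {
    $a = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID, attributeSecurityGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $a) { throw "attribute '$LdapDisplayName' not found in schema" }
    $guids = @(New-Object System.Guid -ArgumentList (,[byte[]]$a.schemaIDGUID))
    if ($a.attributeSecurityGUID) {
        $guids += New-Object System.Guid -ArgumentList (,[byte[]]$a.attributeSecurityGUID)
    }
    $guids
}

# Extended rights such as "Reset Password" are controlAccessRight objects under
# CN=Extended-Rights in the configuration partition; rightsGuid is stored as a string.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    if (-not $r) { throw "extended right '$DisplayName' not found" }
    [guid]$r.rightsGuid
}

# GUID of the "user" object class, used for CreateChild/DeleteChild and inheritance checks.
$userClass     = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))'
$userClassGuid = New-Object System.Guid -ArgumentList (,[byte[]]$userClass.schemaIDGUID)

$R    = [System.DirectoryServices.ActiveDirectoryRights]
$uac  = Get-AttributeGuids 'userAccountControl'
$lock = Get-AttributeGuids 'lockoutTime'
$exp  = Get-AttributeGuids 'accountExpires'

# Scope 'Container': the ACE must apply to the OU itself; 'User': it must be
# inherited by the user objects beneath it.
$requirements = @(
    @{ Name = 'Create User Objects';      Right = $R::CreateChild;   ObjectTypes = @($userClassGuid); Scope = 'Container' }
    @{ Name = 'Delete User Objects';      Right = $R::DeleteChild;   ObjectTypes = @($userClassGuid); Scope = 'Container' }
    @{ Name = 'List Contents';            Right = $R::ListChildren;  ObjectTypes = @();               Scope = 'User' }
    @{ Name = 'Read userAccountControl';  Right = $R::ReadProperty;  ObjectTypes = $uac;              Scope = 'User' }
    @{ Name = 'Write userAccountControl'; Right = $R::WriteProperty; ObjectTypes = $uac;              Scope = 'User' }
    @{ Name = 'Read lockoutTime';         Right = $R::ReadProperty;  ObjectTypes = $lock;             Scope = 'User' }
    @{ Name = 'Write lockoutTime';        Right = $R::WriteProperty; ObjectTypes = $lock;             Scope = 'User' }
    @{ Name = 'Read accountExpires';      Right = $R::ReadProperty;  ObjectTypes = $exp;              Scope = 'User' }
    @{ Name = 'Change Password';          Right = $R::ExtendedRight; ObjectTypes = @(Get-ExtendedRightGuid 'Change Password'); Scope = 'User' }
    @{ Name = 'Reset Password';           Right = $R::ExtendedRight; ObjectTypes = @(Get-ExtendedRightGuid 'Reset Password');  Scope = 'User' }
)

# Does a single ACE satisfy a requirement? Generic rights (GenericAll/Read/Write)
# are handled by the bit test; an empty ObjectType means "all properties/rights".
function Test-AceMatches($ace, $req) {
    if (([int]$ace.ActiveDirectoryRights -band [int]$req.Right) -ne [int]$req.Right) { return $false }
    if ($ace.ObjectType -ne [guid]::Empty -and $req.ObjectTypes -notcontains $ace.ObjectType) { return $false }
    if ($req.Scope -eq 'User') {
        if (-not ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) { return $false }
        if ($ace.InheritedObjectType -ne [guid]::Empty -and $ace.InheritedObjectType -ne $userClassGuid) { return $false }
    } elseif ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) {
        return $false
    }
    $true
}

# The account's own SID plus the SIDs of the groups it belongs to.
$account = Get-ADUser -Identity $AdminSam
$sids    = @($account.SID.Value) + @(Get-ADPrincipalGroupMembership -Identity $AdminSam | ForEach-Object { $_.SID.Value })

$acl      = Get-Acl -Path "AD:\$TargetOu"
$relevant = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $sids -contains $_.IdentityReference.Value }

# A matching Deny ACE overrides any Allow for the same requirement.
$results = foreach ($req in $requirements) {
    $matching = @($relevant | Where-Object { Test-AceMatches $_ $req })
    $allowed  = @($matching | Where-Object { $_.AccessControlType -eq 'Allow' }).Count -gt 0
    $denied   = @($matching | Where-Object { $_.AccessControlType -eq 'Deny'  }).Count -gt 0
    [pscustomobject]@{ Requirement = $req.Name; Granted = ($allowed -and -not $denied) }
}
$results | Format-Table -AutoSize
```

Run it as an account that can read the OU's security descriptor; each row reports whether the configured account, directly or via a group, holds that right. The script only inspects the ACL of the one OU you name, so users held in other OUs, or rights that come from the domain head, need a separate run against that container. A property-set grant counts because the attribute's attributeSecurityGUID is accepted alongside its own schemaIDGUID, which is how the "Account Restrictions" entry in the table covers userAccountControl.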

Reset Password

The permissions to perform Create, Delete, and Update of resource objects are as expected: the account needs Create and Delete permissions for the corresponding object type, and appropriate Read/Write permissions on the properties that are to be updated.

Pass-Through Authentication

To support Active Directory (AD) pass-through authentication:

Note: If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the Gateway.

The Gateway uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.

Accessing Deleted Objects

The administrative account must have access to the Deleted Objects container in Active Directory. By default, only Administrators and the System account have access to this container; other users can be granted access to it. For information on granting access to the Deleted Objects container, see Microsoft Knowledge Base article 892806.
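The following PowerShell script is an added example and is not part of the Sun Identity Manager documentation. It checks whether the resource's administrative account, directly or through one of its groups, has been granted read access (List Contents and Read All Properties) on the domain's Deleted Objects container, which is what the preceding paragraph requires. It assumes the ActiveDirectory PowerShell module is installed, that the caller is itself allowed to read that container's security descriptor, and that the account name is a placeholder.

```powershell
# Added example (not from the Sun Identity Manager documentation): verify that the
# configured administrative account can read the Deleted Objects container.
Import-Module ActiveDirectory

$AdminSam = 'idm-gateway'   # placeholder: sAMAccountName of the resource's admin account

# The Deleted Objects container is itself a tombstoned object, so it is only
# visible when deleted objects are included in the search.
$domainNC  = (Get-ADRootDSE).defaultNamingContext
$container = Get-ADObject -Identity "CN=Deleted Objects,$domainNC" -IncludeDeletedObjects `
    -Properties nTSecurityDescriptor

# The account's own SID plus the SIDs of the groups it belongs to.
$account = Get-ADUser -Identity $AdminSam
$sids    = @($account.SID.Value) + @(Get-ADPrincipalGroupMembership -Identity $AdminSam | ForEach-Object { $_.SID.Value })

# Reading the container means listing its children and reading their properties.
$R      = [System.DirectoryServices.ActiveDirectoryRights]
$needed = [int]($R::ListChildren -bor $R::ReadProperty)
$rules  = $container.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$granted = 0
$denied  = $false
foreach ($ace in ($rules | Where-Object { $sids -contains $_.IdentityReference.Value })) {
    # Only ACEs that cover all properties (empty ObjectType) are counted here.
    if ($ace.ObjectType -ne [guid]::Empty) { continue }
    $bits = [int]$ace.ActiveDirectoryRights -band $needed
    if ($bits -eq 0) { continue }
    if ($ace.AccessControlType -eq 'Deny') { $denied = $true }
    else { $granted = $granted -bor $bits }
}

$hasAccess = (-not $denied) -and (($granted -band $needed) -eq $needed)
[pscustomobject]@{
    Account           = $AdminSam
    DeletedObjectsRead = $hasAccess
}
```

A result of False means the account will not be able to recognize previously deleted accounts; by default only Administrators and the System account pass this check, matching the statement above. Because the script reads the container's nTSecurityDescriptor directly, it must itself be run by an account that is allowed to view the Deleted Objects container.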