Set Permissions for Your Microsoft Active Directory (AD) Account

You use your Microsoft Active Directory (AD) domain administrator account to create an AD Bridge. Before creating this bridge, you must set permissions for your account. You must set these permissions so that you can install the bridge and configure delegated authentication for it.

With delegated authentication, Oracle Identity Cloud Service identity domain administrators and security administrators don’t have to synchronize user passwords between AD and Oracle Identity Cloud Service. Users can use their AD passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.

See Understand Delegated Authentication for more information about delegated authentication.

Set Permissions to Synchronize Users, Groups, and Group Membership

You set permissions for your Active Directory Bridge service account so that you can synchronize users, groups, or OUs between Microsoft Active Directory (AD) and Oracle Identity Cloud Service.

  1. Use your domain administrator credentials to sign in to the machine that contains your AD server.
  2. Open a command window.
  3. Set the Generic Read permissions for the users, groups, and organizational units (OU) in the AD domain that you want to import into Oracle Identity Cloud Service:
    dsacls <AD_Domain_Name> /I:T /g "<AD_Domain_Name>\<User/Group_Name>:GR"

    Note:

    <AD_Domain_Name> is the name of the domain that you're associating with Oracle Identity Cloud Service and <User/Group_Name> is the username of your domain administrator account.

    /I:T: This parameter specifies the objects to which you are applying the permissions. T is the default, which means you can propagate inheritable permissions to this object and child objects down to one level only.

    /g: This parameter grants the permissions that you specify to the user or group. For example, /g {<user> | <group>}:<permissions>.

    <permissions>: This parameter specifies the type of permissions that you are applying.
    • GR: Generic Read
    • GW: Generic Write
    • LC: List the child objects of the object
    • RP: Read Property
  4. Set the List Children and Read properties for the cn=Deleted Objects container with inheritance. This container is also in the AD domain that you're associating with Oracle Identity Cloud Service.
    dsacls "cn=deleted objects,<AD_Domain_Name>" /takeOwnership
    dsacls "cn=deleted objects,<AD_Domain_Name>" /I:T /g "<AD_Domain_Name>\<User/Group_Name>:LCRP"

    Note:

    If you don't have the above permissions, then the AD Bridge won’t be able to synchronize deleted users, groups, or OUs between AD and Oracle Identity Cloud Service. This will cause inconsistencies between AD and Oracle Identity Cloud Service.

Set Permissions to Propagate Changes to Microsoft Active Directory

You set permissions for your Active Directory Bridge service account so that you can propagate changes you have made in Oracle Identity Cloud Service to Microsoft Active Directory (AD) through the AD Bridge.

  1. Use your domain administrator credentials to sign in to the machine that contains your AD server.
  2. Open a command window.
  3. Set the Generic Write permission for the users, groups, and organizational units (OU) in the AD domain if you want to propagate the changes you have made in Oracle Identity Cloud Service to Active Directory.
    dsacls <AD_Domain_Name> /I:T /g "<AD_Domain_Name>\<User/Group_Name>:GW"
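A check for both dsacls procedures above (the GR and LCRP grants for synchronization, and the GW grant for write-back), added here as an example and not part of the Oracle page: it reads each object's ACL back and reports whether an inheritable Allow entry with the expected rights exists for the bridge account. It assumes the ActiveDirectory PowerShell module (for the AD: drive), that the account running it can read the ACLs it checks (the Deleted Objects container is normally readable only after the /takeOwnership step), and uses the placeholder account name svc-adbridge.

```powershell
Import-Module ActiveDirectory

function Test-BridgeAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # e.g. DC=example,DC=com
        [Parameter(Mandatory)][string]$Principal,           # e.g. EXAMPLE\svc-adbridge
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    try { $acl = Get-Acl -Path "AD:\$DistinguishedName" -ErrorAction Stop }
    catch { return [pscustomobject]@{ Object = $DistinguishedName; Principal = $Principal; Rights = $Rights; Present = $false; Error = $_.Exception.Message } }

    # An ACE counts only if it is an Allow for this principal, contains every
    # requested right, and was written with inheritance (dsacls /I:T).
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Rights) -eq $Rights) -and
        ($_.InheritanceType -eq 'All' -or $_.InheritanceType -eq 'SelfAndChildren')
    }
    [pscustomobject]@{
        Object    = $DistinguishedName
        Principal = $Principal
        Rights    = $Rights
        Present   = [bool]$ace
        Error     = $null
    }
}

$domain    = Get-ADDomain
$principal = "$($domain.NetBIOSName)\svc-adbridge"   # placeholder bridge service account

# Synchronization (AD -> Oracle Identity Cloud Service): GR on the domain
Test-BridgeAce -DistinguishedName $domain.DistinguishedName -Principal $principal -Rights GenericRead

# Deleted Objects container: LC + RP, otherwise deletions are not synchronized
$deleted = "CN=Deleted Objects,$($domain.DistinguishedName)"
Test-BridgeAce -DistinguishedName $deleted -Principal $principal -Rights 'ListChildren,ReadProperty'

# Write-back (Oracle Identity Cloud Service -> AD): GW on the domain
Test-BridgeAce -DistinguishedName $domain.DistinguishedName -Principal $principal -Rights GenericWrite
```

A row with Present = False after running the dsacls commands usually means the grant was applied to a different principal or without /I:T, so the bridge will be able to read the domain root but not the objects beneath it.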

Set Permissions for Delegated Authentication

You set permissions for your Microsoft Active Directory (AD) domain administrator account so that you can configure delegated authentication for the AD Bridge.

  1. Open Active Directory Users and Computers.
  2. Right-click the user, group, or organizational unit (OU) that you want to delegate, and then click Delegate Control.
  3. On the Delegation of Control wizard, click Next, and then click Add.
  4. On the Select Users, Computers, or Groups dialog box, in the text area, enter the user name or group name that needs to be granted permissions to configure delegated authentication.
  5. Click Check Names to verify that the user or group has been created in AD. If it hasn't been created, then create it.
  6. Click OK, and then click Next.
  7. Select the Delegate the following common tasks option, and then select Reset user passwords and force password change at next logon.
  8. Click Next, and then click Finish.
    The next steps explain how to set specific permissions to lock and unlock user accounts.
  9. Right-click on the newly modified user or group, and select Properties.
  10. Select the Security tab, and then click Advanced.
  11. On the Advanced Security Settings, click Add.
  12. On the Permission Entry wizard, click Select a principal, and enter the same user name or group name that has been granted reset permission.
  13. Click OK.
  14. In the Applies to field, select Descendant User objects.
    The list of permissions allowed for the user account (Principal) displays.
  15. Scroll down and enable Read lockoutTime, and Write lockoutTime.
  16. Click OK and continue to click OK until the end of the setup.
    The user account now has permissions to change passwords for all the user objects present in the high-level context.
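The same delegation done in PowerShell instead of the wizard, added here as an example and not part of the Oracle page: it grants the account the Reset Password control access right plus read/write of pwdLastSet (what the "Reset user passwords and force password change at next logon" task delegates) and read/write of lockoutTime, all scoped to descendant user objects of one OU. It assumes the ActiveDirectory module, looks the attribute and right GUIDs up from the schema rather than hard-coding them, and uses placeholder OU and account names.

```powershell
Import-Module ActiveDirectory

function Grant-DelegatedAuthRights {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,  # e.g. OU=Staff,DC=example,DC=com
        [Parameter(Mandatory)][string]$Principal            # e.g. EXAMPLE\svc-adbridge
    )
    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext

    # Resolve the object-type GUIDs from the schema and the Extended-Rights container
    $userClass  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
    $lockout    = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
    $pwdLastSet = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID
    $resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid

    $userGuid    = [guid]$userClass.schemaIDGUID
    $lockoutGuid = [guid]$lockout.schemaIDGUID
    $pwdGuid     = [guid]$pwdLastSet.schemaIDGUID
    $resetGuid   = [guid]$resetRight.rightsGuid

    $sid   = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # "Descendant User objects"

    $rules = @(
        # Reset user passwords: the Reset Password extended right on descendant users
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $resetGuid, $desc, $userGuid),
        # Force password change at next logon: read/write pwdLastSet
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty, WriteProperty', $allow, $pwdGuid, $desc, $userGuid),
        # Lock and unlock accounts: read/write lockoutTime
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty, WriteProperty', $allow, $lockoutGuid, $desc, $userGuid)
    )

    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $acl
}

Grant-DelegatedAuthRights -OrganizationalUnit 'OU=Staff,DC=example,DC=com' -Principal 'EXAMPLE\svc-adbridge'
```

Scoping the entries to descendant user objects keeps the account from being able to reset passwords on computers or other object types under the same OU.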