Fortinet black logo

Cookbook

Configuring least privileges for LDAP admin account authentication in Active Directory

Configuring least privileges for LDAP admin account authentication in Active Directory

An administrator should only have sufficient privileges for their role. In the case of LDAP admin bind, you can configure an admin account in Active Directory for LDAP authentication to allow an admin to perform lookups and reset passwords without being a member of the Account Operators or Domain Administrators built-in groups.

For information about Active Directory, see the product documentation.

To configure account privileges for LDAP authentication in Active Directory:
  1. In the Active Directory Users and Computers administrative console, right-click the Organizational Unit (OU) or the top-level domain you want to configure and select Delegate Control.
  2. In the Delegation of Control Wizard dialog, click Next.
  3. In the Users or Groups dialog, click Add... and search Active Directory for the users or groups.
  4. Click OK and then click Next.
  5. In the Tasks to Delegate dialog, select Create a custom task to delegate and click Next.
  6. Select Only the following objects in the folder and scroll to the bottom of the list. Select User objects and click Next.
  7. In the Permissions dialog, select General.
  8. From the Permissions list, select the following:
    • Change password
    • Reset password
  9. Clear the General checkbox and select Property-specific.
  10. From the Permissions list, select the following:
    • Write lockoutTime
    • Read lockoutTime
    • Write pwdLastSet
    • Read pwdLastSet
    • Write UserAccountControl
    • Read UserAccountControl
  11. Click Next and click Finish.

Configuring least privileges for LDAP admin account authentication in Active Directory

Configuring least privileges for LDAP admin account authentication in Active Directory

An administrator should only have sufficient privileges for their role. In the case of LDAP admin bind, you can configure an admin account in Active Directory for LDAP authentication to allow an admin to perform lookups and reset passwords without being a member of the Account Operators or Domain Administrators built-in groups.

For information about Active Directory, see the product documentation.

To configure account privileges for LDAP authentication in Active Directory:
  1. In the Active Directory Users and Computers administrative console, right-click the Organizational Unit (OU) or the top-level domain you want to configure and select Delegate Control.
  2. In the Delegation of Control Wizard dialog, click Next.
  3. In the Users or Groups dialog, click Add... and search Active Directory for the users or groups.
  4. Click OK and then click Next.
  5. In the Tasks to Delegate dialog, select Create a custom task to delegate and click Next.
  6. Select Only the following objects in the folder and scroll to the bottom of the list. Select User objects and click Next.
  7. In the Permissions dialog, select General.
  8. From the Permissions list, select the following:
    • Change password
    • Reset password
  9. Clear the General checkbox and select Property-specific.
  10. From the Permissions list, select the following:
    • Write lockoutTime
    • Read lockoutTime
    • Write pwdLastSet
    • Read pwdLastSet
    • Write UserAccountControl
    • Read UserAccountControl
  11. Click Next and click Finish.