Page History

Creating a service account for working with the user catalog and system data storage

For Indeed Certificate Manager system to operate properly, certain rights to access Active Directory objects and certification authorities are required. You can distribute the privileges between several accounts, or create one with maximum rights for system management, depending on the requirements of the company security policy.

Create a

service account (say, servicecm)

to perform data saving and reading operations in the Active Directory

storage.

Configuring the user catalog in Active Directory

Grant the created service account (servicecm) the necessary permissions to work with the object (domains, containers, organizational unit) where the Indeed Certificate Manager users will be located. This account will be used to read and write user attributes.

To do this, do the following:

1. Open Security property of the object (domain, container or unit) that contains the Indeed CM system users.

1. Click Advanced. Click Add. Click Select

1. a principal.
2. In the Enter the object name to select text box, type service account (servicecm)

1. . Click OK.
2. In the Applies to list box, select Descendant User objects

1. .

1. In the Permissions list, activate:
   • List contents

   • Read all properties permission.

     Info
     By default, permission to read all user properties is granted to all accounts in the

1. • domain.

1. • 
     

   • Reset password - Required to be able to Resetting the user password via the system interface.
2. In the Properties list, set the following permissions:
   • Write pwdLastSet - Also required to be able to reset the user's password.
   • Write thumbnailPhoto or Write jpegPhoto - Required to Photo uploading to a user in Active Directory via the system interface.
   • Write userAccountControl - Required for the enable option Enforce smart card logon.
3. Click ОК and then 

1. Apply.

If reading all user properties

are forbidden the domain security policies, then set the rights for the service account access only to

the required user attributes according to

Table 3 and attributes of the object (domain, container or organizational unit) in which are located the Indeed CM users.

1. On the ADSI edit snap-in, open the Security property of the object (domain, container or division) that contains the Indeed CM users.
2. For the This object and all descendant objects.
   • In the Permissions click the List contents check box.
   • In the Properties click the check boxes next to:
     • Read сanonicalName
     • Read Distinguished Name
     • Read objectClass
     • Read objectGuid
     • Read showInAdvancedViewOnly
3. For the Descendant user objects: User objects.
   • In the Permissions check the List contents.
   • In the Properties select read/write the following sets of properties and attributes corresponding to Table 3:
     • Read personal Information
     • Read general Information
     • Read account restrictions
     • Read public Information
     • Write pwdLastSet
     • Write thumbnailPhoto or Write jpegPhoto
     • Write userAccountControl

Table

3 – Attributes used by Indeed CM to work with user directory.