Minimum Privileges

Thread starter: Brad Baker

Brad Baker

One of our developers is writing an ASP application which will allow our users
to add, edit, and delete active directory accounts as well as changing
passwords from a password protected webpage.

My understanding is that the ASP code he is writing will call a COM
component which was written in house. The COM component will need to run
under an account with privileges to make changes to active directory.

I've been tasked with determining the minimum privileges an account would
need to make the changes above. I was thinking that the account would need
to be a member of domain users and account operators but I'm not sure if the
account would need to be a member of any other groups.

Does anyone have any experience doing something like this or have any
suggestions as to what minimal groups would be required for such an account?
Any advice, documentation, or resources anyone could recommend would be
appreciated.

Thank You,

Brad
 
I have some install notes that may be of some assistance. This will allow
you to run a command as a normal user in an elevated mode for one instance
via IIS.

My install notes are as follows:


To run a web service in its own security credentials the system needs to run
in a specific application pool with a new identity for the access needed.


Create a new application pool
1. In IIS Manager, expand the local computer, right-click Application Pools,
point to New, and then click Application Pool.

2. In the Application pool name box, type the name of the new application
pool.

3. If the ID that appears in Application pool ID box is not the ID that you
want, type a new ID.

4. Under Application pool settings, click the appropriate setting. If you
click Use existing application pool as template, in Application pool name
box, right-click the application pool that you want to use as a template.

5. Click OK.


Assign the application/Virtual Directory to the application pool
1. In IIS Manager, right-click the application that you want to assign to an
application pool, and then click Properties.

2. Click the Virtual Directory, Directory, or Home Directory tab.

3. If you are assigning a directory or virtual directory, verify that
Application name is filled in. If the Application name box is not filled in,
click Create, and then type a name. (Note: make sure the site and all of the
virtual directories that need to run within this pool have been configured!
Look at each one within the site.)

4. In the Application pool list box, click the name of the application pool
to which you want to assign the Web site.


To change the account under which an application pool runs using IIS Manager

1. In IIS Manager, expand the local computer, expand Application Pools,
right-click the application pool, and then click Properties.

2. Click the Identity tab, and click either Predefined or Configurable.
Predefined refers to standard service names, such as Network Service (the
default), LocalSystem, or Local Service. Configurable refers to registered
user names.

- If you click Predefined, click a predefined account in the list box.

- If you click Configurable, in the User name and Password boxes, type the
user name and password of the account under which you want the worker
process to operate.

3. Click OK.



Add the following to the identity of the user used in the Application Pool

Open up the local security policy (Start/Programs/Administrative
Tools/Local Security Policy)
Security Settings/Local Policies/User Rights Assignments
Modify the following by adding the user to the assignments

- Replace a Process Level Token (SeAssignPrimaryTokenPrivilege)
- Adjust Memory Quotas for a process (SeIncreaseQuotaPrivilege)
- Generate Security Audits (SeAuditPrivilege)
- Bypass Traverse Checking (SeChangeNotifyPrivilege)
- Access this computer from a network (SeNetworkLogonRight)
- Logon as a Batch Job (SeBatchLogonRight)
- Logon as a Service (SeInteractiveLogonRight)
- Allow Logon Locally (SeInteractiveLogonRight)

Add the Identity to the local group of the web server to IIS_WPG


Restart the IISAdmin service and you should be good to go


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.
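The user rights and group membership in the notes above are easy to set and hard to keep track of, so here is an added audit script (not part of Paul's post) that exports the local user-rights policy and reports which of the listed rights the application pool identity holds, which rights it holds beyond that list, and whether it is in the local IIS_WPG group. The account name and group name are placeholders; the script assumes an elevated PowerShell session on the web server. One fact worth stating for the mapping: the policy constant for "Log on as a service" is SeServiceLogonRight, while SeInteractiveLogonRight is "Allow log on locally".

```powershell
# Added example (not from the original post): audit an IIS application pool
# identity against the user-rights list in the install notes above.
# Assumptions: run in an elevated PowerShell on the web server; the account and
# group names below are placeholders.
$Identity  = 'CONTOSO\svc-adweb'   # hypothetical application pool identity
$GroupName = 'IIS_WPG'             # IIS 6 worker-process group named in the notes

# Rights the notes grant to the identity, keyed by their policy constants.
# "Log on as a service" is SeServiceLogonRight; SeInteractiveLogonRight is
# "Allow log on locally".
$ExpectedRights = @(
    'SeAssignPrimaryTokenPrivilege',  # Replace a process level token
    'SeIncreaseQuotaPrivilege',       # Adjust memory quotas for a process
    'SeAuditPrivilege',               # Generate security audits
    'SeChangeNotifyPrivilege',        # Bypass traverse checking
    'SeNetworkLogonRight',            # Access this computer from the network
    'SeBatchLogonRight',              # Log on as a batch job
    'SeServiceLogonRight',            # Log on as a service
    'SeInteractiveLogonRight'         # Allow log on locally
)

# secedit lists principals as *SID, so resolve the account name to its SID.
$account = New-Object System.Security.Principal.NTAccount($Identity)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Parse "[Privilege Rights]" lines of the form: SeXxx = *S-1-5-...,*S-1-5-...
$granted = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $granted[$matches[1]] = @($matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Rights from the list the account does not hold, and rights it holds beyond it.
$missing = @($ExpectedRights | Where-Object { $granted[$_] -notcontains $sid })
$extra   = @($granted.Keys   | Where-Object {
    $granted[$_] -contains $sid -and $ExpectedRights -notcontains $_ })

# Local group membership via the WinNT provider (works without RSAT modules).
$samName = $Identity.Split('\')[-1]
try {
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $inGroup = $members -contains $samName
} catch {
    $inGroup = "group '$GroupName' not found on this host"
}

Write-Output "Identity:            $Identity ($sid)"
Write-Output "Missing rights:      $(if ($missing) { $missing -join ', ' } else { 'none' })"
Write-Output "Rights beyond list:  $(if ($extra)   { $extra   -join ', ' } else { 'none' })"
Write-Output "Member of ${GroupName}: $inGroup"
```

The "Rights beyond list" line is the one to watch on a reviewed server: the notes grant a fixed set to the pool identity, and anything outside that set (or membership in groups other than IIS_WPG) is extra privilege the web application's code would run with if it were ever compromised. Rights inherited through group membership, such as those IIS_WPG itself carries, show up in the export under the group's SID rather than the account's, so the script reports only direct assignments.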
 
Hi,

I have users who do this through a Custom MMC. Basically all I had to do was
delegate control to the User or the Group for the OU. Right Click OU -
Delegate Control. These are just regular users who are members of the Domain
Users Account. They have no special Privileges on the Domain except what I
have delegated above.

I have also created an ASP web based app to change Active Directory
Users. However, I have only ever got it to work on a One DC domain. I have
multiple DCs with Quotas and multiple settings so I haven't yet got it to
work well enough to implement.

Cheers,

Lara
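Delegating control on the OU, as Lara describes, is the least-privilege answer to Brad's question: the account needs no membership in Account Operators, only the specific rights the wizard writes onto the OU. Verifying what was actually delegated is the part the wizard does not show you afterwards, so here is an added PowerShell example (not from either post) that reads the OU's security descriptor and lists every access control entry granted to one trustee, translating the well-known GUIDs the wizard uses into readable names. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and group name are placeholders.

```powershell
# Added example (not from the original post): list the permissions that
# "Delegate Control" placed on an OU for one group, so the delegation can be
# reviewed for least privilege. Assumptions: RSAT ActiveDirectory module is
# installed; the OU and group names are placeholders.
Import-Module ActiveDirectory

$OuDn    = 'OU=Staff,DC=contoso,DC=local'   # hypothetical OU
$Trustee = 'CONTOSO\Helpdesk'               # hypothetical delegated group

# Well-known schema and control-access-right GUIDs that delegation ACEs
# commonly reference (the null GUID means "all rights / all classes").
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = '<all>'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control access right)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
}

function Resolve-Guid([guid]$g) {
    $key = $g.ToString()
    if ($KnownGuids.ContainsKey($key)) { $KnownGuids[$key] } else { $key }
}

# The AD: drive exposes directory objects; Get-Acl returns the OU's
# nTSecurityDescriptor as an ActiveDirectorySecurity object.
$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Trustee })

if ($aces.Count -eq 0) {
    Write-Output "No ACEs for $Trustee on $OuDn"
    return
}

$aces | ForEach-Object {
    [pscustomobject]@{
        Type        = $_.AccessControlType                  # Allow / Deny
        Rights      = $_.ActiveDirectoryRights              # e.g. ExtendedRight, WriteProperty
        ObjectType  = Resolve-Guid $_.ObjectType            # which right or attribute
        AppliesTo   = Resolve-Guid $_.InheritedObjectType   # which object class
        Inheritance = $_.InheritanceType                    # None / Descendents / All
        Inherited   = $_.IsInherited                        # came from a parent container?
    }
} | Format-Table -AutoSize
```

A "Reset password" delegation appears as an Allow ACE with Rights of ExtendedRight, ObjectType resolved to the Reset Password right and AppliesTo resolved to the user class, with Inheritance of Descendents. Anything broader than that for the trustee, such as GenericAll or an ObjectType of <all> with WriteProperty, is wider than a password-reset or user-maintenance web application needs and is worth tightening; the same review applies to the service account a COM component runs under, since the account needs only the ACEs on the OUs it manages and no domain-wide group beyond Domain Users.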
 