Delegate Permissions to Manage License Containers

AD Bridge stores licenses for agents in Active Directory (AD). To store the licenses, one or more license containers need to be created using the BeyondTrust Management Console (BMC). Licenses are then imported into the container from the console.

Agents get licenses from the license container they are immediately subordinate to in the AD hierarchy. In most cases, a single license container placed in the hierarchy superordinate to all agents is sufficient. In some cases, additional licensing containers can be created for organizational or administrative reasons.

Overview of License Containers and Licenses in AD Bridge

Each license container and each imported license is stored in AD as an object of class container. Appropriate permissions must be defined for a licensing administrator to create and delete license containers and licenses.

In addition to granting permissions to a licensing administrator, AD Bridge computer objects must also be granted Write all properties permissions to each license object to write to their claimed license object. These rights will be automatically granted on each imported license when the license container is created, using the default option Allow Computers to Acquire Licenses Automatically.

For more information, see Create an AD Bridge License Container.

To run the BMC, the user account must be a domain user account and a member of the local Administrators group.

Delegate Permissions to a License Container

This guide shows how to apply the minimum permissions required to manage licensing. In general, if a user has full rights over an OU structure, they can administer all license functions over that OU. The following procedure shows how to add minimum permissions to a security principal (preferably a group) to manage licensing.

The procedure uses the ASDI Edit configuration tool. ADSI Edit exposes the specific permissions required at the minimum level. Active Directory Users and Computers (ADUC) or a command line tool such as DACLS do not expose the permissions to this level of granularity.

Steps might vary slightly between OS versions. Steps provided here are from Windows Server 2012.

  1. Using ADSI Edit, connect to the default naming context of the domain and browse to the OU where the license containers will be created.

Properties menu for an OU in ADSI Edit

  1. Right-click an OU, and then select Properties.

 

OU Properties dialog highlighting the Advanced button

  1. Click the Security tab, and then select Advanced.

 

Advanced Security Settings dialog for an OU

  1. Click Add.

 

Permission Entry dialog for an OU

  1. Click Select a principal, enter the name of the group to provide permissions to, and then click OK.

 

Permission Entry dialog for the security principal OU

  1. Select Allow, This object and all descendent objects, and then select the following permissions from the list and click OK:
    • Create Container objects
    • Delete Container objects

 

  1. Repeat steps 4 and 5 to add the group with a new set of permissions.

Permission Entry dialog, allow descendant container objects

  1. Select Allow, Descendent Container objects, and then select the following permissions from the list and click OK:
    • List contents
    • Read all properties
    • Write all properties
    • Delete
    • Delete subtree
    • Read permissions
    • Modify owner

 

The steps can be performed on an OU, or on the root of the domain. In some cases, especially to manage a licensing container at the domain root, it may not be preferable to grant even these restricted permissions as they allow the manipulation of all container class objects under the target. In these cases, a Domain Admin can create the licensing container first in the BMC and then follow the above steps. However, instead of targeting the parent OU, target the $LikewiseEnterpriseLicenses container created (turn on Advanced Features from the ADUC View menu to see the created license container).