Configuration Specific to Active Directory on Windows 2000/2003

By default, Active Directory requires that a bind username and password be used to search the LDAP directory store. This user account must have permission to read the attributes you specified in the User Query for all users you want to be able to authenticate against this LDAP server.

Although a Domain Admin account has this read permission by default, using such an account is strongly discouraged. The B Series Appliance must store the bind credential and send it with every bind, so while BeyondTrust takes every measure to protect the security of your information, a highly privileged bind account needlessly raises the impact of any compromise of the appliance or its traffic.

The recommended configuration is to create a specific account for the B Series Appliance to use for browsing the Active Directory server. Once this account is created, you can specifically grant the limited set of permissions necessary for this account to allow users to log into the BeyondTrust web interface or access consoles without compromising your organization's security.

To expressly grant the permission to read a particular attribute to a specific user or group, the Active Directory Access Control List (ACL) must be modified. To do this, the following command must be executed by a user who has permission to modify the ACL of the domain object and its descendants (e.g., a member of the Domain Admins built-in group):

dsacls [distinguished name of domain] /I:T /G "User or Group":rp;tokenGroups

dsacls                          Tool to modify the ACL of Active Directory.
[distinguished name of domain]  The distinguished name of the domain object at which to begin modifying the permission.
/I:T                            Specifies that the ACL entry applies to this object and all sub-objects.
/G                              Indicates that this is a grant permission.
"User or Group"                 The user or group in the domain to which to grant permission (the example below uses a bare account name; the DOMAIN\name and name@domain forms are also accepted).
rp                              Indicates that the permission is a special permission to read a property.
tokenGroups                     The property to which read permission is granted.

An example of this tool is as follows:

dsacls "DC=example,DC=local" /I:T /G "BeyondTrustAppliance":rp;tokenGroups

This grants the account BeyondTrustAppliance the permission to read the property tokenGroups on any object in the domain DC=example,DC=local.
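The following PowerShell script is an added example, not BeyondTrust's own tooling, that carries out the whole procedure above in one pass: it creates the dedicated low-privilege bind account, runs the dsacls grant described in the text, checks that the resulting ACE is actually present on the domain object, and then binds as the new account to confirm it can read tokenGroups for a sample user. It assumes the RSAT ActiveDirectory module is installed and that it runs as a Domain Admin; the account name BeyondTrustAppliance, the OU parameter and the sample user are placeholders.

```powershell
# Added example (not BeyondTrust code): create a dedicated bind account, grant it
# read access to tokenGroups domain-wide with dsacls, then verify the grant.
# Assumes RSAT ActiveDirectory module, run as Domain Admin. Names are placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$AccountName = 'BeyondTrustAppliance',  # placeholder account name
    [string]$AccountOU   = '',                      # placeholder OU DN; empty = default Users container
    [string]$SampleUser  = $env:USERNAME            # any user expected to authenticate via the appliance
)

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName               # e.g. DC=example,DC=local
$trustee  = "$($domain.NetBIOSName)\$AccountName"   # DOMAIN\name trustee syntax for dsacls

# 1. Create the bind account. It gets no group membership beyond Domain Users;
#    the only extra right it will hold is the tokenGroups read granted below.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$AccountName'" -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AccountName"
    $newUser = @{
        Name                 = $AccountName
        SamAccountName       = $AccountName
        UserPrincipalName    = "$AccountName@$($domain.DNSRoot)"
        AccountPassword      = $pw
        Enabled              = $true
        CannotChangePassword = $true
        PasswordNeverExpires = $true   # the appliance stores this secret; rotate it deliberately, not by expiry
    }
    if ($AccountOU) { $newUser['Path'] = $AccountOU }
    New-ADUser @newUser
}

# 2. Grant read-property on tokenGroups to the domain object and all sub-objects (/I:T),
#    exactly the dsacls form the text describes.
& dsacls.exe $domainDN /I:T /G "${trustee}:rp;tokenGroups"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. Verify the ACE landed. Resolve the schemaIDGUID of tokenGroups from the schema
#    instead of hardcoding it, then look for an Allow ReadProperty ACE on that attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$tgObj    = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=tokenGroups)' -Properties schemaIDGUID
$tgGuid   = [guid]$tgObj.schemaIDGUID
$acl = Get-Acl -Path "AD:\$domainDN"
$ace = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $trustee -and
    $_.ObjectType -eq $tgGuid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}
if (-not $ace) { throw "No Allow ReadProperty ACE for $trustee on tokenGroups found at $domainDN" }
"ACE present for $trustee on tokenGroups (inheritance: $($ace.InheritanceType))"

# 4. Functional check: bind as the new account and read tokenGroups of a sample user.
#    tokenGroups is a constructed attribute, so it must be requested explicitly via RefreshCache.
$cred   = Get-Credential -UserName $trustee -Message "Bind as $trustee to test the grant"
$userDN = (Get-ADUser -Identity $SampleUser).DistinguishedName
$entry  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$userDN", $cred.UserName, $cred.GetNetworkCredential().Password)
$entry.RefreshCache([string[]]@('tokenGroups'))
$sids = @($entry.Properties['tokenGroups'] | ForEach-Object {
    New-Object System.Security.Principal.SecurityIdentifier($_, 0)
})
if ($sids.Count -eq 0) { throw "Bind succeeded but tokenGroups is empty: the grant is not effective" }
"$trustee can read tokenGroups for $SampleUser ($($sids.Count) group SIDs)"
```

Step 4 is the check worth keeping around: an ACE that looks right in the ACL can still be overridden by an inherited Deny or by a block on an OU, and reading tokenGroups through an actual bind as the service account is the only test that reflects what the appliance will experience. Run it against a user in each OU from which you expect logins.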

For more information about the dsacls tool, please see How to Use Dsacls.exe.