Introduction

Most organisations use Microsoft Active Directory as their user directory. When implementing DualShield they will need to connect their DualShield authentication server to their Active Directory server, so that DualShield can carry out operations such as searching users, reading account properties and so on. The access from DualShield to AD requires a user account with the necessary access rights and privileges.

DualShield is capable of performing most of the tasks that are required of it, and requires no additional access rights other than those it would have by default as a Domain User.

There are, however, three optional features of the software that, if used, require additional access rights to be delegated to that account.



Optional Features

Lock/Unlock User Accounts:

In order for DualShield to lock and unlock users, write access is required to the Active Directory property “Write lockoutTime”.

Enable/Disable User Accounts:

In order for DualShield to enable or disable user accounts, write access is required to the Active Directory property “Write account restrictions”.

Change and Reset Users Passwords:

In order for DualShield to change and reset user passwords, write access is required to the Active Directory properties “Write userAccountControl” and “Write pwdLastSet”.

Additionally, the password feature also needs the permissions “Change Password” and “Reset Password”.


Creating a Domain User Account

First we need to create a user account called “DualShield” that will be a member of the group “Users”.

  1. From the Server Manager dashboard select “Tools”, then “Active Directory Users and Computers”.
  2. A new window opens titled “Active Directory Users and Computers”.
  3. Right click on the folder named “Users”, then select “New”, then “User”.
  4. A form will open with the title “New Object – User”. Type “DualShield” at the prompts “First name:” and “User logon name:”; “DualShield” will automatically be copied to the other fields. Click on “Next >” to supply the password information.
  5. Remove the tick from “User must change password at next logon”. Fill in the fields “Password” and “Confirm password” with a password compliant with your company password policy, then click on “Next >”.
  6. A confirmation window will now open. Click on “Finish” to exit this window.

Preparation for adding properties and permissions

The next steps will add this user account to the security list of the Users folder, in preparation for delegating the necessary additional write properties and permissions.


  1. You will now return to the window titled “Active Directory Users and Computers”. Right click on the folder “Users”, then select “Properties”.
  2. A new window now opens headed “Users Properties”. Select the “Security” tab, then click on the “Add” button.
  3. A form now opens with the title “Select Users, Computers, Service Accounts, or Groups”. In the field “Enter the object names to select (examples):” type “DualShield”, then click on “Check Names”. The account name is updated in the field; click on the “OK” button.
  4. You will now return to the “Users Properties” form. The user “DualShield” has now been added to the list of users in the tab “Security”. Click on “Apply”, then on “Advanced”.

Adding properties and permissions

We will now add the necessary additional properties and permissions to the user account within the scope of the Users folder.


  1. A window now opens titled “Advanced Security Settings for DualShield”. Click on the “Add” button.
  2. A window now opens titled “Permission Entry for DualShield”. Click on “Select a principal”.
  3. A form now opens with the title “Select Users, Computers, Service Accounts, or Groups”. In the field “Enter the object names to select (examples):” type “DualShield”, then click on “Check Names”. The account name is updated in the field; click on the “OK” button.
  4. You will return to the form headed “Permission Entry for DualShield”. Against the option “Applies to:” select the last option, “Descendant User objects”. Next, in the section headed “Permissions:”, select the permissions “Change password” and “Reset password”.
  5. We now need to select the options “Write account restrictions” (to enable/disable users), “Write lockoutTime” (to lock/unlock users), “Write userAccountControl” (to reset user passwords) and “Write pwdLastSet” (to reset user passwords) in the “Properties:” section. Scroll down to the properties section and select “Write account restrictions”.
  6. Scroll down about halfway through the properties section, then select “Write lockoutTime”.
  7. Scroll further down the properties section, then select “Write pwdLastSet”.
  8. Towards the end of the properties section, select “Write userAccountControl”, then press the “OK” button.
  9. You will now return to the window titled “Advanced Security Settings for DualShield”. Scroll through the list of permission entries. The six option selections made above will each create an entry in the permission entries list (they appear in the “Access” column, from “Reset password” to “Write account restrictions”). Click on the “Apply” button.
  10. A window will now open with the title “Permissions”. Click on the “Yes” button.
  11. You will now return to the window titled “Advanced Security Settings for Users”. In the section “Permission entries:” you will be able to find six entries against DualShield. Click on the “OK” button.
  12. We have now returned to the “Users Properties” window and have created an account in the Users folder called “DualShield” with the necessary security access rights. Press “OK”.
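The same account and the same six permission entries can also be created and checked from PowerShell instead of the GUI. The script below is an added example; it is not part of the original article and not code from the DualShield product. It assumes the ActiveDirectory module is available (a domain controller or a host with RSAT), that the account is named DualShield and lives in the default Users container, and that the property set behind “Write account restrictions” carries the display name “Account Restrictions” in the Extended-Rights container. Object GUIDs are resolved from the forest schema by name rather than hard-coded.

```powershell
# Added example, not from the original article or the DualShield product:
# scripts the procedure above with the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$usersDn = "CN=Users,$($rootDse.defaultNamingContext)"
$account = 'DualShield'    # assumed account name, as in the article

# "Creating a Domain User Account": same options as the "New Object - User" wizard
# (first name = logon name = DualShield, no forced password change at next logon).
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$account'")) {
    New-ADUser -Name $account -GivenName $account -SamAccountName $account `
        -UserPrincipalName "$account@$((Get-ADDomain).DNSRoot)" -Path $usersDn `
        -AccountPassword (Read-Host -AsSecureString "Password for $account") `
        -ChangePasswordAtLogon $false -Enabled $true
}
$sid = (Get-ADUser -Identity $account).SID

# Resolve GUIDs by name from the schema and the Extended-Rights container so the
# script matches this forest rather than relying on hard-coded values.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# "Applies to: Descendant User objects" = inherit-only ACEs limited to the user class.
$userClass = Get-SchemaGuid 'user'

# The six entries the GUI steps create. The two "Permissions:" boxes are control-access
# rights; the four "Properties:" boxes are WriteProperty on one attribute or, for
# "Write account restrictions", on the User-Account-Restrictions property set
# (assumed displayName "Account Restrictions" in Extended-Rights).
$entries = @(
    @{ Rights = 'ExtendedRight'; Guid = Get-RightsGuid 'Change Password' },
    @{ Rights = 'ExtendedRight'; Guid = Get-RightsGuid 'Reset Password' },
    @{ Rights = 'WriteProperty'; Guid = Get-RightsGuid 'Account Restrictions' },
    @{ Rights = 'WriteProperty'; Guid = Get-SchemaGuid 'lockoutTime' },
    @{ Rights = 'WriteProperty'; Guid = Get-SchemaGuid 'pwdLastSet' },
    @{ Rights = 'WriteProperty'; Guid = Get-SchemaGuid 'userAccountControl' }
)

$acl = Get-Acl -Path "AD:\$usersDn"
foreach ($e in $entries) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$e.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $e.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$usersDn" -AclObject $acl    # same effect as "Apply" in step 9

# Check (step 11): exactly six entries for DualShield, each scoped to descendant user
# objects, and nothing broader such as GenericAll or WriteDacl on the container itself.
(Get-Acl -Path "AD:\$usersDn").Access |
    Where-Object { $_.IdentityReference -like "*\$account" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The final table is the scripted equivalent of scrolling the “Permission entries:” list: every row for DualShield should show InheritanceType of Descendents and an InheritedObjectType equal to the user class GUID, with ObjectType set to one of the six GUIDs looked up above. Any row with an empty ObjectType, a GenericAll right, or an inheritance scope wider than descendant users means the account was granted more than the article calls for and should be removed.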