Configuring a target system administrator
Bravura Security Fabric uses a designated account (for example, psadmin) on the Active Directory target system to perform operations.
The target system administrator should be a member of the Domain Admins group to list users, and should have the following permissions for password and account operations:
Read All Properties
Write All Properties
Modify Permissions
All Extended Rights
The administrator should also be able to enumerate domain controllers in the domain.
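The following PowerShell script is an added example, not part of the Bravura Security Fabric documentation. It audits whether the target system administrator holds the four rights listed above on a user container, and checks that domain controllers can be enumerated. It assumes the RSAT ActiveDirectory module is installed, that the script runs on a domain-joined host, and that the account name psadmin and the container DN are placeholders you replace for your own domain. Only direct group memberships are expanded, so rights granted through nested groups are not credited.

```powershell
# Added example (not Bravura's own code): audit the target system administrator's
# rights on the container holding the users that Bravura Security Fabric manages.
Import-Module ActiveDirectory

$AdminSam    = 'psadmin'                       # target system administrator (assumed name)
$ContainerDN = 'CN=Users,DC=example,DC=com'    # managed user container (placeholder DN)

# The four rights required by the documentation, mapped to ActiveDirectoryRights flags.
$RequiredRights = [ordered]@{
    'Read All Properties'  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    'Write All Properties' = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    'Modify Permissions'   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    'All Extended Rights'  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
}
$FullControl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# SIDs of the account itself and of its direct group memberships (Domain Admins included
# if the account is a member). Nested groups are NOT expanded here.
$user = Get-ADUser -Identity $AdminSam
$sids = @($user.SID.Value)
$sids += Get-ADPrincipalGroupMembership -Identity $AdminSam | ForEach-Object { $_.SID.Value }

# Read the container's DACL through the AD: drive and OR together the rights of every
# Allow ACE granted to one of those SIDs that is not restricted to a single property
# or extended right (ObjectType empty), i.e. the "All ..." entries shown in the GUI.
$acl = Get-Acl -Path "AD:\$ContainerDN"
$granted = 0
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.ObjectType -ne [guid]::Empty) { continue }
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # unresolvable (orphaned) trustee; skip it
    if ($sids -notcontains $aceSid) { continue }
    $granted = $granted -bor [int]$ace.ActiveDirectoryRights
}

# Full Control implies every listed right; otherwise each flag is checked individually.
$hasFull = (($granted -band $FullControl) -eq $FullControl)
foreach ($name in $RequiredRights.Keys) {
    $flag = $RequiredRights[$name]
    $ok = $hasFull -or (($granted -band $flag) -eq $flag)
    '{0,-22} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' })
}

# The account must also be able to enumerate the domain's domain controllers.
# Run this script as the target system administrator to test that directly.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
'Domain controllers visible: {0}' -f ($dcs -join ', ')
```

Run the script as the target system administrator so that the domain controller enumeration reflects that account's own access. A right reported as MISSING that you expect to be present through a nested group should be confirmed with the Effective Access tab in the GUI, since the script only expands direct memberships.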
If you are targeting multiple domains in an Active Directory forest with this connector, the target system administrator should be a member of the Enterprise Admins group in the forest root, and the username should be entered into Bravura Security Fabric in UPN format. In this case, while the target system administrator does not need to be a user in the forest root domain, the forest root domain or a domain controller in that domain should be specified in the target address.
Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.
If you want to configure this account with control limited to the users and services needed by Bravura Security Fabric rather than full administrative control, see Minimizing administrative account rights.
If you want to configure an account with specific delegated control, see Delegating control.
Minimizing administrative account rights
In most cases, you include the target system administrator account (such as psadmin) as part of the Domain Admins group; however, it is possible to set up this account not to have full control over the server and just to have control over the users and services that it needs. This involves removing the target system administrator account from the Domain Admins group and adding it to its own group, then giving that group control over users. Because this involves modifying settings for each user, you might want to set up a script to do this work.
The following instructions are for Windows 2012 Active Directory. Details may vary depending on your version of the software.
To minimize administrative account rights:
Log into an Active Directory Domain Controller as a member of the Domain Admins group.
Launch
Remove the target system administrator for Bravura Security Fabric (for example, psadmin) from the Domain Admins group.
Create a group (for example, psadmingrp) and set the scope to Global and type to Security.
Add the target system administrator to the group you just created.
Set the permissions for the new group that you created:
Ensure that View > Advanced Features is selected.
Right-click on the "user" container that the new group will be used to manage, and select Properties from the pop-up menu.
Click the Security tab.
Add the group to the list of Group or user names.
Enable the Full Control checkbox in the Allow permissions column.
Apply the changes, then click OK to close the dialog box.
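The following PowerShell script is an added example, not a script shipped with Bravura Security Fabric. It performs the steps above with the RSAT ActiveDirectory module instead of the GUI: it removes the account from Domain Admins, creates a Global Security group, adds the account to it, and grants the group Full Control on the chosen user container and all descendant objects, which is what ticking Allow / Full Control on the container's Security tab does. The account name psadmin, the group name psadmingrp and the container DN are placeholders to replace for your domain.

```powershell
# Added example (not Bravura's own code): minimize the target system administrator's
# rights by moving it from Domain Admins to a dedicated group that controls one container.
Import-Module ActiveDirectory

$AdminSam    = 'psadmin'                               # target system administrator (assumed name)
$GroupName   = 'psadmingrp'                            # dedicated group (assumed name)
$ContainerDN = 'OU=Managed Users,DC=example,DC=com'    # container the group will manage (placeholder DN)

# Step: remove the target system administrator from the Domain Admins group.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $AdminSam -Confirm:$false

# Step: create the group with scope Global and type Security (skipped if it already exists),
# then add the target system administrator to it.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $AdminSam

# Step: grant the group Full Control (GenericAll) on the container, inherited by every
# descendant object, and write the updated DACL back through the AD: drive.
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$acl  = Get-Acl -Path "AD:\$ContainerDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl

# Read the DACL back and show the entry that was just written for the group.
(Get-Acl -Path "AD:\$ContainerDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Run it from a session that is a member of Domain Admins, as the first step of the procedure requires. Because Full Control on the container is inherited by the user objects beneath it, a single ACE replaces the per-user changes mentioned earlier; users kept in other containers are not covered and need their own entry.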