
Active Directory Service Account


This blog provides a step-by-step guide to creating a service account in Active Directory and assigning it permissions, with a focus on integrating RSA Governance & Lifecycle (RSA G&L). It walks through the process so that the service account ends up with the permissions it needs to read and write data in AD, and no more than that.

Create the Service Account

  1. Open Active Directory Users and Computers (ADUC).
  2. Navigate to the Organizational Unit (OU) where you want to create the service account.
  3. Right-click on the OU and select New > User.
  4. Fill in the following details:
    • First Name: Enter a name for the service account (e.g., "Service").
    • Last Name: Enter a last name for the service account (e.g., "Account").
    • User Logon Name: Specify a unique logon name (e.g., svc_account).
  5. Click Next.
  6. Set a strong, randomly generated password for the service account and configure the following options as needed:
    • Check Password never expires only if long-term use requires it. The password is then never rotated by policy, so keep it long and rotate it through your own secrets process.
    • Uncheck User must change password at next logon; a service account never logs on interactively and cannot answer that prompt.
  7. Click Next, then click Finish to create the service account.
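The same account creation done from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that the target OU exists, and uses hypothetical names (svc_rsagl, example.com, the OU path). It generates a random password instead of typing one, and additionally marks the account as sensitive so it cannot be used for Kerberos delegation, an option the ADUC wizard does not offer at creation time.

```powershell
# Added example: create the RSA G&L service account with PowerShell.
# Assumptions (hypothetical): OU path, logon name and domain below.
Import-Module ActiveDirectory

$ouPath    = 'OU=Service Accounts,DC=example,DC=com'
$samName   = 'svc_rsagl'
$domainDns = 'example.com'

# 32 random bytes -> 44-character Base64 password. Store it in your vault;
# never keep it in a script or ticket.
$bytes = New-Object byte[] 32
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$plainPwd  = [Convert]::ToBase64String($bytes)
$securePwd = ConvertTo-SecureString $plainPwd -AsPlainText -Force

$params = @{
    Name                  = 'Service Account'
    GivenName             = 'Service'
    Surname               = 'Account'
    SamAccountName        = $samName
    UserPrincipalName     = "$samName@$domainDns"
    Path                  = $ouPath
    AccountPassword       = $securePwd
    Enabled               = $true
    ChangePasswordAtLogon = $false
    PasswordNeverExpires  = $true    # only if policy allows; rotate via your vault
    AccountNotDelegated   = $true    # "Account is sensitive and cannot be delegated"
    Description           = 'RSA Governance & Lifecycle AD connector'
}
New-ADUser @params

# Read the account back and confirm the flags actually took effect.
Get-ADUser -Identity $samName -Properties PasswordNeverExpires, AccountNotDelegated, Description |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, AccountNotDelegated, DistinguishedName
```

Run this as a user allowed to create objects in the target OU. The final Get-ADUser is the check you want before moving on: if AccountNotDelegated or PasswordNeverExpires shows False, the account was created but the options were not applied.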

Grant Permissions

Grant Read/Write Permissions on Base DN

  1. Open Active Directory Users and Computers (ADUC).
  2. Navigate to the OU or domain where you want to assign permissions. Prefer the narrowest OU that holds the users and groups RSA G&L will manage (e.g., an OU like Users) over the domain root (dc=example,dc=com): rights granted at the root are inherited by every object beneath it, including privileged accounts.
  3. Right-click on the target OU or domain and select Properties.
    • If the Security tab is not visible, enable it by clicking View > Advanced Features in ADUC.
  4. Go to the Security tab.
  5. Click Add, enter the name of your service account, and click OK.
  6. In the "Permissions" section:
    • Check Read and Write for the object types the service account must manage. Note that Write on the container itself applies to every descendant object, so treat it as a starting point, not the final ACL.
    • For more granular control, click Advanced:
      • Select your service account from the list and click Edit.
      • Set "Applies to" to the specific object type (e.g., Descendant User objects or Descendant Group objects) and allow only what the integration needs:
        • Allow: Read all properties, Write all properties (on user objects).
        • Allow: Create User objects, Delete User objects (on the OU).
        • Allow: Write Members (on group objects); this single property right is what adds and removes group members, so it is preferable to Write all properties on groups.

Delegate Control (Alternative Method)

The Delegation of Control Wizard writes the same kind of access control entries as the manual Security tab edits above; it just bundles them into named tasks.

  1. Right-click on the OU or domain where you want to delegate control.
  2. Select Delegate Control from the context menu.
  3. In the Delegation of Control Wizard:
    • Click Next, then add your service account.
    • Choose tasks like:
      • Create, delete, and manage user accounts.
      • Modify the membership of a group.
      • Read all user information.
  4. Complete the wizard to assign delegated permissions.
  5. Verify the result under Properties > Security > Advanced on the OU: each task should appear as one or more entries for the service account scoped to user or group objects, not as Full control.
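Both the manual Security tab edits and the Delegation of Control Wizard end up as access control entries on the OU. The following added example (not part of the original post and not RSA's own tooling) sets the three grants described above from PowerShell, scoped to a single OU, and then reads the ACL back so you can confirm exactly what was granted. It assumes the RSAT ActiveDirectory module, an existing account svc_rsagl, and a hypothetical OU path. Schema GUIDs for the user and group classes and the member attribute are looked up from the schema rather than hard-coded.

```powershell
# Added example: delegate least-privilege rights to svc_rsagl on one OU.
# Assumptions (hypothetical): account name and OU path below.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl

Import-Module ActiveDirectory

$samName = 'svc_rsagl'
$ouDn    = 'OU=Managed Users,DC=example,DC=com'   # scope: an OU, not the domain root

# Resolve a class or attribute name to its schemaIDGUID.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$userGuid   = Get-SchemaGuid 'user'
$groupGuid  = Get-SchemaGuid 'group'
$memberGuid = Get-SchemaGuid 'member'

$sid   = (Get-ADUser -Identity $samName).SID
$allow = [AccessControlType]::Allow

$rules = @(
    # "Create user objects, Delete user objects" on this OU and any child OUs
    [ActiveDirectoryAccessRule]::new(
        $sid, [ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
        $userGuid, [ActiveDirectorySecurityInheritance]::All)

    # "Read all properties, Write all properties" on descendant user objects only
    [ActiveDirectoryAccessRule]::new(
        $sid, [ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
        [ActiveDirectorySecurityInheritance]::Descendents, $userGuid)

    # "Add/remove members": write only the member attribute of descendant groups
    [ActiveDirectoryAccessRule]::new(
        $sid, [ActiveDirectoryRights]::WriteProperty, $allow,
        $memberGuid, [ActiveDirectorySecurityInheritance]::Descendents, $groupGuid)
)

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back what was actually granted to the service account.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -match $samName } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The read-back at the end is the check to keep: ObjectType should show the user-class GUID on the create/delete entry and the member-attribute GUID on the group entry, and InheritedObjectType should show the user or group class GUID on the property entries. An entry with GenericAll, or an empty ObjectType on the group rule, means the grant is wider than intended.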