arpydays
May 22, 2016
Nimbostratus
Minimum AD privileges for APM acct
Hi,
We need to allow VPN users on APM to change their AD password (via the tickbox on the logon page) and also to enter a new password when it expires. I've read sol15008, which states:
- The user is added to Domain Users group.
- The user is granted the privilege to reset passwords of other AD users.
- The user is added to the Group Policy Creator Owners group (this is required for fine-grained password policy checks).
- The user is allowed to Read all properties (this is required for fine-grained password policy checks).
Is this the minimum that is required to allow this function, or can it be tightened further?
Thanks