Permissions Required To Administer Specops Password Policy
Specops Password Policy is designed to be administered by users with full administrative access in Active Directory. All administrative components run under the context of the user logged into Windows and interact directly with areas of Active Directory where we store our configurations.
We understand in certain environments it may be necessary to delegate administrative access to other groups. This article serves as a high-level guide for delegating the necessary permissions.
Many of these locations are new objects. IT admins can let a domain admin create the initial configuration, which creates these objects automatically; create them manually; or delegate access so that another admin can create them.
System Container – Licensing
The following container stores information about the Password Policy license. Admins will need access to modify this object in order to install and update license keys:
System Container – Arbiters
The following container stores information about registered Arbiter servers. Admins will need access to modify this object in order to register/unregister Arbiter servers:
CN=Breached Password Protection,CN=Specops,CN=System,DC=domain,DC=com
Various configuration data is stored in SYSVOL, including:
- Domain settings (e.g. SMTP server settings)
- Breached Password Protection Express List Download and Update
- Language/translation files
- Policy Templates
Password Policy administrators will need full control of this folder:
Password Policy rules are stored in Group Policy Objects. Any administrator with sufficient access can create and link an empty GPO, then grant the Specops Password Policy administrators the right to modify that GPO via the GPMC, so they can change the Password Policy settings within it.
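The GPO step above in PowerShell, as an added example that is not part of the Specops documentation: it creates and links an empty GPO, delegates edit rights on that one GPO only, then lists the resulting trustees. The GroupPolicy module is required; the GPO name, group and OU are assumed placeholders.

```powershell
# Added example: create an empty GPO, link it, and delegate edit rights to a
# Specops Password Policy admin group. All names below are assumptions.
Import-Module GroupPolicy

$GpoName  = "Specops Password Policy - Finance"   # assumed GPO name
$AdminGrp = "CONTOSO\SPP-Admins"                  # assumed delegated group
$TargetOu = "OU=Finance,DC=contoso,DC=com"        # assumed OU to link to

# 1. A domain admin (or anyone with GPO creation rights) creates and links an empty GPO.
$gpo = New-GPO -Name $GpoName -Comment "Edited by Specops Password Policy admins"
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 2. Grant the delegated group edit rights on just this GPO. GpoEdit is read+write
#    on the GPO contents only: no Apply, and no right to change links or security.
#    This is the PowerShell equivalent of the GPMC Delegation tab.
Set-GPPermission -Name $GpoName -TargetName $AdminGrp -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 3. Verify: list every trustee on the GPO so any unexpected entry is visible.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission |
    Format-Table -AutoSize
```

Scoping the grant to the named GPO keeps the delegated group from editing other policy objects, which is the least-privilege outcome the article describes.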
Installation and upgrades of all software components require administrative access on the system where that component is installed. For the Password Policy Sentinel, domain administrator rights are required. For all other components (admin tools, Arbiter, Specops Authentication Client), only local admin rights on the target server or workstation are required.
Password Policy logs all activity to the Windows Application and Specops event logs on each domain controller. We recommend using a SIEM to forward any log events from Specops sources to a central location where access can be delegated rather than delegating direct access to read domain controller event logs.