Delegated Helpdesk security configuration

The Specops Password Reset Helpdesk tool can be configured to use either of the following security models:

  • Trusted subsystem model: When using the trusted subsystem model, access to the Helpdesk is controlled through the membership of the local security group “Specops Password Helpdesk Admins” on the Specops Password Reset Server. Users allowed to access the Helpdesk can reset the password of any user within the configured scope of management in the configured domains.
  • Delegated security model: When using the delegated security model, all server operations are performed in the security context of the user accessing the web page. This is useful in environments where the ability to reset passwords has been delegated to Helpdesk personnel. The delegated security model allows detailed logging and tracking of user activities in the system, and can be used to provide granular control over who is allowed to reset which password.

The Helpdesk tool uses the trusted subsystem security model by default. Specops Password Reset should be configured to use the model which best suits the security needs of your organization.

Configure the Helpdesk tool to use the delegated security model

To use the delegated security model, you need to complete the configuration steps below:

Configure the SPR service account:

  • Once the service account for the SPR server has been decided on or created, edit the account settings for that account from Active Directory Users and Computers, and enable the account option “This account supports Kerberos AES 256 bit encryption”.

Configure Active Directory for Delegated Helpdesk:

  • For information on how to do this, click here.
  • Note that when installing the SPR web from the setup assistant on a domain-joined computer other than the SPR server, trust for delegation will be enabled for the SPR web computer account.

Configuring the SPR server computer account to be trusted for delegation:

The SPR server computer account does not need delegation configured.

Configure the SPR service user account to be trusted for delegation:

  1. From Active Directory Users and Computers, browse to the service account.
  2. Right-click on the service account, and select Properties.
  3. Select the Account tab.
  4. Verify that Account is sensitive and cannot be delegated is not enabled from the Account options list.
  5. Select the Delegation tab.
  6. Add delegation to the domain controllers:
    • From the Delegation tab on the SPR service user account in Active Directory Users and Computers, select Trust this user for delegation to specified services only.
    • Select Use Kerberos only, followed by Add….
    • Select a domain controller from the object picker.
    • Select the service type ldap with the DC’s FQDN.
    • Repeat this for all the domain controllers in the same site.
  7. Click OK.
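The same service-account settings can be applied and verified from PowerShell with the ActiveDirectory module. This is an added example and not part of the Specops documentation; the service account name svc-spr and the site name Default-First-Site-Name are assumptions, as are the helper function names.

```powershell
# Added example, not part of the Specops documentation: apply the service
# account steps above with the ActiveDirectory module. Assumed names:
# service account 'svc-spr' and AD site 'Default-First-Site-Name'.
Import-Module ActiveDirectory

function Set-SprServiceAccountDelegation {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,
        [Parameter(Mandatory)] [string] $SiteName
    )

    # "This account supports Kerberos AES 256 bit encryption"
    Set-ADUser -Identity $ServiceAccount -KerberosEncryptionType AES256

    # Step 4: "Account is sensitive and cannot be delegated" must be off,
    # otherwise the KDC never issues a delegable ticket for this account.
    Set-ADUser -Identity $ServiceAccount -AccountNotDelegated $false

    # Step 6: one ldap/<DC FQDN> entry per domain controller in the site
    $targets = Get-ADDomainController -Filter "Site -eq '$SiteName'" |
        ForEach-Object { "ldap/$($_.HostName)" }
    if (-not $targets) { throw "No domain controllers found in site '$SiteName'" }

    # "Trust this user for delegation to specified services only" is stored in
    # msDS-AllowedToDelegateTo. "Use Kerberos only" means the account must NOT
    # get TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition), and the
    # unconstrained TRUSTED_FOR_DELEGATION flag is never set here.
    Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$targets }

    Get-SprDelegationState -ServiceAccount $ServiceAccount
}

function Get-SprDelegationState {
    param([Parameter(Mandatory)] [string] $ServiceAccount)

    $acct = Get-ADUser -Identity $ServiceAccount `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', KerberosEncryptionType
    $uac = [int]$acct.userAccountControl
    [pscustomobject]@{
        Account             = $acct.SamAccountName
        EncryptionTypes     = "$($acct.KerberosEncryptionType)"     # expect AES256
        NotDelegated        = [bool]($uac -band 0x100000)           # must be False
        Unconstrained       = [bool]($uac -band 0x80000)            # must be False
        ProtocolTransition  = [bool]($uac -band 0x1000000)          # must be False ("Use Kerberos only")
        AllowedToDelegateTo = @($acct.'msDS-AllowedToDelegateTo')   # ldap/<DC FQDN> entries
    }
}

Set-SprServiceAccountDelegation -ServiceAccount 'svc-spr' -SiteName 'Default-First-Site-Name'
```

Get-SprDelegationState is the check worth keeping around: it reports the three userAccountControl flags that decide how far the account's delegation reaches. With the configuration above, only NotDelegated, Unconstrained and ProtocolTransition all False and an AllowedToDelegateTo list limited to ldap/ entries matches what the GUI steps produce; a True in Unconstrained or ProtocolTransition means the account was given broader delegation than the Helpdesk needs.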

Create a folder for logfiles and enable Full Control permissions for Specops Password Helpdesk Admins group:

  1. On the Specops Password Reset Server, create a new folder (e.g. C:\logfiles\PasswordReset).
  2. Right-click on the folder, and select Properties.
  3. From the security tab, click Edit….
  4. Click Add to add the Specops Password Helpdesk Admins group.
  5. Click Locations….
  6. Select the top node, and click OK.
  7. Click Advanced….
  8. Click Find Now.
  9. Select Specops Password Helpdesk Admins from the search results, and click OK.
  10. Click OK.
  11. Verify that the Specops Password Helpdesk Admins group is selected, and enable Full Control permissions for Specops Password Helpdesk Admins.
  12. Click OK.

Update the logfile path in the registry:

  1. Open the Registry Editor.
  2. Edit the following value to allow the SPR Server to write the trace file to the directory where the SPR Helpdesk Admins have permissions:
    • Navigate to HKLM\Software\Specopssoft\Specops Password Reset\Server\LogFilePath.
    • In the Value data field, enter the full path of the log file inside the folder you created above, e.g. C:\logfiles\PasswordReset\PasswordResetServer.log.
    • Click OK.
  3. Edit the following value to enable tracing.
    • Navigate to HKLM\Software\Specopssoft\Specops Password Reset\Server\Debug.
    • In the Value data field, enter 3.
    • Click OK.

Restart the SPR Server Service.
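The folder, its permissions and the two registry values can also be set up in one script. This is an added example and not part of the Specops documentation; it assumes the Debug value is stored as REG_DWORD, and the Windows service name of the SPR Server service, which the page does not give, is left as a placeholder the caller must supply.

```powershell
# Added example, not part of the Specops documentation: create the trace-log
# folder, grant the local 'Specops Password Helpdesk Admins' group Full Control,
# and set the LogFilePath and Debug values. Run elevated on the SPR server.
# Assumptions: Debug is stored as REG_DWORD, and the name of the SPR Server
# Windows service is passed in by the caller (the page does not state it).
$RegKey        = 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
$HelpdeskGroup = 'Specops Password Helpdesk Admins'

function Initialize-SprTraceLogFolder {
    param([string] $Folder = 'C:\logfiles\PasswordReset')

    $dir = New-Item -ItemType Directory -Path $Folder -Force

    # Full Control for the helpdesk group, inherited by files and subfolders
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $HelpdeskGroup,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $dir.FullName
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Set-SprTraceLogging {
    param(
        [string] $Folder = 'C:\logfiles\PasswordReset',
        [Parameter(Mandatory)] [string] $ServiceName   # assumed: SPR Server service name
    )
    $logPath = Join-Path $Folder 'PasswordResetServer.log'

    # LogFilePath: the trace file the server writes; Debug = 3 enables tracing
    Set-ItemProperty -Path $RegKey -Name LogFilePath -Value $logPath -Type String
    Set-ItemProperty -Path $RegKey -Name Debug -Value 3 -Type DWord

    # Restart the SPR Server service so the new values are picked up
    Restart-Service -Name $ServiceName
    Get-ItemProperty -Path $RegKey | Select-Object LogFilePath, Debug
}

Initialize-SprTraceLogFolder | Out-Null
Set-SprTraceLogging -ServiceName 'REPLACE_WITH_SPR_SERVER_SERVICE_NAME'
```

The access rule is added to the folder's existing ACL rather than replacing it, so the server's own SYSTEM and Administrators entries stay intact; only the helpdesk group is appended. The trace file records Helpdesk activity, so keep the folder readable only by administrators and that group.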

Grant the Act as part of the operating system privilege to the SPR service account. The privilege can be assigned either using a Domain Group Policy Object or using the “Local Security Policy” tool.

  • If you are using a GPO to assign the privilege, the setting can be found in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  • If you are using the “Local Security Policy” tool, complete the following steps:
    1. Open Local Security Policy on the SPR server.
    2. Expand Security Settings and Local Policies, and click User Rights Assignment.
    3. Double-click Act as part of the operating system.
    4. Click Add User or Group….
    5. Add the SPR service account to the policy, and click OK.
    6. Click OK.
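On a server where the privilege is managed locally rather than by GPO, the same assignment can be scripted with secedit. This is an added example and not part of the Specops documentation; the account name CONTOSO\svc-spr is an assumption. The important detail it handles is that secedit /configure replaces the whole list of holders of a user right, so the current holders are exported and merged rather than overwritten.

```powershell
# Added example, not part of the Specops documentation: grant the SPR service
# account 'Act as part of the operating system' (SeTcbPrivilege) from the
# command line with secedit. secedit /configure replaces the entire holder
# list for a right, so the current holders are exported and kept.
# Assumed account name: 'CONTOSO\svc-spr'. Run elevated on the SPR server.

$InfTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeTcbPrivilege = __HOLDERS__
'@

function Grant-SeTcbPrivilege {
    param([Parameter(Mandatory)] [string] $Account)

    # User rights are stored by SID; secedit writes them as *S-1-...
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $work = Join-Path $env:TEMP 'setcb'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $export = Join-Path $work 'current.inf'
    $import = Join-Path $work 'tcb.inf'

    # Export the current assignments (secedit writes UTF-16LE)
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $export -Encoding Unicode |
        Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
    $holders = @()
    if ($line) {
        $holders = @(($line -replace '^SeTcbPrivilege\s*=\s*', '') -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if ($holders -contains "*$sid") {
        Remove-Item $work -Recurse -Force
        return $holders
    }
    $holders += "*$sid"

    # Apply a minimal policy that touches only SeTcbPrivilege
    $InfTemplate -replace '__HOLDERS__', ($holders -join ',') |
        Set-Content -Path $import -Encoding Unicode
    secedit /configure /db (Join-Path $work 'tcb.sdb') /cfg $import /areas USER_RIGHTS | Out-Null
    Remove-Item $work -Recurse -Force
    return $holders
}

Grant-SeTcbPrivilege -Account 'CONTOSO\svc-spr'
```

The function returns the full holder list after the change, which is also the list to review: SeTcbPrivilege lets a process act as the operating system, so it should contain only the SPR service account and whatever the platform already required, and nothing else.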

Enable the delegated security model in the Helpdesk tool. The delegated security model is enabled by modifying the following registry entry for the Specops Password Reset Server:

  Registry key:  HKLM\Software\Specopssoft\Specops Password Reset\Server\UseDelegatedHelpdeskSecurity
  Description:   Enables the delegated security model in the Helpdesk. If the value is set to “1”, the delegated security model is enabled. If set to “0”, the trusted subsystem security model is used.
  Default value: 0

Allow users to write events to the Application log on the SPR server. You will need to create the following registry entry on the Specops Password Reset Server:

  Registry key: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\CustomSD (REG_SZ)
  Value:        O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;BU)
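Because CustomSD replaces the access control list of the whole Application log, it is worth decoding the SDDL before writing it and keeping a copy of any value already present. The script below does both and then sets the two registry values from the preceding steps. This is an added example and not part of the Specops documentation; it assumes UseDelegatedHelpdeskSecurity is stored as REG_DWORD, and the backup file path is an arbitrary choice.

```powershell
# Added example, not part of the Specops documentation: enable the delegated
# model and set the Application log CustomSD, after decoding the SDDL so the
# granted rights can be reviewed and after saving any existing CustomSD to a
# backup file. Run elevated on the SPR server.
# Assumption: UseDelegatedHelpdeskSecurity is stored as REG_DWORD.
$SprServerKey = 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
$AppLogKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'
$CustomSD     = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;BU)'

# Event-log specific access bits used in the SDDL masks
$LogRights = @{ 1 = 'Read'; 2 = 'Write'; 4 = 'Clear' }

function ConvertFrom-EventLogSddl {
    param([Parameter(Mandatory)] [string] $Sddl)

    # Throws on malformed SDDL, so a typo never reaches the registry
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask   = [int]$ace.AccessMask
        $rights = @($LogRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
            ForEach-Object { $LogRights[$_] })
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Type    = $ace.AceType
            Trustee = $who
            Mask    = '0x{0:x}' -f $mask
            Rights  = $rights -join ','
        }
    }
}

function Enable-SprDelegatedHelpdesk {
    param([string] $BackupPath = 'C:\logfiles\PasswordReset\Application-CustomSD.bak')

    # Review what the descriptor grants before writing it
    $decoded = ConvertFrom-EventLogSddl -Sddl $CustomSD
    $decoded | Format-Table -AutoSize | Out-String | Write-Host

    # UseDelegatedHelpdeskSecurity = 1 switches the Helpdesk to the delegated model
    Set-ItemProperty -Path $SprServerKey -Name UseDelegatedHelpdeskSecurity -Value 1 -Type DWord

    # Keep any CustomSD already present so the Application log ACL can be restored
    $existing = (Get-ItemProperty -Path $AppLogKey).CustomSD
    if ($existing -and $existing -ne $CustomSD) {
        Set-Content -Path $BackupPath -Value $existing
    }
    Set-ItemProperty -Path $AppLogKey -Name CustomSD -Value $CustomSD -Type String
    return $decoded
}

Enable-SprDelegatedHelpdesk
```

The decoded table shows what the value actually does: Anonymous (AN) and Guests (BG) are denied everything, Administrators (BA) get Read, Write and Clear, Server Operators (SO) get Read and Clear, interactive, service and batch logons get Read, and Local Service, Network Service and Builtin Users (BU) get Write. That last entry is the one the delegated model depends on, since server operations run in the Helpdesk user's own context and must be able to write to the Application log.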

Optional: If your organization uses fine-grained password policies, grant Helpdesk personnel read permission to the fine-grained password policy objects. Without it, the Helpdesk tool cannot show the correct password rules for the user being reset.

  • Log on to a domain controller with an account that has Domain Admin permissions in the domain.
  • Run the following command from a command prompt:
    dsacls "CN=Password Settings Container,CN=System,[domain_DN]" /I:S /G [group_name]:RP;;msDS-PasswordSettings

    Example:

    dsacls "CN=Password Settings Container,CN=System,DC=example,DC=com" /I:S /G "example\Helpdesk Staff":RP;;msDS-PasswordSettings
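After running dsacls, the resulting ACE can be verified from PowerShell: it should be an Allow ReadProperty entry for the Helpdesk group on the Password Settings Container, inherited only by objects of the msDS-PasswordSettings class. This is an added example and not part of the Specops documentation; the group name example\Helpdesk Staff is an assumption.

```powershell
# Added example, not part of the Specops documentation: verify that the ACE the
# dsacls command above creates is present on the Password Settings Container,
# i.e. an Allow ReadProperty for the helpdesk group scoped to objects of class
# msDS-PasswordSettings. Assumed group name: 'example\Helpdesk Staff'.
Import-Module ActiveDirectory

function Test-FgppReadAccess {
    param([Parameter(Mandatory)] [string] $Group)

    $rootDse = Get-ADRootDSE
    $psc = "CN=Password Settings Container,CN=System,$($rootDse.defaultNamingContext)"

    # dsacls records the ';;msDS-PasswordSettings' part as the ACE's inherited
    # object type, which is the schemaIDGUID of that class
    $classGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-PasswordSettings)' `
        -Properties schemaIDGUID).schemaIDGUID

    $readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $rules = @((Get-Acl -Path "AD:\$psc").Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $readProperty) -ne 0) -and
        $_.InheritedObjectType -eq $classGuid
    })

    [pscustomobject]@{
        Container     = $psc
        Group         = $Group
        HasReadAccess = ($rules.Count -gt 0)
        Inheritance   = @($rules | ForEach-Object { $_.InheritanceType.ToString() } | Select-Object -Unique)
    }
}

Test-FgppReadAccess -Group 'example\Helpdesk Staff'
```

HasReadAccess should be True and Inheritance should show the scope produced by /I:S, i.e. the entry applies to child objects rather than to the container itself. If the entry matches the group but not the class GUID, the permission was granted more broadly than the dsacls command intends and should be corrected.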