The delegated security model is useful for larger Active Directory environment where certain users can only administer a subset of users – for example in a school setting where teachers are allowed to reset the passwords of the students in their class. In this scenario, all teachers should be added to the helpdesk group in uReset, and assigned reset permissions for their students in Active Directory.
Delegated Helpdesk Security Configuration
Using the delegated security model will grant granular control over the ability to reset passwords. If delegated security is not enabled, all members of the Helpdesk group are granted permission to read information/reset passwords for all users that reside in the scope of management. If delegated security is enabled, members of the Helpdesk group will also need explicit permission in Active Directory to perform a password reset.
You need to meet the following prerequisites to enable delegated security:
- Running on Windows Server 2012 or later
- The user running the Gatekeeper must have permissions to add new members to Access Control Assistance Operators When delegated security is enabled from the uReset Administration Tool, the Gatekeeper is automatically added to the Access Control Assistance Operators group.
- The user running the Gatekeeper must have permissions to update the Specops uReset settings in Active Directory located in: CN=Settings,CN=uReset,CN=Specops,CN=System,DC=domain,DC=company,DC=com
- Domain functional level Windows Server 2012 or later. All Domain Controllers, including the one that is communicating with the Gatekeeper, must be running Windows Server 2012 or later.
- The reset permission in Active Directory will be required for all helpdesk activity, including viewing information.
- On the uReset Administration tool, click Policies and Groups.
- On the Use delegated security row, click Change.
- Select the Enable delegated security checkbox, and click OK.
The group uReset Gatekeepers will be added to the Access Control Assistance Operators group.
Security and Technology
Being a member of the helpdesk and administrator group will grant access to the helpdesk portal and the search dialog, including the ability to find users from Active Directory. If a user is selected, and the helpdesk delegated security feature is enabled, an access check is performed by the Gatekeeper on the selected user to verify that the helpdesk member has reset permissions for the user.
The Gatekeeper uses the Windows Authz remote check APIs (introduced in Server 2012) to check for the reset password permissions. The password reset is performed by the Gatekeeper Service, and the logs will be found in the event log of the Gatekeeper. The event includes information on the Domain Controller where the reset was performed, who performed the password reset, for what user, and the user SID.