Configuring a Group with 'Least Privilege'
1. Open **Active Directory Users and Computers** and create a new group.

2. Name the new group something meaningful (e.g. “SpyCloud ADG Least Privilege”).

3. Right-click the domain container and select **Delegate Control**.

4. Click **Next** in the Delegation of Control Wizard.

5. Enter your new group name in the **Enter the object names to select** field (you can type part of the group name and click **Check Names** to list the groups that match). Once your group is listed, click **OK**.

6. Click **Next** in the following window.

7. In the **Tasks to Delegate** window, leave **Delegate the following common tasks** selected and check the box next to **Reset user passwords and force password change at next logon**.

8. Click **Next**, then complete this task delegation by clicking **Finish**.

9. Repeat Steps 3 through 6. In the **Tasks to Delegate** window, select **Create a custom task to delegate**.

10. In the **Active Directory Object Type** window, select **Only the following objects in the folder**, check the box next to **User objects**, and click **Next**.

11. In the **Permissions** window, unselect **General** and select **Property-specific**. Under Permissions, select **Read lockoutTime** and **Write lockoutTime**, **Read pwdLastSet** and **Write pwdLastSet**, and **Read userAccountControl** and **Write userAccountControl**. Then click **Next**.

12. Complete this task delegation by clicking **Finish**.

13. Repeat Steps 3 through 6, then repeat Step 9. In the **Active Directory Object Type** window, select **This folder, existing objects in this folder, and creation of new objects in this folder** and click **Next**.

14. With **General** selected, check the boxes next to **Replicating Directory Changes** and **Replicating Directory Changes All**, then click **Next**.

15. Complete this task delegation by clicking **Finish**.
 
Your new group is now configured with a ‘least privilege’ configuration for running SpyCloud Active Directory Guardian. Create a new user to serve as your SpyCloud ADG service account and make sure it is added as a member of your new group, so that the delegated permissions apply when the service runs.
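Once the wizard runs have finished, it is worth confirming that the group holds exactly the rights delegated above and nothing more. The PowerShell script below is an added example, not part of SpyCloud's documentation or product: it reads the domain's ACL, checks for each delegated right, and flags any other ACE granted to the group. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) and the group name used in the steps; the attribute and extended-right GUIDs are looked up from the schema and the Extended-Rights container at run time rather than hard-coded. Note that the two Replicating Directory Changes rights are by far the most sensitive of the set, which is why the service account that receives them needs to be protected like any other Tier 0 account.

```powershell
<#
  Added example (not from the SpyCloud article): audit the ACEs the wizard
  steps leave on the domain object for the least-privilege group.
  Assumes the RSAT ActiveDirectory module and the group name from the steps.
#>
param([string]$GroupName = 'SpyCloud ADG Least Privilege')

Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext

# schemaIDGUID of an attribute or class, looked up by lDAPDisplayName
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right, looked up by its display name
function Get-RightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'
$ext = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rw  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
       [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# The rights the steps above grant. UserScoped = $true means the ACE should be
# limited to descendant user objects; $false means it applies at the domain head.
$expected = @(
    @{ Name = 'Reset Password';                    Guid = (Get-RightGuid  'Reset Password');                    Mask = $ext; UserScoped = $true  }
    @{ Name = 'Read/Write lockoutTime';            Guid = (Get-SchemaGuid 'lockoutTime');                       Mask = $rw;  UserScoped = $true  }
    @{ Name = 'Read/Write pwdLastSet';             Guid = (Get-SchemaGuid 'pwdLastSet');                        Mask = $rw;  UserScoped = $true  }
    @{ Name = 'Read/Write userAccountControl';     Guid = (Get-SchemaGuid 'userAccountControl');                Mask = $rw;  UserScoped = $true  }
    @{ Name = 'Replicating Directory Changes';     Guid = (Get-RightGuid  'Replicating Directory Changes');     Mask = $ext; UserScoped = $false }
    @{ Name = 'Replicating Directory Changes All'; Guid = (Get-RightGuid  'Replicating Directory Changes All'); Mask = $ext; UserScoped = $false }
)

# Only the Allow ACEs that name our group (IdentityReference is DOMAIN\Group).
$acl = Get-Acl -Path "AD:\$domainDN"
$groupAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$GroupName"
})

# For each expected right, OR together every matching ACE's rights and check
# that the mask covers what the steps were supposed to grant.
$report = foreach ($e in $expected) {
    $mask = 0
    foreach ($ace in $groupAces) {
        $scopedToUsers = ($ace.InheritedObjectType -eq $userClass)
        if ($ace.ObjectType -eq $e.Guid -and $scopedToUsers -eq $e.UserScoped) {
            $mask = $mask -bor [int]$ace.ActiveDirectoryRights
        }
    }
    [pscustomobject]@{ Right = $e.Name; Granted = (($mask -band $e.Mask) -eq $e.Mask) }
}
$report | Format-Table -AutoSize

# Anything else granted to the group is over-delegation and should be reviewed.
$known = @($expected | ForEach-Object { $_.Guid })
$extra = @($groupAces | Where-Object { $known -notcontains $_.ObjectType })
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected ACEs for '$GroupName' on $domainDN (review and remove if not needed):"
    $extra | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}

# The two Replicating Directory Changes rights let the holder pull any attribute,
# including password secrets, through replication. Treat the ADG service account
# as Tier 0: a unique strong password, no interactive logon, logon restricted to
# the ADG host, and an alert on any use of the account from anywhere else.
```

Run it as a user who can read the domain object's security descriptor (any authenticated user can, by default). Every row in the table should show `Granted = True`; a `False` row means one of the wizard runs was skipped or scoped to the wrong object type, and any ACE printed under the warning is a right the steps did not ask for.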
If you have questions, open a Support Ticket via the SpyCloud portal or reach out to [email protected].