Delegating permissions to an AD Service Account



Active Directory 2003 or higher.


When configuring your user database in LogonBox a service account is required in order to give LogonBox the ability to synchronise users and reset passwords. The easiest option available is to set the domain Administrator account as the Service Account which is something we wouldn't recommend in a production environment, but can be used whilst you are testing the product if you wish.

Instead, you can delegate a set of permissions to a service account of your choice, this article shows you how to create a new user within your Active Directory and delegate the required permissions so that it will be able to serve as the LogonBox Service Account.


Optional: Create a Service Account OU

You may wish to consider creating a new OU that will hold the service account. Setting this up in a new OU will reduce the risk of any mistakes affecting the rest of the domain, plus you could then also filter out this OU in the Sync so that its password will not be able to be reset accidentally from LogonBox.



Create the LogonBox Service User Account

When the new OU has been created you can create the user account that is going to be the service account. You will probably want to set a fixed password for this account so that it does not expire.


Delegate Control

To delegate control to the user select the OU that user will be responsible for controlling (or the top level of the domain if you want the service account to work with all users), right click and select the Delegate Control option.

When you reach the Users or Groups section of the wizard click the Add button then enter the name of the service account, click Check Names to confirm the user, then click OK to continue through the wizard.


When you are prompted to select the tasks to delegate ensure that “Create, delete, and manage user accounts” and “Reset user passwords and force password change at next logon” are both selected.

Complete the Delegation of Control wizard.


The user should now have sufficient privileges to function as the Service Account for LogonBox.


Test the new service account

Lets now test the new user account to ensure that it is able to function and will work correctly as a Service Account.

Go to the Users & Permissions menu and click Configure User Database. Set the Service Username and Service Password to the new user that was created.


If you delegated only on a single OU, you should restrict the directory to only the OUs that have delegated control to the Service Account (those identified in the step titled 'Delegate Control').

This can be done in the Filter tab. In this example, we are filtering only OU=LogonBox. Click Update to save the changes and start a syncronise.


Now lets try to reset a user's password, on the Users page, click the gears icon next to a user, then click Set Password.


If successful, you should get a success notification at bottom right.


You can now test a user performing a self service, which should also work.