What are the minimum privileges for a AD user to change his own password only?

book

Article ID: 37662

calendar_today

Updated On:

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)

Issue/Introduction

Introduction: 

When creating an Windows Agentless Endpoint in Enterprise Manager you have to specify a user who has the ability to change users password. This is typically a Domain Admin right. We have documentation on how to setup the user so that he has access to change other users password in AD without Domain Admin rights. However, these steps doesn't allow the user to change its own password. 

Question: 

How can I setup a user to be able to change its own password in Active Directory as the user is the Endpoint Administrator and the manged account? 

Environment:  

Privileged Identity Manager r12.8 and above

Windows Agentless Endpoint connecting to Active Directory with the Endpoint Administrator is not disconnected.   

Answer: 

In Active Directory right click on the OU that the user exist in and select Delegate Control. In the selected users and groups dialog box select the user who is setup as the Endpoint Administrator - the user who you want to manage its own password. In next option for selecting tasks to delegate chose 'Reset user passwords and force password change at next login'. Finish the wizard and now the user is able to manage its own password as both the Endpoint Administrator and the manged account. 

Additional Information:

You can find how to setup an AD user to manager password of other accounts in the following documentation location. 

Enterprise Administration Guide › Planning Your SAM Implementation › Implementation Considerations › Minimum Privileges for Managing an Active Directory Endpoint

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager
Component: