Chat now with support
Chat with Support

Active Administrator 8.4 - Installation Guide

Installation Considerations for Active Administrator Installing and configuring Active Administrator

Home

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Home module.

Home page

Open to all users, but some items may not be available if the user does not have the required permission.

Must have read access to the entire domain:

Must have the appropriate permissions on the target user account:

Must have the appropriate permissions on the target group:

Must have the appropriate permissions on the target computer:

N/A

Dashboard

Open to all users.

Must be a member of the AA_User group and have read access to the domains being managed.

Search

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Search module.

Search

Open to all users.

Requires Read access to the Active Directory® domains being searched.

Active Directory object commands, such as move or rename, require the appropriate permissions on the target objects.

N/A

Certificates

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Certificates module.

NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New. See Defining role-based access in the Quest® Active Administrator® User Guide for detailed information.

Certificate Landing Page

Must have the Active Administrator Certificate Management role.

Must be a member of the AA_Users group.

Certificate Management

Must have the Active Administrator Certificate Management role.

Must be a member of the AA_Admins group and the Administrators group on the target server.

Certificate Search

Must have read access to the Certificate Repository in the Active Administrator share.

Must have read and remote registry access to the target computer.

Must be a member of the AA_Users_Group.

Certificate Authority (CA)

N/A

Must be a member of the AA_Admins_Group and have Active Directory read access

Must have read access to the CA server via remote registry to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

Must be a full administrator on the CA server to get the status of the CA service and to stop and start the service.

Must be a full administrator on the CA server to back up the CA server

Certificate Repository

Must have the Active Administrator Certificate Management role.

Must have read and write access to the CertificateRepository folder in the Active Administrator Share.

Security and Delegation

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Security & Delegation module.

NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New. See Defining role-based access in the Quest® Active Administrator® User Guide for detailed information.

Security Landing Page

Must have any of these Active Administrator roles: Security, Active Templates, or Password Policies.

Must be a member of the AA_Users group and have read access to all domains being managed.

Security

Must have the Active Administrator Security role.

Must have read access to view all objects in the selected domain and must have the appropriate permissions on the target Active Directory® object to perform actions.

To view the Active Templates applied to the object, must have permissions to the ActiveTemplate folder in the Active Administrator share.

User Logon Activity

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group.

The workstation logon audit agent must run under the local system account.

Locked Out Accounts

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group and have read access to all user objects in the selected domains.

Password Policies

Must have the Active Administrator Password Policy role.

To view all of the password policies, the must have read access to the policies in the selected domain.

To create, edit, or delete the password policies, must have the appropriate permissions on the selected policy.

N/A

Delegation Status

Must have the Active Administrator Active Templates role.

To create new, edit, or delete delegations on objects, must have full control access on the target object.

Must have read/write access to the ActiveTemplates folder in the Active Administrator share.

To maintain permissions for delegations, must have full control access on the target objects.

Active Templates

Must have the Active Administrator Active Templates role.

To create new, edit, or delete delegations on objects, must have full control access on the target object.

To create new, edit, or delete Active Templates, must have read/write access to the ActiveTemplates folder in the Active Administrator share.

To maintain permissions for delegations, must have full control access on the target object.

Inactive Accounts

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group.

Must have read access to all users in the selected domains.

To perform actions, must have the appropriate permissions on the target object.

To move an object, must have the appropriate permissions on the target object and the target location.

Password Reminder

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group.

Must have read access to all users in the selected domains.

Account Expiration

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group and have read access to all user objects in the selected domains.

Purge Account History

Must have the Active Administrator Full Control role.

Must be a member of the AA_Admins group.

Related Documents