立即与支持人员聊天
与支持团队交流

Active Administrator 8.7 - Installation Guide

Installation Considerations for Active Administrator Installing and configuring Active Administrator Appendix: Active Administrator Server Manager

Home

For all Active Administrator modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Home module.

Table 8. Required permissions for the Home module
Submodule
Console user account
AFS account

Home page

Open to all users, but some items may not be available if the user does not have the required permission.

Must have read access to the entire domain:
Active Directory Search

Must have the appropriate permissions on the target user account:
Reset Password
Unlock User Account
Enable/Disable User Account

Must have the appropriate permissions on the target group:
Add a user to a group
Remove a user from a group

Must have the appropriate permissions on the target computer:
Reset Computer Account

N/A

Dashboard

Open to all users.

Must be a member of the AA_User group and have read access to the domains being managed.

Search

For all Active Administrator modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Search module.

Table 9. Required permissions for the Search module
Submodule
Console user account
AFS account

Search

Open to all users.

Requires Read access to the Active Directory® domains being searched.

Active Directory object commands, such as move or rename, require the appropriate permissions on the target objects.

N/A

Certificates

For all Active Administrator modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Certificates module.

* 
NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New.
 
Table 10. Required permissions for the Certificates module
Submodule
Console user account
AFS account

Certificate Landing Page

Must have the Active Administrator Certificate Management role.

Must be a member of the AA_Users group.

Certificate Management

Must have the Active Administrator Certificate Management role.

Must be a member of the AA_Admins group and the Administrators group on the target server.

Certificate Search

Must have read access to the Certificate Repository in the Active Administrator share.

Must have read and remote registry access to the target computer.

Must be a member of the AA_Users_Group.

Certificate Authority (CA)

N/A
NOTE: Permissions apply to the AFS account or to the user account specified in the forest settings.

Must be a member of the AA_Admins_Group and have Active Directory read access

Must have read access to the CA server via remote registry to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

Must be a full administrator on the CA server to get the status of the CA service and to stop and start the service.

Must be a full administrator on the CA server to back up the CA server

Certificate Repository

Must have the Active Administrator Certificate Management role.

Must have read and write access to the CertificateRepository folder in the Active Administrator Share.

Security and Delegation

For all Active Administrator modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Security & Delegation module.

* 
NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New.
 
Table 11. Required permissions for the Security & Delegation module
Submodule
Console user account
AFS account

Security Landing Page

Must have any of these Active Administrator roles: Security, Active Templates, or Password Policies.

Must be a member of the AA_Users group and have read access to all domains being managed.

Security

Must have the Active Administrator Security role.

Must have read access to view all objects in the selected domain and must have the appropriate permissions on the target Active Directory® object to perform actions.

To view the Active Templates applied to the object, must have permissions to the ActiveTemplate folder in the Active Administrator share.

User Logon Activity

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group.

The workstation logon audit agent must run under the local system account.

Locked Out Accounts

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group and have read access to all user objects in the selected domains.

Password Policies

Must have the Active Administrator Password Policy role.

To view all of the password policies, the must have read access to the policies in the selected domain.

To create, edit, or delete the password policies, must have the appropriate permissions on the selected policy.

N/A

Delegation Status

Must have the Active Administrator Active Templates role.

To create new, edit, or delete delegations on objects, must have full control access on the target object.

Must have read/write access to the ActiveTemplates folder in the Active Administrator share.

To maintain permissions for delegations, must have full control access on the target objects.

Active Templates

Must have the Active Administrator Active Templates role.

To create new, edit, or delete delegations on objects, must have full control access on the target object.

To create new, edit, or delete Active Templates, must have read/write access to the ActiveTemplates folder in the Active Administrator share.

To maintain permissions for delegations, must have full control access on the target object.

Inactive Accounts

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group.

Must have read access to all users in the selected domains.

To perform actions, must have the appropriate permissions on the target object.

To move an object, must have the appropriate permissions on the target object and the target location.

Password Reminder

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group.

Must have read access to all users in the selected domains.

Account Expiration

Must have the Active Administrator Security role.

Must be a member of the AA_Admins group and have read access to all user objects in the selected domains.

Purge Account History

Must have the Active Administrator Full Control role.

Must be a member of the AA_Admins group.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级