Oftentimes, helpdesk operators are given access to accounts with privileges covering a broad range of tasks.
A better approach is to apply delegated permissions for the specific task at hand, and then to remove those privileges once the action has been completed.
STEALTHbits Privileged Activity Manager (SbPAM) can allow AD rights to be dynamically added to a helpdesk operator account at the point they are required, and removed again afterwards. To do this you will need to create a new Activity.
Step 1) Create a new Activity called ‘Helpdesk Password Reset’ and assign it to the Active Directory Platform:
Step 2) In the Pre-Session area, add a new step:
Step 3) Choose ‘Add ADUC Permission’ as the Step Type. For AD Object Type, select ‘user’; for AD Organizational Unit, enter the Distinguished Name of the OU you wish to set the permission on; for AD Rights to be Added, select ‘Reset Password’:
Step 4) In the Session area, add a new step called ‘Monitor for User Login’:
Step 5) In the Post-Session area, add a new step called ‘Remove ADUC Permission’. Be sure to enter the same information as in step 3 above, so that exactly the right that was granted is revoked:
You should see an activity that resembles the following:
Step 6) Add the new Activity to an Access Policy
This Activity will allow users to be given the dynamic right to reset passwords on the given OU.
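The Activity above automates an ACL change on the OU: before the session it adds an ACE granting the ‘Reset Password’ extended right on user objects, and after the session it removes that same ACE. The following PowerShell is an added example of that underlying operation, written here for illustration; it is not SbPAM's own code and does not use any SbPAM API. It assumes the RSAT ActiveDirectory module, an account allowed to modify the OU's security descriptor, and constructed values for the OU distinguished name and the helpdesk operator account.

```powershell
# Added example (not SbPAM code): grant the 'Reset Password' extended right on
# user objects under an OU before a helpdesk session, verify it, then revoke it.
# Assumptions: RSAT ActiveDirectory module is installed; the OU DN and the
# helpdesk account below are constructed placeholder values.
Import-Module ActiveDirectory

$OuDn        = 'OU=Staff,DC=example,DC=com'   # assumption: the OU from step 3
$HelpdeskSam = 'hd.operator'                   # assumption: helpdesk operator account

# Well-known AD schema GUIDs (the same in every forest)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # 'Reset Password' extended right
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class 'user'

function New-ResetPasswordAce {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # One ACE: Allow ExtendedRight 'Reset Password', applied only to descendant
    # objects of class 'user' (mirrors step 3: Object Type 'user', Right 'Reset Password').
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
}

function Grant-JitResetPassword {
    # Pre-session step: add the delegated ACE to the OU's DACL.
    param([string]$OuDn, [string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-ResetPasswordAce -Sid $sid))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Revoke-JitResetPassword {
    # Post-session step: remove exactly the ACE that was granted. Using
    # RemoveAccessRuleSpecific (same SID, right, GUIDs and inheritance) leaves
    # any other, pre-existing ACEs for this principal untouched.
    param([string]$OuDn, [string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.RemoveAccessRuleSpecific((New-ResetPasswordAce -Sid $sid))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-JitResetPassword {
    # Verification: $true while an explicit 'Reset Password' ACE for the
    # principal is present on the OU, $false once it has been revoked.
    param([string]$OuDn, [string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $match = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $ResetPasswordRight
    }
    [bool]$match
}

# Pre-session: grant and verify; session: operator performs the reset;
# post-session: revoke and verify the right is gone.
Grant-JitResetPassword  -OuDn $OuDn -SamAccountName $HelpdeskSam
Test-JitResetPassword   -OuDn $OuDn -SamAccountName $HelpdeskSam
Revoke-JitResetPassword -OuDn $OuDn -SamAccountName $HelpdeskSam
Test-JitResetPassword   -OuDn $OuDn -SamAccountName $HelpdeskSam
```

Two points worth checking in any implementation of this pattern, whether the product's or your own: the revoke step must remove the specific ACE that was granted rather than clearing all rights for the principal, and the post-session removal should be verified (as `Test-JitResetPassword` does) rather than assumed, so that a failed or skipped post-session step does not leave the right standing.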