After using the Active Directory (AD) wizard in WinAdmin, you must exit WinAdmin and log in again using the Windows service account credentials specified when you initially launched the AD wizard. Once you have logged in, select the new AD ID source and search for the user to whom you wish to assign rights.
Note that any AD user account can be used to log in to the WinAdmin application and perform user searches. However, the WinAdmin application will only let the AD service account credentials assign rights to users.
In this screenshot, we are logged in as a normal user account. Note that the checkboxes to assign privileges are missing:
Now, we are logged in with the vedsvc service account specified when we started the AD wizard. Note that the permissions checkboxes are now visible:
While any AD user can log in to the WinAdmin application, they will be unable to assign themselves permission to gain access to the system. As a best practice, director administrators should ensure that domain users do not have logon rights to director systems, to prevent unauthorized users from using WinAdmin. However, even if these users can access the server, they are still unable to gain administrative access to the director application itself.
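One way to check the logon-rights recommendation above on a director server. This is an added example, not part of the product documentation. It assumes an elevated PowerShell session on the server and uses the built-in `secedit` tool; the temporary file name and the list of "broad" principals are choices made for this example.

```powershell
# Added example: flag user-rights assignments that let ordinary domain users
# log on to this server, locally or over Remote Desktop. Run elevated.
$cfg = Join-Path $env:TEMP 'director-user-rights.inf'   # hypothetical temp file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

# Well-known SIDs that implicitly include ordinary domain users.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'   # contains Domain Users by default on domain members
}
# Allow log on locally / Allow log on through Remote Desktop Services
$logonRights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'

$findings = foreach ($line in Get-Content -Path $cfg) {
    if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $members = $Matches[2]
    if ($logonRights -notcontains $right) { continue }

    foreach ($entry in $members.Split(',')) {
        # secedit writes SIDs as "*S-1-..." and local accounts as plain names.
        $id   = $entry.Trim().TrimStart('*')
        $name = $null
        if ($broad.ContainsKey($id)) {
            $name = $broad[$id]
        } elseif ($id -match '^S-1-5-21-.+-513$') {
            $name = 'Domain Users'          # RID 513 in any domain
        }
        if ($name) {
            [pscustomobject]@{ Right = $right; Principal = $name; Sid = $id }
        }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Broad groups hold logon rights on this server.'
} else {
    Write-Output 'No broad group is directly assigned a logon right.'
}
```

The script only reports direct assignments. Nested membership, such as Domain Users added to the local Remote Desktop Users group, has to be reviewed separately.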