LDAP Group Server Configuration Specific to Active Directory on Windows 2000/2003

The optimal configuration of Active Directory is the group lookup string *:tokenGroups=*:objectSID, with recursive lookup disabled. This executes a single query to find group membership for a user. Unfortunately, this may not work on various domains due to permissions on the tokenGroups and memberOf attributes. In order to read these attributes, the authorized user must be expressly granted permission to read tokenGroups or memberOf for other objects in the directory.

Note: Although a Domain Admin account has this read permission by default, using such an account is highly discouraged. While Bomgar takes every measure to protect the security of your information, there may still be security risks from having these credentials frequently transmitted.

The recommended configuration is to create a specific account for the Bomgar Appliance to use for browsing the Active Directory server. Once this account is created, you can specifically grant the limited set of permissions necessary for this account to allow users to log into the Bomgar web interface or representative consoles without compromising your organization's security.

If you are unable to grant these permissions, you can still allow users to log into Bomgar with specific permissions based upon their groups. This can be accomplished by entering a user-to-group query of *:?=group:member, with recursive lookup on.

To expressly grant the permission to read a particular attribute to a specific user or group, the Active Directory ACL must be modified. To do this, the following command must be executed by a user who has schema modification permissions (e.g., a member of the Domain Admins built-in group):

dsacls [distinguished name of domain] /I:T /G "User or Group":rp;tokenGroups

dsacls                        - Tool to modify the ACL of Active Directory.
[distinguished name of domain] - The distinguished name of the domain object at which to begin modifying the permission.
/I:T                          - Specifies that the ACL applies to this object and all sub-objects.
/G                            - Indicates that this is a grant permission.
"User or Group"               - The user or group in the domain to which to grant permission.
rp                            - Indicates that the permission is a special permission to read a property.
tokenGroups                   - The property to which read permission is granted.

An example of this tool is as follows:

dsacls "DC=example,DC=local" /I:T /G "BomgarAppliance":rp;tokenGroups

This grants the account BomgarAppliance the permission to read the property tokenGroups on any object in the domain DC=example,DC=local.
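After granting the permission, it is worth confirming that the dedicated account can actually read tokenGroups before pointing the appliance at it; otherwise the single-query lookup silently returns no groups. The PowerShell below is an added example and is not part of the Bomgar documentation: it binds as the service account (credentials prompted, not stored in the script) and reads tokenGroups for a test user. The server name, user DN and account name are placeholders.

```powershell
# Added example (not from Bomgar): check that the appliance account can read
# tokenGroups on a sample user, i.e. that "rp;tokenGroups" took effect.
# All names below are placeholders; replace them with your own values.
$Server = 'dc01.example.local'                                 # assumed DC
$UserDn = 'CN=Test User,OU=Users,DC=example,DC=local'          # assumed user
$Cred   = Get-Credential -UserName 'EXAMPLE\BomgarAppliance' `
                         -Message 'Appliance service account'

Add-Type -AssemblyName System.DirectoryServices
$auth  = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
         [System.DirectoryServices.AuthenticationTypes]::Sealing
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$UserDn",
    $Cred.UserName,
    $Cred.GetNetworkCredential().Password,
    $auth)

try {
    # tokenGroups is a constructed attribute: it is only returned when
    # requested explicitly, which is what RefreshCache does here.
    $entry.RefreshCache(@('tokenGroups'))
} catch {
    Write-Error "Bind or read failed for $($Cred.UserName): $($_.Exception.Message)"
    return
}

$sids = $entry.Properties['tokenGroups']
if ($sids.Count -eq 0) {
    # A denied read does not error; it simply yields no values.
    Write-Warning "No tokenGroups returned. The bind account most likely lacks read permission on tokenGroups for $UserDn."
    return
}

# Translate each binary SID to an account name where the DC can resolve it.
foreach ($raw in $sids) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    '{0,-45} {1}' -f $sid.Value, $name
}
```

If the script lists the user's groups, the *:tokenGroups=*:objectSID lookup string will work with that account; an empty result means you should fall back to the *:?=group:member query with recursive lookup enabled, as described above.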

More documentation about the dsacls tool can be found at http://support.microsoft.com/kb/281146.