Configuring the Server User Account Access Rights
The ActivID CMS server user account is used to install ActivID CMS. (This directory account is defined when ActivID CMS is configured.)
The ActivID CMS server user account in Active Directory must have the following:
- Read-access rights to all containers and groups available in ActivID CMS for performing searches. Use the Active Directory Service Interfaces editor (ADSI Edit) to set the read-access rights for the ActivID CMS server user on all containers and groups that the ActivID CMS Server will search.
- Administrative-access rights to register the Enrollment Agent certificate in the local computer certificate store. Give Enroll rights to the ActivID CMS server user on the Enrollment Certificate Computer certificate template.
- Read-access rights to configure the user attributes for binding devices. For more information about the default user attribute for binding devices and how to configure the User Attributes List, see Setting Parameters for User Attributes.
- Write-access rights to configure the user attributes for binding devices, only if you are using the ActivID AAA Server for Remote Access.
- If you choose to use the telexNumber attribute to bind the user to ActivID CMS and Active Directory (that is, ActivID CMS uses the telexNumber user attribute to store the serial number of the device bound to the user), you must edit the DSSEC.DAT file and remove the entry for telexNumber before assigning the ActivID CMS user access rights to this attribute. Microsoft includes, in the %windows%/System32/DSSEC.DAT file, a list of hidden LDAP (Lightweight Directory Access Protocol) attributes that are not visible through the Active Directory security administration graphical user interfaces (for example, ADSI Edit and Active Directory itself).
- Write-access rights in Active Directory (on a user object) to update the device serial number allocated to users. It is recommended that you add the ActivID CMS server user account to the Account Operators group.
- Write-access rights to configure the user attributes for storing device serial numbers. For more information about how to configure the User Attributes List, see Setting Parameters for User Attributes.

Note: Write access must be given to the telexNumber attribute, which is the default user attribute used by ActivID CMS. If you choose another user attribute, make sure that the ActivID CMS server user has write access to the chosen attribute.

Important: It is recommended that you grant the ActivID CMS server user ONLY the rights specified above (do not grant any Domain Administrator or Enterprise Administrator privileges). Refer to Installing ActivID CMS.
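The following PowerShell is an added example and is not part of the ActivID CMS documentation or product. It audits the rights listed above from a least-privilege standpoint: it checks that the server account is in Account Operators but not in Domain Admins or Enterprise Admins, lists any write ACE on the binding attribute, can grant a WriteProperty ACE scoped to that one attribute on user objects only (rather than a broad write right), and reports whether DSSEC.DAT still hides the attribute. It assumes the RSAT ActiveDirectory module and its AD: drive are available, a hypothetical account name `svc-cms`, a hypothetical users container DN, that `$env:windir` points to the Windows directory named as %windows% above, and that DSSEC.DAT uses an INI-style layout with a `[user]` section of `attribute=value` lines where a non-zero value hides the attribute.

```powershell
# Added example, not ActivID CMS code. Audits and scopes the CMS server user's AD rights.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-cms'                     # assumed: CMS server user account
$UsersContainer = 'OU=Users,DC=example,DC=com'  # assumed: container CMS searches and binds in
$Attribute      = 'telexNumber'                 # default binding attribute named in the doc

function Test-PrivilegedMembership {
    # Memberships the doc recommends (Account Operators) versus forbids (DA/EA).
    param([string]$SamAccountName)
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        InAccountOperators = $groups -contains 'Account Operators'
        InDomainAdmins     = $groups -contains 'Domain Admins'
        InEnterpriseAdmins = $groups -contains 'Enterprise Admins'
    }
}

function Get-AttributeSchemaGuid {
    # Resolve an attribute's schemaIDGUID so an ACE can be limited to that attribute.
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}

function Get-AttributeWriteAces {
    # ACEs on the container that allow the account WriteProperty on this attribute
    # (ObjectType = attribute GUID) or on all properties (ObjectType = empty GUID).
    param([string]$SamAccountName, [string]$ContainerDN, [string]$LdapDisplayName)
    $guid = Get-AttributeSchemaGuid $LdapDisplayName
    $acl  = Get-Acl -Path "AD:\$ContainerDN"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$SamAccountName" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
    }
}

function Grant-AttributeWrite {
    # One ACE: WriteProperty on a single attribute, inherited to descendant user objects only.
    param([string]$SamAccountName, [string]$ContainerDN, [string]$LdapDisplayName)
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $guid = Get-AttributeSchemaGuid $LdapDisplayName
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'user' class
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

function Test-DssecHidden {
    # True if dssec.dat still lists the attribute under [user] with a non-zero value
    # (assumed layout); the doc says to remove that entry before delegating rights.
    param([string]$LdapDisplayName, [string]$Path = "$env:windir\System32\dssec.dat")
    $section = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'user' -and $line -match "^\s*$LdapDisplayName\s*=\s*(\d+)") {
            return ([int]$Matches[1] -ne 0)
        }
    }
    return $false
}

# Report: group hygiene, attribute-level write ACEs, and DSSEC.DAT state.
Test-PrivilegedMembership -SamAccountName $ServiceAccount | Format-List
Get-AttributeWriteAces -SamAccountName $ServiceAccount -ContainerDN $UsersContainer -LdapDisplayName $Attribute |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
"DSSEC.DAT hides ${Attribute}: $(Test-DssecHidden -LdapDisplayName $Attribute)"
# Grant-AttributeWrite -SamAccountName $ServiceAccount -ContainerDN $UsersContainer -LdapDisplayName $Attribute
```

Run the report first; a result of InDomainAdmins or InEnterpriseAdmins being true, or a write ACE whose ObjectType is the empty GUID (all properties), is wider than the rights the page calls for. Only call Grant-AttributeWrite once Test-DssecHidden returns false, since the hidden entry is what keeps the attribute from appearing in the ACL editors mentioned above.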