Delegating Permissions

This page describes the steps for delegating permissions to perform various administrative tasks within the DigitalPersona AD environment. It covers the following main topics:

  • SMS/SMTP Management

  • License Management

  • Account Control Settings

  • Attended Enrollment

  • Delegating User Recovery with a One-Time Access Code

SMS/SMTP Management

To manage the SMS or SMTP settings provided through DigitalPersona GPOs, the following permissions can be assigned to a user or group.

  • Read dpServersConfiguration

  • Write dpServersConfiguration

Follow the steps below to add the above permissions to a user or group.

  1. Open Active Directory Users and Computers and navigate to the Biometric Authentication Servers container.

  2. Right-click on the Biometric Authentication Servers container and select Properties to display the Biometric Authentication Servers Properties dialog.

  3. In the Biometric Authentication Servers Properties dialog, select the Security tab and click Advanced to display the Advanced Security Settings for Biometric Authentication Servers dialog.

  4. In the Advanced Security Settings for Biometric Authentication Servers dialog, click Add to display the Permission Entry for Biometric Authentication Servers dialog.

  5. In the Permission Entry for Biometric Authentication Servers dialog, click Select a principal.

  6. Enter the User, Group or Built-in security principal to which you want to delegate SMS setting management.

  7. Click Check Names and then click OK to close the dialog and return to the previous screen.

  8. Ensure that the Type is Allow and the Applies to value is This object only.

  9. In the lower portion of the Permission Entry for Biometric Authentication Servers dialog, scroll down to and select the following properties:

    • Read dpServersConfiguration

    • Write dpServersConfiguration

  10. Click OK to apply the permissions and close the dialog.

License Management

To view and manage DigitalPersona Licenses, grant Full Control of the ADUC Licenses container to the User, Group or Built-in security principal that is to manage your DigitalPersona licenses.

Follow the steps below to grant the required permission to a User, Group or Built-in security principal.

  1. Open Active Directory Users and Computers and navigate to the Licenses container.

  2. Right-click on the Licenses container and select Properties to display the Licenses Properties dialog.

  3. In the Licenses Properties dialog, select the Security tab and click Advanced to display the Advanced Security Settings for Licenses dialog.

  4. In the Advanced Security Settings for Licenses dialog, click Add to display the Permission Entry for Licenses dialog.

  5. In the Permission Entry for Licenses dialog, click Select a principal.

  6. Enter the User, Group or Built-in security principal to which you want to delegate License management.

  7. Click Check Names and then click OK to close the dialog and return to the previous screen.

  8. Ensure that the Type is Allow and the Applies to value is This object only.

  9. In the lower portion of the Permission Entry for Licenses dialog, select Full Control.

  10. Click OK to apply the permissions and close the dialog.

Account Control Settings

To delegate DigitalPersona Account Control settings to a group, for example a Helpdesk group, follow the steps outlined below.

DigitalPersona Account Control settings include the following:

  • Use Windows password

  • Randomize user's Windows password

  • Use fingerprint

  • Use fingerprint and PIN

  • Use fingerprint and Windows password

  • Use OTP and Windows password

  • Use OTP and fingerprint

  • Use PKI Smart Card

  1. As a domain administrator, open the AD Users and Computers snap-in (ADUC).

  2. Select the OU that contains the users for whom you need to delegate rights (this can also be done at the domain level).

  3. Right-click on it and choose Properties.

  4. Choose the Security tab and click Advanced.

  5. In the Advanced Security Settings dialog, click Add.

  6. Click Select a principal.

  7. In the Select Principal dialog, choose the group to which you want to delegate (for example the Help Desk group).

  8. From the Applies To drop-down menu, choose Descendant User objects.

  9. Scroll down and select the Write dpUserAccountControl permission.

  10. Click OK to close the dialog and return to the Advanced Security Settings window.

  11. Click OK.

Attended Enrollment

For instructions on delegating responsibility for Attended Enrollment, see Setting Up Attended Enrollment.

Delegating User Recovery with a One-Time Access Code

DigitalPersona allows domain administrators to delegate the task of assisting users who cannot log on with their existing credentials and need to recover access to their computers. For example, this permission can be delegated to a helpdesk group.

To delegate DigitalPersona User Recovery to a group:

  1. As a domain administrator, open the AD Users and Computers snap-in (ADUC).

  2. Right-click on the domain or OU for which you want the permission to be effective and select Properties.

  3. On the Security tab, click Advanced.

  4. On the Advanced Security Settings dialog, click Add.

  5. In the Permissions Entry window, click Select principal.

  6. In the Select User, Computer, Service Account, or Group dialog, select the group to which you want to delegate user recovery permission, and then click OK to close the dialog.

  7. In the Permissions Entry window, select Descendant User objects from the Applies to drop-down menu.

  8. In the Permissions pane, select User Recovery (DigitalPersona) and then click OK to close the Permission Entry window.

  9. Click OK again to close the Advanced Security Settings window.
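Each of the four ADUC procedures on this page (SMS/SMTP, License, Account Control and User Recovery delegation) adds a single Allow ACE to an AD object. The PowerShell below is an added example, not DigitalPersona's own tooling, that creates the same ACEs with the ActiveDirectory module. The attribute names and the right's display name are the ones shown in the ADUC dialogs above; the container DNs, the OU and the group names are constructed assumptions to be replaced with your own.

```powershell
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
# Well-known schemaIDGUID of the 'user' class; it scopes an ACE to "Descendant User objects".
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Resolve a schema attribute (lDAPDisplayName) to the schemaIDGUID an attribute-specific ACE needs.
# ADUC's "Read <attr>" / "Write <attr>" entries are ReadProperty / WriteProperty on this GUID.
function Get-SchemaAttributeGuid([string]$Name) {
    $a = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
        -Filter "objectClass -eq 'attributeSchema' -and lDAPDisplayName -eq '$Name'"
    if (-not $a) { throw "attribute '$Name' is not in the schema" }
    [guid]$a.schemaIDGUID
}

# Resolve a control access right (displayName) to its rightsGuid. -Filter is used instead of
# -LDAPFilter because the DigitalPersona right's name contains parentheses LDAP would need escaped.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Properties rightsGuid -Filter "objectClass -eq 'controlAccessRight' -and displayName -eq '$DisplayName'"
    if (-not $r) { throw "extended right '$DisplayName' is not defined in this forest" }
    [guid]$r.rightsGuid
}

# Add one Allow ACE. The default scope is "This object only"; -DescendantUsers gives
# "Descendant User objects". An empty $ObjectType means the right is not attribute-specific.
function Grant-DpPermission {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$Principal,   # DOMAIN\Name
        [Parameter(Mandatory)][ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [switch]$DescendantUsers
    )
    $scope = if ($DescendantUsers) { [ActiveDirectorySecurityInheritance]::Descendents } else { [ActiveDirectorySecurityInheritance]::None }
    $inheritedType = if ($DescendantUsers) { $UserClassGuid } else { [guid]::Empty }
    $rule = [ActiveDirectoryAccessRule]::new([NTAccount]$Principal, $Rights, [AccessControlType]::Allow, $ObjectType, $scope, $inheritedType)
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Constructed sample values: the container locations, the OU and the group names are assumptions for your forest.
$domainDN = (Get-ADDomain).DistinguishedName
$helpdesk = 'CONTOSO\Help Desk'
Grant-DpPermission "CN=Biometric Authentication Servers,$domainDN" 'CONTOSO\DP Messaging Admins' 'ReadProperty,WriteProperty' (Get-SchemaAttributeGuid 'dpServersConfiguration')
Grant-DpPermission "CN=Licenses,$domainDN" 'CONTOSO\DP License Admins' GenericAll
Grant-DpPermission "OU=Staff,$domainDN" $helpdesk WriteProperty (Get-SchemaAttributeGuid 'dpUserAccountControl') -DescendantUsers
Grant-DpPermission "OU=Staff,$domainDN" $helpdesk ExtendedRight (Get-ExtendedRightGuid 'User Recovery (DigitalPersona)') -DescendantUsers
```

Afterwards, `(Get-Acl "AD:\$TargetDN").Access` lists the resulting entries, which also serves as a periodic check of who currently holds these delegated rights.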