Configuring User Accounts with Limited Permissions

Configuring limited permission user accounts minimizes the possibility of security compromises during communications between Juniper Identity Management Service and its data sources.

To configure limited permission user accounts on the data sources, perform these tasks:

Configuring Limited Permission User Accounts

For each new user account:

  1. From the Start menu, select Active Directory Users and Computers.
  2. Navigate to the forest’s Users container.
  3. Right-click Users and select New Users.
  4. Specify a descriptive first name and middle name, a user logon name, and a pre-Windows 2000 logon name.
  5. Specify a password according to your organization’s password policy.
  6. Clear the User must change password at next login check box.
  7. Select the User cannot change password check box.
  8. Select the Password never expires check box.

Configuring Properties for Limited Permission User Accounts

To set properties for each new user account:

  1. Right-click a user and then select Properties.
  2. Select the Remote Control tab.
  3. Clear the Enable Remote Control check box.
  4. Select the Remote Desktop Services Profile tab.
  5. Select the Deny this user permissions to log on to Remote Desktop Session Host server check box.
  6. Select the Dial-in tab and select the Deny Access check box.

Adding Limited Permission User Accounts to Active Directory Groups

To add each new user account to an Active Directory group:

  1. Select Built-in under the forest.
  2. Select the Event Log Readers group and add the JIMS-EventLogRemoteAccess account.
  3. Select the Distributed COM Users group and add the JIMS-PC-Probe account.
  4. Select the Remote Management Users group and add the JIMS-PC-Probe account.
  5. Select the Domain Admins group and add the JIMS-PC-Probe account.
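As an added example (not part of the Juniper documentation), the account-creation, property and group-membership steps above expressed in PowerShell with the ActiveDirectory module; the OU path is a placeholder, and the Remote Control / Remote Desktop Services Profile settings are written through ADSI because the AD cmdlets do not expose them.

```powershell
# Added example, not Juniper's own tooling. Assumes the ActiveDirectory module is
# installed and the caller may create users and edit Built-in group membership.
Import-Module ActiveDirectory

$targetOu = 'CN=Users,DC=example,DC=com'   # placeholder: the forest's Users container

# Account -> groups, exactly as the procedure above lists them (step 5 of the
# group section puts JIMS-PC-Probe in Domain Admins; review that against your policy).
$accounts = @{
    'JIMS-EventLogRemoteAccess' = @('Event Log Readers')
    'JIMS-PC-Probe'             = @('Distributed COM Users', 'Remote Management Users', 'Domain Admins')
}

foreach ($sam in $accounts.Keys) {
    # Prompt for the password so it is never stored in the script
    $password = Read-Host -AsSecureString "Password for $sam"

    # Create the user: clear "must change password at next logon", set
    # "cannot change password" and "password never expires"; msNPAllowDialin=$false
    # is the Dial-in tab's "Deny Access" setting.
    New-ADUser -Name $sam -SamAccountName $sam -GivenName 'JIMS' -Surname $sam `
        -Path $targetOu -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true `
        -OtherAttributes @{ msNPAllowDialin = $false } `
        -Description 'JIMS limited-permission service account'

    # Remote Control and Remote Desktop Services Profile tabs: these are
    # IADsTSUserEx properties, reachable via ADSI rather than the AD cmdlets.
    $dn   = (Get-ADUser -Identity $sam).DistinguishedName
    $adsi = [ADSI]"LDAP://$dn"
    $adsi.InvokeSet('EnableRemoteControl', 0)   # clear "Enable Remote Control"
    $adsi.InvokeSet('AllowLogon', 0)            # deny logon to RD Session Host server
    $adsi.SetInfo()

    # Add the account to each group the procedure names
    foreach ($group in $accounts[$sam]) {
        Add-ADGroupMember -Identity $group -Members $sam
    }
}

# Verify the flags and memberships on the new accounts
Get-ADUser -Filter "SamAccountName -like 'JIMS-*'" `
    -Properties CannotChangePassword, PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, CannotChangePassword, PasswordNeverExpires, MemberOf
```

The User Rights Assignment deny policies in the following section are Group Policy settings and are not covered by this script.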

Defining Group Policies for Limited Permission User Accounts

To define group policies for each new user account:

  1. From the Start menu, select Group Policy Management.
  2. In Group Policy Management, expand the forest, right-click Default Domain Policy, and select Edit.
  3. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  4. Select Deny Logon locally, select Define these policy settings, and add each new user account.
  5. Select Deny Logon through Remote Desktop Services, select Define these policy settings, and add each new user account.
  6. Select Deny Logon through Terminal Services, select Define these policy settings, and add each new user account.
  7. Select Deny logon as a batch job, select Define these policy settings, and add each new user account.
  8. Select Deny Logon as a service, select Define these policy settings, and add each new user account.