Published: November 17, 2016
Applies to: Cayosoft Administrator 2.x and later.
Summary: When Cayosoft Administrator is installed, the default suggested configuration is to run the service account with elevated privileges in Active Directory. This allows the service to perform tasks on behalf of users of the solution. Some customers may want to exclude VIP or other sensitive accounts from administration by Cayosoft Administrator. One way to accomplish this is to deny the Cayosoft Administration Service the permissions to act on such objects.
Denying Cayosoft Administrator native rights to modify an Active Directory object
- Open the native Active Directory Users and Computers console
(press the Windows+R keys to open the Run dialog, type dsa.msc, then press Enter)
- Enable Advanced Features
(click the menu item View > Advanced Features)
- Find the Domain Admins group (or any other object you want to hide from the Cayosoft Administrator service account)
- Open the group's Properties and click the Security tab
- Click the Advanced button to open the Advanced Security Settings dialog box
- Click Add to add a new permission entry
- Click Select a principal, then choose the Cayosoft service account user
- Set Type to Deny
- Click Clear All at the very bottom of the dialog, then select the Full Access checkbox (or Write all properties if you want the service account to be able to read the group's properties)
- Close all dialog boxes to save the changes
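
The same Deny entry can be applied and verified from PowerShell, which helps when several objects need protecting or the change must be repeatable. This is an added example, not a Cayosoft script; it assumes the RSAT ActiveDirectory module is installed, and the account name `CONTOSO\svc-cayosoft` and all variable names are placeholders.

```powershell
# Added example: the values below are placeholders, not taken from the Cayosoft article.
Import-Module ActiveDirectory   # RSAT module; also provides the AD: drive used by Get-Acl/Set-Acl

$ServiceAccount = 'CONTOSO\svc-cayosoft'  # assumed service account name (placeholder)
$TargetGroup    = 'Domain Admins'         # object to protect, as in the steps above
$AllowRead      = $false                  # $true = deny only "Write all properties"

# Resolve the account to a SID; this fails early if the name is mistyped.
$account = [System.Security.Principal.NTAccount]::new($ServiceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# GenericAll is the full-control right; WriteProperty with no property GUID
# covers every property of the object.
$rights = if ($AllowRead) {
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
} else {
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
}

# Explicit Deny ACE on this object only (no inheritance flags).
$deny = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Deny)

$path = "AD:\$((Get-ADGroup -Identity $TargetGroup).DistinguishedName)"
$acl  = Get-Acl -Path $path

# Idempotence: skip the write if the same explicit Deny entry already exists.
$present = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Deny' -and
        $_.ActiveDirectoryRights -eq $rights
    }

if (-not $present) {
    $acl.AddAccessRule($deny)
    Set-Acl -Path $path -AclObject $acl
}

# Verify: list explicit Deny entries for the service account on the object.
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize
```

Domain Admins and other protected groups have their ACL reset periodically from the AdminSDHolder object, so re-run the verification step later to confirm the Deny entry is still present.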