How to Create, Configure, and Delegate Permissions for the PGConnect Service Account

Problem

You need a service account in Active Directory with the necessary permissions to allow for Self-Service Functionality via PortalGuard IdaaS. 

Solution

Determine whether or not your environment is configured to communicate with Active Directory using LDAPS over Port 636 and delegate the appropriate permissions to your newly created PGConnect service account. 

Important Note: It is required that your environment be configured in such a way that PGConnect is able to communicate with your Active Directory DC using LDAPS. 


Create the Service Account in Active Directory

  1. Open the Active Directory Users and Computers management interface.

  2. Find the container in which you would like to create the service account.

  3. Right-Click the container and choose 'New' -> 'User':

  4. Enter a first, last, and logon name.  In this case, the user's logon name is 'pgservice'.

  5. Click the 'Next' button and enter a password for the user.  Be sure to enter a very complex password, as this account has more rights than normal users.  

  6. Uncheck the 'User must change password at next logon' box.

  7. Check the 'Password never expires' box. 

  8. Your final results should resemble the following

  9. Click the 'Next' button to view a summary of the new user and then click 'Finish' to complete the user creation. 
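The account-creation steps above, together with the LDAPS requirement from the Solution section, as one added PowerShell example (not PortalGuard's own tooling): it confirms the DC accepts an LDAPS bind on port 636, creates the 'pgservice' account with the same flags the wizard steps set, and checks that it is a member of 'Domain Users' only, as the delegation section requires. The DC name, OU path and UPN suffix are assumptions to replace with your own.

```powershell
# Added example (not PortalGuard's own code). Assumes the RSAT ActiveDirectory module
# is installed and you run it as an account permitted to create users in the target OU.
# The DC name, OU path and UPN suffix are placeholders; 'pgservice' is the article's logon name.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'                       # assumption
$TargetOu         = 'OU=Service Accounts,DC=example,DC=local'  # assumption
$UpnSuffix        = 'example.local'                            # assumption
$SamAccountName   = 'pgservice'

# 1. Confirm the DC accepts an LDAPS bind on 636 with a certificate this host trusts.
#    A bare TCP probe is not enough: PGConnect's bind fails on an untrusted certificate.
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning "LDAPS bind to ${Server}:${Port} failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}
if (-not (Test-Ldaps -Server $DomainController)) { throw 'LDAPS is required; fix it before creating the account.' }

# 2. Generate a 28-character password from a 64-symbol alphabet (byte mod 64 is unbiased).
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$bytes    = New-Object byte[] 28
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
$secure   = ConvertTo-SecureString $plain -AsPlainText -Force

# 3. Create the user the way the wizard steps do: no forced change at next logon,
#    password never expires, and no extra group memberships.
New-ADUser -Server $DomainController -Path $TargetOu `
    -Name 'PG Service' -GivenName 'PG' -Surname 'Service' `
    -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
    -AccountPassword $secure -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# 4. Verify the account is only in 'Domain Users', as the delegation section requires.
$groups = Get-ADPrincipalGroupMembership -Server $DomainController -Identity $SamAccountName |
          Select-Object -ExpandProperty Name
if (Compare-Object $groups @('Domain Users')) { Write-Warning "Unexpected groups: $($groups -join ', ')" }

# Record the password in the PGConnect configuration now; it is not stored anywhere else.
Write-Host "Created $SamAccountName. Password (shown once): $plain"
```

Run it in a session whose transcript logging is disabled, or replace the final Write-Host with a hand-off to your secrets store, so the one-time password does not land in a log.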

Delegate Permissions - Active Directory

Follow these steps to delegate the required permissions to the PGConnect service account:

  1. The new service account does NOT need to be added to any additional groups - the user should remain only in the 'Domain Users' group. 

  2. In the left-hand frame, right-click on the highest-level container containing Active Directory user accounts.  Choose 'Delegate Control...'.

    • The PGConnect service account will be granted rights over User Objects only; however, the scope of the delegation determines which users the account can manage.  You may choose to 'Delegate Control...' at the domain level or at a lower-level container/OU.  If you decide to 'Delegate Control...' at a lower container/OU level, be sure to do so on each container that holds users who will be using PGConnect.

  3. In the Delegation of Control wizard that appears, click the 'Next' button to advance past the welcome screen. 

  4. On the 'Users or Groups' screen, click the 'Add...' button and enter the logon name of the newly created service account.  Click the 'Check Names' button to validate your entry:

  5. Click the 'OK' button to return to the wizard and 'Next' to proceed to the 'Tasks to Delegate' screen.

  6. Select the following options to delegate and then click 'Next':

  7. Click 'Finish'.