Yveau
asked on
How to set up impersonation without local admin privileges?
Experts,
Here is the situation:
We are using a domain service account (domainX\A) that runs our service on a Windows 2003 machine and has a lot of permissions. For that reason, we cannot get hold of the password.
We are given the password of a domain application account (domainX\B) that we should use to connect to the database with. No problem, until we let the service account (domainX\A) do an impersonation to set up the connection using Windows Integrated Security with account domainX\B. We discovered that we manage to get it working when we make domainX\B a member of the local admin group, which is something we are not allowed to do. We are not allowed to log on to the machine using that account.
So the question is, what permissions should we set/use/give to the domain application account domainX\B to get this impersonation working, but without risking that people who know the password for that domainX\B account can do anything on the machine (that is, logging on to it, both at the console and using RDP)? Or is this not possible at all, ... as a result of the strict security policies within our company?
I would really like to know if you guys have a solution for me ...
Hope to hear from you soon ...
Yveau
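The setup the question describes (service running as domainX\A, impersonating domainX\B only for the outbound Integrated Security connection), as an added example. This is not code from the asker and not the accepted solution, which is hidden on this page. It assumes the fix is the documented LogonUser logon type LOGON32_LOGON_NEW_CREDENTIALS: no local logon of domainX\B happens at all, the calling thread keeps domainX\A's local token, and B's credentials are used only when the SSPI handshake to the database server runs. That is why B needs no local admin or local logon right on the box. The server name dbhost and the helper Invoke-AsNetworkCredential are assumptions for illustration.

```powershell
# Added example; not the asker's code and not the page's hidden accepted answer.
# Assumption: LOGON32_LOGON_NEW_CREDENTIALS is the logon type that makes the
# scenario work without domainX\B being local admin. 'dbhost' is hypothetical.

Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Logon type 9: keep the caller's local identity, use the supplied credentials
# for outbound network authentication only. Requires provider WINNT50 (3).
$LOGON32_LOGON_NEW_CREDENTIALS = 9
$LOGON32_PROVIDER_WINNT50      = 3

function Invoke-AsNetworkCredential {
    param(
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory=$true)] [scriptblock] $Action
    )
    $nc = $Credential.GetNetworkCredential()   # splits 'domainX\B' into domain + user
    $token = [IntPtr]::Zero
    $ok = [Win32.Advapi32]::LogonUser($nc.UserName, $nc.Domain, $nc.Password,
        $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception($err))
    }
    # Impersonate on the current thread; Undo() and CloseHandle() in finally so a
    # failing connection never leaves the thread running with B's network identity.
    $ctx = [System.Security.Principal.WindowsIdentity]::Impersonate($token)
    try     { & $Action }
    finally { $ctx.Undo(); [void][Win32.Advapi32]::CloseHandle($token) }
}

# Usage: the service account (domainX\A) holds B's password, opens the database
# connection as B, and drops the impersonation immediately afterwards.
$credB = Get-Credential 'domainX\B'
Invoke-AsNetworkCredential -Credential $credB -Action {
    # Locally the thread still reports domainX\A; only the network hop uses B.
    "Local identity: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $conn = New-Object System.Data.SqlClient.SqlConnection 'Server=dbhost;Integrated Security=SSPI'
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME()'   # the database sees domainX\B
    "Database login: " + $cmd.ExecuteScalar()
    $conn.Close()
}
```

Two caveats a practitioner should know: with logon type 9 the password is not validated locally, so a wrong password only surfaces as an authentication failure from the database server, never as a LogonUser error; and because no local logon session is created for B, the usual user rights ("Access this computer from the network", "Log on as a batch job") are not what gates this call. Whether the company's policy additionally denies B the "Log on locally" and "Log on through Terminal Services" rights, as the question asks, is a separate hardening step that the page itself does not show.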
ASKER CERTIFIED SOLUTION
ASKER
Thank you so much CocoBill, works like a charm!!!
Yveau
Yveau
These options didn't correct my error...
ASKER
I'm going to test it and get back to you with the results ...