Lithnet Access Manager v1.0
Active Directory


Last updated 3 years ago


Schema

The page lists each forest known to Access Manager, along with whether the Microsoft LAPS schema and the Lithnet Access Manager schema have been deployed to it.

Use the Deploy Schema... button to obtain a script that deploys the Lithnet Access Manager schema to the selected forest. The script must be run as a member of the Schema Admins group of the forest being updated. Schema extensions are forest-wide and cannot be rolled back (attributes can only be made defunct, not deleted), so review the script before running it.

If you need to deploy the Microsoft LAPS schema, refer to the Microsoft guides on how to complete that process.

Domain Permissions

In order for the Access Manager service to evaluate user permissions, its service account needs to be a member of two built-in groups in each domain. The first is the Windows Authorization Access Group. Membership grants the right to read the constructed attribute tokenGroupsGlobalAndUniversal on user objects, which is how the service account obtains a user's complete global and universal group membership (nested groups included) rather than only the memberships it could otherwise enumerate.

The second is the Access Control Assistance Operators group. Membership allows Access Manager to ask a domain controller in a trusting forest to perform access checks on its behalf. This membership is not strictly required in the domain and forest that the Access Manager Service itself runs in, but it is needed in the other forests whose users Access Manager evaluates.

Neither group grants the ability to change anything: both provide read-only access to authorization information within the domain. As with any group membership change, the service account only picks up the new rights at its next logon, so restart the Access Manager service after adding it to these groups.
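The following PowerShell script is an added example, not a script shipped with Lithnet Access Manager. It walks every domain in the current forest, adds the service account to both built-in groups described above (addressing them by their well-known SIDs so the script does not depend on localized group names), and, when run as the service account with the -Verify switch, confirms that the account can actually read a user's tokenGroupsGlobalAndUniversal attribute. The service account name and probe user name are placeholders; it assumes the RSAT ActiveDirectory module is installed, that the script is run from the domain where the service account lives, and that the caller can modify Builtin groups in each domain.

```powershell
# Added example, not part of the Lithnet Access Manager documentation or product.
# Grants the Access Manager service account membership of the two Builtin groups
# in every domain of the current forest, then (when run as the service account
# with -Verify) checks that it can read a user's tokenGroupsGlobalAndUniversal.
# Assumes the ActiveDirectory RSAT module and rights to modify Builtin groups.
param(
    [string]$ServiceAccount = 'svc-accessmanager',  # sAMAccountName of the AMS service account (placeholder)
    [string]$ProbeUser      = 'jsmith',             # any user used to test the read (placeholder)
    [switch]$Verify                                 # run the read test; do this as the service account
)
Import-Module ActiveDirectory

# Both groups are Builtin domain-local groups with well-known SIDs, so they can be
# addressed the same way in every domain regardless of display language.
$Groups = @{
    'Windows Authorization Access Group'  = 'S-1-5-32-560'
    'Access Control Assistance Operators' = 'S-1-5-32-579'
}

# Resolved in the current (service account's) domain; pass -Server here if it lives elsewhere.
$svc = Get-ADUser -Identity $ServiceAccount

foreach ($domain in (Get-ADForest).Domains) {
    $dc = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
    foreach ($entry in $Groups.GetEnumerator()) {
        $group = Get-ADGroup -Identity $entry.Value -Server $dc -Properties member
        if ($group.member -contains $svc.DistinguishedName) {
            Write-Host "[$domain] $($entry.Key): $ServiceAccount is already a member"
        } else {
            # Set-ADGroup -Add with the member DN also works when the account is in
            # another domain of the forest, where Add-ADGroupMember can fail to resolve it.
            Set-ADGroup -Identity $group -Add @{ member = $svc.DistinguishedName } -Server $dc
            Write-Host "[$domain] $($entry.Key): added $ServiceAccount"
        }
    }
}

if ($Verify) {
    # tokenGroupsGlobalAndUniversal is a constructed attribute: it is only returned
    # when explicitly requested (RefreshCache), and only to callers holding the read
    # right that Windows Authorization Access Group confers. Run this as the service
    # account in a fresh logon made after the membership change.
    $user  = Get-ADUser -Identity $ProbeUser
    $entry = [adsi]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache('tokenGroupsGlobalAndUniversal')
    $sids  = @($entry.Properties['tokenGroupsGlobalAndUniversal'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    })
    if ($sids.Count -eq 0) {
        Write-Warning "Could not read tokenGroupsGlobalAndUniversal for $ProbeUser; check the group membership and that this runs as $ServiceAccount after a new logon"
    } else {
        Write-Host "$ProbeUser resolves to $($sids.Count) global/universal group SIDs:"
        $sids | ForEach-Object { Write-Host "  $_" }
    }
}
```

Run the membership part once as a domain administrator (for example `.\Grant-AmsDomainPermissions.ps1 -ServiceAccount svc-accessmanager`), then run the verification part under the service account's own credentials (`-Verify`) so that the read is performed with the token whose rights you are testing; running it as the administrator proves nothing, because that account can read the attribute anyway. An empty result for a user who is known to be in at least one global or universal group means the membership has not taken effect for the calling token yet, or the account is missing from the group in that user's domain.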