The Netwrix Password Manager service account
Since this software is used to change/reset passwords and unlock Active Directory (AD) user accounts, the service account must be powerful enough to perform these operations. We recommend using an account which is a member of the Domain Administrators group and of the local Administrators group on the computer where the product is installed.
If you do not want to use a Domain Administrator account, create an account with the following rights and permissions on the computer where Netwrix Password Manager is installed.
1. On the machine where the Password Manager service is installed:
Alternatively, you can add the service account to the local Administrators group
2. In Active Directory the service account should have the following rights for all managed accounts:
To grant these rights to the service account in AD, do the following:
NOTE. A less privileged service account is not able to unlock and reset passwords for protected domain groups (Domain Admins, Enterprise Admins, etc.) because of the AdminSDHolder access control mechanism.
AdminSDHolder is a container inside Active Directory that maintains a master list of permissions for objects that are members of privileged groups in Active Directory. Its access control prevents non-privileged accounts from accessing these objects.
Below are some of the protected groups that cannot be handled without domain admin rights:
More information about it here:
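The following PowerShell script is an added example, not part of the Netwrix article: it delegates to a less privileged service account only the two AD permissions the reset/unlock operations described above need (the "Reset Password" extended right and write access to lockoutTime) on one OU, then lists the accounts in that OU that AdminSDHolder protects and which this delegation therefore will not cover. The service account name and OU path are placeholders.

```powershell
# Added example (not Netwrix code). Placeholders: adjust to your environment.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-pwdmgr'               # placeholder service account
$TargetOU       = 'OU=Users,DC=corp,DC=example'   # placeholder OU the product manages

$rootDse  = Get-ADRootDSE
$identity = New-Object System.Security.Principal.NTAccount($ServiceAccount)

# Resolve the GUIDs from the schema and configuration partitions instead of hard-coding them.
$userGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$lockoutGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: "Reset Password" control access right, scoped to descendant user objects only.
$aceReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $inherit, $userGuid)

# ACE 2: write to lockoutTime, which is what "unlock account" actually changes.
$aceUnlock = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $lockoutGuid, $inherit, $userGuid)

# Apply both ACEs to the OU; nothing else (no group membership, no generic write) is granted.
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($aceUnlock)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Accounts stamped by AdminSDHolder (adminCount=1) do not inherit the OU ACEs, so the
# delegated account still cannot reset or unlock them. Report them so the gap is known.
Get-ADUser -SearchBase $TargetOU -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

Run it once as a Domain Admin; afterwards, the listed adminCount=1 accounts are the ones that still require the Domain Administrator account mentioned in the note above.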