Skip to main content
TAMS performs all AD operations under the Windows service account identity it runs as. No AD credentials are stored in the application configuration or registry. Grant this account the least privilege needed to unlock accounts — nothing more.

Minimum Required Permissions

The service account must have the following permissions granted in Active Directory:
PermissionScopeRequired For
Log on as a serviceLocal machineRunning the TAMS Windows Service
Read (objectClass, userPrincipalName, distinguishedName)All user objects in the forest (via Global Catalog)Forest-wide user lookup by UPN
Read all user propertiesUser objects in the target domainChecking IsAccountLockedOut() status
Reset Password / Unlock User AccountsUser objects in the target domainUnlocking the AD account (UnlockAccount() + Save())
Recommended approach: Create a dedicated service account and delegate the “Unlock User Accounts” task using the Active Directory Delegation of Control Wizard, scoped to the specific OUs containing end-user accounts. Avoid adding the account to Account Operators or Domain Admins.

What the Service Does NOT Require

TAMS is intentionally scoped to a single privileged action. The service account does not need:
  • Domain Admin or Enterprise Admin rights
  • Write access to AD objects other than unlocking accounts
  • The ability to create, delete, or move AD objects
  • Access to password hashes or credential attributes