TAMS performs all AD operations under the Windows service account identity it runs as. No AD credentials are stored in the application configuration or registry.
Grant this account the least privilege needed to unlock accounts — nothing more.
Minimum Required Permissions
The service account must have the following permissions granted in Active Directory:
| Permission | Scope | Required For |
|---|
| Log on as a service | Local machine | Running the TAMS Windows Service |
| Read (objectClass, userPrincipalName, distinguishedName) | All user objects in the forest (via Global Catalog) | Forest-wide user lookup by UPN |
| Read all user properties | User objects in the target domain | Checking IsAccountLockedOut() status |
| Reset Password / Unlock User Accounts | User objects in the target domain | Unlocking the AD account (UnlockAccount() + Save()) |
Recommended approach: Create a dedicated service account and delegate the “Unlock User Accounts” task using the Active Directory Delegation of Control Wizard, scoped to the specific OUs containing end-user accounts. Avoid adding the account to Account Operators or Domain Admins.
What the Service Does NOT Require
TAMS is intentionally scoped to a single privileged action. The service account does not need:
- Domain Admin or Enterprise Admin rights
- Write access to AD objects other than unlocking accounts
- The ability to create, delete, or move AD objects
- Access to password hashes or credential attributes