> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Active Directory Permissions

> The minimum Active Directory permissions the TAMS service account requires, and the recommended way to delegate them.

TAMS performs all AD operations under the Windows service account identity it runs as. **No AD credentials are stored** in the application configuration or registry.

Grant this account the least privilege needed to unlock accounts — nothing more.

## Minimum Required Permissions

The service account must have the following permissions granted in Active Directory:

| Permission                                               | Scope                                               | Required For                                            |
| -------------------------------------------------------- | --------------------------------------------------- | ------------------------------------------------------- |
| Log on as a service                                      | Local machine                                       | Running the TAMS Windows Service                        |
| Read (objectClass, userPrincipalName, distinguishedName) | All user objects in the forest (via Global Catalog) | Forest-wide user lookup by UPN                          |
| Read all user properties                                 | User objects in the target domain                   | Checking `IsAccountLockedOut()` status                  |
| Reset Password / Unlock User Accounts                    | User objects in the target domain                   | Unlocking the AD account (`UnlockAccount()` + `Save()`) |

<Tip>
  **Recommended approach:** Create a dedicated service account and delegate the "Unlock User Accounts" task using the Active Directory **Delegation of Control Wizard**, scoped to the specific OUs containing end-user accounts. Avoid adding the account to `Account Operators` or `Domain Admins`.
</Tip>

## What the Service Does NOT Require

TAMS is intentionally scoped to a single privileged action. The service account does **not** need:

* Domain Admin or Enterprise Admin rights
* Write access to AD objects other than unlocking accounts
* The ability to create, delete, or move AD objects
* Access to password hashes or credential attributes
