First of all, please note that you SHOULD NOT give help desk workers these permissions, because it entails allowing them to read and write OTP secrets. This is like letting them export everyone's AD password at will.

Opening the data partition

In ADSI Edit, open the AuthLite partition, which is under distinguished name:


NOTE: In the distinguished name above you must replace the <dc=sandbox,dc=local> portion with the LDAP-syntax distinguished name of YOUR domain. (It will be the FQDN of your domain with "DC=" before each part, and a comma in place of each period.)

Full management permissions

  • Add the user or group to have Full Control on the CN=AuthLiteKeys container
  • Go into the Security->Advanced view on the CN=AuthLiteKeys container, find the line representing the user or group you added above, and Edit that rule. Change the Applies section from This object only to This object and all descendant objects
  • Add the user or group to have Read access to the CN=AuthLiteHashes container
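The same three steps can be applied and then audited from PowerShell. The script below is an added example, not part of the AuthLite documentation; it uses the .NET DirectoryEntry API (the `[ADSI]` accelerator) rather than ADSI Edit, so it runs without the AD: PSDrive. The partition DN is a placeholder you must replace with the distinguished name shown above for your domain, and the group name `SANDBOX\AuthLite Admins` is hypothetical. The second function lists every principal that holds write rights on CN=AuthLiteKeys, which is the check to run after delegating, given that anyone with write access there can read and alter OTP secrets.

```powershell
# Added example (not from the AuthLite docs). Assumes RSAT/.NET on a domain-joined
# admin workstation and that the caller can modify the AuthLite partition's ACLs.

$Partition = "<AuthLite partition DN>"      # PLACEHOLDER: replace with the DN from ADSI Edit
$Principal = "SANDBOX\AuthLite Admins"      # hypothetical group that will manage AuthLite

function Grant-AuthLiteManagement {
    param([string]$PartitionDn, [string]$Principal)

    $identity = [System.Security.Principal.NTAccount]$Principal
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow

    # Step 1 + 2: Full Control on CN=AuthLiteKeys, applied to
    # "This object and all descendant objects" (inheritance = All).
    $keys = [ADSI]"LDAP://CN=AuthLiteKeys,$PartitionDn"
    $keysRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $keys.ObjectSecurity.AddAccessRule($keysRule)
    $keys.CommitChanges()

    # Step 3: Read access on CN=AuthLiteHashes, "This object only" (inheritance = None).
    $hashes = [ADSI]"LDAP://CN=AuthLiteHashes,$PartitionDn"
    $hashesRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $hashes.ObjectSecurity.AddAccessRule($hashesRule)
    $hashes.CommitChanges()
}

function Get-AuthLiteWriters {
    # Lists every Allow ACE on CN=AuthLiteKeys that grants any form of write,
    # including inherited ones, so over-broad delegation (e.g. a help desk group) is visible.
    param([string]$PartitionDn)

    $keys  = [ADSI]"LDAP://CN=AuthLiteKeys,$PartitionDn"
    $rules = $keys.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeMask)) -ne 0
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

Grant-AuthLiteManagement -PartitionDn $Partition -Principal $Principal
Get-AuthLiteWriters -PartitionDn $Partition | Format-Table -AutoSize
```

Run the audit function on its own periodically: any entry it returns beyond the intended management group (and the built-in administrative principals that appear through inheritance) is a delegation that should be reviewed, since it is equivalent to the ability to export every user's OTP secret.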