
Active Directory Sync

We have been using our domain admin account for ePO Active Directory synchronizations and agent push installs. We would like to use an account without domain admin rights to do the sync and installs going forward. I know that for the agent client installs the user account will need local admin rights on the workstations.

Can someone tell me what rights the account would need to allow the Active Directory sync?

Thanks in advance.

3 Replies
Level 14
Message 2 of 4

Re: Active Directory Sync

For AD sync, any user who is a member of the Administrators group or any user who is a member of the domain is enough. So any user who is not in the Domain Admins group but is a member of the Administrators group or a member of the domain can do AD sync. But for agent deployment the user must have local admin rights on the machine where the agent is being pushed.

on 2/26/13 3:13:20 PM CST

on 2/26/13 3:37:51 PM CST
Level 9
Message 3 of 4

Re: Active Directory Sync

After a bit of searching and opening up an SR I have just noticed this post. Adding an account to the Administrators group is one of the worst things you can do and just as bad as using a domain admin account to sync the AD.

A standard domain user will do; however, for me (us) this does not suffice, as a domain user carries too many privileges for a simple AD sync.

I will report back on what McAfee have to say about this, as using Administrators, Domain Admins or Domain Users is not an option and is the lazy way to get something to work.

  • 'List Object'
  • 'Read Object Class'
  • 'Read Object GUID'

Seems to return objects.

Message was edited by: a13xchan on 7/23/13 6:41:31 AM CDT
Level 9
Message 4 of 4

Re: Active Directory Sync

OK, after two months of an SR with McAfee a KB has been generated.


McAfee ePolicy Orchestrator (ePO) 5.0, 4.6, 4.5


The following is a support statement from ePO Product Management:

Minimum permissions needed for an Active Directory (AD) user to synchronize computers with ePO:
AD Synchronization requires a domain user on the AD environment to be synced with access to the containers they wish to synchronize. Although it may be possible to further restrict the rights on the user enumerating the AD environment, any further restrictions must be done by the customer. McAfee will not provide support for that determination.

The following fields are used during an AD Synchronization:

  • Name
  • Distinguished Name
  • Description
  • NetBIOS Name
  • Object GUID
  • Object Category
  • Parent Container
  • Container

Customers are free to harden the AD user account. However, McAfee recommends that you verify that the desired information will be synchronized.
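The KB leaves verification of a hardened account to the customer. The script below is an added example (not from this thread, McAfee, or ePO) that does that check: run it as the restricted sync account against the container ePO will synchronize and it reports whether the attributes the KB lists come back readable. The server name and container DN are placeholders to replace with your own.

```powershell
# Added example: verify a hardened AD account can read the attributes
# ePO's AD sync uses. Run this while logged on as that account.
param(
    [string]$Server      = 'dc01.example.local',                  # placeholder
    [string]$ContainerDN = 'OU=Workstations,DC=example,DC=local'  # placeholder
)

Add-Type -AssemblyName System.DirectoryServices

# Attributes named in the KB statement. Parent container and container are
# derived from distinguishedName, so they need no separate read right.
$wanted = @('name', 'distinguishedName', 'description', 'objectGUID', 'objectCategory')

# Bind with the current (restricted) credentials, scoped to the sync container
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ContainerDN")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=computer)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500          # paged search, as a large OU would need
foreach ($a in $wanted) { [void]$searcher.PropertiesToLoad.Add($a) }

try {
    $results = $searcher.FindAll()
} catch {
    Write-Error "Bind or search as $env:USERDOMAIN\$env:USERNAME failed: $_"
    exit 1
}

# Zero results with no error usually means List Contents / List Object is
# missing on the container rather than a read right on the attributes.
if ($results.Count -eq 0) {
    Write-Warning "No computer objects returned from $ContainerDN; check list rights on the OU."
    exit 1
}

$missing = @{}
foreach ($r in $results) {
    foreach ($a in $wanted) {
        if ($a -eq 'description') { continue }     # legitimately empty on most computers
        if ($r.Properties[$a].Count -eq 0) { $missing[$a] = [int]$missing[$a] + 1 }
    }
}

"Computers returned: $($results.Count)"
if ($missing.Count -eq 0) {
    "All required attributes readable as $env:USERDOMAIN\$env:USERNAME."
} else {
    $missing.GetEnumerator() | ForEach-Object { "Attribute '$($_.Key)' unreadable on $($_.Value) object(s)" }
    exit 1
}
```

Compare the count it returns with the number of computers ePO shows after a sync from the same container; a difference points at a permission gap the script cannot see (for example a denied sub-OU).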
