AD Sync Account Rights?

Does anyone know what rights are required for the account performing AD Sync?

In our 2003 domain, a regular domain user account works fine.

In a separate 2008 domain, only a domain admin account seems to work.

McAfee support tells me to use a domain admin account.

This seems ridiculous from a security standpoint!

Does anyone know if there's a specific right that a generic domain user account can be given to query LDAP for syncing with ePO?

3 Replies
McAfee Employee jstanley

Re: AD Sync Account Rights?

The ePO 4.x AD Sync does not write anything to the AD, so you need full read permissions but not write/modify permissions. My guess would be that user accounts on a Windows 2008 AD do not have full read permissions.
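As an added check (an example script, not from the thread, from McAfee or from ePO itself), the following PowerShell tests whether a candidate sync account can bind to a domain over LDAP and read the users, groups and OUs that AD Sync has to enumerate, which is the read-only access the reply above describes. Run it from the ePO server so the test takes the same trust path the sync will. The server name, search base and account name in the comments are placeholders.

```powershell
# Added example: verify an account has read-only LDAP access suitable for ePO AD Sync.
# Placeholders (assumptions): dc01.corp.example, DC=corp,DC=example, CORP\svc-epo-adsync
param(
    [Parameter(Mandatory)][string]$LdapServer,                                   # e.g. dc01.corp.example
    [Parameter(Mandatory)][string]$SearchBase,                                   # e.g. DC=corp,DC=example
    [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential # e.g. CORP\svc-epo-adsync
)

Add-Type -AssemblyName System.DirectoryServices

$user     = $Credential.UserName
$password = $Credential.GetNetworkCredential().Password
$path     = "LDAP://$LdapServer/$SearchBase"
$entry    = New-Object System.DirectoryServices.DirectoryEntry($path, $user, $password)

# 1. Bind test: touching NativeObject forces the bind and throws on bad credentials
#    or when the account cannot be authenticated across the trust (the one-way-trust
#    symptom reported later in this thread shows up here, before any search).
try {
    $null = $entry.NativeObject
    Write-Host "Bind OK as $user to $path"
} catch {
    Write-Error "Bind FAILED as $user to $path : $($_.Exception.Message)"
    exit 1
}

# 2. Read test: a paged subtree search for the object classes AD Sync enumerates.
#    AD silently omits objects the account is not allowed to read, so compare these
#    counts with a run of the same script under a known-good (admin) account;
#    a lower count under the service account points at missing read permissions.
$searcher             = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter      = "(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@("objectClass", "distinguishedName"))

$counts = @{ user = 0; group = 0; organizationalUnit = 0 }
foreach ($result in $searcher.FindAll()) {
    # objectClass is multi-valued; the most specific class is the last value
    $cls = @($result.Properties["objectclass"])[-1]
    if ($counts.ContainsKey($cls)) { $counts[$cls]++ }
}

Write-Host "Objects readable by $user under $SearchBase :"
$counts.GetEnumerator() | Sort-Object Key | ForEach-Object {
    "{0,-20} {1}" -f $_.Key, $_.Value
}
```

Usage: save as Test-AdSyncReadAccess.ps1 and run `.\Test-AdSyncReadAccess.ps1 -LdapServer dc01.corp.example -SearchBase "DC=corp,DC=example" -Credential (Get-Credential CORP\svc-epo-adsync)`, then repeat with an account you know works and compare the counts. The script deliberately makes no write attempt: proving the account cannot modify AD by trying to modify AD would leave changes behind if the account turned out to have more rights than intended.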

Re: AD Sync Account Rights?

Oddly enough, using a USER account from the 2008 domain did not work, possibly because the trust is only 1 way.

However, using our standard EPO (domain user) account from the original 2003 domain works fine.

I suspect the caveat has to do with the one-way-trust, and that a regular user WOULD work if the EPO server was in the new 2008 domain.

Re: AD Sync Account Rights?

Since the trust between them is only 1 way, we couldn't use a domain-user account in the new/2008 domain. Using a domain-user account in the original domain (the trustED domain) did work.
