Does anyone know what rights are required for the account performing AD Sync?
In our 2003 domain, a regular domain user account works fine.
In a separate 2008 domain, only a domain admin account seems to work.
McAfee support tells me to use a domain admin account.
This seems ridiculous from a security standpoint!
Does anyone know if there's a specific right that a generic domain user account can be given to query LDAP for syncing w/ EPO?
The ePO 4.X AD Sync does not write anything to the AD so you need full read permissions but not write/modify permissions. My guess would be that user accounts on a Windows 2008 AD do not have full read permissions.
Oddly enough, using a USER account from the 2008 domain did not work, possibly because the trust is only 1 way.
However, using our standard EPO (domain user) account from the original 2003 domain works fine.
I suspect the caveat has to do with the one-way-trust, and that a regular user WOULD work if the EPO server was in the new 2008 domain.
Since the trust between them is only 1 way, we couldn't use a domain-user account in the new/2008 domain. Using a domain-user account in the original domain (the trustED domain) did work.
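One way to check a candidate least-privilege account before falling back to a domain admin, as an added example that is not part of this thread or of McAfee's own tooling: run this on the ePO server, bind to the target domain with that account (so the trust path is exercised the same way AD Sync would), and confirm it can enumerate the user and computer objects AD Sync reads. The server name, base DN, account and password are placeholders.

```powershell
# Added example (not from the thread): verify that a non-admin account can
# READ the user and computer objects ePO AD Sync enumerates. All values below
# are placeholders to replace with your own.
param(
    [string]$Server   = 'dc01.example.corp',      # assumed DC or domain FQDN in the target domain
    [string]$BaseDN   = 'DC=example,DC=corp',     # assumed search base (domain root or sync OU)
    [string]$User     = 'EXAMPLE\svc-epo-sync',   # assumed candidate sync account (domain user)
    [string]$Password = 'ReplaceMe'               # placeholder; prompt for it in real use
)
Add-Type -AssemblyName System.DirectoryServices

# Explicit credentials: the bind must succeed as the sync account, not as
# whoever is logged on, so the test reflects the account AD Sync will use.
$root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://$Server/$BaseDN", $User, $Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

try {
    $null = $root.NativeObject    # forces the bind; throws on bad credentials or a broken trust path
} catch {
    Write-Error "Bind as $User to $Server failed: $($_.Exception.Message)"
    exit 1
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(objectClass=user)'   # computers are a subclass of user, so both are returned
$searcher.PageSize = 1000                   # paged search so large domains are fully enumerated
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass'))

try {
    $results = $searcher.FindAll()
} catch {
    Write-Error "Search under $BaseDN failed as $User : $($_.Exception.Message)"
    exit 1
}

$users = 0; $computers = 0
foreach ($r in $results) {
    if ($r.Properties['objectclass'] -contains 'computer') { $computers++ } else { $users++ }
}
"Bind OK as $User. Readable under ${BaseDN}: $users user(s), $computers computer(s)."

# A successful bind with zero results usually means the account lacks
# List Contents / Read Property on that container, not that it lacks admin rights.
if (($users + $computers) -eq 0) { exit 2 }
```

Compare the counts with what a domain admin account sees from the same machine; if they match, the read-only account is sufficient for the sync and nothing more than Read needs to be granted.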