Does anyone know what rights are required for the account performing AD Sync?
In our 2003 domain, a regular domain user account works fine.
In a separate 2008 domain, only a domain admin account seems to work.
McAfee support tells me to use a domain admin account.
This seems ridiculous from a security standpoint!
Does anyone know if there's a specific right that a generic domain user account can be given to query LDAP for syncing w/ EPO?
The ePO 4.X AD Sync does not write anything to the AD so you need full read permissions but not write/modify permissions. My guess would be that user accounts on a Windows 2008 AD do not have full read permissions.
Oddly enough, using a USER account from the 2008 domain did not work, possibly because the trust is only 1 way.
However, using our standard EPO (domain user) account from the original 2003 domain works fine.
I suspect the caveat has to do with the one-way-trust, and that a regular user WOULD work if the EPO server was in the new 2008 domain.
Since the trust between them is only one way, we couldn't use a domain-user account in the new/2008 domain. Using a domain-user account in the original domain (the trustED domain) did work.
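As an added example that is not part of this thread and not McAfee's code, the PowerShell script below checks the two things discussed above before any account is handed to AD Sync: whether a candidate low-privilege account can bind to the target domain's LDAP with explicit credentials (the one-way-trust problem), and whether that bind can actually read the OU and computer objects a sync reads. The DC name, search base and credential are placeholders to be replaced; the script needs only .NET's System.DirectoryServices, which ships with Windows.

```powershell
# Added example: test whether a least-privilege account can do the LDAP
# reads an AD sync needs, without making it Domain Admin.
# Placeholders: $Server, $SearchBase and the credential prompt.
param(
    [string]$Server     = 'dc01.example.local',   # placeholder DC in the domain to sync
    [string]$SearchBase = 'DC=example,DC=local',  # placeholder search base (domain root or sync OU)
    [pscredential]$Credential = (Get-Credential -Message 'Account to test (DOMAIN\user or UPN)')
)

Add-Type -AssemblyName System.DirectoryServices

$netCred = $Credential.GetNetworkCredential()
$path    = "LDAP://$Server/$SearchBase"

# Bind with explicit credentials. Across a one-way trust the server's own
# identity may not be accepted, so test as the account the sync will use.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $path, $netCred.UserName, $netCred.Password, 'Secure')

try {
    # RefreshCache forces the bind; a failure here is an authentication or
    # trust problem, not a missing Read permission.
    $root.RefreshCache()
} catch {
    Write-Error "Bind failed for $($Credential.UserName) to ${path}: $($_.Exception.Message)"
    exit 1
}

# Read test: enumerate what a sync reads (OUs and computer objects).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(|(objectClass=organizationalUnit)(objectCategory=computer))'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass', 'dNSHostName'))

$results   = $searcher.FindAll()
$ous       = @($results | Where-Object { $_.Properties['objectclass'] -contains 'organizationalUnit' })
$computers = @($results | Where-Object { $_.Properties['dnshostname'].Count -gt 0 })

"Bound as $($Credential.UserName) to $path"
"Readable OUs:       $($ous.Count)"
"Readable computers: $($computers.Count)"

if ($ous.Count -eq 0 -and $computers.Count -eq 0) {
    Write-Warning 'Bind succeeded but nothing was readable: grant Read on the sync OUs rather than Domain Admin.'
}
```

Run it once with the account from the trusting domain and once with an account from the trusted domain; a bind error on one and a successful read on the other reproduces the one-way-trust behaviour described in the thread, while a successful bind with zero readable objects points at missing Read permissions on the OUs rather than at the trust.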