AD Sync Account Rights?

Does anyone know what rights are required for the account performing AD Sync?

In our 2003 domain, a regular domain user account works fine.

In a separate 2008 domain, only a domain admin account seems to work.

McAfee support tells me to use a domain admin account.

This seems ridiculous from a security standpoint!

Does anyone know if there's a specific right that a generic domain user account can be given to query LDAP for syncing w/ ePO?

3 Replies

McAfee Employee jstanley
Re: AD Sync Account Rights?

The ePO 4.X AD Sync does not write anything to the AD, so you need full read permissions but not write/modify permissions. My guess would be that user accounts on a Windows 2008 AD do not have full read permissions.

Re: AD Sync Account Rights?

Oddly enough, using a USER account from the 2008 domain did not work, possibly because the trust is only 1 way.

However, using our standard EPO (domain user) account from the original 2003 domain works fine.

I suspect the caveat has to do with the one-way-trust, and that a regular user WOULD work if the EPO server was in the new 2008 domain.

Re: AD Sync Account Rights?

Since the trust between them is only one way, we couldn't use a domain-user account in the new/2008 domain. Using a domain-user account in the original domain (the trustED domain) did work.
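The replies above boil down to two things to verify before handing ePO a service account: the account only needs LDAP read access (per jstanley's reply), and the bind has to succeed across whatever trust exists between the ePO server's domain and the domain being synced. The script below is an added example, not code from the thread or from McAfee; it binds to a domain controller as the candidate account and runs read-only LDAP searches for the object types a sync would enumerate. Run it from the ePO server itself so the same trust path is exercised. The server name, base DN and account name are placeholders.

```powershell
# Added example (not from the original thread or from McAfee): check whether a
# candidate ePO AD Sync service account can READ the objects a sync needs over
# LDAP. Nothing here writes to the directory. Run it from the ePO server so the
# bind crosses the same trust the sync would.
param(
    [string]$Server   = "dc01.child2008.example.com",        # placeholder DC
    [string]$BaseDN   = "DC=child2008,DC=example,DC=com",    # placeholder base DN
    [string]$UserName = "EXAMPLE\svc-epo-sync",              # placeholder account
    [System.Security.SecureString]$Password = (Read-Host -Prompt "Password for $UserName" -AsSecureString)
)

Add-Type -AssemblyName System.DirectoryServices

# DirectoryEntry needs the password as plain text; keep that window short.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$ldapPath = "LDAP://$Server/$BaseDN"
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath, $UserName, $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
$plain = $null

try {
    # Touching NativeObject forces the actual bind. A wrong password, or an
    # account the trust will not authenticate, fails here rather than later.
    $null = $root.NativeObject
    Write-Host "Bind OK as $UserName to $ldapPath"
} catch {
    Write-Host "Bind FAILED as $UserName to $ldapPath : $($_.Exception.Message)"
    exit 1
}

# Object types an AD sync enumerates: accounts, groups, computers and the
# OU/container tree they live in. All searches are read-only.
$checks = [ordered]@{
    "users"      = "(&(objectCategory=person)(objectClass=user))"
    "groups"     = "(objectCategory=group)"
    "computers"  = "(objectCategory=computer)"
    "containers" = "(|(objectClass=organizationalUnit)(objectClass=container))"
}

foreach ($name in $checks.Keys) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = $checks[$name]
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "sAMAccountName", "name"))
    try {
        $results = $searcher.FindAll()
        # AD silently hides objects the caller cannot list, so a count of 0
        # on a populated domain means missing read/list rights, not an error.
        Write-Host ("{0,-10} : read OK, {1} objects visible" -f $name, $results.Count)
        $results.Dispose()
    } catch {
        Write-Host ("{0,-10} : read FAILED: {1}" -f $name, $_.Exception.Message)
    } finally {
        $searcher.Dispose()
    }
}

$root.Dispose()
```

Two outcomes map onto the thread: a failure at the bind step reproduces the one-way-trust case (the account cannot authenticate from the ePO server's side at all), while a successful bind followed by zero visible objects reproduces the "regular user lacks full read" case, since Active Directory omits objects the caller has no list or read permission on rather than returning an error. Only the second case is fixable by granting read rights on the relevant OUs; the first needs an account from the trusted domain, as the original poster found.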
