Level 7

Active Directory Sync

We have been using our domain admin account for EPO active directory synchronizations and agent push installs.  We would like to use an account without domain admin rights to do the sync and installs going forward.  I know for the agent client installs that the user account will need local admin rights on the workstations.

Can someone tell me what rights that the account would need to allow the active directory sync?

Thanks in advance.

0 Kudos
3 Replies
Level 14

Re: Active Directory Sync

For AD sync, any user member of administrator group or any user member of domain is enough. So any user who is not in Domain Admin Group but a member of administrator group or member of domain can do AD sync. But for Agent deployment user must have local admin rights on that machine where agent is being pushed.

on 2/26/13 3:13:20 PM CST

on 2/26/13 3:37:51 PM CST
0 Kudos
Level 9

Re: Active Directory Sync

After a bit of searching and opening up an SR I have just noticed this post. Adding an account to the administrators group is one of the worst things you can do and just as bad as using a domain admin account to sync the AD.

A standard domain user will do; however, for me (us) this does not suffice as domain user contains too many privileges for a simple AD sync.

I will report back on what McAfee have to say about this as using administrators, domain admins or domain user is not an option and the lazy way to get something to work.


  • 'List Object'
  • 'Read Object Class'
  • 'Read Object GUID'

Seems to return objects.

Message was edited by: a13xchan on 7/23/13 6:41:31 AM CDT
0 Kudos
Level 9

Re: Active Directory Sync

OK, after two months of SR with McAfee a KB has been generated.


McAfee ePolicy Orchestrator (ePO) 5.0, 4.6, 4.5


The following is a support statement from ePO Product Management:

Minimum permissions needed for an Active Directory (AD) user to synchronize computers with ePO:
AD Synchronization requires a domain user on the AD environment to be synced with access to the containers they wish to synchronize. Although it may be possible to further restrict the rights on the user enumerating the AD environment, any further restrictions must be done by the customer. McAfee will not provide support for that determination.

The following fields are used during an AD Synchronization:

  • Name
  • Distinguished Name
  • Description
  • Net BIOS Name
  • Object GUID
  • Object Category
  • Parent Container
  • Container

Customers are free to harden the AD user account. However, McAfee recommends that you verify that the desired information will be synchronized.

0 Kudos
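The KB above says to verify that a hardened sync account can still read the fields ePO uses. The following script is an added example (not from the thread, McAfee or the KB) that runs an LDAP search as the hardened account and reports which of the listed fields it cannot read for each computer in the container to be synced. The container, server and the mapping of the KB's field names to LDAP attribute names are assumptions.

```powershell
# Added example: check that a least-privilege ePO sync account can read the fields the KB lists.
# Run from any domain-joined machine; supply the sync account's credentials when prompted.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',   # assumption: container to be synced
    [string]$Server     = 'dc01.example.com',                    # assumption: a domain controller
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'ePO AD sync account')
)

# KB field name -> LDAP attribute. The mapping is an assumption; Parent Container and Container
# are derived from distinguishedName below rather than read as separate attributes.
$required = [ordered]@{
    'Name'               = 'name'
    'Distinguished Name' = 'distinguishedName'
    'Description'        = 'description'       # optional on most objects; empty is not a denial
    'Net BIOS Name'      = 'sAMAccountName'    # computer NetBIOS name is sAMAccountName without '$'
    'Object GUID'        = 'objectGUID'
    'Object Category'    = 'objectCategory'
}

# Bind with the hardened account, not the account running the script, so ACLs are tested for real.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$SearchBase", $Credential.UserName,
    $Credential.GetNetworkCredential().Password, 'Secure')
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=computer)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500
foreach ($attr in $required.Values) { [void]$searcher.PropertiesToLoad.Add($attr) }

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    # No objects at all usually means the account lacks List Contents / List Object on the container.
    Write-Warning "No computer objects visible under $SearchBase as $($Credential.UserName)."
    return
}

# AD silently omits attributes the caller may not read, so a missing key means 'denied' (or unset).
foreach ($r in $results) {
    $dn = $r.Properties['distinguishedname'][0]
    $missing = foreach ($field in $required.Keys) {
        $attr = $required[$field].ToLower()
        if ($field -ne 'Description' -and -not $r.Properties.Contains($attr)) { $field }
    }
    $parent = if ($dn) { ($dn -split '(?<!\\),', 2)[1] } else { '<unreadable>' }   # Parent Container
    [pscustomobject]@{ Computer = $r.Properties['name'][0]; ParentContainer = $parent;
                       MissingFields = ($missing -join ', ') }
}
```

Any row with a non-empty MissingFields column (or a Parent Container of <unreadable>) shows a field the sync would silently drop, which is exactly the gap the KB asks you to check before deploying the hardened account.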