3 Replies Latest reply on Dec 4, 2009 12:34 PM by sabramo

    AD Sync Account Rights?

      Does anyone know what rights are required for the account performing AD Sync?

      In our 2003 domain, a regular domain user account works fine.

       

      In a seperate 2008 domain, only a domain admin account seems to work.

      McAfee support tells me to use a domain admin account.

      This seems rediculous from a security standpoint!

       

      Does anyone know if there's a specific right that a generic domain user account can be given to query LDAP for syncing w/ EPO ?

        • 1. Re: AD Sync Account Rights?
          jstanley

          The ePO 4.X AD Sync does not write anything to the AD so you need full read permissions but not write/modify permissions. My guess would be that user accounts on a Windows 2008 AD do not have full read permissions.

          1 of 1 people found this helpful
          • 2. Re: AD Sync Account Rights?

            Oddly enough, using a USER account from the 2008 domain did not work, possibly because the trust is only 1 way.

            However, using our standard EPO (domain user) account from the original 2003 domain works fine.

             

            I suspect the caveat has to do with the one-way-trust, and that a regular user WOULD work if the EPO server was in the new 2008 domain.

            • 3. Re: AD Sync Account Rights?

              Since the trust between is only 1 way, we couldnt use a domain-user account in the new/2008 domain.  using a domain-user account in the original domain (the trustED domain) did work.