946 Views 3 Replies Latest reply: Sep 12, 2013 2:55 AM by a13xchan
greg_2275 Newcomer 2 posts since
Feb 14, 2012

Feb 26, 2013 1:07 PM

Active Directory Sync

We have been using our domain admin account for ePO Active Directory synchronizations and agent push installs. We would like to use an account without domain admin rights to do the sync and installs going forward. I know that for the agent client installs the user account will need local admin rights on the workstations.

Can someone tell me what rights that the account would need to allow the active directory sync?

Thanks in advance.

  • alexn Veteran 722 posts since
    Aug 9, 2012
    1. Feb 26, 2013 3:37 PM (in response to greg_2275)
    Re: Active Directory Sync

    For AD sync, any user that is a member of the Administrators group or any user that is a member of the domain is enough. So any user who is not in the Domain Admins group but is a member of the Administrators group, or a member of the domain, can do AD sync. But for agent deployment the user must have local admin rights on the machine where the agent is being pushed.

  • a13xchan Newcomer 18 posts since
    Jan 18, 2010
    2. Jul 23, 2013 6:41 AM (in response to alexn)
    Re: Active Directory Sync

    After a bit of searching and opening up an SR, I have just noticed this post. Adding an account to the Administrators group is one of the worst things you can do and just as bad as using a domain admin account to sync the AD.

    A standard domain user will do; however, for me (us) this does not suffice, as a domain user holds too many privileges for a simple AD sync.

    I will report back on what McAfee have to say about this, as using Administrators, Domain Admins or a domain user is not an option and is the lazy way to get something to work.

    ***Update***

    • 'List Object'
    • 'Read Object Class'
    • 'Read Object GUID'

    Seems to return objects.
  • a13xchan Newcomer 18 posts since
    Jan 18, 2010
    3. Sep 12, 2013 2:55 AM (in response to a13xchan)
    Re: Active Directory Sync

    OK, after two months of SR with McAfee a KB has been generated.

    http://kc.mcafee.com/corporate/index?page=content&id=KB79316

    Environment

    McAfee ePolicy Orchestrator (ePO) 5.0, 4.6, 4.5

    Summary

    The following is a support statement from ePO Product Management:

    Minimum permissions needed for an Active Directory (AD) user to synchronize computers with ePO:
    AD Synchronization requires a domain user on the AD environment to be synced with access to the containers they wish to synchronize. Although it may be possible to further restrict the rights on the user enumerating the AD environment, any further restrictions must be done by the customer. McAfee will not provide support for that determination.

    The following fields are used during an AD Synchronization:

    • Name
    • Distinguished Name
    • Description
    • NetBIOS Name
    • Object GUID
    • Object Category
    • Parent Container
    • Container

    Customers are free to harden the AD user account. However, McAfee recommends that you verify that the desired information will be synchronized.
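
    As an added check, not part of the thread or the KB: the PowerShell below binds to the sync container as the candidate (hardened) account rather than as the administrator running it, queries the computer objects, and reports per object which of the LDAP attributes behind the KB's field list came back, so the account's rights can be reduced step by step and re-verified as the KB recommends. The domain controller name, container DN and the account prompted for are assumptions.

```powershell
# Added example (not McAfee's code): verify that a restricted AD account
# can still read the attributes ePO uses for AD synchronization.
# Assumptions: the DC name, container DN and account below are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$dc        = 'dc01.example.local'                    # assumed domain controller
$container = 'OU=Workstations,DC=example,DC=local'   # assumed sync container
$cred      = Get-Credential -Message 'Candidate ePO AD sync account'
$password  = $cred.GetNetworkCredential().Password

# LDAP attributes behind the KB's Name, Distinguished Name, Description,
# Object GUID and Object Category fields. The remaining KB fields (NetBIOS
# name, parent container, container) are not single attributes and are
# not checked here.
$required = [string[]]@('name', 'distinguishedName', 'description',
                        'objectGUID', 'objectCategory')

# Bind as the restricted account so the result reflects its rights only
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dc/$container", $cred.UserName, $password)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=computer)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500
$searcher.PropertiesToLoad.AddRange($required)

try {
    $results = $searcher.FindAll()
} catch {
    # Typically the account lacks List Contents / Read on the container itself
    Write-Error "Bind or search failed as $($cred.UserName): $_"
    return
}

if ($results.Count -eq 0) {
    Write-Warning 'No computer objects returned; check List Object / List Contents on the container.'
}

foreach ($r in $results) {
    # ResultPropertyCollection keys are lower-case attribute names
    $missing = $required | Where-Object { -not $r.Properties.Contains($_.ToLower()) }
    # description is optional on a computer object, so its absence is not a rights problem
    $missing = @($missing | Where-Object { $_ -ne 'description' })
    $name = if ($r.Properties.Contains('name')) { $r.Properties['name'][0] } else { $r.Path }
    if ($missing.Count -gt 0) {
        Write-Output ("MISSING {0}: {1}" -f $name, ($missing -join ', '))
    } else {
        Write-Output ("OK      {0}" -f $name)
    }
}
```

    Run it once with the current (over-privileged) account to get a baseline, then again after each permission is removed; any MISSING line identifies a field the sync would silently lose.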

