For AD sync, any user who is a member of the Administrators group or any user who is a member of the domain is enough. So any user who is not in the Domain Admins group but is a member of the Administrators group or a member of the domain can do AD sync. But for agent deployment the user must have local admin rights on the machine where the agent is being pushed.
on 2/26/13 3:13:20 PM CST
After a bit of searching and opening up an SR I have just noticed this post. Adding an account to the Administrators group is one of the worst things you can do and just as bad as using a Domain Admin account to sync the AD.
A standard domain user will do; however, for me (us) this does not suffice, as a domain user carries too many privileges for a simple AD sync.
I will report back on what McAfee has to say about this, as using Administrators, Domain Admins or a domain user is not an option and is the lazy way to get something to work.
'Read Object Class'
'Read Object GUID'
Seems to return objects.
OK, after two months of an SR with McAfee a KB has been generated.
McAfee ePolicy Orchestrator (ePO) 5.0, 4.6, 4.5
The following is a support statement from ePO Product Management:
Minimum permissions needed for an Active Directory (AD) user to synchronize computers with ePO:
AD Synchronization requires a domain user on the AD environment to be synced with access to the containers they wish to synchronize. Although it may be possible to further restrict the rights on the user enumerating the AD environment, any further restrictions must be done by the customer. McAfee will not provide support for that determination.
The following fields are used during an AD Synchronization:
- Distinguished Name
- NetBIOS Name
- Object GUID
- Object Category
- Parent Container
Customers are free to harden the AD user account. However, McAfee recommends that you verify that the desired information will be synchronized.
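The KB above leaves it to the customer to verify that a hardened sync account still returns the listed fields. The following script is an added example (not from the thread, the KB or McAfee) that binds to a container as the restricted account and reports which of those attributes come back for each computer object; the container DN, account name and DC hostname are placeholders to replace with your own.

```powershell
# Added example: bind as the restricted sync account (not as the admin running
# the script) and check that the KB's fields are readable for every computer.
# The values below are hypothetical placeholders, not from the thread.
param(
    [string]$ContainerDN = 'OU=Workstations,DC=example,DC=local',   # placeholder
    [string]$SyncUser    = 'EXAMPLE\svc-epo-adsync',                # placeholder
    [string]$Server      = 'dc01.example.local'                     # placeholder
)

# Prompt for the sync account's password; DirectoryEntry needs it as plain text.
$cred = Get-Credential -UserName $SyncUser -Message 'Password for the AD sync account'
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$ContainerDN", $cred.UserName, $cred.GetNetworkCredential().Password)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=computer)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500        # paged results so containers with >1000 objects work

# LDAP attributes behind the KB's fields; Parent Container is derived from the DN.
$required = 'distinguishedname', 'samaccountname', 'objectguid', 'objectcategory'
$required | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    # Nothing returned usually means List Contents / Read is missing on the container.
    Write-Warning "No computer objects returned from $ContainerDN as $SyncUser"
}

foreach ($r in $results) {
    # An attribute that is not returned means the account lacks Read Property on it
    # (or the attribute is unset); either way ePO would not get that field.
    $missing = $required | Where-Object { $r.Properties[$_].Count -eq 0 }
    if ($missing) {
        Write-Warning ("{0}: missing {1}" -f $r.Path, ($missing -join ', '))
        continue
    }
    $dn     = $r.Properties['distinguishedname'][0]
    # Computer names cannot contain commas, so the first comma ends the RDN.
    $parent = $dn.Substring($dn.IndexOf(',') + 1)
    $guid   = New-Object System.Guid -ArgumentList (,$r.Properties['objectguid'][0])
    "{0}`t{1}`t{2}" -f $r.Properties['samaccountname'][0], $guid, $parent
}
$results.Dispose()
```

Run it once with the hardened account and once with an unrestricted account on the same container; any difference in the warnings or row counts shows which permission the hardening removed that ePO still needs.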