3 Replies. Latest reply: Sep 12, 2013 2:55 AM by a13xchan

    Active Directory Sync


      We have been using our domain admin account for EPO active directory synchronizations and agent push installs.  We would like to use an account without domain admin rights to do the sync and installs going forward.  I know for the agent client installs that the user account will need local admin rights on the workstations.

      Can someone tell me what rights that the account would need to allow the active directory sync?


      Thanks in advance.

        • 1. Re: Active Directory Sync

          For AD sync, any user member of the administrator group or any user member of the domain is enough. So any user who is not in the Domain Admins group but a member of the administrator group or a member of the domain can do AD sync. But for agent deployment the user must have local admin rights on the machine where the agent is being pushed.


          on 2/26/13 3:13:20 PM CST


          on 2/26/13 3:37:51 PM CST
          • 2. Re: Active Directory Sync

            After a bit of searching and opening up an SR I have just noticed this post. Adding an account to the administrators group is one of the worst things you can do and just as bad as using a domain admin account to sync the AD.


            A standard domain user will do; however, for me (us) this does not suffice, as domain user contains too many privileges for a simple AD sync.


            I will report back on what McAfee have to say about this, as using administrators, domain admins or domain user is not an option and the lazy way to get something to work.




            'List Object',
            'Read Object Class',
            'Read Object GUID'

            Seems to return objects.


            Message was edited by: a13xchan on 7/23/13 6:41:31 AM CDT
            • 3. Re: Active Directory Sync

              OK, after two months of SR with McAfee a KB has been generated.





              McAfee ePolicy Orchestrator (ePO) 5.0, 4.6, 4.5



              The following is a support statement from ePO Product Management:


              Minimum permissions needed for an Active Directory (AD) user to synchronize computers with ePO:
              AD Synchronization requires a domain user on the AD environment to be synced with access to the containers they wish to synchronize. Although it may be possible to further restrict the rights on the user enumerating the AD environment, any further restrictions must be done by the customer. McAfee will not provide support for that determination.


              The following fields are used during an AD Synchronization:

              • Name
              • Distinguished Name
              • Description
              • Net BIOS Name
              • Object GUID
              • Object Category
              • Parent Container
              • Container

              Customers are free to harden the AD user account. However, McAfee recommends that you verify that the desired information will be synchronized.
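An added example for the KB's closing advice (verify the hardened account still sees what the sync needs); this is my own PowerShell, not code from the thread or from McAfee. It reads the KB's fields once as the privileged user running the script and once as the candidate sync account, then reports objects or attributes the sync account cannot see. The container DN is a placeholder, and the mapping of the KB's field names to LDAP attributes is my assumption.

```powershell
Import-Module ActiveDirectory

# Placeholders: the container ePO will synchronize, and the candidate sync account.
$SearchBase = 'OU=Workstations,DC=example,DC=com'
$SyncCred   = Get-Credential -Message 'Candidate ePO AD sync account'

# Assumed LDAP attributes behind the KB's field list. "Net BIOS Name" is left out
# because the thread does not say which attribute ePO reads for it.
$Props = 'name', 'distinguishedName', 'description', 'objectGUID', 'objectCategory'

function Read-Computers([pscredential]$Cred) {
    # Enumerate the container, optionally as another account, keyed by DN.
    $params = @{ Filter = '*'; SearchBase = $SearchBase; SearchScope = 'Subtree'
                 Properties = $Props; ErrorAction = 'Stop' }
    if ($Cred) { $params.Credential = $Cred }
    $table = @{}
    foreach ($c in (Get-ADComputer @params)) { $table[$c.DistinguishedName] = $c }
    return $table
}

# Baseline as the privileged caller, then the same query as the sync account.
$baseline = Read-Computers $null
$asSync   = Read-Computers $SyncCred

foreach ($dn in $baseline.Keys) {
    if (-not $asSync.ContainsKey($dn)) {
        # Not even listed: the account lacks List/Read on the object or its container.
        [pscustomobject]@{ Computer = $dn; Problem = 'not visible to sync account' }
        continue
    }
    $ref = $baseline[$dn]
    $got = $asSync[$dn]
    # Attributes populated for the privileged caller but blank for the sync account.
    $hidden = $Props | Where-Object { $null -ne $ref.$_ -and $null -eq $got.$_ }
    if ($hidden) {
        [pscustomobject]@{ Computer = $dn; Problem = "cannot read: $($hidden -join ', ')" }
    }
}
```

No output means the sync account sees every object and attribute the privileged caller does within that container; if the first query as the sync account throws, the account cannot read the container itself.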