2.4 Creating an Administrative Account

In a test environment, you can use the built-in Administrator account until the Active Directory driver is working. Then create a dedicated administrative account that holds only the rights the driver needs (the restricted set described below), and use that account exclusively for the driver's authentication to Active Directory.

Using a dedicated account insulates the Identity Manager driver from changes made to other administrative accounts. Advantages of this design are:

  • You can use Active Directory auditing to track the activity of the Active Directory driver separately from that of other administrators.

  • You can apply a password change policy to this account as you do to other accounts, then make the necessary update to the driver configuration.

The account name and password are stored in the driver configuration, so you must update the driver configuration whenever the account password changes. If you change the account password without updating the driver configuration, authentication fails the next time the driver is restarted.

At a minimum, this account must have Read and Replicating Directory Changes rights at the root of the domain for the Publisher channel to operate. For more information, see How to grant the Replicating Directory Changes permission in Windows. The account also needs Write rights to any object modified by the Subscriber channel. Rather than granting domain-wide write access, restrict Write rights to the containers and attributes that the Subscriber channel actually writes.

To obtain delete events from Active Directory, the account needs permission to view the contents of the Deleted Objects container. By default, only the built-in Administrators group has this permission. To grant it to a non-administrator such as the driver account, modify the permissions on the Deleted Objects container by following the instructions in the Microsoft documentation. Similarly, the driver account needs permission to view the contents of the Password Sync registry keys. By default, only the Local System account has this permission. If the driver runs as any other account, grant that account “Full Control” over the “Novell” registry keys and subkeys. For more information, see Configuring System Permissions.

To provision Exchange mailboxes, the driver's logon account must also hold the “Act as part of the operating system” user right. This is a highly privileged right, so grant it only when Exchange mailbox provisioning is actually required.
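The following PowerShell script is an added example that carries out the grants described in this section; it is not part of the driver documentation or product. It assumes a domain with the NetBIOS name EXAMPLE, a driver account named svc-idm-ad, a Subscriber-managed OU named "IDM Managed", and that the Password Sync keys live under HKLM:\SOFTWARE\Novell (the guide names only the "Novell" keys); all of these are placeholders to adjust. It must run elevated, as a Domain Admin, on the Windows server that hosts the driver, with the RSAT ActiveDirectory module installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not the driver's own tooling. Assumed names: EXAMPLE\svc-idm-ad,
# "OU=IDM Managed", HKLM:\SOFTWARE\Novell. Run elevated on the driver host as a Domain Admin.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$driverSam = 'svc-idm-ad'                       # assumed driver account
$regPath   = 'HKLM:\SOFTWARE\Novell'            # assumed Password Sync key root
$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$netbios   = $domain.NetBIOSName
$driver    = Get-ADUser -Identity $driverSam
$ntAccount = [System.Security.Principal.NTAccount]"$netbios\$driverSam"
$subOU     = "OU=IDM Managed,$domainDN"         # assumed container the Subscriber writes to
$deletedDN = "CN=Deleted Objects,$domainDN"

# 1. Publisher channel: Read plus "Replicating Directory Changes" at the domain root.
#    The control access right's GUID is looked up in the Extended-Rights container
#    rather than hard-coded.
$cfgNC    = (Get-ADRootDSE).ConfigurationNamingContext
$replGuid = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Replicating Directory Changes))' `
    -Properties rightsGuid).rightsGuid
$rootAcl = Get-Acl -Path "AD:\$domainDN"
$rootAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $driver.SID, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
$rootAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $driver.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $replGuid)))
Set-Acl -Path "AD:\$domainDN" -AclObject $rootAcl

# 2. Subscriber channel: write access only on the OU the driver provisions into,
#    not at the domain root.
$ouAcl = Get-Acl -Path "AD:\$subOU"
$ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $driver.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild,GenericWrite',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path "AD:\$subOU" -AclObject $ouAcl

# 3. Delete events: List Contents + Read Property on the Deleted Objects container.
#    This follows Microsoft's documented dsacls route (take ownership first).
& dsacls.exe $deletedDN /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed ($LASTEXITCODE)" }
& dsacls.exe $deletedDN /G "$netbios\${driverSam}:LCRP" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed ($LASTEXITCODE)" }

# 4. Password Sync: Full Control on the Novell registry tree, inherited by subkeys.
$regAcl = Get-Acl -Path $regPath
$regAcl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    $ntAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $regPath -AclObject $regAcl

# 5. Exchange provisioning only: "Act as part of the operating system" (SeTcbPrivilege).
#    Export the local user-rights policy, append the account SID, re-import it.
$inf = Join-Path $env:TEMP 'idm-tcb.inf'
$sdb = Join-Path $env:TEMP 'idm-tcb.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $inf
$sid   = $driver.SID.Value
if ($lines -match '^SeTcbPrivilege\s*=') {
    $lines = $lines -replace '^(SeTcbPrivilege\s*=.*)$', "`$1,*$sid"
} else {
    # Nobody holds the right yet, so the exported file has no SeTcbPrivilege line.
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeTcbPrivilege = *$sid"
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Check: list the ACEs now held by the driver account at the domain root.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\$driverSam" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Steps 1 to 3 need Domain Admin rights and can be run from any domain member with RSAT; steps 4 and 5 change local security on the machine they run on, so run them on the server where the driver shim actually executes. Skip step 5 entirely if you do not provision Exchange mailboxes. The final check should show a GenericRead ACE with an empty ObjectType and an ExtendedRight ACE whose ObjectType is the Replicating Directory Changes GUID.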