2.4 Creating an Administrative Account

In a test environment, use the Administrator account until you get the Active Directory driver working. Then create an administrative account that has the proper rights (including restricted rights) for the Active Directory driver to use exclusively to authenticate to Active Directory.

Doing this keeps the Identity Manager administrative account insulated from changes to other administrative accounts. Advantages to this design are:

  • You can use Active Directory auditing to track the activity of the Active Directory driver.

  • You can implement a password change policy as with other accounts, then make necessary updates to the driver configuration.

The Multi-Domain Active Directory driver allows you to set up an administrative account in two ways:

  • Using Single Administrative Account for the Forest

  • Using Individual Administrative Accounts for Each Domain

When setting up a single administrative account for the forest, ensure that the account is a member of the Enterprise Admins group. An administrator can create a proxy account with the minimum permissions needed to operate the driver, either one account for the entire forest or individual accounts for each configured domain.

This account name and password are stored in the driver configuration. Therefore, you must update the password in the driver configuration whenever the account password changes. If you change the account password without updating the driver configuration, authentication fails the next time the driver is restarted.

At a minimum, this account must be a member of the Administrators group and have Read and Replicating Directory Changes rights at the root of the domain for the Publisher channel to operate. You also need Write rights to any object modified by the Subscriber channel. Write rights can be restricted to the containers and attributes that are written by the Subscriber channel.

Permissions for Remote PowerShell Execution

To establish a remote PowerShell session, ensure that the following prerequisites are met:

  • Enable remote PowerShell (if it is not already enabled) by running winrm quickconfig on the configured domain controllers.

  • The user must have sufficient permission to run remote PowerShell. To grant the required permission, run the following command in PowerShell:

    Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI

    The command opens the security descriptor dialog for the Microsoft.PowerShell session configuration, where you grant the driver account permission to invoke the session.

NOTE: Follow this process on each domain controller, because these PowerShell settings do not replicate.
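The following script is added here as an example and is not part of the driver documentation. It checks the two prerequisites above for the proxy account: a direct Allow ACE for Replicating Directory Changes at the domain root, and the account's entry in the Microsoft.PowerShell session configuration on each configured domain controller. The account and domain controller names are placeholders; the GUID is the well-known rightsGuid of the DS-Replication-Get-Changes control access right.

```powershell
# Added example (not from the driver documentation): pre-flight checks for the
# Active Directory driver's proxy account. Requires the ActiveDirectory module
# and must be run by a user who can already open remote sessions to the DCs.
Import-Module ActiveDirectory

$DriverAccount     = 'EXAMPLE\idm-ad-driver'                  # placeholder proxy account
$DomainControllers = @('dc1.example.com', 'dc2.example.com')  # placeholder DC names

# 1. Replicating Directory Changes (DS-Replication-Get-Changes) at the domain root.
#    Control access rights are identified by their rightsGuid in the ACE's ObjectType.
$replGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"
$replAce  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $DriverAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $replGuid -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
if ($replAce) {
    Write-Output "Replicating Directory Changes: granted directly to $DriverAccount on $domainDN"
} else {
    # A direct ACE is the least-privilege form. The right may instead arrive through a
    # group such as Administrators, which this direct-ACE check does not evaluate.
    Write-Warning "Replicating Directory Changes: no direct Allow ACE for $DriverAccount on $domainDN"
}

# 2. Remote PowerShell access on every configured DC. The session configuration's
#    security descriptor is local to each DC and does not replicate, so check each one.
foreach ($dc in $DomainControllers) {
    $permission = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
    }
    if ($permission -match [regex]::Escape($DriverAccount)) {
        Write-Output "$dc : $DriverAccount is allowed in the Microsoft.PowerShell session configuration"
    } else {
        Write-Warning "$dc : $DriverAccount is missing; run Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI on $dc"
    }
}
```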

Permissions for Exchange Provisioning

To provision Exchange mailboxes, your Identity Manager account must have the “Act as part of the Operating System” permission for the logon account and must be a member of the “Organizational Management” group.

Permissions for Inter-domain Moves

To enable an object move between two domains, the domain administrative account configured in the driver for the source domain must also be a member of the Domain Admins group of the destination domain.