AD MA account Rights?
Hi,

When setting up the AD MA, we are using an AD service account to read and write data to and from AD. For reading data from AD, we need the "Replicating Directory Changes" right in AD (as per: http://support.microsoft.com/kb/303972/en-us).

But what are the minimum rights we need to:
1. write/update data back to AD
2. read/write/update Exchange data

Thank you,
SK
April 24th, 2011 2:53am

On Sun, 24 Apr 2011 06:48:45 +0000, S.Kwan wrote:
> But what are the minimum rights we need to:
> 1. write/update data back to AD
> 2. read/write/update Exchange data

You need to ask yourself, "What permissions would I require if I were doing these operations using Active Directory Users and Computers or the Exchange Management Console?" The answer to that question will provide you with the answer to your questions.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
It is now pitch dark. If you proceed, you will likely fall into a pit.
April 24th, 2011 3:12am

Thanks Paul, just thought I could also get a pointer to a similar http://support.microsoft.com article :-)
April 24th, 2011 3:17am

On Sun, 24 Apr 2011 07:13:36 +0000, S.Kwan wrote:
> Thanks Paul, just thought I could also get a pointer to a similar http://support.microsoft.com <http://support.microsoft.com/kb/303972/en-us> article :-)

Since everyone's AD and Exchange environments are different, providing proscriptive guidance on permission requirements is kind of tough. What works for some may not work for others.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Don't hit the keys so hard, it hurts.
April 24th, 2011 3:22am

If you want extra information regarding the required permissions for certain actions, I can recommend these whitepapers. They're for 2003, but they're still valid:

- Best Practices for Delegating Active Directory Administration
- Best Practices for Delegating Active Directory Administration Appendices

There's a table in there somewhere which lists permissions in a very detailed way for specific actions, like unlock account, enable account, change password, write attribute, ...

http://setspn.blogspot.com
April 24th, 2011 10:13am

Thank you Thomas, will download them right away.
April 24th, 2011 10:30am
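
One way to check what an AD MA service account actually holds on the domain root, added here as an example and not part of the thread: it confirms the "Replicating Directory Changes" right named in the question and flags grants broader than that. The SDDL string and SIDs are constructed, the function name `Test-MaAccountAcl` is hypothetical, and the choice of which rights count as too broad is an assumption of this example.

```powershell
# Extended-right GUIDs (fixed schema constants) and access-mask bits.
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All
$ControlAccess = 0x100        # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
$TooBroad      = 0x100D0000   # GENERIC_ALL | WRITE_OWNER | WRITE_DAC | DELETE (assumed policy)

function Test-MaAccountAcl {  # hypothetical helper name
    param([string]$Sddl, [string]$AccountSid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $hasGetChanges = $false
    $findings = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs granted directly to the account are examined;
        # rights inherited through group membership are not resolved here.
        if ($ace.SecurityIdentifier.Value -ne $AccountSid) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        $objType = $null
        if ($ace -is [System.Security.AccessControl.ObjectAce] -and
            ($ace.ObjectAceFlags -band [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)) {
            $objType = $ace.ObjectAceType
        }
        if ($ace.AccessMask -band $ControlAccess) {
            if ($null -eq $objType) {
                # No GUID means every extended right, replication included.
                $hasGetChanges = $true
                $findings += 'All extended rights granted (no object GUID)'
            } elseif ($objType -eq $GetChanges) {
                $hasGetChanges = $true
            } elseif ($objType -eq $GetChangesAll) {
                $findings += 'Replicating Directory Changes All granted'
            }
        }
        $broad = $ace.AccessMask -band $TooBroad
        if ($broad) { $findings += ('Broad control bits set: 0x{0:X}' -f $broad) }
    }
    [pscustomobject]@{ HasReplicatingDirectoryChanges = $hasGetChanges; Findings = $findings }
}

# Constructed sample: domain-root DACL with made-up SIDs. Against a live domain
# the string would come from (Get-Acl 'AD:\<domain DN>').Sddl.
$svc   = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # MA service account
$other = 'S-1-5-21-1111111111-2222222222-3333333333-512'    # unrelated principal
$sddl  = "D:(OA;;CR;$GetChanges;;$svc)(OA;;CR;$GetChangesAll;;$svc)" +
         "(A;CI;RPWPCCDC;;;$svc)(A;CI;WD;;;$svc)(A;CI;GA;;;$other)"
Test-MaAccountAcl -Sddl $sddl -AccountSid $svc | Format-List
```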
