AD MA account Rights?
Hi,
When setting up the AD MA, we are using an AD service account to read and write data to and from AD.
For reading data from AD, we need the "Replicating Directory Changes" right in AD (as per:
http://support.microsoft.com/kb/303972/en-us)
But what are the minimum rights we need to:
1. write/update data back to AD
2. read/write/update Exchange data
Thank you,
SK
April 24th, 2011 2:53am
On Sun, 24 Apr 2011 06:48:45 +0000, S.Kwan wrote:
But what are the minimum rights we need to:
1. write/update data back to AD
2. read/write/update Exchange data
You need to ask yourself, "What permissions would I require if I were doing
these operations using Active Directory Users and Computers or the Exchange
Management Console"? The answer to that question will provide you with the
answer to your questions.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
It is now pitch dark. If you proceed, you will likely fall into a pit.
Free Windows Admin Tool Kit Click here and download it now
April 24th, 2011 3:12am
Thanks Paul, just thought I could also get a pointer to a similar
http://support.microsoft.com article :-)
April 24th, 2011 3:17am
On Sun, 24 Apr 2011 07:13:36 +0000, S.Kwan wrote:
Thanks Paul, just thought I could also get a pointer to a similar
http://support.microsoft.com <http://support.microsoft.com/kb/303972/en-us>?article :-)
Since everyone's AD and Exchange environments are different, providing
proscriptive guidance on permission requirements is kind of tough. What
works for some may not work for others.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Don't hit the keys so hard, it hurts.
Free Windows Admin Tool Kit Click here and download it now
April 24th, 2011 3:22am
If you want extra informaton regarding the required permissions for certain actions, I can recommend these whitepapers. They're for 2003,but they're still valid:
Best Practices for Delegating Active Directory Administration
Best Practices for Delegating Active Directory Administration Appendices
There's a table in there somewhere which lists permissions in a very detailed way for specific actions: like unlock account, enable account, change password, write attribute, ...
http://setspn.blogspot.com
April 24th, 2011 10:13am
thank you Thomas, will download them right away
Free Windows Admin Tool Kit Click here and download it now
April 24th, 2011 10:30am