So we've built FIM a long time ago and at the time specified domain groups for the SyncAdmins, SyncOperators, SyncJoiner, SyncBrowse and PasswordReset functions. Ordinarily we've always used the SyncAdmins group to do any work in Synchronization Service Manager in our dev and live environments, but now in Live they wish to clamp down on access to the console. However, i've noticed that the SyncBrowse group doesn't allow you to open the console and 'Browse' synchronisation which the name implies. It seems the functions are: SyncAdmins - Full Access to the console, All tabs etc. SyncOperators - Access to the console and the operations tab SyncJoiner - Access to the console and the Metaverse search and joiner tabs SyncBrowse - No access to the console! I'd have expected that sync browse allowed you to open the console and have read access but apparently not. Any thoughts?? Rob

From Installing the FIM 2010 Server Components: "The FIM Synchronization Service creates five security groups. The first three groups correspond to the FIM Synchronization Service user roles: Administrator, Operator, and Joiner. The other two groups are used for granting access to the Windows Management Instrumentation (WMI) interfaces: Connector Browse and Password Set. " Chris