FIM Service Accounts - Clarification of Necessary Permissions
Could I ask one of the FIM developers to list the necessary permissions & proper security group membership for the service accounts used in FIM? This information is scattered throughout the various instructions and I think it would be helpful to have it listed together.

The instructions ask for two Domain User Accounts to be created. Let's call them FIMSERVICE & FIMSYNC.

FIMSERVICE
- What Security Groups should this account belong to?
- What Permissions should be assigned to this account?
- Where should this account be used?

FIMSYNC
- What Security Groups should this account belong to?
- What Permissions should be assigned to this account?
- Where should this account be used?
November 13th, 2009 5:46pm

> FIMSERVICE
> - What Security Groups should this account belong to?

Domain Users, FIMSyncBrowse, FIMSyncPasswordSet

> - What Permissions should be assigned to this account?
> - Where should this account be used?

For running Forefront Identity Manager Service.

> FIMSYNC
> - What Security Groups should this account belong to?

Domain users.

> - What Permissions should be assigned to this account?
> - Where should this account be used?

For running Forefront Identity Manager Synchronization Service.

FIMMA
To connect to FIM Service database. Is set in FIM MA (Management Agent) properties. It belongs to Domain users.

J.
November 13th, 2009 6:12pm

Hi... This text is in the Installation Guide.

Create an e-mail enabled domain service account to run the FIM Service

To run the FIM Service component, you must have a dedicated domain service account. To be able to use the Outlook integration feature, an Exchange mailbox must also be created for this account. To use the FIM Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Microsoft Exchange Server 2007. This account will also be used to send email notifications from FIM 2010. This account should not be granted local administrator permissions.

Important: You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If you do not, and any e-mail accounts move messages from the e-mail Inbox, the e-mail processor does not see these messages. In addition, after the e-mail processor reads a message from the Inbox, it moves the message to another folder, potentially causing problems for other accounts that attempt to use that e-mail account.

Create a service account to run the FIM Synchronization Service

You must create a service account to run the FIM Synchronization Service; this service account must be a domain service account. This account does not have to be a local administrator account.

Create a domain FIM management agent account

You must create a domain service account that is reserved for the exclusive use of the FIM management agent (MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup, it can give the account the required rights. This account does not have to be a local administrator account.

Understanding the Purpose of the FIM management agent account

The purpose of this account is for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows will run. The account used for the FIM MA should be considered as a trusted account; you should not use it to access the FIM Portal. If you do, all requests made through the FIM Portal with this account will skip AuthN and AuthZ. If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information.

Configure the service accounts running the FIM 2010 server components in a secure manner

As mentioned above, there are two service accounts used to run the FIM server components. They are called the FIM Service service account and FIM Synchronization Service service account in this guide. The FIM MA account is not considered a service account and should be a regular user account. To configure the server(s) running the FIM server components in a secure manner, the service accounts should be restricted. The easiest way to do this is by running Local Security Policy from Administrative Tools, navigating to Local Policies\User Rights Assignment and adding the service account to the policy. Use the following restrictions on the service accounts:

- Deny logon as a batch job
- Deny logon locally
- Deny access to this computer from the network

The service accounts should not be a member of the local administrators group. The FIM Synchronization Service service account should not be a member of the security groups used to control access to FIM Synchronization Service (groups starting with FIMSync, e.g. FIMSyncAdmins).

Add the FIM Service service account to the FIM Synchronization Service security groups

Add the service account used by the FIM Service to the FIMSyncAdmins group. This will allow the FIM Service to configure the FIM Synchronization Service. If you plan to use the Password reset feature of FIM 2010, add the service account used by FIM Service to the security group FIMSyncPasswordSet. Restart the FIMService service for group membership to be effective.

I hope this will help you.

Regards,
Paulo
November 13th, 2009 8:18pm

I remember reading in the RC0 docs that the FIM MA & FIM Sync accounts could be the same account, is this still true?

The Active Directory Management Agent should be running as the FIM Sync account, correct?

What account should the "Forefront Identity Manager Password Reset Client Service" service be using?
November 13th, 2009 11:37pm

Hi again... My last post explains the use of all 3 accounts.

The AD MA must be configured with a domain privileged account (an account that can read and write in AD)...

"If you plan to use the Password reset feature of FIM 2010, add the service account used by FIM Service to the security group FIMSyncPasswordSet"

In FIM Password Reset you will use the FIM Service Account... no other account is mentioned to use:

- Forefront Identity Manager Synchronization Service (FIMSynchronizationService) => domain\fimsyncservice (e.g.)
- Forefront Identity Manager Service (FIMService) => domain\fimservice (e.g.)
- FIM Management Agent => domain\FIMMA

Cheers,
Paulo
November 14th, 2009 1:21am
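The two posts above from Paulo describe a checkable layout: each FIM component runs under its own dedicated account, the FIM Service account sits in FIMSyncAdmins (and FIMSyncPasswordSet when Password Reset is used), the Synchronization Service account is kept out of every FIMSync* group and out of local Administrators, and both service accounts carry the three Deny logon rights. The PowerShell below is an added audit script written for this thread; it is not from the installation guide or from any poster. The CONTOSO account names are placeholders, and it assumes the FIMSync* groups are domain groups readable through the ActiveDirectory module, that Get-LocalGroupMember (PowerShell 5.1 and later) is available, and that it is run from an elevated prompt on the FIM server so secedit can export the local policy.

```powershell
# Added audit script (not from the thread): compares a FIM server against the service-account
# rules quoted from the installation guide. CONTOSO names are placeholders, not from the page.
# Assumes: ActiveDirectory module, FIMSync* groups are domain groups, PowerShell 5.1+, elevated prompt.
#Requires -Modules ActiveDirectory

$FimServiceAccount = 'CONTOSO\fimservice'      # placeholder: FIM Service service account
$FimSyncAccount    = 'CONTOSO\fimsyncservice'  # placeholder: FIM Synchronization Service service account
$UsesPasswordReset = $true                     # set to $false if Password Reset is not deployed

$findings = New-Object System.Collections.Generic.List[string]

function Get-ServiceLogonAccount {
    param([string]$Filter)
    # StartName is the logon account, e.g. 'CONTOSO\fimservice' or 'NT AUTHORITY\NetworkService'
    (Get-CimInstance -ClassName Win32_Service -Filter $Filter).StartName
}

function Get-SamName([string]$DomainQualifiedName) { ($DomainQualifiedName -split '\\')[-1] }

# --- 1. Each component runs under its own dedicated account (service names from the thread) ---
$expected = @{
    "Name='FIMService'"                = $FimServiceAccount
    "Name='FIMSynchronizationService'" = $FimSyncAccount
}
foreach ($filter in $expected.Keys) {
    $actual = Get-ServiceLogonAccount $filter
    if ($actual -ne $expected[$filter]) {
        $findings.Add("$filter logs on as '$actual', expected '$($expected[$filter])'")
    }
}
# Password Reset Client Service: the thread's answer is that the default NETWORK SERVICE is fine
$prcs = Get-ServiceLogonAccount "DisplayName='Forefront Identity Manager Password Reset Client Service'"
if ($prcs -and $prcs -notmatch 'NetworkService$') {
    $findings.Add("Password Reset Client Service runs as '$prcs'; the default NETWORK SERVICE is expected")
}

# --- 2. Group membership rules from the guide ---
function Test-ADGroupContains([string]$Group, [string]$Sam) {
    $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SamAccountName -eq $Sam })
}
$svcSam  = Get-SamName $FimServiceAccount
$syncSam = Get-SamName $FimSyncAccount

# FIM Service account must be in FIMSyncAdmins, and in FIMSyncPasswordSet when Password Reset is used
if (-not (Test-ADGroupContains 'FIMSyncAdmins' $svcSam)) {
    $findings.Add("$FimServiceAccount is not a member of FIMSyncAdmins")
}
if ($UsesPasswordReset -and -not (Test-ADGroupContains 'FIMSyncPasswordSet' $svcSam)) {
    $findings.Add("$FimServiceAccount is not a member of FIMSyncPasswordSet")
}
# The Synchronization Service account must NOT be in any FIMSync* group
foreach ($g in Get-ADGroup -Filter 'Name -like "FIMSync*"') {
    if (Test-ADGroupContains $g.Name $syncSam) {
        $findings.Add("$FimSyncAccount must not be a member of $($g.Name)")
    }
}
# Neither service account may be a local administrator
$localAdmins = (Get-LocalGroupMember -Group 'Administrators').Name
foreach ($acct in @($FimServiceAccount, $FimSyncAccount)) {
    if ($localAdmins -contains $acct) { $findings.Add("$acct is a member of local Administrators") }
}

# --- 3. User Rights Assignment: the three Deny rights the guide asks for ---
$requiredDeny = @{
    'SeDenyBatchLogonRight'       = 'Deny log on as a batch job'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
}
$cfg = Join-Path $env:TEMP 'fim-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($acct in @($FimServiceAccount, $FimSyncAccount)) {
    # secedit lists right holders as *SID or as account names, so compare against both forms
    $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    foreach ($right in $requiredDeny.Keys) {
        $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders = if ($line) { ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
        if (($holders -notcontains $sid) -and ($holders -notcontains $acct)) {
            $findings.Add("$acct lacks '$($requiredDeny[$right])' ($right)")
        }
    }
}

if ($findings.Count -eq 0) { 'FIM service-account layout matches the guide.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it after a fresh install and again after any change to the service accounts; a change of the FIM MA account is not visible to this script, since the thread says that account is a regular user account set in the MA properties rather than a service logon, and the guide's note about re-running a change install on the FIM Service still applies in that case.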

When Password Reset is installed it adds a third service named:"Forefront Identity Manager Password Reset Client Service".By default it runs as NETWORK SERVICE. I'm assuming this should be changed to the FIM Service account, is that correct?
November 16th, 2009 3:58pm

Nope, network service is fine.

The FIM Password Reset Blog http://blogs.technet.com/aho/
November 16th, 2009 10:09pm
