Why does the BHOLD Core installer need Domain Admin privs?
All, I was installing BHOLD this weekend in my lab, and I was a bit surprised that the BHOLD Core module needs to be installed by a Domain Admin level account. If we pre-create the Service account with the proper SPN, and the needed groups, as well as set that account to logon as a service on the target server, what else is going on that would require Domain Admin during setup? On my first read through, I thought the BHOLD account itself needed Domain Admin to function, which seemed quite wide a role, but on re-reading it's only the account with which you are installing. I'm following the directions as per the technet link here: http://technet.microsoft.com/en-us/library/jj134095(v=ws.10) I wanted to make sure that the BHOLD account itself had no reliance on being Domain Admin to function, especially if it's being used as the AppPool Identity. Thanks,
Jef----- http://jeftek.com
June 3rd, 2012 5:04pm

I have installed the suite and it is running using the service account, and that service account is a regular account that does not have any other memberships as far as I could see.
Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!
June 4th, 2012 2:48am

This is a great question and I just posted the same question before I saw yours, sort of. You are asking if the service account needs domain admins to run the service. I am asking why the install needs domain admins at all. What is this install changing or what does it need access to in the domain that only a domain admin has access to? I really hope someone from the product knows the answer.
Paul N Smith
June 4th, 2012 7:58pm

The Bhold Account (default b1user) doesn't need to be a Domain Admin (or related) to function properly. This b1user account only needs the IIS_IUSRS group since this Bhold Account (b1user) will also be used for the application pool and the BholdApplicationGroup (this group will be used in MSSQL for granting access to database objects).
June 7th, 2012 7:50am

I think the question is why the user account "installing" needs to be domain admin, in other words what the installer configures on behalf of the installing user.
Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!
June 7th, 2012 7:53am

Ok, I did not understand it properly then.... There are several things which are done during installation (as far as I can remember):
- creating database
- putting rights on the install folders
- putting rights on the registry folder
- creating the bhold website
- installing the b1service
- it will create a RSA container (aspnet_regiis -pc ....)
June 7th, 2012 8:05am

Thanks, that makes more sense.
Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!
June 7th, 2012 8:49am

Ok, I did not understand it properly then.... There are several things which are done during installation (as far as I can remember):
- creating database
- putting rights on the install folders
- putting rights on the registry folder
- creating the bhold website
- installing the b1service
- it will create a RSA container (aspnet_regiis -pc ....)

What is the RSA container? Is that an OU in AD that is created during the install? Doesn't sound like it. In any case none of those items require a domain admin. I'd give real money if the product team would just answer the question.
Paul N Smith
June 7th, 2012 9:28am

In fact it is a certificate for encrypting data in the web.config file (mainly). It also is available in your code, if you have the proper rights (manageable), where you can use it for encrypting other types of data. It is - for example - also used to encrypt sensitive data in the registry (passwords), and in several other places... you can find more information here: http://msdn.microsoft.com/en-us/library/53tyfkaw So this means that it isn't an OU in AD nor an OU in Bhold (of course there is 1 OU created by default, the root OU, but this OU has nothing to do with RSA).
June 7th, 2012 9:40am
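The two threads of this discussion, whether the runtime account (b1user) holds any privileged domain membership and what the installer's `aspnet_regiis -pc` RSA key container is for, can both be checked from an administrator's PowerShell session. The script below is an added example, not BHOLD's own code or anything from the TechNet guide; the key container name, the web.config directory and the provider name are placeholders (the thread does not give BHOLD's real values), and the Active Directory module is assumed to be installed on the machine running it.

```powershell
# Added example, not part of the BHOLD product or this thread.
# Assumptions (placeholders): $KeyContainer, $WebConfigDir and $ProviderName
# are not BHOLD's real values; $ServiceAccount defaults to the thread's b1user.
param(
    [string]$ServiceAccount = 'b1user',
    [string]$KeyContainer   = 'PLACEHOLDER_BholdRsaKeys',
    [string]$WebConfigDir   = 'C:\PLACEHOLDER\BholdWebSite',
    [string]$ProviderName   = 'PLACEHOLDER_BholdRsaProvider'
)

Import-Module ActiveDirectory

# --- 1. Least-privilege check on the runtime account ---------------------
# The thread's conclusion: b1user needs IIS_IUSRS and BholdApplicationGroup,
# not Domain Admins. Flag any privileged group membership for review.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
          Select-Object -ExpandProperty Name
$hits = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "$ServiceAccount is in privileged group(s): $($hits -join ', ')"
} else {
    Write-Output "$ServiceAccount holds no privileged group (groups: $($groups -join ', '))"
}

# The prerequisite SPN the original poster pre-created should be visible here.
$spns = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
Write-Output "SPNs on ${ServiceAccount}: $($spns -join ', ')"

# --- 2. The RSA key container the installer creates (aspnet_regiis -pc) --
# These are machine-local operations: local Administrators, not Domain Admins.
$aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# Create a machine-level, exportable RSA key container.
& $aspnetRegiis -pc $KeyContainer -exp

# Grant the app-pool identity read access to the container so the site can
# decrypt web.config sections at runtime without any elevated rights.
& $aspnetRegiis -pa $KeyContainer "$env:USERDOMAIN\$ServiceAccount"

# web.config must declare a provider bound to that container before -pef
# can use it; this is the entry the site would carry (shown, not written).
$providerXml = @"
<configProtectedData>
  <providers>
    <add name="$ProviderName"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="$KeyContainer"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
"@
Write-Output "Expected <configProtectedData> entry in web.config:`n$providerXml"

# Encrypt the connectionStrings section in place with that provider.
& $aspnetRegiis -pef 'connectionStrings' $WebConfigDir -prov $ProviderName

# --- 3. Verify the section is now ciphertext, not plaintext -------------
$webConfig = Join-Path $WebConfigDir 'web.config'
if (Select-String -Path $webConfig -Pattern '<EncryptedData' -Quiet) {
    Write-Output 'connectionStrings is encrypted in web.config.'
} else {
    Write-Warning 'connectionStrings still appears in plaintext; check the provider entry.'
}
```

Every operation in part 2 touches only the local machine (the key store under the machine's RSA key directory and the site's web.config), which matches the replies above: none of the listed installer steps inherently needs domain-wide rights, and the runtime account only needs read access to the container plus the local groups named in the thread. `Get-ADPrincipalGroupMembership` reports direct memberships only; nested group paths into Domain Admins would need a recursive query.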

Some changes have been made to the BHOLD Core installer that require you to be a domain administrator. Some checks are performed (like the prerequisites) during the installation. The 'old' version of the BHOLD Core did not require you to be a domain admin, so you can assume that these new 'checks' carried out by the installer require these access rights - or the REAL required access rights have not been researched yet so domain admin rights are advised to be on the safe side.
Remy de Vries Technical Consultant Elephant Security
July 17th, 2012 3:55pm
