what previledges the ILM server admin account needs to import user data from AD, and reset password for end user through portal?

In order for the AD Management Agent to work against AD the minimum permissions required to the AD user object configured to run the MA is "Replicate Directory Changes" extended right on the domain NC head, i.e. allow "replicate directory changes" defined on the domainDNS object itself. This, in addition to the default permissions for user objects is enough to import data from AD.To reset passwords using SSPR you require two additional extended rights for the user and/or inetOrgPerson object classes, defined at a container of your choosing. These extended rights are "Change Password" and "Reset Password".Hope this helps?

In order for the AD Management Agent to work against AD the minimum permissions required to the AD user object configured to run the MA is "Replicate Directory Changes" extended right on the domain NC head, i.e. allow "replicate directory changes" defined on the domainDNS object itself. This, in addition to the default permissions for user objects is enough to import data from AD.To reset passwords using SSPR you require two additional extended rights for the user and/or inetOrgPerson object classes, defined at a container of your choosing. These extended rights are "Change Password" and "Reset Password".Hope this helps? sounds a quite cool answer ! :-) I will study a digest before I dig for more details if I need. Thanks!