AD Permissions

Feb 10, 2009 at 11:05 AM
Hi burkeholland,

What are the minimum rights that the AD account used for the web part needs in order to update AD account details? We have tried an account in the "Account Operators Group" which doesn't appear to work, does it require "Domain Admin"?

Feb 26, 2009 at 11:08 AM
Hi, I hope that I can help you with this:

I am thinking that you are having a problem with the fact that you are trying to modify a Domain Administrator account with an account that is a member of the "Account Operators" group, but not a member of the "Domain Administrator" group. Only Domain Admins can modify other Domain Admins and that's that. An Account Operators group member account can modify basic Domain Users by default. I hope your environment is configured "the right way", so that there is a very limited number of DAs and not one of them is in everyday use.

And for more on creating the service account for use with ADSS: the best way in my opinion is to create a basic Domain User account and then use the Delegate Control tool in the Active Directory Users and Computers snap-in to create a custom task to delegate (select only User objects in the wizard) and then give Read/Write permissions to the property-specific fields. Not all property-specific values are listed in the wizard by default... to get more values you must edit the dssec.dat file (remove the needed value from that list). It is located at %SystemRoot%\System32\dssec.dat.

It ain't the easiest way, but I think that it's a bit careless to give too many permissions to service accounts.

-Henri
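The delegation Henri describes, scripted as an added example (not code from the thread or from the ADSS project): it assumes a service account EXAMPLE\svc-adss, a target OU and a list of attributes the web part must write, and grants the same property-specific, user-object-only ACEs that the Delegate Control wizard produces.

```powershell
# Requires the ActiveDirectory module (RSAT) and an account allowed to edit the OU's ACL.
# Assumed values: adjust the service account, the OU and the attribute list to your domain.
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\svc-adss'
$TargetOU       = 'OU=Staff,DC=example,DC=com'
$Attributes     = @('telephoneNumber', 'mobile', 'title', 'department')

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Property-specific ACEs are keyed by schemaIDGUID, not by attribute name.
# Note: the dssec.dat edit only controls which attributes the wizard displays;
# an ACE can be set on any attribute directly, as done here.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in $Attributes) {
    $attrGuid = Get-SchemaGuid $attr
    # ReadProperty + WriteProperty on one attribute, inherited only by descendant
    # user objects (inheritedObjectType = user class GUID): the scope you get when the
    # wizard is told "Only the following objects: User objects" plus a property.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs granted to the service account on the OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped to descendant user objects, the account gains nothing over Domain Admins or other protected accounts (AdminSDHolder resets their ACLs), which is the behaviour the thread is asking about.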
Feb 26, 2009 at 1:35 PM
Thanks very much Henri, we completely missed that... must have been half asleep