As Active Roles performs operations on objects on behalf of delegated users, the Active Roles service account that is used to manage the Active Directory domain requires adequate permissions. All internal test scenarios, and the One Identity Active Roles Support Model, assume that the domain is managed using an account that is a member of the Domain Admins role group. If this configuration is not used, guidance and documentation provided by the One Identity Support Team may not be relevant.
It is possible to separate the tasks performed by the service account from domain management by specifying distinct accounts for the service and for managing the domain. In this configuration scenario, the service account can be configured to run with the minimum permissions specified below, but the proxy account should be a member of the Domain Admins role group in order to stay within the One Identity Active Roles Support Model.
Access to the Administration Service Computer
The service account must be a member of the local Administrators group on the computer running the Active Roles Administration service.
Service Publication in Active Directory
For Active Roles clients to discover available Active Roles services, the service account must be able to publish itself in Active Directory. On the Aelita sub-container, under the System container in the domain, grant the following right:
• Create ServiceConnectionPoint Objects
Access to Managed Domains
The service account must have at least Read permission in every managed domain. In addition, the service account must have Modify permissions on the Active Directory objects and containers where the Active Roles security synchronization feature will be used.
To manage Exchange recipients on Exchange Server 2010, the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. See the following steps for details.
To configure the service account or the override account
1.- Add the account to the Recipient Management role group. For instructions, see “Add Members to a Role Group” at http://technet.microsoft.com/library/dd638143(EXCHG.141).aspx.
The Exchange 2010 management tools are not required on the computer running the Administration Service.
Exchange 2013 and 2016
To manage Exchange recipients on Exchange Server 2013 or 2016, the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. For details, see the steps that follow.
5.- Restart the Administration Service after changing the configuration of the account: Start Active Roles Configuration Center (see “Running Configuration Center” in the Active Roles Administrator Guide), go to the Administration Service page in the Configuration Center main window, and then click the Restart button at the top of the Administration Service page.
Permission to read Exchange configuration data
To perform Exchange recipient management tasks, Active Roles requires Read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights. For example, the service account is a member of the Domain Admins or Organization Management group. Otherwise, provide the account Read permission in the Microsoft Exchange container, using the ADSI Edit console.
NOTE: The following instructions apply to the ADSI Edit console that ships with Windows Server 2012 or Windows Server 2012 R2.
To provide Read access to the service account using the ADSI Edit console:
1.- Open the ADSI Edit console, and connect to the Configuration naming context.
2.- In the ADSI Edit console, navigate to the Configuration/Services container, right-click Microsoft Exchange in that container, and then click Properties.
3.- On the Security tab in the Properties dialog box that appears, click Advanced.
4.- On the Permissions tab in the Advanced Security Settings dialog box, click Add.
5.- On the Permission Entry page, configure the permission entry:
a.- Click Select a principal and select the desired account.
b.- Ensure that the Type box indicates Allow.
c.- Ensure that the Applies onto box indicates: This object and all descendant objects.
d.- In the Permissions area, select the List contents and Read all properties checkboxes.
e.- Click OK.
6.- Click OK to close the Advanced Security Settings dialog box, and then click OK to close the Properties dialog box.
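The following PowerShell script is an added example, not part of the Active Roles documentation: it audits, and with $Apply set to $true grants, the two directory permissions described above (Create serviceConnectionPoint objects on the Aelita container for service publication, and List contents plus Read all properties on the Microsoft Exchange container, applied to this object and all descendant objects). It assumes the ActiveDirectory PowerShell module is installed and that CONTOSO\svc-ActiveRoles is a placeholder for the real service account.

```powershell
# Added example, not from the Active Roles documentation: audit (and optionally grant) the two
# directory ACEs the service account needs. Run it as an account that can read and write these ACLs.
Import-Module ActiveDirectory
$Account = [System.Security.Principal.NTAccount]'CONTOSO\svc-ActiveRoles'   # placeholder account
$Apply   = $false   # $false = report only; $true = add any missing ACE
$root    = Get-ADRootDSE
# Resolve the serviceConnectionPoint class GUID from the schema instead of hard-coding it.
$scpGuid = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
            -LDAPFilter '(lDAPDisplayName=serviceConnectionPoint)' -Properties schemaIDGUID).schemaIDGUID

# Requirement 1: Create serviceConnectionPoint objects on CN=Aelita,CN=System (this object only).
# Requirement 2: List contents + Read all properties on the Microsoft Exchange container,
#                this object and all descendant objects (read access to Exchange configuration data).
$Requirements = @(
    @{ Path = "AD:\CN=Aelita,CN=System,$($root.defaultNamingContext)"
       Rights = 'CreateChild'; ObjectType = $scpGuid; Inheritance = 'None' },
    @{ Path = "AD:\CN=Microsoft Exchange,CN=Services,$($root.configurationNamingContext)"
       Rights = 'ListChildren, ReadProperty'; ObjectType = [guid]::Empty; Inheritance = 'All' }
)

function Test-AdAce($Acl, $Identity, [System.DirectoryServices.ActiveDirectoryRights]$Rights,
                    [guid]$ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance) {
    # True when an Allow ACE for $Identity already covers every requested right with this scope.
    $hit = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity.Value -and
        (($_.ActiveDirectoryRights -band $Rights) -eq $Rights) -and
        $_.ObjectType -eq $ObjectType -and $_.InheritanceType -eq $Inheritance }
    return [bool]$hit
}

foreach ($req in $Requirements) {
    $acl = Get-Acl -Path $req.Path
    if (Test-AdAce $acl $Account $req.Rights $req.ObjectType $req.Inheritance) {
        Write-Host "OK      $($req.Rights) on $($req.Path)"
        continue
    }
    Write-Host "MISSING $($req.Rights) on $($req.Path)"
    if ($Apply) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Account, [System.DirectoryServices.ActiveDirectoryRights]$req.Rights, 'Allow',
            $req.ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$req.Inheritance)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $req.Path -AclObject $acl    # write the ACE back to Active Directory
        Write-Host "GRANTED $($req.Rights) on $($req.Path)"
    }
}
```

Leaving $Apply at $false gives a read-only report that can be re-run after the ADSI Edit steps to confirm the entries were created with the intended scope.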
Support for Exchange Remote Shell
When performing Exchange recipient management tasks on Exchange Server 2010 or later, Active Roles uses the remote Exchange Management Shell to communicate with Exchange Server. Hence, the Exchange management tools do not need to be installed on the computer running the Administration Service.
To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:
Remote Shell also requires the following: