-
Title
Using lower level rights for ActiveRoles Server Service Account (Non-Domain Admin) -
Description
If you want to use a non-domain admin account for your managed domain(s), can you do it?
-
Resolution
This can be done, depending on which actions/operations are required from ActiveRoles Server. (eg. Create/delete users, computers, OU's, etc.) but NO exchange permissions.
Simple Example:
1. Using Active Directory Users and computers, right-click on your domain and choose Delegate Control.
2. Add in the selected ARS service account OR Managed Domain Account and click NEXT
3. Choose 'Create a custom task to delegate' and click NEXT
4. Choose 'This folder, existing objects in this folder, and creation of new objects in this folder' then click NEXT
5. Un-select GENERAL. Select 'CREATION/DELETION OF SPECIFIC CHILD OBJECTS'
6. Enable these any object in the list for read/write you want the ARS service to access. Example: Create and Delete computer objects, then NEXT and FINISH.The above steps will allow you to setup an ARS service account with limited rights. In addition, you'll need to follow the steps on page 12 of the ActiveRoles Quick Start Guide (attached), under the section "Configuring the Administration Service Account": (See attached PDF document).(Steps 1 through 7 of 'To grant permissions for Adminstration Service Publication in Active Directory' and steps 1 through 9 of 'To grant the Replicate Directory Changes permission'.7. Use this new account as your managed domain account or ARS service account.8. Restart ActiveRoles Server Service before the changes will take effect. -
Attachments