What minimum permissions are required for the Synchronization Service or Quick Connect Service account?
LOCAL PERMISSIONS
In order for the product to function properly, the Service Account must have Administrator rights on the computer running the Synchronization Service or Quick Connect service. For example, the Service Account can be a member of the local Administrators group.
SQL PERMISSIONS
The product can be configured to use either Windows Authentication or SQL Server authentication for the connection to SQL Server. If you choose Windows Authentication, the connection is established using the Sync Service/Quick Connect Service account. In this case, the service account must be a member of the sysadmin role on the SQL Server.
If you choose SQL Server authentication, the connection is established with the override account you are prompted to specify when installing the product. This account must be a member of the sysadmin role on the SQL Server.
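The following PowerShell is an added example, not One Identity's code, that checks the two prerequisites stated above for a given service account: direct membership of the local Administrators group on the host, and membership of the sysadmin fixed server role on the SQL Server instance. It assumes the SqlServer module (for Invoke-Sqlcmd) is installed; the account and instance names are placeholders.

```powershell
# Added example (not One Identity's code). Requires the SqlServer module for Invoke-Sqlcmd.
# Account and instance names below are placeholders for your environment.

function Test-LocalAdminMembership {
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\name' form
    # Checks direct membership only; membership through a nested group is not expanded here.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq $Account })
}

function Test-SqlSysadminMembership {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Account
    )
    # IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (login does not exist).
    # The login name is passed as a sqlcmd variable rather than interpolated into the query text.
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
        -Query "SELECT IS_SRVROLEMEMBER('sysadmin', N'`$(Login)') AS IsSysadmin" `
        -Variable "Login=$Account" -ErrorAction Stop
    if ($row.IsSysadmin -is [System.DBNull]) { return 'NoLogin' }
    if ($row.IsSysadmin -eq 1) { return 'Member' }
    return 'NotMember'
}

$svc = 'CONTOSO\svc-arsync'   # placeholder: Sync Service / Quick Connect service account
$sql = 'SQL01\ARSYNC'         # placeholder: SQL Server instance hosting the product database

[pscustomobject]@{
    Account     = $svc
    LocalAdmin  = Test-LocalAdminMembership -Account $svc
    SqlSysadmin = Test-SqlSysadminMembership -ServerInstance $sql -Account $svc
}
```

Run it on the computer that will host the Synchronization Service or Quick Connect service, since the local Administrators check is host-specific. A result of 'NoLogin' means the account has no SQL login at all, which is a different fix from adding a role membership.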
The minimum permissions required to create and update the Sync Service/Quick Connect databases are:
ACTIVE DIRECTORY PERMISSIONS
In order to post a Service Connection point to Active Directory, the Service Account requires the following minimum permissions, added via ADSIEdit:
1. The permission to create container objects in the System container
2. The permission to create serviceConnectionPoint objects in the System container
3. The permission to delete serviceConnectionPoint objects in the System container
4. The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
5. The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
6. The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
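As an added example (not One Identity's code), the following PowerShell grants the six permissions listed above as explicit ACEs, reporting first which of them the service account already holds so that nothing broader than these entries is added. It requires the ActiveDirectory module and must be run as an account permitted to change the security descriptors of the target containers. Two assumptions are made: "Group Policy containers" is taken to mean CN=Policies,CN=System (override -GpoContainerDN if your environment differs), and the service account name is a placeholder. Class and attribute GUIDs are resolved from the schema at run time rather than hard-coded.

```powershell
# Added example (not One Identity's code). Grants the six SCP permissions from the list above.
# Assumptions: ActiveDirectory module present; "Group Policy containers" = CN=Policies,CN=System
# unless -GpoContainerDN is given; the service account name is a placeholder.

Import-Module ActiveDirectory

# Resolve a class or attribute lDAPDisplayName to its schemaIDGUID instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Grant-ScpPermissions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # 'DOMAIN\name'
        [string]$GpoContainerDN                          # assumption: defaults to CN=Policies,CN=System
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $systemDN = "CN=System,$domainDN"
    if (-not $GpoContainerDN) { $GpoContainerDN = "CN=Policies,$systemDN" }

    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $containerCls = Get-SchemaGuid 'container'
    $scpCls       = Get-SchemaGuid 'serviceConnectionPoint'
    $sbiAttr      = Get-SchemaGuid 'serviceBindingInformation'
    $displayAttr  = Get-SchemaGuid 'displayName'
    $keywordsAttr = Get-SchemaGuid 'keywords'

    $Rights  = [System.DirectoryServices.ActiveDirectoryRights]
    $Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $Allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $None    = $Inherit::None
    $Desc    = $Inherit::Descendents

    # One entry per numbered item above: the DN whose ACL receives the entry, plus the ACE.
    $wanted = @(
        # 1-3: create container objects, create SCP objects, delete SCP objects directly under System
        [pscustomobject]@{ DN=$systemDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::CreateChild, $Allow, $containerCls, $None) }
        [pscustomobject]@{ DN=$systemDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::CreateChild, $Allow, $scpCls, $None) }
        [pscustomobject]@{ DN=$systemDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::DeleteChild, $Allow, $scpCls, $None) }
        # 4: read attributes of container and SCP objects below the Group Policy container
        [pscustomobject]@{ DN=$GpoContainerDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::ReadProperty, $Allow, $Desc, $containerCls) }
        [pscustomobject]@{ DN=$GpoContainerDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::ReadProperty, $Allow, $Desc, $scpCls) }
        # 5: write serviceBindingInformation and displayName on SCP objects below the Group Policy container
        [pscustomobject]@{ DN=$GpoContainerDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::WriteProperty, $Allow, $sbiAttr, $Desc, $scpCls) }
        [pscustomobject]@{ DN=$GpoContainerDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::WriteProperty, $Allow, $displayAttr, $Desc, $scpCls) }
        # 6: write keywords on SCP objects below System
        [pscustomobject]@{ DN=$systemDN; Rule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights::WriteProperty, $Allow, $keywordsAttr, $Desc, $scpCls) }
    )

    foreach ($group in ($wanted | Group-Object -Property DN)) {
        $path     = "AD:\$($group.Name)"
        $acl      = Get-Acl -Path $path
        $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        $changed  = $false
        foreach ($item in $group.Group) {
            $r = $item.Rule
            # Treat the ACE as present only if every component matches exactly.
            $present = $existing | Where-Object {
                $_.IdentityReference -eq $sid -and $_.AccessControlType -eq $Allow -and
                $_.ActiveDirectoryRights -eq $r.ActiveDirectoryRights -and
                $_.ObjectType -eq $r.ObjectType -and $_.InheritedObjectType -eq $r.InheritedObjectType -and
                $_.InheritanceType -eq $r.InheritanceType
            }
            if ($present) { Write-Verbose "Already present on $($group.Name): $($r.ActiveDirectoryRights) $($r.ObjectType)"; continue }
            if ($PSCmdlet.ShouldProcess($group.Name, "Add $($r.ActiveDirectoryRights) ACE for $ServiceAccount")) {
                $acl.AddAccessRule($r)
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -Path $path -AclObject $acl }
    }
}

# Preview the changes first, then apply them:
Grant-ScpPermissions -ServiceAccount 'CONTOSO\svc-arsync' -WhatIf     # placeholder account
# Grant-ScpPermissions -ServiceAccount 'CONTOSO\svc-arsync' -Verbose
```

The script writes only the entries it was asked for and leaves existing ACEs untouched, so re-running it is safe; review the -WhatIf output against the six items in the list before applying, and confirm the result in ADSI Edit on the System container's Security tab.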
NOTE: The Active Roles Synchronization Service and Quick Connect Sync Engines use the Service Account when accessing managed resources, such as SQL Server or the Active Roles Administration Service, unless an override account is specified. This may require the addition of more permissions within the managed resource, as dictated by the desired access.
© 2025 One Identity LLC. ALL RIGHTS RESERVED.