What minimum permissions are required for the Synchronization Service or Quick Connect Service account?
In order for the product to function properly, the Service Account must have Administrator rights on the computer running the Synchronization Service or Quick Connect service. For example, the Service Account can be a member of the local Administrators group.
The product can be configured to use either Windows Authentication or SQL Server authentication for the connection to SQL Server. If you choose Windows Authentication, the connection is established using the Sync Service/Quick Connect Service account. In this case, the service account must be a member of the sysadmin role on the SQL Server.
If you choose SQL Server authentication, the connection is established with the override account you are prompted to specify when installing the product. This account must be a member of the sysadmin role on the SQL Server.
The minimum permissions required to create and update the Sync Service/Quick Connect databases are:
ACTIVE DIRECTORY PERMISSIONS
In order to post a Service Connection point to Active Directory, the Service Account requires the following minimum permissions, added via ADSIEdit:
A) The permission to create container objects in the System container
B) The permission to create serviceConnectionPoint objects in the System container
C) The permission to delete serviceConnectionPoint objects in the System container
D) The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
E) The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
F) The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
In addition, the Quick Connect Sync Engine uses the Service Account when accessing managed resources, such as SQL Server or the Active Roles Administration Service, unless an override account is specified. This may require the addition of more permissions within the managed resource, as dictated by the desired access.
Note: If a GPO is set to control/limit some of the following settings:• SeTcbPrivilege (Act as part of the operating system)
• SeDelegateSessionUserImpersonatePrivilege (Obtain an impersonation token for another user in the same session)
The account won't have the permissions expected by the installer and the following error might show (even though Username/Password details are correct):