Note: Applies to Directory hybrid (on-premises AD) deployments only
The service account that runs the Directory Service needs read and write permissions on the target Active Directory Organizational Units (OUs). Directory encourages a least-privilege approach: grant the account only the permissions it needs, scoped to the Active Directory user objects that Directory has to modify, rather than broad rights on the OU.
To delegate permissions for the service account from Active Directory Users and Computers:
1. Right-click the target AD container and select 'Delegate Control'.
2. Select the designated Directory service account.
3. Choose 'Create a custom task to delegate'.
4. Under 'Delegate control of', select 'Only the following objects in the folder' and tick 'User objects'.
5. Select the permissions listed below, then click 'Next' and then 'Finish'.
When choosing the permissions, make sure 'General' is ticked; the entries below appear in that view. Attributes that fall outside the 'General' property sets, such as extension attributes (e.g., 'CustomExtensionAttribute1'), are not covered by those sets: tick 'Property-specific' as well and grant read and write on each such attribute individually.
- Read and write phone and mail options
- Read and write general information
- Read and write personal information
- Read and write public information
- Read and write web information
- Read All Properties
- Write All Properties
Note that 'Read All Properties' and 'Write All Properties' apply to every attribute of the user objects in scope, including the property sets listed above, so the account can change any attribute of those users once they are granted. Delegate at the narrowest OU that contains the users Directory manages, and protect the service account's credentials as you would a privileged account.
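The same delegation performed from PowerShell instead of the Delegate Control wizard, as an added example that is not part of the original article or of Directory's own tooling. The OU distinguished name, the service account name and the extra attribute name are placeholders for your environment; the property-set and class GUIDs are looked up from the schema and the Extended-Rights container rather than hardcoded, and each ACE is limited to descendant user objects exactly as the wizard's 'Only the following objects in the folder' option does.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module
# and an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN       = 'OU=Managed Users,DC=corp,DC=example'   # assumption: target OU
$svcAccount = 'CORP\svc-directory'                     # assumption: Directory service account
$extraAttrs = @('extensionAttribute1')                 # assumption: attributes outside the property sets; use @() if none
$grantAllProperties = $true                            # mirrors the article's Read/Write All Properties entries

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Class and attribute GUIDs live in the schema (schemaIDGUID, returned as a byte array).
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Property sets are controlAccessRight objects; the wizard shows their displayName.
function Get-PropertySetGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $obj) { throw "Property set '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$identity  = [System.Security.Principal.NTAccount]$svcAccount
$userClass = Get-SchemaGuid 'user'   # InheritedObjectType: ACE applies to user objects only
$rights    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDN"

# 'General' entries: one read/write ACE per property set.
$propertySets = 'General Information', 'Personal Information', 'Phone and Mail Options',
                'Public Information', 'Web Information'
foreach ($name in $propertySets) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, $rights, $allow, (Get-PropertySetGuid $name), $inherit, $userClass))
}

# 'Property-specific' entries: individual attributes addressed by schemaIDGUID.
foreach ($attr in $extraAttrs) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, $rights, $allow, (Get-SchemaGuid $attr), $inherit, $userClass))
}

# Read/Write All Properties: an empty ObjectType GUID means every attribute, which already
# includes the property sets above. Set $grantAllProperties to $false to keep the grant to
# the sets and attributes Directory actually writes.
if ($grantAllProperties) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, $rights, $allow, [guid]::Empty, $inherit, $userClass))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs on the OU that name the service account.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $svcAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

In the verification output, each property-set ACE shows the set's rightsGuid as ObjectType and the user class GUID as InheritedObjectType; an ObjectType of all zeros is the all-properties grant. If a later review of what Directory writes shows that the property sets and listed attributes are sufficient, removing the all-properties ACE is the single change that brings the delegation back to least privilege.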