Active Directory Service Account Creation

Note: Applies to Directory hybrid (on-premises AD) deployments only

The service account operating the Directory Service needs read/write permissions to target Active Directory Organizational Units (OUs). Directory encourages a least-privilege approach, granting granular permissions for the Active Directory user object(s) that Directory is required to modify.

To delegate permissions for the service account from Active Directory Users and Computers:

1 Right click on the target AD container and select ‘Delegate Control’

2 Select the designated Directory service account

3 Choose ‘create a custom task’

4 Select to Delegate control of ‘Only the following objects…’ and select ‘User objects’

5 Select the following general permissions, then Click ‘Next’ and then ‘Finish’

Read and write phone and mail options
Read and write general information
Read and write personal information
Read and write public information
Read and write web information

1 Right click on the target AD container and select ‘Delegate Control’

2 Select the designated Directory service account

3 Choose ‘create a custom task’

4 Select to Delegate control of ‘Only the following objects…’ and select ‘User objects’

5 Select the following general permissions, then Click ‘Next’ and then ‘Finish’

Comments

Articles in this section

We're here to help!

1 Right click on the target AD container and select ‘Delegate Control’

2 Select the designated Directory service account

3 Choose ‘create a custom task’

4 Select to Delegate control of ‘Only the following objects…’ and select ‘User objects’

5 Select the following general permissions, then Click ‘Next’ and then ‘Finish’

Articles in this section

Related articles

We're here to help!