Note: Applies to Directory hybrid (on-premises AD) deployments only.
The service account operating the Directory Service needs read/write permissions to target Active Directory Organizational Units (OUs). Directory encourages a least-privilege approach, granting granular permissions for the Active Directory user object(s) that Directory is required to modify.
To delegate permissions for the service account from Active Directory Users and Computers:
1. Right-click the target AD container and select ‘Delegate Control’
2. Select the designated Directory service account
3. Choose ‘Create a custom task’
4. Select to delegate control of ‘Only the following objects…’ and select ‘User objects’
5. Select the following general permissions, then click ‘Next’ and then ‘Finish’
- Read and write phone and mail options
- Read and write general information
- Read and write personal information
- Read and write public information
- Read and write web information
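
To confirm the delegation stayed least-privilege, the check below lists every ACE the service account holds on the OU and flags anything other than read/write on the five property sets, scoped to user objects. It is an added example, not part of the product documentation; the OU path and account name are placeholders, and it assumes the RSAT ActiveDirectory PowerShell module.

```powershell
# Added example: audit what the service account can do on one delegated OU.
# Requires the RSAT ActiveDirectory module. OU and account are placeholders.
Import-Module ActiveDirectory
$TargetOU       = 'OU=Staff,DC=example,DC=com'   # assumption
$ServiceAccount = 'EXAMPLE\svc-directory'        # assumption

# The five general permissions from step 5, by their wizard display names.
$ExpectedSets = 'Phone and Mail Options', 'General Information',
                'Personal Information', 'Public Information', 'Web Information'

# Resolve display names to property-set GUIDs, and the user class to its GUID.
$root     = Get-ADRootDSE
$setGuids = @{}
foreach ($name in $ExpectedSets) {
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" `
        -Properties rightsGuid |
        ForEach-Object { $setGuids[[guid]$_.rightsGuid] = $name }
}
$userObj   = Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClass = [guid]$userObj.schemaIDGUID

# Only ReadProperty and WriteProperty are expected; anything else is excess.
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$report = foreach ($ace in (Get-Acl -Path "AD:\$TargetOU").Access) {
    if ($ace.IdentityReference.Value -ne $ServiceAccount) { continue }
    $setName = $setGuids[$ace.ObjectType]
    $excess  = [int]$ace.ActiveDirectoryRights -band (-bnot $allowed)
    [pscustomobject]@{
        Type        = $ace.AccessControlType
        Rights      = $ace.ActiveDirectoryRights
        PropertySet = if ($setName) { $setName } else { $ace.ObjectType }
        UserOnly    = $ace.InheritedObjectType -eq $userClass
        Expected    = [bool]($ace.AccessControlType -eq 'Allow' -and $setName -and
                             $excess -eq 0 -and $ace.InheritedObjectType -eq $userClass)
    }
}

$report | Format-Table -AutoSize
$granted = @($report | Where-Object Expected | ForEach-Object PropertySet)
$missing = $ExpectedSets | Where-Object { $_ -notin $granted }
if ($missing) { Write-Warning "No read/write ACE for: $($missing -join ', ')" }
if ($report | Where-Object { -not $_.Expected }) {
    Write-Warning 'Service account has ACEs other than the five delegated property sets.'
}
```

The check only sees ACEs that name the service account directly; rights it receives through group membership need a separate review of those groups.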