Minimum AD permissions needed by ILM

The AD management agent uses an account to connect to AD and, more often than not, this account is a member of Domain Admins. However, in some organisations this is not acceptable. So what rights does it actually need?

The one domain-wide right you do need to grant is Replicate Directory Changes – and you can read all about how to set that here. If you don’t set this permission you will see a stopped-connectivity error, and event 6050 in the application log.

If you haven’t changed the default rights for the Authenticated Users group then you should not need to add any extra permissions at the Domain level. This group will give the ILM account sufficient rights to map out the directory OU tree and read the schema.

So then it just remains to give the service account rights to the OUs that it will be interested in:

  • Create/Delete specific object types as required,
  • Read/Write All Properties,
  • Reset Password (if using password sync).

Note that I’ve suggested read and write to all properties even though, theoretically, you could go through picking out just the particular attributes ILM can change. Personally I would strenuously resist this approach, as it would be a right nuisance every time an extra attribute was added to a flow rule. It is worth pointing out that the attribute selection can also be restricted from the ILM side, so while the account may have access to unneeded attributes, it is completely impossible for ILM to modify values it can’t even see.
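As an added example (not from the original post), here is how the rights listed above can be granted and then checked from PowerShell rather than clicked through in the ADUC security tab. It assumes the ActiveDirectory module (for the AD: drive), a placeholder domain corp.example.com, a placeholder service account CORP\svc-ilm, and a placeholder target OU; the GUIDs are the well-known default-schema values for the Replicating Directory Changes and Reset Password control access rights and the user object class, which you should confirm against your own schema if the forest has been customised. Run it as an account that is allowed to change the ACLs on the domain head and on the OU.

```powershell
# Added example, not the original post's code. Placeholders: domain, OU and account names.
Import-Module ActiveDirectory

$Domain   = 'DC=corp,DC=example,DC=com'               # placeholder domain NC head
$TargetOU = 'OU=Managed,DC=corp,DC=example,DC=com'    # placeholder OU ILM manages
$Account  = 'CORP\svc-ilm'                            # placeholder ILM AD MA service account
$Sid      = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])

# Well-known default-schema GUIDs (assumption: unmodified schema; verify in your forest).
$ReplicatingDirectoryChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$ResetPassword               = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserClass                   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # 'user' object class

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Append one ACE to the DACL of an AD object and write it back.
function Add-AdAce {
    param([string]$Path, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

# 1. Domain-wide: Replicate Directory Changes on the domain NC head (fixes the
#    stopped-connectivity / event 6050 failure). Not inherited; it only makes sense here.
Add-AdAce -Path $Domain -Rule ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, $Rights::ExtendedRight, $Allow, $ReplicatingDirectoryChanges, $Inherit::None))

# 2. OU: create/delete only the object type ILM provisions (user here; add others as required).
Add-AdAce -Path $TargetOU -Rule ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $UserClass, $Inherit::All))

# 3. OU: Read/Write All Properties, inherited by user objects below the OU.
Add-AdAce -Path $TargetOU -Rule ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow, $Inherit::Descendents, $UserClass))

# 4. OU: Reset Password on user objects below the OU (only needed when password sync is used).
Add-AdAce -Path $TargetOU -Rule ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, $Rights::ExtendedRight, $Allow, $ResetPassword, $Inherit::Descendents, $UserClass))

# Check: list exactly which ACEs the service account now holds on each object, so the
# result can be compared with the list above and anything extra removed.
foreach ($p in @($Domain, $TargetOU)) {
    (Get-Acl -Path "AD:\$p").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n = 'Path'; e = { $p }}, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

The final loop is the part worth keeping around: rerun it after any later change to the OU permissions to confirm the account still has only the four ACEs above. The domain-wide Replicate Directory Changes right lets the account read every object in the domain, which is why the post treats it as the one unavoidable domain-level grant; keep the service account's password and logon rights correspondingly tight and alert on any other principal being granted the same right.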