Environmental Preparation (Server 2008/R2)

It is necessary that we create six service accounts (as shown below). As a best practice, it is recommended that these accounts be created in a dedicated “Service Accounts” OU in Active Directory (and that a “Service Accounts” OU be created if one should not exist).

Account: Purpose:
FIMADMA Connect FIM Sync Engine to Active Directory
FIMMA Connects FIM Sync Engine to the FIM Portal
FIMSync Connects FIM Sync Engine to SQL DB
FIMService The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.
FIMPassword Service Account for SSPR

Once these accounts have been created, it is necessary that permissions be delegated accordingly. The following permissions are to be set at the OU which is to be managed:

FIMADMA Create Child Objects
Delete All Child Objects
Special Permissions
Descendant User Objects Change Password
Reset Password
Applies onto user objects Special Permissions
List Contents
Read All Properties
Write All Properties
Read Permissions
Apply onto This Object and all child objects Create/Delete All Child Objects
(Anything delete or create)

Similarly, the following permissions must be set at the [root] of the domain:

Replicate Directory Changes
Read Domain Password Lockout Policies
Read other Domain Parameters

Security Groups to be created






As a best practice, it is also a good idea to create a new OU to house objects managed by FIM. For simplicity, you may call it “FIMObjects”. Within this OU, it is also recommended that two additional OUs be created; “Users” and “Groups”. To simplify the process, you may use the “Delegation Control Wizard”, as shown below:

On all of the OU’s that you wish to delegate permissions for the FIM Synchronization Service to manage objects from, right click on the OU’s and select Delegation when the Delegation Wizard pops up click on Next


In the Users or Group window select the Service account that the Active Directory Management Agent that will be created on the Synchronization Service use to manage objects in Active Directory with.



In the Tasks to Delegate window verify that the Delegate the following common tasks: radial is selected and select the following:

  1. Create, delete, and manage user accounts
  2. Reset user passwords and force password change at next logon
  3. Create, delete and manage groups
  4. Modify the membership of a group



Note: Keep in mind you will only select the options that are relevant to the task. For example only Users will be in an OU do not select the options for Create, delete and manage groups or Modify the membership of a group. Additionally if the users that will be managed will not be able to reset their password than there is probably no reason to select the Reset user passwords and force password change at next logon option.


**** If you additionally want to delegate the ability to enable/disable user accounts ****
Tick the 'Create a custom task to delegate' radio button and click the 'Next' button.

Tick the 'Only the following objects in the folder' radio button, and select 'User objects' and click the 'Next' button.

At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and in the list below, check the following permissions:

Change Password
Reset Password
Read userAccountControl
Write userAccountControl


To download this post as a Word document, please click here.

Skip to main content