Six service accounts must be created (listed below). As a best practice, create them in a dedicated “Service Accounts” OU in Active Directory, creating that OU first if it does not already exist.
| Account | Purpose |
|---|---|
| FIMADMA | Connects the FIM Sync Engine to Active Directory |
| FIMMA | Connects the FIM Sync Engine to the FIM Portal |
| FIMSync | Connects the FIM Sync Engine to the SQL database |
| FIMService | Lets the FIM Service identify the FIM Synchronization Service when it exports to the FIM Service through the web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run. |
| FIMSQL | Connects FIM to SQL |
| FIMPassword | Service account for SSPR (self-service password reset) |
Once these accounts have been created, permissions must be delegated accordingly. The following permissions are set on the OU that FIM will manage:
FIMADMA, on the managed OU:
- Create Child Objects
- Delete All Child Objects
- Special Permissions
- Descendant User Objects: Change Password, Reset Password
- Applies onto user objects (Special Permissions): List Contents, Read All Properties, Write All Properties, Read Permissions
- Apply onto This Object and all child objects: Create/Delete All Child Objects (anything create or delete)
Similarly, the following permissions must be set at the [root] of the domain:
FIMADMA, at the domain root:
- Read
- Replicate Directory Changes
- Read Domain Password Lockout Policies
- Read other Domain Parameters
Security groups to be created:
- FIMSyncAdmins
- FIMSyncOperators
- FIMSyncJoiners
- FIMSyncBrowse
- FIMSyncPasswordSet
As a best practice, it is also a good idea to create a new OU to house the objects managed by FIM. For simplicity, you may call it “FIMObjects”. Within this OU, it is also recommended that two additional OUs be created: “Users” and “Groups”. To simplify the process, you may use the “Delegation Control Wizard”, as shown below:
On each OU from which you want the FIM Synchronization Service to manage objects, right-click the OU and select Delegation. When the Delegation Wizard opens, click Next.
In the Users or Groups window, select the service account that the Active Directory Management Agent (to be created on the Synchronization Service) will use to manage objects in Active Directory.
In the Tasks to Delegate window, verify that the “Delegate the following common tasks:” radio button is selected and select the following:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Create, delete and manage groups
- Modify the membership of a group
Note: Select only the options that are relevant to the task. For example, if an OU will contain only users, do not select “Create, delete and manage groups” or “Modify the membership of a group”. Likewise, if the managed users will not be able to reset their passwords, there is probably no reason to select the “Reset user passwords and force password change at next logon” option.
**** If you additionally want to delegate the ability to enable/disable user accounts ****
Tick the 'Create a custom task to delegate' radio button and click the 'Next' button.
Tick the 'Only the following objects in the folder' radio button, and select 'User objects' and click the 'Next' button.
At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and in the list below, check the following permissions:
- Change Password
- Reset Password
- Read userAccountControl
- Write userAccountControl
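The steps above as one PowerShell script, added here as an example (not part of the original post). It assumes a Domain Admin session on a domain-joined host with the RSAT ActiveDirectory module, reads the domain DN from the joined domain, and uses the well-known schema and extended-right GUIDs for the user class, Change Password, Reset Password, userAccountControl and Replicating Directory Changes; account, OU and group names follow the post.

```powershell
# Added example, not from the original post: the account, OU, group and delegation
# steps scripted. Assumes a Domain Admin session with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$saOU  = "OU=Service Accounts,$domainDN"
$fimOU = "OU=FIMObjects,$domainDN"

# 1. OUs: Service Accounts (if missing), FIMObjects, and Users/Groups beneath it
foreach ($ou in @(@('Service Accounts', $domainDN), @('FIMObjects', $domainDN),
                  @('Users', $fimOU), @('Groups', $fimOU))) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou[0]))" -SearchBase $ou[1] -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou[0] -Path $ou[1]
    }
}

# 2. The six service accounts; passwords are prompted, never stored in the script
foreach ($name in 'FIMADMA','FIMMA','FIMSync','FIMService','FIMSQL','FIMPassword') {
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$name)")) {
        New-ADUser -Name $name -SamAccountName $name -Path $saOU -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Password for $name")
    }
}

# 3. The FIM Sync security groups
foreach ($g in 'FIMSyncAdmins','FIMSyncOperators','FIMSyncJoiners','FIMSyncBrowse','FIMSyncPasswordSet') {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $saOU
    }
}

# 4. Delegate to FIMADMA on FIMObjects, scoped to descendant user objects only:
#    Change Password, Reset Password, and read/write userAccountControl (enable/disable).
$sid = (Get-ADUser FIMADMA).SID
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'                          # schema GUID of class "user"
$aces = @(
    @([guid]'ab721a53-1e2f-11d0-9819-00aa0040529b', 'ExtendedRight'),              # Change Password
    @([guid]'00299570-246d-11d0-a768-00aa006e0529', 'ExtendedRight'),              # Reset Password
    @([guid]'bf967a68-0de6-11d0-a285-00aa003049e2', 'ReadProperty, WriteProperty') # userAccountControl
)
$acl = Get-Acl -Path "AD:\$fimOU"
foreach ($a in $aces) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$a[1], 'Allow', $a[0], 'Descendents', $userClass)))
}
Set-Acl -Path "AD:\$fimOU" -AclObject $acl
# 5. Domain-root right from the post: Replicating Directory Changes, on the root object only
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', 'None')))
Set-Acl -Path "AD:\$domainDN" -AclObject $acl
```

After running it, confirm the result with `Get-Acl "AD:\$fimOU" | Select-Object -ExpandProperty Access` and check that only the intended ACEs for FIMADMA were added.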