MSOL Created AD Account and Group

  • Question

  • I've recently installed Forefront Identity Manager 2010 R2 and we are in the process of creating a tenant connection to Office 365 and setting up Exchange Federation.

    I have installed FIM 2010 R2 and have setup DIRSYNC, and we've noticed an account and group were automatically created in the AD Domain USERS OU.

    MSOL_xxxxxxxxxxxxxx (user)

    MSOL_AD_Sync_RichCoexistence (group), with the MSOL user as the only member.

    2 questions:

    1). What is this user/group used for? (During the install I had to supply another AD domain credential, which I would have thought would be used for the sync process.)

    2). Can this MSOL user/group be pre-created, or have its password modified in some fashion? (Our security folks want to "set" the password on the MSOL user to a known value.)

    THANKS

    Friday, April 11, 2014 12:07 PM

All replies

  • Hi,

    Why do you install FIM when you install DirSync?

    DirSync installs the FIM 2010 R2 Synchronization Service on its own. In general, DirSync is the FIM 2010 Sync Engine with a front end that does the configuration of FIM and some scary automatic things in the whole forest.

    Also, DirSync creates a service which starts the run profiles of the management agents.

    1a) The group "MSOL_AD_Sync_RichCoexistence" is created by DirSync and has been granted permissions in every domain in the forest (because of this DirSync wants Enterprise Admin rights) for the write-back attributes described in the article http://support.microsoft.com/kb/2256198/en-us.

    1b) The account "MSOL_<identifier>" is also created by DirSync and is added to the MSOL_AD_Sync... group. This account has also been granted "Replicate Directory Changes" in every domain in your forest for the DirSync LDAP control.

    1c) There is a third account which is created by DirSync, but this account is local and is named "AAD_<identifier>".

    2.) You can change the password. The account is used in the AD management agent, so you have to go into the FIM Synchronization Service Manager and change it there.

    In big environments dirsync is crap...

    regards


    • Edited by baschuel Friday, April 11, 2014 2:01 PM
    • Proposed as answer by baschuel Saturday, April 19, 2014 12:00 PM
    Friday, April 11, 2014 2:00 PM
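    The answer above describes three things an administrator can check rather than take on trust: that exactly one MSOL_* account exists, that the MSOL_AD_Sync_RichCoexistence group contains only that account, and that the account (and nobody unexpected) holds the replication extended rights on each domain naming context. The following read-only audit script is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and that DirSync created the objects with their default names. The two extended-right GUIDs are the well-known schema values for "Replicating Directory Changes" and "Replicating Directory Changes All".

```powershell
# Added audit example (not from the thread). Read-only: nothing here changes the directory.
# Assumes the RSAT ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$groupName = 'MSOL_AD_Sync_RichCoexistence'
# Well-known extended-right GUIDs from the AD schema.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

$forest = Get-ADForest

# 1. Every MSOL_* user in the forest. DirSync creates exactly one, in the default
#    Users container; more than one (or one in a different container) needs an explanation.
$msolUsers = foreach ($d in $forest.Domains) {
    Get-ADUser -Server $d -Filter 'SamAccountName -like "MSOL_*"' `
               -Properties whenCreated, PasswordLastSet, PasswordNeverExpires, Enabled |
        Select-Object @{n='Domain';e={$d}}, SamAccountName, Enabled, whenCreated,
                      PasswordLastSet, PasswordNeverExpires, DistinguishedName
}
"MSOL_* accounts found: $(@($msolUsers).Count)"
$msolUsers | Format-Table -AutoSize

# 2. The group should contain only the MSOL_* account; any other member is a deviation
#    from what DirSync set up and should be explained or removed.
foreach ($d in $forest.Domains) {
    $group = Get-ADGroup -Server $d -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }
    $members    = @(Get-ADGroupMember -Server $d -Identity $group.DistinguishedName)
    $unexpected = @($members | Where-Object { $_.SamAccountName -notlike 'MSOL_*' })
    "{0} in {1}: {2} member(s), {3} unexpected" -f $group.Name, $d, $members.Count, $unexpected.Count
    $unexpected | Select-Object objectClass, SamAccountName, distinguishedName | Format-Table -AutoSize
}

# 3. Who holds the replication rights on each domain NC. Expect the MSOL_* account next
#    to the built-in holders (Domain Controllers, Enterprise Domain Controllers,
#    Administrators, Enterprise Read-only Domain Controllers); anything else is
#    a finding for the security team, and this list is what to alert on if it changes.
foreach ($d in $forest.Domains) {
    $dn = (Get-ADDomain -Server $d).DistinguishedName
    $sd = (Get-ADObject -Server $d -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $sd.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ObjectType -eq $getChanges -or $_.ObjectType -eq $getChangesAll) } |
        Select-Object @{n='Domain';e={$d}},
                      IdentityReference,
                      @{n='Right';e={ if ($_.ObjectType -eq $getChangesAll) { 'Replicating Directory Changes All' }
                                      else { 'Replicating Directory Changes' } }},
                      IsInherited |
        Sort-Object IdentityReference | Format-Table -AutoSize
}
```

    Run it from a workstation or server with RSAT as a user who can read the domain heads; the output of step 3 is worth saving as a baseline, since a new principal appearing in that list is the change most worth investigating.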
  • THANKS for the response.

    To change the password for the MSOL_xxxxxxxxxx account that was automatically created, it appears I can open the Active Directory Connector, and under the option for "Connect to Active Directory Forest" is the MSOL account and a blank password field?

    Simply change it there is my presumption?

    Also, sorry if I misstated. We installed the DirSync tool, which I guess installed FIM on its own.

    THANKS

    Friday, April 11, 2014 2:23 PM
  • Yes, simply change it there; the password is always empty if you go to this option.

    regards

    Friday, April 11, 2014 5:02 PM
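  The password change has two halves that must agree: the value stored in AD and the value typed into the Active Directory Connector under "Connect to Active Directory Forest". One way to script the AD side and verify it before touching the management agent, as an added example that is not from the thread or from Microsoft: it assumes the RSAT ActiveDirectory module, rights to reset the MSOL_* account, that exactly one such account exists in the domain the script runs in, and, for the optional last step, that it runs on the DirSync server as a member of the MIISAdmins group with the management agent named "Active Directory Connector" (as in the thread) and a run profile named "Delta Import Delta Sync" (an assumption about the DirSync defaults).

```powershell
# Added example (not from the thread). Resets the DirSync service account password in AD,
# proves the new credential binds, and only then asks for the management agent to be updated.
Import-Module ActiveDirectory

# Locate the single DirSync service account; stop rather than guess if there is not exactly one.
$candidates = @(Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties PasswordLastSet, PasswordNeverExpires)
if ($candidates.Count -ne 1) {
    throw "Expected exactly one MSOL_* account, found $($candidates.Count): $($candidates.SamAccountName -join ', ')"
}
$msol   = $candidates[0]
$domain = Get-ADDomain
"Account {0}: PasswordLastSet={1} PasswordNeverExpires={2}" -f $msol.SamAccountName, $msol.PasswordLastSet, $msol.PasswordNeverExpires

# The value the security team keeps in their vault, entered interactively so it never lands in a script or log.
$newPassword = Read-Host -AsSecureString -Prompt "New password for $($msol.SamAccountName)"

# -Reset sets the password without the old value (the connector UI never shows it).
Set-ADAccountPassword -Identity $msol -Reset -NewPassword $newPassword
# DirSync has no rotation logic of its own, so do not let the password expire behind the connector's back.
Set-ADUser -Identity $msol -PasswordNeverExpires $true

# Prove the new credential binds before the management agent is changed, so a typo
# shows up here and not as a failed run profile later.
$plain = (New-Object System.Net.NetworkCredential('', $newPassword)).Password
$entry = New-Object System.DirectoryServices.DirectoryEntry(
             "LDAP://$($domain.PDCEmulator)/$($domain.DistinguishedName)",
             "$($domain.NetBIOSName)\$($msol.SamAccountName)", $plain)
try {
    $null = $entry.NativeObject      # forces the bind
    "Bind as {0} with the new password succeeded" -f $msol.SamAccountName
} catch {
    throw "Bind failed; do not update the management agent yet: $($_.Exception.Message)"
} finally {
    $entry.Dispose()
    $plain = $null
}

# The connector side is done in the UI, as the thread says: Synchronization Service Manager
# > Management Agents > Active Directory Connector > Properties > Connect to Active Directory Forest.
Read-Host -Prompt "Enter the same password in the Active Directory Connector, save, then press Enter to test a run"

# Optional check through the FIM WMI provider (must run on the DirSync server as a MIISAdmins member).
# The run profile name is an assumed DirSync default; adjust it to what the UI shows.
$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_ManagementAgent `
                    -Filter "Name='Active Directory Connector'"
if ($ma) {
    $result = $ma.Execute('Delta Import Delta Sync')
    "Run result: {0}" -f $result.ReturnValue    # 'success' means the new password is in use on both sides
} else {
    Write-Warning "Management agent not found via WMI; check the run result in Synchronization Service Manager instead"
}
```

  The bind test is the part worth keeping even if the rest is done by hand: a wrong password entered into the connector does not fail until the next scheduled run, and by then the "password is always empty" behaviour of that dialog gives no way to see what was typed.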