Update properties on Domain Admin accounts

  • Question

  • Hi

    Is there any way besides making the FIM action account member of Domain Admins to have it update properties on Domain Admin accounts?
    I would like to use FIM to synchronize information like name and phone numbers from the users' regular accounts to their admin accounts. But as they are Domain Admins I always get access denied.

    I tried to specifically add write permission on some of the attributes to FIM on one of the DA's and then FIM could update the info, but after a while the permission was gone again?

    Thanks

    Peter

    Tuesday, January 19, 2016 2:55 PM

Answers

All replies

  • Hi Peter,

    Best practice is not to run the FIM service accounts as domain admin or with admin permissions.  I would strongly urge not to tie identity management to the domain accounts and rather have business process around handling those few accounts. Another reason: if you were to tie in domain admin accounts to any identity management system, there is potential for those accounts to be accidentally deleted, passwords changed, etc.

    Best,

    Jeff Ingalls

    Wednesday, January 20, 2016 4:11 AM
  • Jeff, where has that 'best practice' been stated? IMO, if you manage the identities with a well-defined process through an IAM system, it's always a better way than doing something manually.

    To the original question, the reason why the permissions are gone is the AdminSDHolder which resets the ACLs on protected Active Directory groups on a schedule. More info can be found here:

    http://www.expta.com/2007/12/how-to-overcome-windows-protected.html

    http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

    What you should do is modify the ACLs with ADSIEdit.msc: browse to the CN=AdminSDHolder container under CN=System. Right-click the AdminSDHolder container -> Properties -> Security tab; the ACL shown here will be used on each protected object. Add your FIM ADMA account there.

    • Proposed as answer by Peter_Stapf Wednesday, January 20, 2016 8:44 AM
    • Marked as answer by Peter Sonander Wednesday, January 20, 2016 9:14 AM
    Wednesday, January 20, 2016 5:10 AM
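The same AdminSDHolder change done in PowerShell rather than ADSIEdit, as an added example that is not part of any post in this thread. It resolves each attribute's schemaIDGUID from the schema and adds one WriteProperty ACE per attribute to CN=AdminSDHolder, which is how an ACE gets scoped to individual user attributes on a container object. Because SDProp copies the AdminSDHolder DACL onto every protected account on each run, the ACE survives instead of being stripped. The service account name, the attribute list and the use of the RootDSE runProtectAdminGroupsTask write to trigger SDProp early are assumptions; adjust them for your domain.

```powershell
# Added example (not from the thread): grant a FIM ADMA account write access to a
# few user attributes on all AdminSDHolder-protected objects by adding the ACEs to
# CN=AdminSDHolder itself, so SDProp re-stamps them instead of removing them.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-fim-adma'                                   # assumption: your ADMA account
$Attributes     = 'displayName', 'givenName', 'sn', 'telephoneNumber', 'mobile'  # assumption: attributes FIM flows

$rootDse      = Get-ADRootDSE
$adminSdhPath = "AD:\CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
$identity     = New-Object System.Security.Principal.NTAccount($ServiceAccount)

# Look up an attribute's schemaIDGUID; an ACE whose objectType is that GUID
# applies only to that single attribute.
function Get-SchemaIdGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$LdapDisplayName' not found in schema" }
    New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}

$acl = Get-Acl -Path $adminSdhPath
foreach ($attr in $Attributes) {
    # "This object only" inheritance: SDProp copies the DACL as-is onto each
    # protected user/group, so the ACE takes effect on the account itself.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaIdGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $adminSdhPath -AclObject $acl

# SDProp runs on the PDC emulator every 60 minutes by default. To push the new
# DACL out now, ask the PDC emulator to run it (Windows Server 2008 R2 and later).
$pdc  = (Get-ADDomain).PDCEmulator
$root = [ADSI]"LDAP://$pdc/RootDSE"
$root.Put('runProtectAdminGroupsTask', '1')
$root.SetInfo()

# Check: after SDProp has run, a protected account carries the new ACEs and adminCount=1.
$SampleAdmin = 'adm-peter'                                                  # assumption: a Domain Admin account
$u = Get-ADUser $SampleAdmin -Properties adminCount, distinguishedName
(Get-Acl -Path "AD:\$($u.distinguishedName)").Access |
    Where-Object { $_.IdentityReference -eq $identity -and $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, ObjectType, ActiveDirectoryRights
"adminCount on $SampleAdmin = $($u.adminCount)"
```

Keep the attribute list as short as FIM actually needs; every ACE added here lands on every member of Domain Admins, Enterprise Admins, Administrators and the other protected groups, so this is where the least-privilege decision for the connector account is made.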
  • Thanks for your reply

    I have one follow-up. Is it possible to set permissions on an attribute level for the Domain Admin accounts? As the AdminSDHolder is a container I can't select user-object-specific attributes.

    Thanks

    Peter

    Wednesday, January 20, 2016 2:38 PM
  • Don't think that's possible.

    • Edited by Narcoticoo Wednesday, January 20, 2016 4:00 PM
    Wednesday, January 20, 2016 4:00 PM
  • Hello,

    I certainly respect your view.  Here is my take.  Yes, you can work around not adding into the DA group, but the business needs to understand the risk associated with connecting DA accounts into an automation stream.  Do you think they really get that risk? Many customers do not have a test environment, then make a change, and in a matter of minutes lose their domain admin accounts.  I've seen DA havoc happen enough to warrant my claim and would be extremely suspicious of any product that had a handle on my company's domain admin accounts.

    As for the best practice statement, an announcement will be made soon.  Stay tuned.  :-)

    Best,

    Jeff Ingalls

    Thursday, January 21, 2016 3:53 AM
  • Of course it has to be planned correctly; using a FIM-managed group that's a member of the built-in Domain Admins group is one way to go. This way you separate the managed part and FIM never really touches the actual DA group at all.
    Thursday, January 21, 2016 3:57 AM
  • I never, ever run service accounts as Domain Admin or nested into Domain Admin.  It opens the organization up to too much risk IMHO.

    Best,

    Jeff Ingalls

    Wednesday, February 3, 2016 2:28 PM
  • I wasn't talking about service accounts. I meant personal accounts (alter egos) that are assigned to admins and are members of a group that's nested into Domain Admins -> FIM Managed Domain Admins, without interfering with the built-in groups too much.
    Wednesday, February 3, 2016 4:08 PM
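The nested-group layout described in the last two replies, as an added example that is not code from anyone in the thread. It creates the FIM-managed group, nests it into Domain Admins, and then checks what that nesting does and does not change: members of the nested group are still enumerated by SDProp and receive adminCount=1, so the AdminSDHolder ACE from the earlier answer is still what lets FIM write to them. The group name, OU and user name are assumptions.

```powershell
# Added example (not from the thread): a FIM-managed group nested into Domain
# Admins, plus a check that its members are still AdminSDHolder-protected.
Import-Module ActiveDirectory

$GroupName = 'FIM Managed Domain Admins'                       # assumption
$GroupOu   = "OU=Admin Groups,$((Get-ADDomain).DistinguishedName)"  # assumption: OU exists
$AdminUser = 'adm-peter'                                       # assumption: an alter-ego admin account

# The managed group is what FIM owns; the built-in Domain Admins group only ever
# gets this one member added by hand.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}
Add-ADGroupMember -Identity 'Domain Admins' -Members $GroupName
Add-ADGroupMember -Identity $GroupName -Members $AdminUser

# Effective membership: the user is a Domain Admin through the nested group.
$isDa = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName -contains $AdminUser
"$AdminUser is an effective Domain Admin: $isDa"

# Protection check: SDProp walks nested membership, so after its next run the
# account is stamped with the AdminSDHolder DACL and adminCount=1 regardless of
# the nesting. Until that happens adminCount is empty or 0.
$u = Get-ADUser $AdminUser -Properties adminCount
"adminCount on $AdminUser = $($u.adminCount)"
```

Because the nested group is itself a member of a protected group, it is protected too: FIM can manage its membership, but FIM's own write access to the group object and its members still has to come from the AdminSDHolder ACL, not from ACEs set directly on the group or the user.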