Configuring Directory managing service with minimal security permissions

  • Question

  • Hi, sorry for my English )

    Does anyone know what minimal security permissions a SharePoint account needs to manage distribution groups in AD?

    For configuring Incoming e-mail, Microsoft says that:

    "To use Directory Management Service on a SharePoint farm or on a remote server farm, you must configure the application pool identity account for the SharePoint Central Administration Web site to have the Create, delete, and manage user accounts user right to the container that you specify in AD DS. The preferred way to do this is by assigning the right to the application pool identity account for the SharePoint Central Administration Web site. An AD DS administrator must set up the OU and assign the Create, delete, and manage user accounts right to the container. The advantage of using Directory Management Service on a remote server farm is that you do not have to assign rights to the OU for multiple farm service accounts."

    But our corporate policy does not allow giving such wide permissions to a service account. Will this service work if I give only the Manage groups right to it?

     

    Monday, August 16, 2010 2:29 AM

Answers

  • No, it needs Create as well. I don't think there's a way around this. You could try explaining to the domain administrators that you only need this permission on a single OU. If they still won't do it, you just may not be able to use that feature. I get this a lot with government users.
    Monday, August 16, 2010 6:27 PM