Required Permissions

Service Account Permissions

A service account is a special user account created for the sole purpose of running a particular service or application on the Windows operating system. Services use service accounts to log on and interact with the operating system. The service account must have the appropriate permissions in Active Directory, and the Domain Controller must be reachable from the IQService host computer.

Note
The permissions discussed in the following section grant limited account creation privileges to a user. This user can create and modify most accounts. It cannot manage the Administrator user account, the user accounts of administrators, or the members of the Server Operators, Account Operators, Backup Operators and Print Operators groups. To manage these user types, you must assign the appropriate security permissions or add the user to groups with higher permissions, for example domain administrators.

The service account specified in the application must be a member of the Account Operators group.

More granular permissions can be assigned to users for specific portions of the directory, but this is discouraged by Microsoft best practices for Active Directory access control.

The required permissions depend on the use cases that are implemented, but could include the following, listed by operation together with the service account permissions it requires:
Load Accounts

  • Read All Properties

  • Read Members

Provision Accounts

  • Write All Properties

  • Write Members

  • Create User Objects

Password Management

  • Change Password

  • Reset Password

  • Read pwdLastSet

  • Write pwdLastSet

Enable/Disable Accounts

  • Read userAccountControl

  • Write userAccountControl

Unlock Accounts

  • Read lockoutTime

  • Write lockoutTime
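To confirm that a delegated service account actually holds these per-operation rights on a container before IQService is configured against it, the following PowerShell audit script is added here as an example (it is not part of this documentation or of IQService). The account name CONTOSO\svc-iqservice and the OU distinguished name are assumptions; the script reads the OU's ACL and reports, per operation in the table above, whether a matching Allow ACE is present.

```powershell
# Added audit script: checks which of the per-operation rights from the table
# above a service account holds directly on a target OU. Assumed values below.
Import-Module ActiveDirectory

$Identity = 'CONTOSO\svc-iqservice'                 # assumed service account
$OU       = 'OU=Managed Users,DC=contoso,DC=com'     # assumed target container

$rootDse = Get-ADRootDSE
# Resolve attribute and class GUIDs from the schema rather than hard-coding them.
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
# Resolve extended rights (Change Password, Reset Password) from the configuration partition.
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

# Operation -> (ActiveDirectoryRights flag, object-type GUID), following the permissions table.
$required = [ordered]@{
    'Load: Read All Properties'                = @('ReadProperty',  [guid]::Empty)
    'Load: Read Members'                       = @('ReadProperty',  $schemaGuid['member'])
    'Provision: Write All Properties'          = @('WriteProperty', [guid]::Empty)
    'Provision: Create User Objects'           = @('CreateChild',   $schemaGuid['user'])
    'Password: Change Password'                = @('ExtendedRight', $rightGuid['Change Password'])
    'Password: Reset Password'                 = @('ExtendedRight', $rightGuid['Reset Password'])
    'Password: Write pwdLastSet'               = @('WriteProperty', $schemaGuid['pwdLastSet'])
    'Enable/Disable: Write userAccountControl' = @('WriteProperty', $schemaGuid['userAccountControl'])
    'Unlock: Write lockoutTime'                = @('WriteProperty', $schemaGuid['lockoutTime'])
}

# Only Allow ACEs granted directly to the account are considered; rights obtained
# through group membership (e.g. Account Operators) are not resolved here.
$aces = (Get-Acl -Path "AD:\$OU").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity }

foreach ($op in $required.Keys) {
    $right, $guid = $required[$op]
    # An ACE with an empty ObjectType covers every attribute/class/right of that kind.
    $held = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$right) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $guid) }
    [pscustomobject]@{ Operation = $op; Granted = [bool]$held }
}
```

A row reported as not granted is either a missing delegation or a right the account receives only through a group, so check group-based ACEs separately; inheritance scope (InheritedObjectType) is not evaluated by this script.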

Permissions for Special Operations

Some special operations need additional service account permissions, listed here by operation:
Delta Aggregation

Additional permissions are required for "Replicating directory changes" and "Read permissions on the Deleted Object Container". For more information, refer to Required Permissions for Delta Aggregation.

Provision Exchange Mailbox

Must be a member of the Exchange Recipient Management group.

Microsoft Skype for Business Server

For the Active Directory source, there are updated service account permissions for loading and provisioning Microsoft Lync/Skype for Business. One of the following permission sets is required, depending on the service account type:

  • For Microsoft Skype for Business Server user management, the service account must be a member of the RTCUniversalServerAdmins and CSUserAdministrator domain groups. The account must also be a member of the local Administrators group on the system running IQService.

  • For Microsoft Skype for Business Server user management, a service account must be a member of a custom group with SQL permissions and of the CSUserAdministrator domain group. The account must also be a member of the local Administrators group on the system running IQService.

In either case, the account must be a member of the local Administrators group on the system running IQService, and you must ensure that:

    • IQService can reach the Lync/Skype for Business Server's SQL Server through port 1433.

    • The IQService account has direct access to the database so that it can provision the account successfully.

The required permissions for the custom group and the CSUserAdministrator domain group in SQL Server are:

  Database instance: RTCLOCAL
    Security login: Custom Group and CSUserAdministrator (both groups must be added as logins on the SQL Server)
    Database role membership: db_owner
    Databases: RTC, XDS, RTCDYN

  Database instance: RTC
    Security login: Custom Group and CSUserAdministrator (both groups must be added as logins on the SQL Server)
    Database role membership: db_owner
    Databases: RTCXDS, XDS

Permissions for Managing Group Managed Service Accounts (gMSA)

For managing Managed Service Accounts and Group Managed Service Accounts (gMSA), the following permissions are required:

  • Aggregation and refresh account: member of the Account Operators group.

  • Create: in addition to Account Operators membership, the service account must have full permissions on the Active Directory container in which the service accounts are to be managed.