Prerequisites
- Create an Active Directory service account with the required permissions. A service account is a special user account that is created for the sole purpose of running a particular service or application on the Windows operating system. Services use the service accounts to log on and interact with the operating system.
- Before you start using the connector, install and register IQService on a Windows system running one of the supported operating systems. For more information on installing and registering IQService, see IQService.
- If the Authentication Type is set to Strong, then the IQService host must be in the same domain or in a trusted domain.
- For managing Terminal Services (Remote Desktop Services profile) attributes, install IQService on a server-class Windows operating system.
- Secure Active Directory connector.
- For an application managing multiple domain trees, either from the same or different forests, there must be a two-way trust relationship between them.
- For managing Managed Service Accounts (MSA) or group Managed Service Accounts (gMSA), the following prerequisites are required:
  - For reading the msDS-GroupMSAMembership and msDS-AllowedToActOnBehalfOfOtherIdentity gMSA object properties, IQService is required and Active Directory Module for Windows PowerShell must be enabled on the IQService host.
  - For provisioning operations of MSA and gMSA objects, IQService is required and Active Directory Module for Windows PowerShell must be enabled on the IQService host.
- To use group Managed Service Account (gMSA) for forest and domain settings, ensure you select Strong (SASL) as the authentication type.
  The permissions for gMSA accounts are similar to those of service accounts. No special permissions are needed for gMSA accounts. For more information, refer to Required Permissions.
Important
Configuration of IQService is mandatory to use gMSA as a service account for forest and domain settings in Active Directory. For more information, refer to Configuring IQService to use gMSA as a service account for Active Directory and to Using gMSA as a Service Account.
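
A pre-flight check for the prerequisites listed above, meant to be run on the IQService host. This is an added example, not part of the connector or of IQService; the gMSA name `svc-iqservice-gmsa` is a hypothetical placeholder, and the trust check simply lists trusts of the host's own domain that are not two-way.

```powershell
# Added example: prerequisite check for the IQService host (not vendor tooling).
# $GmsaName is a hypothetical placeholder; replace it with your gMSA's name.
param([string]$GmsaName = 'svc-iqservice-gmsa')

$results = [ordered]@{}

# Strong authentication requires the host to be in the same or a trusted domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# Terminal Services attributes need a server-class OS
# (Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['ServerClassOS'] = $os.ProductType -in 2, 3

# Reading gMSA properties and provisioning MSA/gMSA need the AD PowerShell module.
$results['ADModuleAvailable'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

if ($results['ADModuleAvailable'] -and $results['DomainJoined']) {
    Import-Module ActiveDirectory

    # Managing multiple domain trees needs two-way trust; list trusts that are not.
    $oneWay = Get-ADTrust -Filter * | Where-Object { $_.Direction -ne 'BiDirectional' }
    $results['NonBidirectionalTrusts'] = @($oneWay | ForEach-Object { $_.Name }) -join ', '

    try {
        # The two gMSA properties named in the prerequisites, plus the readable
        # form of who may retrieve the managed password.
        $gmsa = Get-ADServiceAccount -Identity $GmsaName -ErrorAction Stop -Properties `
            'msDS-GroupMSAMembership', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
            'PrincipalsAllowedToRetrieveManagedPassword'
        $results['GmsaReadable'] = $true
        # Review this list: only the IQService host(s) should normally appear.
        $results['PasswordReaders'] = $gmsa.PrincipalsAllowedToRetrieveManagedPassword -join '; '
        # True only if this host can retrieve and use the gMSA credentials.
        $results['GmsaUsableOnHost'] = [bool](Test-ADServiceAccount -Identity $GmsaName)
    } catch {
        $results['GmsaReadable'] = $false
        $results['GmsaError'] = $_.Exception.Message
    }
}

[pscustomobject]$results | Format-List
```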