Required Permissions

Service Account Permissions

A service account is a special user account that is created for the sole purpose of running a particular service or application on the Windows operating system. Services use the service accounts to log on and interact with the operating system. The service account must have appropriate permissions on Active Directory. The Domain Controller must be accessible from the IQService host computer.

Note
The permissions discussed in the following section grant limited account creation privileges to a user. This user can create and modify most accounts. It cannot manage the administrator user account, the user accounts of administrators, the server operators, account operators, backup operators, and print operators. To manage these user types, you must assign the appropriate security permissions or add the user to groups having higher permissions. For example, domain administrators.

The service account specified in the application must be the member of the Account Operators group.

More granular permissions can be assigned to users for specific portions of the directory, but this is discouraged by Microsoft best practices for Active Directory access control.

The required permissions depend on the use cases that are implemented, but could include:

Operations

Service Account Permissions

Load Accounts

  • Read All Properties

  • Read Members

Provision Accounts

  • Write All Properties

  • Write Members

  • Create User Objects

Password Management

  • Change Password

  • Reset Password

Permissions for Special Operations

Some special operations need additional permissions.

Operations

Service Account Permissions

Delta Aggregation

Additional permissions are required for "Replicating directory changes" and "Read permissions on the Deleted Object Container". For more information, refer to Required Permissions for Delta Aggregation.

Provision Exchange Mailbox

Must be a member of Exchange Recipient Management group.

Microsoft Skype for Business Server

For the Active Directory connector, there are updated service account permissions to load and provision Microsoft Lync/Skype for Business. One of the following permissions is required, depending on the service account type:

  • For Microsoft Skype for Business Server user management, the service account must be a member of the CSUserAdministrator and one of the following domain groups:

    • RTCUniversalServerAdmins

    • Custom group with SQL permission

The required permissions for the Custom group and CSUserAdministrator domain group in SQL are:

Database Instance

Security login

Database Role Membership

Databases

RTCLOCAL

Group required to be added in SQL server: Custom Group and CSUserAdministrator

DB_Owner

RTC, XDS, RTCDYN

RTC

Group required to be added in SQL server: Custom Group and CSUserAdministrator

DB_Owner

RTCXDS, XDS

Permissions for Managing Group Managed Service Accounts (gMSA)

For managing Managed Service Accounts and Group Managed Service Accounts, the following permissions are required:

  • Aggregation and Refresh Account: Member of Account Operators group.

  • Create, Update, and Delete: In addition to Account Operators, service accounts must have full permission on the Active Directory container from which service account is to be managed.