02/21/2024 06:34 PM
Hello,
We're attempting to get a successful connection for an ADSI connector and we're running into an error. Leadership has been reluctant to give the Service Account we're using Domain Admin privileges in AD.
The errors we're getting state "User does not have access to create group" and "User does not have access to manage group". The current service account we're using doesn't have access to administer groups in a handful of OUs (as we're attempting "least privilege"); other than that, it has full create, manage, move, and delete permissions throughout the forest.
Link to "Preparing for ADSI Integration" guide below. It mentions that Domain Admin is required, then goes on to say that "Least Privilege" can be applied.
https://docs.saviyntcloud.com/bundle/ADSI-v2021x/page/Content/Preparing-for-Integration.htm#Preparin
Can anyone help clarify what is needed for the Service Account permissions for ADSI?
Thank you!
Adam
02/21/2024 06:49 PM
The below permissions are required for the Import/Provisioning operations:
Import:
- Directory Replication permission
Provisioning:
- Read
- Write
Create/Delete child object provisioning:
- Create all child objects
- Delete all child objects
Move operation:
- Migrate SID history
Refer
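One way to check which of the permissions listed above the service account actually holds on an OU and on the domain root, as an added example that is not part of the original thread or of Saviynt's documentation. The account name and OU are placeholders, and mapping "Read"/"Write" to ReadProperty/WriteProperty and "Directory Replication permission" to the DS-Replication-Get-Changes rights is an assumption. It needs the RSAT ActiveDirectory module and only reports ACEs granted to the account itself, not rights inherited through group membership.

```powershell
# Added example: audit the rights one service account holds directly in AD.
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive used by Get-Acl

$Account  = 'EXAMPLE\svc-adsi'               # placeholder service account
$TargetDN = 'OU=Managed,DC=example,DC=com'   # placeholder OU the connector manages
$DomainDN = (Get-ADDomain).DistinguishedName
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Control access rights checked on the domain root (value = rightsGuid of the right).
$Extended = [ordered]@{
    'DS-Replication-Get-Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'Migrate-SID-History'            = 'ba33815a-4f93-4c76-87f3-57574bff8109'
}

function Get-AllowAce {
    param([string]$DistinguishedName, [string]$Identity)
    # Only Allow ACEs that name the account itself; group membership is not resolved.
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity
    }
}

$ouAces   = @(Get-AllowAce -DistinguishedName $TargetDN -Identity $Account)
$rootAces = @(Get-AllowAce -DistinguishedName $DomainDN -Identity $Account)

$report = foreach ($name in 'ReadProperty', 'WriteProperty', 'CreateChild', 'DeleteChild') {
    $flag = [System.DirectoryServices.ActiveDirectoryRights]$name
    # "All child objects" means the ACE is not limited to a single object class.
    $hit = $ouAces | Where-Object {
        ($_.ActiveDirectoryRights -band $flag) -eq $flag -and
        ($name -notlike '*Child' -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{ Scope = $TargetDN; Right = $name; Granted = [bool]$hit }
}
$report += foreach ($name in $Extended.Keys) {
    # An empty ObjectType on an ExtendedRight ACE grants every extended right.
    $hit = $rootAces | Where-Object {
        ($_.ActiveDirectoryRights -band $ExtRight) -eq $ExtRight -and
        ($_.ObjectType -eq [guid]($Extended[$name]) -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{ Scope = $DomainDN; Right = $name; Granted = [bool]$hit }
}
$report | Format-Table -AutoSize
```

A row showing DS-Replication-Get-Changes-All as granted is worth reviewing on its own, since together with DS-Replication-Get-Changes that right allows replication of password data.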
02/22/2024 08:14 AM
Thank you, Rushikesh,
What privileges are required for installation?
Best,
Adam
02/22/2024 08:34 PM
installation of ?
02/23/2024 09:42 AM
For clarity, this is the error we're getting during the initial "save and test" on the connection.
02/25/2024 10:36 AM
The above are Saviynt feature accesses. Does the logged-in user have ROLE_ADMIN or a SAV role with the feature added for ADSI?
02/26/2024 08:01 AM
Yes, user has SAV_ADMIN role.
02/26/2024 07:20 PM
Add the below features in custom SAV roles