Re: ADAM Service Account
- From: "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 5 May 2008 09:58:03 -0700
The best option is to use the default, Network Service.
It provides just sufficient privileges on the local machine (admin is too much), and it also has sufficient permissions in the domain, to be able to register SPNs on the computer account (which is needed for mutual auth), and to create SCPs.
Using a named service account means you have to take care of password changes, assigning appropriate permissions in AD for SPN registration and SCPs, assigning local permissions on the box to open an LDAP listener and to log security events, and maybe a few others... It only makes sense (in my view) if there are many different services running on the same machine, and you don't want to expose them to each other by sharing the service account. If ADAM is the only service on the box, then using NetworkService makes the most sense.
--
Dmitri Gavrilov
SDE, Exchange
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
"jskalicky" <jskalicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:EB564BA8-4BEE-49B0-9693-4874BE0039E8@xxxxxxxxxxxxxxxx
I am trying to install ADAM in our domain on two separate servers. One will
be the Master and the other will be a replica. I will be using a domain
account for the service. What permissions are necessary for the ADAM service
account in a domain? Do I just need to make it an admin on the local box?
Please advise....