Applies To:

GroupID 9 and above

Summary:

You must have a service account to connect an identity store to an Active Directory domain. GroupID uses the account to access objects in Active Directory. If Microsoft Exchange is configured as the messaging provider for the identity store, you can also delegate permissions to this account to access Exchange objects.

You can use an existing account, provided it has the required permissions, or you can create a new one. It is recommended that you create a new, dedicated service account rather than reuse an existing one. In either case, the service account must also be a member of the local Administrators group on the member server where GroupID is installed.

Use an existing account as a service account

Verify that the account you want to use as a service account has the following Active Directory and Exchange permissions. (Exchange permissions are required only if Microsoft Exchange is configured as the messaging provider for the identity store.)

Active Directory
  Recommended: Domain Admins
  Minimum permissions:
    • Create and delete user, contact, and group objects
    • Modify user, contact, and group objects

Exchange 2010/2013/2016/2019
  Member of the Recipient Management role group

Create a new service account

If you do not have a service account, you need to create one. Follow the three sets of instructions in this section to:

  1. Create a service account
  2. Delegate Active Directory permissions to the new account
  3. Delegate Exchange permissions to the new account
    (if Exchange is configured as the messaging provider for the identity store)

Create a service account

  1. Open Active Directory Users and Computers in either of the following ways:
    • From Server Manager (available from the Windows Start screen or from the Quick Launch toolbar on the Windows taskbar), select Tools > Active Directory Users and Computers.
    • From Administrative Tools on the Windows Start screen, select Active Directory Users and Computers from the Name column.
  2. In the directory tree, right-click the container in which you want to create the account, point to New, and then click User. The New Object - User dialog box is displayed.
  3. Enter the required information for the user and complete the wizard.

After creating the user, you can click the container to view the newly created user.

Delegate Active Directory permissions to the new account

From the Active Directory Users and Computers console:

  1. Select Advanced Features from the View menu.
  2. In the left pane, right-click the domain name or the organizational unit that contains the objects GroupID will manage, and select Properties. On the Properties window, select the Security tab. Delegating on an organizational unit rather than on the domain limits the account's permissions to that subtree.
  3. Click Advanced. The Advanced Security Settings window is displayed.
  4. Click Add. The Permission Entry window is displayed.
  5. Click the Select a principal link next to Principal. The Select User, Computer, Service Account, or Group dialog box is displayed.
    Type the name of the service account in the Enter the object name to select box and click OK. The Permission Entry window is displayed with all fields enabled.
  6. In the Applies to box, select This object and all descendant objects.
  7. Grant permissions to create and delete users, contacts, and groups.
    1. Scroll down the list in the Permissions box and select the following check boxes:
       • Create Contact objects
       • Delete Contact objects
       • Create Group objects
       • Delete Group objects
       • Create User objects
       • Delete User objects
    2. Click OK. The new entry for the service account is listed on the Advanced Security Settings window.
  8. Grant permissions to modify users, contacts, and groups.
    1. Click Add on the Advanced Security Settings window. The Permission Entry window is displayed.
    2. Click the Select a principal link next to Principal. The Select User, Computer, Service Account, or Group dialog box is displayed.
      Type the name of the service account in the Enter the object name to select box and click OK. The Permission Entry window is displayed with all fields enabled.
    3. In the Applies to box, select Descendant Contact objects, and select the Full control check box in the Permissions area.
    4. Click OK. The new entry is listed on the Advanced Security Settings window.
    5. Repeat steps 1 through 4, selecting Descendant Group objects and then Descendant User objects in the Applies to box.
      The service account now has Full control over descendant contact, group, and user objects, in addition to the create and delete permissions granted in step 7. All of these entries are listed on the Advanced Security Settings window.
  9. Click OK to close the Advanced Security Settings window, and OK again to close the Properties window.
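The same procedure (create the account, delegate the Active Directory permissions from the table above at an organizational unit, add the account to local Administrators on the GroupID server) in PowerShell, as an added example that is not from the GroupID Administration Guide or from GroupID itself. The domain corp.example (NetBIOS name CORP), the delegation scope OU=Managed,DC=corp,DC=example, the account name svc-groupid, its container OU=Service Accounts, and the server name GID01 are assumptions. The final report function can also be run against an existing account to check what it has been granted before reusing it, as the "Use an existing account" section asks.

```powershell
# Added example; not from the GroupID Administration Guide or the GroupID product.
# Requires the RSAT ActiveDirectory module and rights to create the account and
# modify the OU's security descriptor. All names below are assumptions.
Import-Module ActiveDirectory

$NetBios   = 'CORP'                                    # assumption: domain NetBIOS name
$SvcSam    = 'svc-groupid'                             # assumption: service account name
$SvcOU     = 'OU=Service Accounts,DC=corp,DC=example'  # assumption: where the account lives
$TargetDN  = 'OU=Managed,DC=corp,DC=example'           # assumption: delegation scope
$GidServer = 'GID01'                                   # assumption: GroupID member server

# Resolve the schemaIDGUID of each object class from the schema rather than hard-coding it.
function Get-ClassGuidMap {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $map = @{}
    foreach ($cls in 'user', 'contact', 'group') {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$cls)" -Properties schemaIDGUID
        $map[$cls] = [guid]$obj.schemaIDGUID
    }
    return $map
}

# Lists the ACEs on $Path that name $Account, with class GUIDs resolved to class names.
# Usable on any account, including an existing one you are considering reusing.
function Get-DelegatedAces {
    param([string]$Path, [string]$Account)
    $map = Get-ClassGuidMap
    $byGuid = @{}
    foreach ($cls in $map.Keys) { $byGuid[$map[$cls].ToString()] = $cls }
    $resolve = {
        param([guid]$g)
        if ($g -eq [guid]::Empty) { '(any)' }
        elseif ($byGuid.ContainsKey($g.ToString())) { $byGuid[$g.ToString()] }
        else { $g.ToString() }
    }
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Rights          = $_.ActiveDirectoryRights
                Type            = $_.AccessControlType
                AppliesTo       = $_.InheritanceType
                ObjectClass     = & $resolve $_.ObjectType
                DescendantClass = & $resolve $_.InheritedObjectType
            }
        }
}

# 1. Create the service account.
$password = Read-Host -AsSecureString -Prompt "Password for $SvcSam"
New-ADUser -Name $SvcSam -SamAccountName $SvcSam -UserPrincipalName "$SvcSam@corp.example" `
    -Path $SvcOU -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'GroupID service account'
$sid = (Get-ADUser -Identity $SvcSam).SID

# 2. Delegate the Active Directory permissions on the target OU.
$classGuid = Get-ClassGuidMap
$acl = Get-Acl -Path "AD:\$TargetDN"
foreach ($cls in 'user', 'contact', 'group') {
    # "Create <class> objects" / "Delete <class> objects", applies to this object and all
    # descendant objects (step 7 above): CreateChild/DeleteChild limited to that class.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid[$cls],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
    # "Full control" applied to "Descendant <class> objects" (step 8 above): GenericAll
    # inherited only by objects of that class.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid[$cls]))
}
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# 3. Local Administrators membership on the GroupID member server
#    (Add-LocalGroupMember ships with Windows Server 2016 and later).
Invoke-Command -ComputerName $GidServer -ScriptBlock {
    param($member) Add-LocalGroupMember -Group 'Administrators' -Member $member
} -ArgumentList "$NetBios\$SvcSam"

# 4. Check the result: expect, per class, CreateChild/DeleteChild with AppliesTo All
#    and GenericAll with AppliesTo Descendents, six entries in total.
Get-DelegatedAces -Path $TargetDN -Account "$NetBios\$SvcSam" | Format-Table -AutoSize
```

The two access rules per class are exactly what the Permission Entry window writes when you tick "Create/Delete <class> objects" with "This object and all descendant objects", and "Full control" with "Descendant <class> objects": the first sets the ACE's object type to the class schemaIDGUID, the second sets its inherited object type. Running Get-DelegatedAces before reusing an existing account shows whether it already carries these entries, and running it on the domain root as well as the OU shows whether a previous administrator delegated more widely than intended.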

Delegate Exchange permissions to the new account

In addition to Active Directory permissions, the service account also needs access permissions for Exchange, when Exchange is configured as the messaging provider for the identity store. Instructions for delegating permissions for the supported Exchange Server versions are as follows.

For Exchange Server 2010/2013/2016/2019:

Launch the Exchange Management Shell and run the following command, substituting the domain and account name of the service account:

Add-RoleGroupMember "Recipient Management" -Member "<domain>\<user>"
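The same step with a membership check before the change and a review of what the role group conveys afterwards, added here as an example and not from the GroupID Administration Guide; the account CORP\svc-groupid is an assumption.

```powershell
# Added example; not from the GroupID Administration Guide. Run in the Exchange
# Management Shell. The account below is an assumption.
$Account = 'CORP\svc-groupid'   # assumption: domain\user of the service account
$Name    = 'svc-groupid'        # assumption: the account's Name attribute
$Group   = 'Recipient Management'

# Add the account only if it is not already a member, so the step is safe to re-run.
$already = Get-RoleGroupMember -Identity $Group | Where-Object { $_.Name -eq $Name }
if (-not $already) {
    Add-RoleGroupMember -Identity $Group -Member $Account
} else {
    Write-Host "$Account is already a member of $Group"
}

# Confirm the membership, then list the management roles the group assigns so the
# grant can be reviewed against what the service account actually needs.
Get-RoleGroupMember -Identity $Group | Where-Object { $_.Name -eq $Name }
Get-ManagementRoleAssignment -RoleAssignee $Group | Select-Object Name, Role
```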

Reference:

GroupID Administration Guide