Assigning the required Active Directory permissions to the Custodian Manager synchronization account

Article:HOWTO58793  |  Created: 2011-08-01  |  Updated: 2013-07-12  |  Article URL http://www.symantec.com/docs/HOWTO58793
Article Type
How To

By default, Custodian Manager uses the account under which the Accelerator Manager service is running when it synchronizes custodians and custodian groups with the corresponding Active Directory accounts. However, if you prefer, you can nominate a different account on a per-domain basis.

For instructions on how to specify a different user account for synchronization purposes, see the Administrator's Guide.

The nominated synchronization account must be able to read user and inetOrgPerson objects throughout the domain. The simplest way to grant exactly that, and nothing more, is to delegate the two read-only tasks below at the domain level.

To assign the required delegated permissions to the Custodian Manager synchronization account

  1. Open Active Directory Users and Computers.

  2. Right-click the domain object, and then select Delegate Control.

  3. In the Delegation of Control Wizard, click Next, and then click Add.

  4. In the Select Users, Computers, or Groups dialog box, enter the name of the synchronization account, click OK, and then click Next.

  5. On the Tasks to Delegate page, under Delegate the following common tasks, check the following two tasks (both are read-only), and then click Next:

    • Read all user information

    • Read all inetOrgPerson information

  6. Click Finish.
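The same delegation can be applied and checked from the command line, which is easier to repeat across several domains. The following PowerShell script is an added example and is not part of the original article or of the Symantec product; it assumes a synchronization account named CONTOSO\svc-custodian-sync and a domain controller or RSAT host with dsacls.exe and the ActiveDirectory module. The wizard's "Read all user information" and "Read all inetOrgPerson information" tasks correspond to a Generic Read ACE inherited onto descendant objects of those classes, which is what the script grants.

```powershell
# Added example, not from the original article: grant the synchronization account
# the same rights the Delegation of Control Wizard grants for "Read all user
# information" and "Read all inetOrgPerson information", then verify them.
# Assumed names: CONTOSO\svc-custodian-sync (hypothetical) and the local domain.
# Run in an elevated PowerShell session as a Domain Admin.

Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-custodian-sync'
$DomainDN    = (Get-ADRootDSE).defaultNamingContext

# "Read all <class> information" = Generic Read (GR) inherited onto descendant
# objects of that class. /I:S applies the ACE to subobjects only, so nothing
# changes on the domain object itself.
foreach ($Class in 'user', 'inetOrgPerson') {
    $Output = & dsacls.exe $DomainDN /I:S /G "${SyncAccount}:GR;;$Class" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for class ${Class}:`n$($Output -join "`n")"
    }
}

# Check 1: the two ACEs exist and are scoped to the intended classes. The ACE's
# InheritedObjectType is the class's schemaIDGUID, so resolve those GUIDs to
# lDAPDisplayName via the schema partition instead of reading raw GUIDs.
$SchemaDN  = (Get-ADRootDSE).schemaNamingContext
$ClassName = @{}
Get-ADObject -SearchBase $SchemaDN `
             -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=inetOrgPerson))' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $ClassName[[guid]::new([byte[]]$_.schemaIDGUID)] = $_.lDAPDisplayName }

(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $SyncAccount } |
    ForEach-Object {
        [pscustomobject]@{
            Rights         = $_.ActiveDirectoryRights   # expected: GenericRead
            Inheritance    = $_.InheritanceType         # expected: Descendents
            AppliesToClass = $ClassName[$_.InheritedObjectType]
        }
    }

# Check 2: the synchronization needs attribute reads, not just object visibility.
# Run this part as the synchronization account (for example
# runas /user:CONTOSO\svc-custodian-sync powershell.exe) and confirm that
# displayName and mail come back populated rather than blank.
Get-ADUser -Filter 'enabled -eq $true' -Properties mail, displayName -ResultSetSize 5 |
    Select-Object SamAccountName, displayName, mail
```

Check 2 is only discriminating in domains where the default read access for Authenticated Users has been restricted; in a default domain most user attributes are readable by any authenticated account, so the delegation above mainly matters for hardened domains, for a synchronization account from another domain, and for attributes that are not in the default readable property sets.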

Giving the Custodian Manager synchronization account access to the Deleted Objects container

The Custodian Manager synchronization account must also have List Content and Read Property permissions on the Deleted Objects container in Active Directory. Without these permissions, it is not possible to deactivate any custodians and custodian groups whose Active Directory details have been moved to the Deleted Objects container.

The following article on the Microsoft website provides detailed instructions on how to view and set permissions on the Deleted Objects container:

http://technet.microsoft.com/en-us/library/cc816824(WS.10).aspx

Note:

The procedure below uses the /takeownership switch of the dsacls command-line utility. Older versions of dsacls do not support this switch, so use the version shipped with a current Windows Server or RSAT installation.

In brief, the procedure is as described below.

To give the Custodian Manager synchronization account access to the Deleted Objects container

  1. Open a Command Prompt window with administrator privileges, logged on with an account that is a member of Domain Admins.

  2. Take ownership of the Deleted Objects container by running the dsacls command-line utility, as follows:

    dsacls deleted_objects_dn /takeownership

    where the parameters are as follows:

    deleted_objects_dn

    The distinguished name of the Deleted Objects container.

    /takeownership

    Take ownership of the Deleted Objects container.

    For example:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership

  3. Grant the List Content and Read Property permissions to the user account under which Custodian Manager synchronizes custodians and custodian groups, as follows:

    dsacls deleted_objects_dn /G user_or_group:permissions

    where the parameters are as follows:

    deleted_objects_dn

    The distinguished name of the Deleted Objects container.

    user_or_group

    The user or group to whom the permissions apply.

    permissions

    The permissions to grant, as dsacls two-letter codes written together. For List Contents (LC) and Read Property (RP), specify LCRP. Do not grant more than this; the synchronization account only needs to read tombstones, never to modify or restore them.

    For example:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\VaultAdmin:LCRP
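The whole procedure, with the Deleted Objects DN derived from the domain rather than typed by hand and with a check that the grant actually lets the account see tombstones, as an added PowerShell example that is not part of the original article or of the Symantec product. It reuses the article's example account CONTOSO\VaultAdmin and assumes a domain controller or RSAT host with dsacls.exe and the ActiveDirectory module.

```powershell
# Added example, not from the original article: take ownership of the Deleted
# Objects container, grant the synchronization account List Contents + Read
# Property (LCRP) on it, and verify the grant by reading tombstones.
# Assumed names: CONTOSO\VaultAdmin (the article's example) and the local domain.
# Run in an elevated PowerShell session as a member of Domain Admins.

Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\VaultAdmin'
$DomainDN    = (Get-ADRootDSE).defaultNamingContext
$DeletedDN   = "CN=Deleted Objects,$DomainDN"   # e.g. CN=Deleted Objects,DC=Contoso,DC=com

# Step 2 and step 3 of the procedure. The container's default ACL does not let
# Domain Admins edit it, which is why ownership has to be taken first.
$Steps = @(
    @($DeletedDN, '/takeownership'),             # step 2: take ownership
    @($DeletedDN, '/G', "${SyncAccount}:LCRP")   # step 3: LC + RP only, nothing else
)
foreach ($DsaclsArgs in $Steps) {
    $Output = & dsacls.exe @DsaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($DsaclsArgs -join ' ') failed:`n$($Output -join "`n")"
    }
}

# Check 1: the ACE is present. dsacls with only a DN prints the current ACL;
# the line for the account should list LIST CONTENTS and READ PROPERTY only.
& dsacls.exe $DeletedDN 2>&1 |
    Where-Object { $_ -match [regex]::Escape($SyncAccount) }

# Check 2: tombstones are now readable. Run this part as the synchronization
# account (for example runas /user:CONTOSO\VaultAdmin powershell.exe). Without
# LCRP on Deleted Objects the tombstones are not returned, which is exactly why
# Custodian Manager could not deactivate the corresponding custodians.
Get-ADObject -SearchBase $DeletedDN -Filter 'isDeleted -eq $true' `
             -IncludeDeletedObjects `
             -Properties lastKnownParent, whenChanged -ResultSetSize 10 |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged
```

Two points worth keeping in mind. First, LCRP on Deleted Objects lets the account read the retained attributes of every tombstoned object in the domain (names, SIDs, last known parent, and more if the Active Directory Recycle Bin is enabled), so the synchronization account should be a dedicated, least-privilege service account whose credentials are protected like any other service account, not a Domain Admin. Second, the grant is tied to the account: if you later nominate a different synchronization account for the domain, repeat step 3 for the new account.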

See Specifying the user account under which to synchronize custodians


Legacy ID



v54993581_v41328188
