On the SEP Manager that we are installing now, we would like a set of client groups to be synchronized with our Active Directory domain. To configure this synchronization, I will need to supply a user name and password, and we will have to create a service account for this purpose.
For obvious reasons, we would like to create an account that has the permissions needed to synchronize successfully, and no other permissions. Can somebody tell me what this set of permissions would be? Does the synchronization need to write or change anything on the AD server?
I've run the synchronization successfully with a domain administrator username, but I'd like to avoid doing that in production, if possible.