What are the minimum Active Directory permissions required to run the CMN Directory Connector?
For CMN version 3.4 and later:
The CMN Active Directory service account no longer requires membership in the Exchange Organization Management group. A "Domain User" account with "Full Control" of the target Active Directory Organizational Unit should be sufficient for most environments.
The account must be able to read the AD schema (read rights on the AD Configuration partition). It also needs permission to list the synchronized objects in the synchronization scope and to read the attributes used in mapping rules, scope filters, workflow step criteria, attribute synchronization rules, etc., plus the objectGuid, distinguishedName, objectClass and objectCategory attributes.
To modify object attributes, the account must have rights to modify those attributes. To create (provision) objects, it needs rights to create the specified object types in the specified container. To delete objects, it needs rights to delete the required objects.
Specifically, the following rights are required to the target Active Directory Organizational Unit:
* Read all properties (This object and all descendant objects)
* Write all properties (This object and all descendant objects)
* Delete subtree (This object and all descendant objects)
* Create Contact objects (This object only)
* Delete Contact objects (This object only)
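As an added example (not part of this article or the CMN product), the following PowerShell grants exactly the five rights listed above to the service account on the target OU, scoped as the article states, rather than granting Full Control. The account name and OU distinguished name are assumptions; the contact class GUID is read from the schema instead of being hard-coded.

```powershell
# Added example, not CMN's own code. Assumed values: service account sAMAccountName and target OU DN.
Import-Module ActiveDirectory

$svcAccount = 'svc-cmn'                               # assumption: CMN AD service account
$targetOU   = 'OU=Notes Contacts,DC=contoso,DC=com'   # assumption: target OU for the connector
$adPath     = "AD:\$targetOU"

# Resolve the account to its SID and the 'contact' class to its schemaIDGUID
$identity    = (Get-ADUser -Identity $svcAccount).SID
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$contactGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=contact)' `
                                   -Properties schemaIDGUID).schemaIDGUID

$rights     = [System.DirectoryServices.ActiveDirectoryRights]
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this object and all descendants
$thisOnly   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None  # this object only

$rules = @(
    # Read all properties / Write all properties / Delete subtree: this object and all descendant objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::ReadProperty,  $allow, $inheritAll)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::WriteProperty, $allow, $inheritAll)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::DeleteTree,    $allow, $inheritAll)
    # Create / Delete Contact objects: this object only, limited to the contact class
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::CreateChild, $allow, $contactGuid, $thisOnly)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::DeleteChild, $allow, $contactGuid, $thisOnly)
)

$acl = Get-Acl -Path $adPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $adPath -AclObject $acl

# Verify: show the ACEs the service account now holds on the OU
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$svcAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

Run it as an account allowed to modify the OU's ACL; the schema/Configuration read mentioned earlier is normally already available to Authenticated Users by default, so it is not granted here.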
For CMN version 3.3 and earlier:
1. Make this user a member of Exchange View-Only Administrators (if on Exchange 2007 or earlier) or Organization Management (if on Exchange 2010).
2. Add the user to the ACL for the domain.
3. Give the user "Create/Delete All Child Objects" object permissions.
4. No other permissions are required except those granted by selecting "Create/Delete All Child Objects". This will need to be applied onto "This object and all child objects".