Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Creating a Special Active Directory User for Identity Synchronization for Windows

Example Bank creates a special user that Identity Synchronization for Windows uses when connecting to Active Directory. This user is created in the cn=Users container in the domain. After the user is created, a minimum set of administration rights is assigned to this user.

Note –

Identity Synchronization for Windows automatically creates a similar user with limited privileges in Directory Server. This user is created as the uid=PSWConnector,<synchronized suffix> user.

Procedure: To Assign Administration Rights to the Special User

  1. In the Tree pane of the Active Directory Users and Computers window, right-click the container icon.

  2. From the All Tasks menu, choose Delegate Control.

    The Delegation of Control Wizard is displayed.

  3. In the Selected User and Groups list, select the special user and click Next.

  4. In the Tasks to Delegate window, select Create a Custom Task to Delegate, and click Next.

  5. In the Only the Following Objects in the Folder section, select User Objects.

    Identity Synchronization for Windows manages only User objects, so it is sufficient to delegate control of these objects.

  6. In the Show These Permissions list of the Permissions window, select these options:

    • General

    • Property-Specific

    • Full Control

      Because Example Bank requires the synchronization of users from Directory Server to Active Directory, the special user is given full control of user objects in the domain.

    Note –

    If you specify a user with default Active Directory permissions, some operations will succeed, for example, an idsync resync operation from Active Directory to Directory Server. Other operations, such as detecting and applying changes in Active Directory, can fail abruptly.

    If Example Bank is synchronizing the deletions from Active Directory to Directory Server, even Full Control is insufficient. You must use a Domain Administrator account to detect account deletions in Active Directory.
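The same delegation can be applied and then audited from PowerShell, which makes it easy to confirm that the special user received Full Control over user objects only and nothing broader. This is an added example, not code from the Sun guide; the domain example.com, the NetBIOS name EXAMPLE and the account name idsync are placeholders, and the ActiveDirectory module (which provides the AD: drive) is assumed to be installed.

```powershell
# Added example (not from the Sun guide): delegate Full Control over User
# objects in CN=Users to the special Identity Synchronization user, then
# audit the resulting ACEs. Domain/account names below are placeholders.
Import-Module ActiveDirectory

$Container = "AD:\CN=Users,DC=example,DC=com"
$Account   = New-Object System.Security.Principal.NTAccount("EXAMPLE", "idsync")
# schemaIDGUID of the "user" object class (fixed value in the AD schema)
$UserClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$acl = Get-Acl -Path $Container

# GenericAll (Full Control) limited to descendant objects of class "user",
# matching the "User Objects" selection made in the Delegation of Control Wizard.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Account,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass
)
$acl.AddAccessRule($rule)
Set-Acl -Path $Container -AclObject $acl

# Audit: list every ACE on the container that names the special user.
# An ACE without the user-class InheritedObjectType, or with Full Control on
# the container itself, means more was delegated than the procedure calls for.
(Get-Acl -Path $Container).Access |
    Where-Object { $_.IdentityReference.Value -eq "EXAMPLE\idsync" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run the audit part on its own after using the wizard to check that the GUI delegation produced the same single, object-class-scoped ACE.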