Active Directory Service Account Credentials
For the Clever IDM Enterprise system to successfully manage accounts in Active Directory, a service account credential is required. We recommend creating a dedicated, secured account within Active Directory and placing it in the Organizational Unit where other service accounts are stored. This account should have permissions to do the following, at a minimum:
Manage User Accounts
Change Passwords
Move Accounts between Organizational Units
Enable and Disable Accounts
Delete Accounts
Rename Accounts
Create Groups
Manage Group Membership
Assign Group Owners
Delete Groups
Rename Groups
If password synchronization from Active Directory back to Clever IDM Enterprise is selected, the password filter must be installed in order to capture password change events. Additionally, the service account must be able to detect replication changes to accounts (that is, changes to attribute values); this right is the DS-Replication-Get-Changes extended right, granted at the root of the partition. This directory right is not typically granted to Account Managers, and may need to be added to the service account manually, as indicated in this technical article from Microsoft.
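The following PowerShell script is an added example, not part of Clever's documentation or the Clever IDM Enterprise product, showing one way to create the service account and delegate the rights listed above with the ActiveDirectory module. The account name (svc-cleveridm), the service-account OU, and the managed OU are assumed placeholders, and the mapping of each listed permission onto concrete AD access-control entries is the author's own; confirm the exact rights against the vendor's guidance for your deployment. Schema and extended-right GUIDs are resolved from the forest at run time rather than hard-coded.

```powershell
# Added example (not Clever's code). Assumed names: service account "svc-cleveridm",
# its OU "OU=Service Accounts,DC=example,DC=com", and the OU that IDM will manage,
# "OU=Managed Users,DC=example,DC=com". Run once as a domain administrator;
# requires the ActiveDirectory module (RSAT) and PowerShell 5 or later.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-cleveridm'                          # assumed placeholder
$ServiceOU      = 'OU=Service Accounts,DC=example,DC=com'  # assumed placeholder
$TargetOU       = 'OU=Managed Users,DC=example,DC=com'     # assumed placeholder
$RootDSE        = Get-ADRootDSE
$DomainDN       = (Get-ADDomain).DistinguishedName

# Resolve schema class GUIDs and extended-right GUIDs from the directory itself.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# 1. Create the dedicated account in the OU that holds other service accounts.
$password = Read-Host -AsSecureString "Initial password for $ServiceAccount"
New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount -Path $ServiceOU `
    -AccountPassword $password -Enabled $true
$sid = (Get-ADUser $ServiceAccount).SID

# 2. Delegate the listed rights on the managed OU only, not on the whole domain.
$AR    = [System.DirectoryServices.ActiveDirectoryAccessRule]
$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'

$rules = @(
    # Create, delete and move users/groups (a move = delete in source OU + create in target OU).
    $AR::new($sid, ($ADR::CreateChild -bor $ADR::DeleteChild), $Allow, $userClass,  $Inh::All),
    $AR::new($sid, ($ADR::CreateChild -bor $ADR::DeleteChild), $Allow, $groupClass, $Inh::All),
    # Manage, rename, enable/disable and delete users: write all attributes
    # (userAccountControl, the RDN, ...) plus Delete on descendant user objects.
    $AR::new($sid, ($ADR::GenericWrite -bor $ADR::Delete), $Allow, $Inh::Descendents, $userClass),
    # Change passwords: the "Reset Password" extended right on descendant user objects.
    $AR::new($sid, $ADR::ExtendedRight, $Allow, $resetPwd, $Inh::Descendents, $userClass),
    # Manage membership (member), owners (managedBy), rename and delete groups.
    $AR::new($sid, ($ADR::GenericWrite -bor $ADR::Delete), $Allow, $Inh::Descendents, $groupClass)
)
$acl = Get-Acl -Path "AD:\$TargetOU"
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 3. Change detection for password synchronization: DS-Replication-Get-Changes
#    ("Replicating Directory Changes") at the root of the domain partition, non-inherited.
$getChanges = Get-ExtendedRightGuid 'Replicating Directory Changes'
$rootAcl = Get-Acl -Path "AD:\$DomainDN"
$rootAcl.AddAccessRule($AR::new($sid, $ADR::ExtendedRight, $Allow, $getChanges, $Inh::None))
Set-Acl -Path "AD:\$DomainDN" -AclObject $rootAcl

# 4. Review what the account now holds at the partition root, and flag the one right
#    it must NOT have: "Replicating Directory Changes All" is not needed for change
#    detection and would let the account replicate secret attributes.
$getChangesAll = Get-ExtendedRightGuid 'Replicating Directory Changes All'
$aces = (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
if ($aces.ObjectType -contains $getChangesAll) {
    Write-Warning "$ServiceAccount holds Replicating Directory Changes All; remove it."
}
$aces | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType | Format-Table
```

GenericWrite on descendant user and group objects is a convenient superset of the attribute writes the list above implies; a tighter deployment can replace it with WriteProperty entries for the specific attributes (userAccountControl, member, managedBy, the RDN) once the product's exact needs are confirmed. Keeping the replication right scoped to DS-Replication-Get-Changes alone, with the audit in step 4 repeated periodically, is the part most worth checking, since the other rights are confined to the managed OU.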