Although a domain service account no longer has to be created by hand since ADC 4.3.0, we recommend keeping a dedicated account for domain management and granting it only the permissions the service needs to run, and nothing else. This limits the damage if the connector's credentials are ever exposed: a compromised service account cannot be used to reach any other high-privilege administrative account, and the attacker gets exactly the rights listed below rather than domain-wide access.
Prerequisites
Before beginning this process, install OneLogin's Active Directory Connector (ADC) on a member server, running under a domain service account. Do not run the Active Directory Connector with an account that the connector itself manages (provisions, locks or disables): the connector could otherwise disable or lock out its own logon.
The OneLogin Active Directory Connector must be installed on Windows Server 2012 R2 or later. As of April 3rd, 2024, no earlier versions of Windows Server are supported for the OneLogin ADC.
- Create a new user in Active Directory and give it a descriptive name, e.g. OneLoginService. Do not add it to Domain Admins or any other privileged domain group; the steps below grant everything it needs.
- On the member server, open Computer Management and go to Groups in the console tree.
- Select the local Administrators group, then click Add to Group.
- In the Select Users, Computers, or Groups dialog that appears, add your newly created user to the machine's local Administrators group. This is local to the member server only; it grants no rights in the domain.
- Go to Active Directory Users and Computers. Right-click the domain and select Delegate Control to launch the Delegation of Control Wizard.
- Add your new domain service account to the Users or Groups list and select Create a custom task to delegate.
- Delegate control of Only the following objects in the folder: User objects. Scoping the delegation to User objects keeps the account from reading or modifying computers, groups or organizational units.
- Configure the permissions you want to delegate. At minimum, enable the permissions listed below. Grant Read on any additional attributes you want to import into OneLogin, and Write on any attributes OneLogin should provision into Active Directory; grant nothing beyond what your domain management actually requires.
  - Change Password
  - Reset password
  - Read lockout time
  - Write lockout time
  - Read Display Name
  - Read E-Mail Address(Others)
  - Read Logon Name
  - Read Logon Name (pre-Windows 2000)
  - Read Member Of
  - Read Middle Name
  - Read Name
  - Read objectSid
  - Read userAccountControl
  - Write userAccountControl
- If an ADC service is already running, stop it, change the service's Log On account to the new domain service account, and start it again.
- To give the domain service account permission to view deleted users, install Active Directory Lightweight Directory Services as a role (this provides dsacls.exe), then open an elevated PowerShell or command prompt as a domain administrator and run the following, replacing your_base_DN with your domain's distinguished name (for example DC=example,DC=com) and your-domain\service-user with the new account:
dsacls "CN=Deleted Objects,your_base_DN" /takeownership
dsacls "CN=Deleted Objects,your_base_DN" /G your-domain\service-user:GR
The first command makes the account that runs it the owner of the Deleted Objects container, so run it from an administrative account you control. The second grants generic read (GR) on the whole container, which exposes every tombstoned object in the domain, not only deleted users; treat that as part of the service account's permission footprint when you review it.
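The whole procedure above, scripted end to end in PowerShell so that it can be repeated and reviewed. This is an added example and not OneLogin's code: it creates the account, adds it to the member server's local Administrators group, writes the delegation ACEs on the domain root scoped to descendant User objects, repoints the ADC service, runs the same two dsacls commands, and finally verifies that the account has exactly the expected ACEs and no privileged group membership. The server name ADC01, the service name OneLoginADC, the Get-SchemaGuid/Get-ExtendedRightGuid/Add-Ace/Test-ServiceAccountScope helpers, and the mapping from the wizard's friendly attribute names to lDAPDisplayName values are all assumptions; replace the placeholders and verify the attribute mapping against your forest's display specifiers.

```powershell
# Added example (not OneLogin's code). Run from a domain-joined admin host, as an account that can
# create users and edit the domain root ACL (e.g. a Domain Admin). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SvcName        = 'OneLoginService'   # descriptive name, as in the procedure
$AdcServer      = 'ADC01'             # ASSUMPTION: member server where the ADC is installed
$AdcServiceName = 'OneLoginADC'       # ASSUMPTION: replace with the name Get-Service shows on $AdcServer

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$RootDSE  = Get-ADRootDSE
$Member   = "$($Domain.NetBIOSName)\$SvcName"

# 1. Create the account with a random 256-bit password; nobody needs to know it, only the SCM does.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPassword = [Convert]::ToBase64String($bytes)
New-ADUser -Name $SvcName -SamAccountName $SvcName -UserPrincipalName "$SvcName@$($Domain.DNSRoot)" `
    -AccountPassword (ConvertTo-SecureString $PlainPassword -AsPlainText -Force) -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -KerberosEncryptionType AES128,AES256 `
    -Description 'OneLogin ADC service account'   # created in the default Users container
$Sid = (Get-ADUser $SvcName).SID

# 2. Local Administrators on the member server only; never a domain-wide admin group.
Invoke-Command -ComputerName $AdcServer -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member $using:Member
}

# 3. Delegation on the domain root, inherited by User objects only. GUIDs are resolved from the
#    schema and Extended-Rights containers at run time instead of being hard-coded.
function Get-SchemaGuid([string]$LdapDisplayName) {
    [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID).schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}
# ASSUMPTION: wizard friendly name -> lDAPDisplayName, taken from the ADUC user display specifier.
$ReadAttributes = @{
    'Display Name' = 'displayName';       'E-Mail Address (Others)' = 'otherMailbox'
    'Logon Name'   = 'userPrincipalName'; 'Logon Name (pre-Windows 2000)' = 'sAMAccountName'
    'Member Of'    = 'memberOf';          'Middle Name' = 'initials'; 'Name' = 'name'
    'lockout time' = 'lockoutTime';       'objectSid' = 'objectSid'; 'userAccountControl' = 'userAccountControl'
}
$WriteAttributes = 'lockoutTime', 'userAccountControl'
$UserClass = Get-SchemaGuid 'user'
$Inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$AclPath   = "AD:\$DomainDN"
$Acl       = Get-Acl -Path $AclPath

function Add-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType) {
    # Allow ACE for $Sid on one attribute/right, applied only to descendant objects of class user
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, $Allow, $ObjectType, $Inherit, $UserClass)))
}
foreach ($r in 'Change Password', 'Reset Password') { Add-Ace ExtendedRight (Get-ExtendedRightGuid $r) }
foreach ($a in $ReadAttributes.Values)               { Add-Ace ReadProperty  (Get-SchemaGuid $a) }
foreach ($a in $WriteAttributes)                     { Add-Ace WriteProperty (Get-SchemaGuid $a) }
Set-Acl -Path $AclPath -AclObject $Acl

# 4. Repoint the ADC service at the new account and restart it. Changing the logon this way does not
#    grant "Log on as a service" the way services.msc does; confirm SeServiceLogonRight via secpol/GPO.
Invoke-Command -ComputerName $AdcServer -ScriptBlock {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$using:AdcServiceName'"
    Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $using:Member; StartPassword = $using:PlainPassword } | Out-Null
    Restart-Service -Name $using:AdcServiceName
}

# 5. Deleted Objects, exactly as in the procedure (dsacls.exe comes with the AD LDS role / RSAT).
dsacls "CN=Deleted Objects,$DomainDN" /takeownership | Out-Null
dsacls "CN=Deleted Objects,$DomainDN" /G "${Member}:GR" | Out-Null

# 6. Verify the footprint: 14 ACEs (2 rights + 10 reads + 2 writes), all scoped to User objects,
#    and no membership in any privileged group.
function Test-ServiceAccountScope {
    $aces = @((Get-Acl -Path $AclPath).Access | Where-Object { $_.IdentityReference.Value -eq $Member })
    $priv = @(Get-ADPrincipalGroupMembership $SvcName | Where-Object {
        $_.Name -in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators' })
    [pscustomobject]@{
        AceCount           = $aces.Count                                                     # expect 14
        AllScopedToUsers   = -not ($aces | Where-Object { $_.InheritedObjectType -ne $UserClass })  # expect True
        InPrivilegedGroups = $priv.Count -gt 0                                               # must be False
    }
}
Test-ServiceAccountScope
```

Run Test-ServiceAccountScope again after any later change to the delegation; an AceCount that has grown, or InPrivilegedGroups turning True, is the signal that someone widened the service account beyond what this page requires. The password is held only in $PlainPassword for the duration of the script and handed to the Service Control Manager; rotate it later with Set-ADAccountPassword followed by the same Win32_Service Change call.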