• State Not Answered
  • Replies 2 replies
  • Subscribers 63 subscribers
  • Views 3464 views
  • Users 0 members are here
Options
Related

What quest service accounts need domain admin access?

Gregory.aaron1
over 5 years ago

Hello all,

I am trying to figure out which Quest service account need domain admin access.

We have:

Active roles

change auditor

Enterprise reporter

RMAD

GPOAdmin

each one has their own service account. the only one we know that does not need domain admin access is RMAD

Is there a way to provision ARS to not need domain admin access.

Thank you.

  • 0 over 4 years ago

    The only account with DA permission in our environment is Migration Manager and Password Manager. Others like Active Roles/Change Auditor/RMAD do not have DA access.

  • 0 over 4 years ago

    Please consider few points:

    #1. ARS, RMAD, EReporter  might and recommended to have few service accounts (svc1 - runs the app, svc2 - accesses AD)

    #2. all service accounts accessing AD might be granted granular rights without DA.

    #3. in very common scenario, the following accounts might be Domain Admins (or Domain\built-in Administrators): svc-ars-proxy, svc-ca-install-agent, svc-ereporter-proxy, svc-rmad-install-agent, svc-gpoadmin-proxy.

    I would recommend to contact PSO, in case you need to line up a story with your service accounts.