Active Directory Orchestration Service Account permissions

Michael Bachme1
Kilo Guru

What permissions need to be granted to the service account to create/modify OUs and Users?


robpickering
ServiceNow Employee

At my former company we tried to create a service account that was limited just to the necessary permissions. It ends up being a trial-and-error exercise, because you may end up Orchestrating different activities, and those will fail because you haven't granted additional permissions beyond just object creation and deletion.

We ended up making the service account used for Orchestration a Domain Admin. There is certainly a way to make it less privileged depending on your purposes, but there is no clear documentation as every installation and usage would be different.

-Rob


Hi Rob,

We here are in the same situation as you were a few years ago (trying to get an AD service account running with relevant credentials for Orchestration tasks).
We'd rather not end up with an admin account as stated.

Did you get any accurate information since that time? I can't imagine there's no solution since this issue was raised.

Daniel

Hi Daniel,

Did you end up with a solution for this? We are trying to get Integration Hub running with the AD Spoke but we are running into issues. The documentation is extremely unclear as to the AD permissions needed, and we do not want to grant Domain Admin, understandably.

Thanks,

Steve
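
As an added example (not from any poster in this thread and not ServiceNow's documented requirement), this is one way to delegate create/modify rights for users and OUs on a single OU subtree with the built-in `dsacls` tool instead of granting Domain Admin. The OU path, account name and the exact set of grants are assumptions; which rights your activities need still has to be confirmed by testing.

```powershell
# Assumed placeholder values (hypothetical); replace with your own.
$TargetOU = 'OU=Orchestration,DC=example,DC=com'   # OU subtree the workflows manage
$Account  = 'EXAMPLE\svc-orchestration'            # dedicated, non-admin service account

# Each entry: inheritance flag, permission string, and why it is granted.
#   /I:T = this object and its sub-objects, /I:S = sub-objects only
#   CC/DC = create/delete child, GA = full control, RP/WP = read/write property
$Grants = @(
    @{ Inherit = 'T'; Perm = 'CCDC;user';                Why = 'create/delete user objects' },
    @{ Inherit = 'T'; Perm = 'CCDC;organizationalUnit';  Why = 'create/delete child OUs' },
    @{ Inherit = 'S'; Perm = 'GA;;user';                 Why = 'manage descendant user objects' },
    @{ Inherit = 'S'; Perm = 'RPWP;;organizationalUnit'; Why = 'edit properties of descendant OUs' }
)

foreach ($g in $Grants) {
    Write-Host "Granting: $($g.Why)"
    # ${Account} is braced so PowerShell does not parse "$Account:" as a drive/scope prefix.
    dsacls $TargetOU "/I:$($g.Inherit)" /G "${Account}:$($g.Perm)"
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while granting '$($g.Perm)' on $TargetOU"
    }
}

# Review the resulting ACL entries for the service account before going live.
dsacls $TargetOU | Select-String -SimpleMatch $Account
```

Run it from an account allowed to change permissions on the target OU. Because the grants are scoped to one subtree, an activity that touches objects elsewhere will still fail with access denied, which shows where a further, equally narrow grant is needed.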