Active Directory Permissions
It is strongly recommended that the Activate Orchestrator account is a member of the "Domain Admins" group for the Active Directories that Activate will be managing. The reason for this is that the Activate Orchestrator account will touch many different parts of the Microsoft infrastructure, such as:

- Active Directory: multiple types of objects across multiple organizational units, including user objects and their attributes, security groups, distribution groups and organizational units, plus read access to all domain objects
- Microsoft Exchange
- Microsoft NTFS file systems across multiple servers: home and profile drives as well as shared data areas (these could be both server shares and DFS shares)
- Filers and filer servers for shared data
- System Centre Configuration Manager (SCCM & MECM)
- Office 365 and Azure
- Other provisioning systems

For more detailed information about Active Directory permissions issues, please refer to the table 'Activate Orchestrator Account Permissions Options' below. This section also covers the permissions you require for the Password Manager module.

Activate Orchestrator Account Permissions Options

[Table 'Activate Orchestrator Account Permissions Options' was not captured in this copy of the page.]

The above is only a guide, as the exact delegated rights that the Orchestrator service account will need depend on the Activate modules being deployed and the specific way a customer's environment has been configured, and can only be determined when testing the required modules.

Note: to reduce the complexity of implementing Activate within your organisation, it is strongly recommended that the Activate Orchestrator account be a member of the Domain Admins group. Activate is not responsible for debugging permissions issues if the Activate Orchestrator account is not a member of the Domain Admins group for each Active Directory you want Activate to manage.

Activate Web Service AD Account

The Activate web portal must run under a domain account. This can be the same service account that is used to run the Activate Orchestrator (above), or alternatively you may wish to create a separate Activate Web Service account in Active Directory. If this is the case, create a separate AD account (with the appropriate rights) to easily demark it from the Activate Orchestrator account, e.g. svcActivateWeb.

There are certain actions that result in an email notification being sent to an end user. If these actions do not require Activate to execute a workflow, then the email notification is sent directly from the web site rather than requiring the Orchestrator service to do this. These actions include:

- Request more info, as part of the approval process
- Responding to a more info request, as part of the approval process
- Forwarding a request for approval

The following specific rights need to be assigned for the Activate Web Service AD account before the installation:

- Local Administrator on the Activate server: local administrator rights on the Activate web server.
- Send As rights on the Orchestrator service account: on the Active Directory account that will be used for the Orchestrator service account (above), grant the 'Send As' permission to the Web Service account so the Web Service account can send emails on behalf of the Orchestrator service account.

The following specific rights for the Activate Web Service AD account will be granted automatically during the installation:

- Microsoft SQL Server: the Activate Web Service AD account requires connection rights to the SQL Server hosting the Activate DB. The Activate Web Service AD account will be added to the Activate Administrator SQL database role on the Activate database.
- Internet Information Services (IIS): the Activate Web Service AD account must be a member of the IIS_WPG or the IIS_IUSRS local group on the Activate web server, depending on the operating system version. On some servers this cannot be done automatically as part of the installation process, so you may have to add the Activate Web Service AD account to the local IIS group manually.
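The following pre-installation check is an added example and is not part of the Activate product or its documentation. It reports, from the Activate web server, whether the Web Service account already holds the rights listed above (local Administrators membership, IIS_IUSRS or IIS_WPG membership, and an explicit 'Send As' entry on the Orchestrator account's AD object). It only reads and reports; it grants nothing. The account names svcActivateWeb and svcActivateOrch and the domain CORP are assumed placeholders, and the script assumes the ActiveDirectory RSAT module is installed on the web server.

```powershell
# Added pre-installation check; not Activate's own script. Run on the Activate web server.
# Assumed placeholders: account names and NetBIOS domain below belong to your environment.
# Requires the ActiveDirectory module (RSAT) and Windows PowerShell 5.1 or later.
param(
    [string]$WebServiceAccount   = 'svcActivateWeb',   # assumed sAMAccountName of the Web Service account
    [string]$OrchestratorAccount = 'svcActivateOrch',  # assumed sAMAccountName of the Orchestrator account
    [string]$Domain              = 'CORP'              # assumed NetBIOS domain name
)

Import-Module ActiveDirectory -ErrorAction Stop

$principal = "$Domain\$WebServiceAccount"
$results   = New-Object System.Collections.Generic.List[object]

function Test-LocalGroupContains {
    param([string]$Group, [string]$Member)
    # Returns $false if the group does not exist (e.g. IIS_WPG on newer Windows versions).
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -eq $Member })
}

# 1. Local Administrator on the Activate web server (required before installation).
$results.Add([pscustomobject]@{
    Check  = "Member of local 'Administrators' on $env:COMPUTERNAME"
    Passed = Test-LocalGroupContains -Group 'Administrators' -Member $principal
})

# 2. IIS worker group membership: either IIS_IUSRS or IIS_WPG satisfies the requirement,
#    which group exists depends on the operating system version.
$iisOk = (Test-LocalGroupContains -Group 'IIS_IUSRS' -Member $principal) -or
         (Test-LocalGroupContains -Group 'IIS_WPG'   -Member $principal)
$results.Add([pscustomobject]@{
    Check  = "Member of local 'IIS_IUSRS' or 'IIS_WPG' on $env:COMPUTERNAME"
    Passed = $iisOk
})

# 3. Explicit 'Send As' allow entry for the Web Service account on the Orchestrator account.
#    Send-As is an AD extended right identified by a fixed control-access GUID.
$sendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$orch       = Get-ADUser -Identity $OrchestratorAccount -ErrorAction Stop
$acl        = Get-Acl -Path "AD:\$($orch.DistinguishedName)"
$sendAsAce  = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $sendAsGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    $_.IdentityReference.Value -eq $principal
}
$results.Add([pscustomobject]@{
    Check  = "'Send As' granted directly to $principal on $($orch.DistinguishedName)"
    Passed = [bool]$sendAsAce
})

# Report; a non-zero exit code lets this run as a gate in a deployment pipeline.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Passed }).Count
if ($failed -gt 0) {
    Write-Warning "$failed prerequisite check(s) failed; grant the missing rights before installing."
    exit 1
}
exit 0
```

The 'Send As' check looks only for an entry granted directly to the Web Service account; a right inherited through group membership or from a parent OU will not match and will show as failed, so treat a failure there as a prompt to inspect the ACL rather than proof the right is absent. The SQL role membership granted by the installer is deliberately not checked, since it does not exist until the installation has run.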