Active Directory Permissions
The Activate Orchestrator account must have the required permissions on all remote systems.

If you choose to use delegated permissions for the Activate job service account, you should account for an additional 40-80 hours for implementation due to the complexity in determining all the delegated permissions required across the entire infrastructure.

Challenges with delegated permissions

Although delegated permissions in Active Directory (AD) are easy to implement through the Delegation Wizard, this approach is not ideal for reporting or removing permissions. It is also very difficult to determine what permissions are missing when there is an error with an Activate job, as detail on the permission denied is not provided by .NET, meaning that additional time is spent on debugging the permissions issue.

Experience has shown that 70%-85% of issues with failed Activate jobs are related to permissions, and this will be dramatically reduced or eliminated by allowing the Activate Orchestrator account to have domain admin rights.

The following are potential issues if you choose to give the Activate Orchestrator account delegated permissions:

- AD tools: There are very few tools to debug permission issues and there is no wizard to remove the delegated permissions.
- Implementation time: Although the wizards to set up AD delegated permissions are easy to use, they do not cover granular settings such as securing extensionAttribute attributes in AD. The implementation effort and costs for deploying Activate are always increased significantly if delegated permissions are chosen.
- Debugging permission errors: .NET does not inform you what permissions are missing when you cannot make the change you require on the AD object. This means the support and project teams need to spend an increased amount of time determining what permission is missing.
- Support effort: Due to the nature of the .NET error messages, the support effort and cost are increased.
- User experience: As Activate jobs fail because of incorrect permissions, users lose confidence in the self-service system, stop using it, and start to call the service desk again. This means ROI is not obtained.

Example Activate task: Create User

The Create User task demonstrates the infrastructure scope needed for permissions:

- Create user in AD in the appropriate OU
- Update AD attributes (e.g., manager, department)
- Set password
- Create and configure mailbox (on-prem Exchange or Office 365)
- Create and secure home folder
- Update user with home folder path
- Configure Lync settings
- Configure Remote Desktop Services attributes
- Add to AD groups based on department and location
- Add to AD groups based on selected service items
- Add the user's computer to SCCM collections

Activate module overview for domain admin access

Insufficient permissions are a leading cause of Activate job failures. Domain admin access is the simplest way to reduce operational risks and support overhead.
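
For the reporting gap described under "Challenges with delegated permissions", one way to list what has been delegated to the account on a single OU is shown below. This is an added example, not part of the Activate product or its documentation. The OU distinguished name and account name are placeholders, and it assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example: report the ACEs granted directly to one account on an OU.
# Assumptions (placeholders, not from the page): $OuDn and $Account below.
Import-Module ActiveDirectory

$OuDn    = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$Account = 'EXAMPLE\svc-orchestrator'     # placeholder delegated account

# Build a GUID -> name map so ObjectType GUIDs in ACEs become readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
# Schema classes and attributes (schemaIDGUID is stored as a byte array).
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
# Extended rights and property sets (rightsGuid is stored as a string).
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AceGuid([guid]$Guid) {
    # Fall back to the raw GUID when the schema has no matching entry.
    if ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid.ToString() }
}

# Read the OU's DACL through the AD: drive and keep only the account's ACEs.
$report = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    ForEach-Object {
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            AppliesTo   = Resolve-AceGuid $_.ObjectType           # attribute, class or extended right
            ChildClass  = Resolve-AceGuid $_.InheritedObjectType  # object class that inherits the ACE
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    }

$report | Sort-Object Inherited, AppliesTo | Format-Table -AutoSize
# Keep a dated export so a later run can be compared when a job starts failing.
$report | Export-Csv -Path ".\delegation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

ACEs granted to a group the account belongs to are not matched by the filter; run the report again with the group name in `$Account` to cover those.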