
AD Connector – Service Account Permissions

The GrantFlow AD Connector executes directory operations using a dedicated service account that you control. This page defines the minimum permissions required for each capability and how to scope them safely.


Principles

  • Least privilege: delegate only what you need, precisely where you need it
  • Scoped access: target specific OUs, groups, or objects — avoid domain‑wide grants
  • Auditable: changes should be attributable to a non‑personal service account

Do not use Domain Admin

We strongly recommend that you do not use a Domain Admin (or equivalent) account for the connector.


Required permissions by use case

Read/Discovery

  • Read permissions on target OUs and attributes
  • Default Domain Users rights typically suffice for basic reads

Group membership management

  • Delegate "Modify Membership" on the specific security groups you will manage
  • Scope delegation to the target groups only (or to a dedicated Groups OU)

Protected groups and AdminSDHolder

Certain built‑in groups and privileged accounts (e.g., Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Backup Operators) are protected by AdminSDHolder and SDProp. To allow membership changes for these, assign the required permissions on the AdminSDHolder object's ACL so SDProp preserves them.

See Microsoft guidance: Protected accounts and groups in Active Directory.

Enable/Disable accounts

  • Delegate the "Enable/Disable Account" right on the OUs containing managed user objects
  • No Domain Admin membership is required

Password operations (optional)

  • Delegate "Reset password" on the OUs or specific users you intend to manage
  • Active Directory requires TLS for password changes — ensure LDAPS is enabled and DCs present valid certificates

TLS requirement for password changes

Password resets and changes must occur over LDAPS (TCP/636). Verify domain controller certificates and upload the root/intermediate CA to the connector as needed.


How to delegate (high level)

  1. In Active Directory Users and Computers, right‑click the target OU (or group), choose "Delegate Control…"
  2. Select the connector service account
  3. Add the specific tasks (e.g., "Reset user passwords", "Modify the membership of a group") or create a custom task to delegate granular rights
  4. Review and confirm

For AdminSDHolder scenarios, use ADSI Edit to adjust the ACL on CN=AdminSDHolder,CN=System,<domain DN> carefully and in accordance with your change control process.
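The same "Modify the membership of a group" delegation from the steps above, done as a scripted, reviewable change rather than through the wizard. This is an added example, not GrantFlow's own tooling; it assumes the RSAT ActiveDirectory module and uses placeholder names for the service account (svc-grantflow) and the managed group (GF-Managed-App-Users).

```powershell
# Added example (not part of the connector). Grants the connector service account
# WriteProperty on the 'member' attribute of ONE group, with no inheritance, then
# prints every ACE that account holds on the group so over-broad rights are visible.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-grantflow'          # placeholder: connector service account
$TargetGroup    = 'GF-Managed-App-Users'   # placeholder: group the connector manages

$sid   = (Get-ADUser -Identity $ServiceAccount).SID
$group = Get-ADGroup -Identity $TargetGroup
$path  = "AD:\$($group.DistinguishedName)"

# Resolve the schemaIDGUID of the 'member' attribute from the schema instead of hardcoding it
$rootDse    = Get-ADRootDSE
$memberGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID

# One ACE: Allow / WriteProperty / object type = member / this object only
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verification: anything other than WriteProperty on the 'member' GUID means the
# account has more than "Modify Membership" on this group and should be reviewed
$ntName = $sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $ntName } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

Run the verification block on its own after any wizard-based delegation as well; the wizard's "Modify the membership of a group" task should produce the same single WriteProperty ACE.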


Service account recommendations

  • Use a dedicated service account (regular user) with a strong, unique password
  • Consider a Group Managed Service Account (gMSA) if supported for automated password management
  • Deny interactive logon where appropriate; limit where the account can log on
  • Monitor audit logs and connector job history for changes executed by the service account