Grant Access to the Users' OU
-----------------------------

By default, all domain users have read access to user information in Active Directory.
We need to give this service account the additional permission to update AD user
and contact objects. This is accomplished by modifying specific ACLs in Active Directory.

In our example, all our users are in the Organizational Unit called ``FlexCorp Sites``.
This OU contains multiple sub-units, each of which can contain user and contact
objects. We will use the **Active Directory Users and Computers Management** console
to modify the ACL of the FlexCorp Sites Organizational Unit.

1. Navigate to **FlexCorp Sites** in the navigation pane.
#. Right-click **FlexCorp Sites** and choose **Properties** from the context menu.
#. Click the **Security** tab and click **Add...**.
#. Enter the name of your service account in the **Enter the object names to select**
   text box and click **OK**.
#. Select the **Write** check box and confirm that the **Read** check box is already
   selected in the **Allow** column.

   Organizational Unit Security Tab

   |MS-image022|

#. Click **Advanced** to open the **Advanced Security Settings for FlexCorp Sites**
   dialog.
#. Click the **Permissions** tab, then choose the **V4UC-Service** account and
   click **Edit**.

   Service Account Advanced Security Settings

   |MS-image023|


#. Choose the **This object and all descendant objects** option from the drop-down
   list in the **Applies to** column.
#. Click **OK** three times.

   Service Account Permission Entry

   |MS-image024|
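
To confirm the result of the steps above from PowerShell, the following added example (not part of the original guide) reads the OU's ACL and reports the explicit Allow entries for the service account. The domain DN ``DC=example,DC=com`` is a placeholder assumption, and the script assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Assumed values: replace the placeholder domain DN with your own.
$OuDn    = 'OU=FlexCorp Sites,DC=example,DC=com'   # placeholder domain DN
$Account = 'V4UC-Service'                          # service account used in the steps above

# Read the OU's DACL through the AD: provider.
$acl = Get-Acl -Path "AD:\$OuDn"

# Keep only explicit (non-inherited) Allow ACEs that belong to the service account.
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$Account" -and
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited
}

if (-not $aces) {
    Write-Warning "No explicit Allow ACE for $Account on $OuDn"
    return
}

$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$report = foreach ($ace in $aces) {
    [pscustomobject]@{
        Identity            = $ace.IdentityReference.Value
        Rights              = $ace.ActiveDirectoryRights
        # True when the ACE includes the right to write properties.
        HasWrite            = $ace.ActiveDirectoryRights.HasFlag($write)
        # 'All' corresponds to "This object and all descendant objects".
        CoversSubtree       = $ace.InheritanceType -eq 'All'
        # An all-zero GUID means the ACE is not limited to one property
        # or object class.
        ObjectType          = $ace.ObjectType
        InheritedObjectType = $ace.InheritedObjectType
    }
}

$report | Format-List
```

An entry with ``HasWrite`` and ``CoversSubtree`` both ``True`` matches the configuration described above; keep the output with your change records so later ACL reviews can tell this delegation apart from unexpected write access on the OU.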



.. |MS-image022| image:: images/MS-image022.png
.. |MS-image023| image:: images/MS-image023.png
.. |MS-image024| image:: images/MS-image024.png