Grant Access to the Users’ OU

By default, all domain users have read access to user information in Active Directory. We need to give this service account the additional permission to update AD user and contact objects. This is accomplished by modifying specific ACLs in Active Directory.

In our example, all our users are in the Organizational Unit called FlexCorp Sites. This OU contains multiple sub-units, each of which can contain user and contact objects. We will use the Active Directory Users and Computers management console to modify the ACL of the FlexCorp Sites Organizational Unit.

  1. Navigate to the FlexCorp Sites OU in the navigation pane.

  2. Right-click FlexCorp Sites and choose Properties from the context menu.

  3. Click the Security tab and click Add….

  4. Enter the name of your service account in the Enter the object names to select text box and click OK.

  5. In the Allow column, select the Write check box and confirm that the Read check box is already selected.

    Organizational Unit Security Tab


  6. Click Advanced to open the Advanced Security Settings for FlexCorp Sites dialog.

  7. Click the Permissions tab, then choose the V4UC-Service account and click Edit.

    Service Account Advanced Security Settings


  8. Choose the This object and all descendant objects option from the drop-down list in the Applies to column.

  9. Click OK three times.

    Service Account Permission Entry

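The same grant applied from PowerShell, as an added example that is not part of the original guide. It assumes the RSAT ActiveDirectory module is installed, and the domain components (DC=example,DC=com and the EXAMPLE\ NetBIOS prefix) are placeholders for your own domain; the ACE it writes combines steps 5 and 8 (Read + Write, applied to this object and all descendant objects) and the final query lets you confirm the scope of the grant before sign-off.

```powershell
# Added example (not from the original guide): grant V4UC-Service Read + Write on
# the FlexCorp Sites OU and all descendants, then list the resulting ACEs.
# Placeholders: replace DC=example,DC=com and EXAMPLE\ with your own domain.
Import-Module ActiveDirectory

$ouDn       = "OU=FlexCorp Sites,DC=example,DC=com"   # placeholder domain
$svcAccount = "EXAMPLE\V4UC-Service"                  # placeholder NetBIOS domain
$adPath     = "AD:\$ouDn"

# Resolve the account to its SID so the ACE is bound to the object, not a name.
$sid = (Get-ADUser -Identity ($svcAccount.Split('\')[1])).SID

# GenericRead + GenericWrite mirror the Read and Write check boxes on the Security tab.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
          [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

# 'All' corresponds to "This object and all descendant objects" in the Applies to column.
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $inheritance)

# Read the OU's current DACL, append the new ACE, and write it back.
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Verify: show only the ACEs held by the service account on this OU, with their
# inheritance type, so the scope of the grant can be reviewed.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $svcAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, IsInherited |
    Format-Table -AutoSize
```

The verification output should show exactly one non-inherited Allow entry for the account with InheritanceType All; any additional or broader entries indicate the ACL was already modified elsewhere and should be reviewed.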