FIM Active Directory Management Agent Permissions

Published on Wednesday, June 16, 2010 in

When configuring an Active Directory Management Agent (AD MA) in FIM, a service account has to be provided that will be used to connect to Active Directory and perform changes. Most guides suggest using “administrator”, or at least use it as their example.

However, if you want to use an account with limited (read: normal) privileges, it’s actually quite easy to set up. The account needs:

  • Create/Delete/Modify permissions on user objects in the OUs where FIM will maintain user objects.
  • The “Replicating Directory Changes” permission on the directory partition of the domain you’re connecting FIM to.

If you forget to configure this last option, the import will fail with the following error: failed-search replication access was denied. Error Code 8453


As a reference, the following KB article can be used: KB303972: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account

In the article two possible procedures are explained: using ADUC or ADSI Edit. If you want to perform this change from the command line, the following command can be used (the first argument is the distinguished name of the domain partition, the second the service account):

  • dsacls "dc=corp,dc=contoso,dc=com" /G "CORP\FIM_AD_Permisssions:CA;Replicating Directory Changes"
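To verify the result (and to see who else holds the right on the domain partition), the following PowerShell audit is an added example and not part of the original post; it assumes the ActiveDirectory module is installed, that the caller can read the domain partition’s security descriptor, and it uses the service account name from the post.

```powershell
# Added example (not from the original post): list the principals that hold the
# "Replicating Directory Changes" extended right on the domain naming context and
# check whether the AD MA service account is among them.
# Assumptions: ActiveDirectory module available; caller may read the domain NC's DACL.
Import-Module ActiveDirectory

# Well-known schema GUID of the DS-Replication-Get-Changes control access right,
# displayed as "Replicating Directory Changes" in ADUC and dsacls.
$ReplicatingDirectoryChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$domain   = Get-ADDomain
$expected = 'CORP\FIM_AD_Permisssions'   # service account name as used in the post

# Read the DACL of the domain partition, e.g. DC=corp,DC=contoso,DC=com.
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# Keep Allow ACEs that grant this control access right, either explicitly
# (ObjectType equals the right's GUID) or through a blanket ExtendedRight grant
# (an empty ObjectType GUID means "all extended rights").
$holders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $ReplicatingDirectoryChanges -or $_.ObjectType -eq [guid]::Empty)
}

# Show every holder so unexpected grants stand out during review.
$holders |
    Select-Object IdentityReference, ObjectType, IsInherited |
    Format-Table -AutoSize

$match = $holders | Where-Object { $_.IdentityReference.Value -eq $expected }
if ($match) {
    Write-Host "OK: $expected holds Replicating Directory Changes on $($domain.DistinguishedName)"
} else {
    Write-Warning "$expected does NOT hold Replicating Directory Changes; the AD MA import will fail with error 8453"
}
```

Run it after the dsacls command and again as part of periodic reviews, since the same right on the domain partition is sensitive and should only be held by accounts that genuinely need it.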

Also, do not forget to run an import with the AD MA first before trying to provision users with declarative provisioning from the portal. If you skip this step you will get the error: Object "CN=user,OU=containsusers,DC=corp,DC=contoso,DC=com" does not have a parent object in management agent "AD MA".

2 Responses to FIM Active Directory Management Agent Permissions

17 March, 2015 14:35

Your suggested method of using the command line doesn't work. Sure it's replicating directory changes?

08 June, 2015 23:31
