When configuring an Active Directory Management Agent (AD MA) in FIM, a service account has to be provided which will be used to connect to Active Directory and perform changes. Most guides kindly suggest using "administrator", or at least use it as an example.
However, if you want to use an account with limited (read: normal) privileges, it's actually quite easy to set up. The account needs:
- Create/Delete/Modify permissions for user objects in the OUs where FIM will maintain user objects.
- "Replicating Directory Changes" on the directory partition of the domain you're connecting FIM to.
If you forget to configure this last option, the AD MA import stops with the run status "failed-search" and the error "Replication access was denied. Error Code 8453".
As a reference the following KB article can be used: KB303972: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account
In the article two possible procedures are explained: using ADUC or ADSI Edit. If you want to perform this change from the command line, the following command can be used (the account:rights argument is quoted as a whole because the right name contains spaces):
- dsacls "dc=corp,dc=contoso,dc=com" /G "CORP\FIM_AD_Permissions:CA;Replicating Directory Changes"
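The same two grants, done with the ActiveDirectory module's AD: drive instead of dsacls, followed by a check that the replication right is actually present on the domain partition (the thing to look at first when an import ends in error 8453). This is an added example, not code from the original post or from the KB article. The account CORP\FIM_AD_Permissions and the OU path are assumptions; the two GUIDs are the fixed schema values for the user object class and the DS-Replication-Get-Changes extended right. The OU grant uses Create/Delete child plus Read/Write property on user objects, which is the least-privilege reading of "Create/Delete/Modify"; any extended rights your FIM flows also need (for example Reset Password) are not covered here.

```powershell
# Added example, not part of the original post.
# Assumed names: the service account and the OU that FIM provisions users into.
Import-Module ActiveDirectory

$Account  = 'CORP\FIM_AD_Permissions'                          # assumption: limited-privilege service account
$UsersOU  = 'OU=FIM Managed Users,DC=corp,DC=contoso,DC=com'   # assumption: OU maintained by FIM
$DomainDN = (Get-ADDomain).DistinguishedName                   # e.g. DC=corp,DC=contoso,DC=com

# Fixed schema GUIDs (identical in every forest)
$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class "user"
$ReplGetChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # extended right "Replicating Directory Changes"

function Get-AccountSid {
    param([string]$NTAccount)
    $nt = New-Object System.Security.Principal.NTAccount($NTAccount)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

# 1. Create/Delete/Modify user objects in the OU (and child OUs).
function Grant-UserObjectRights {
    param([string]$NTAccount, [string]$OUDistinguishedName)
    $sid = Get-AccountSid $NTAccount
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"

    # Create and delete child objects of class "user" on the OU itself and on sub-OUs.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

    # Read/write all attributes, inherited only by descendant objects of class "user".
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)))

    Set-Acl -Path "AD:\$OUDistinguishedName" -AclObject $acl
}

# 2. "Replicating Directory Changes" on the domain naming context (what the dsacls line above does).
function Grant-ReplicatingDirectoryChanges {
    param([string]$NTAccount, [string]$PartitionDN)
    $sid = Get-AccountSid $NTAccount
    $acl = Get-Acl -Path "AD:\$PartitionDN"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ReplGetChangesGuid)))
    Set-Acl -Path "AD:\$PartitionDN" -AclObject $acl
}

# 3. Verification: does the partition ACL contain an Allow ACE for exactly this account and right?
#    Only a direct grant is detected; a grant through group membership will not show up here.
function Test-ReplicatingDirectoryChanges {
    param([string]$NTAccount, [string]$PartitionDN)
    $sid = Get-AccountSid $NTAccount
    $acl = Get-Acl -Path "AD:\$PartitionDN"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $ReplGetChangesGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return [bool]$match
}

Grant-UserObjectRights -NTAccount $Account -OUDistinguishedName $UsersOU
Grant-ReplicatingDirectoryChanges -NTAccount $Account -PartitionDN $DomainDN

if (Test-ReplicatingDirectoryChanges -NTAccount $Account -PartitionDN $DomainDN) {
    Write-Host "$Account has Replicating Directory Changes on $DomainDN"
} else {
    Write-Warning "$Account is missing Replicating Directory Changes on $DomainDN; expect error 8453 on import"
}
```

Run this as an account that can write the OU and domain-head ACLs (domain admin or a delegated owner). The verification function is the part worth keeping around: run it against each domain partition an AD MA connects to before blaming FIM for an 8453.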
Also, do not forget to run an import with the AD MA first, before trying to provision users with declarative provisioning from the portal. Provisioning needs the target OU to exist in the AD MA's connector space, and it only gets there through an import. If you skip this step you will get the error: Object "CN=user,OU=containsusers,DC=corp,DC=contoso,DC=com" does not have a parent object in management agent "AD MA".