Imanami Community

I was hoping to find the recommended permssions necessary to run DTM and SmartDL.  What is recommended method of applying the correct permissions short of giving a service account Domain Admin rights over the entire domain?

Hello rotondim,

To successfully create a SmartDL you must have the following permissions at the container level (these are minimum permissions required):
Create Group Objects (allow) [This object only]

List Contents (allow) [This object and all child objects]
Read All Properties (allow) [This object and all child objects]
Write All Properties (allow) [This object and all child objects]
Read Permissions (allow) [This object and all child objects]
All Validated Writes (allow) [This object and all child objects]

All these permissions can be set using Active Directory Users & Computers with View->Advanced selected from the main window.

Additionally, if you want the email domain to be pre-populated when creating a group you must have a minimum of View Exchange Admin rights at the Exchange Organization level (this can be set via the Exchange System Manager).

It is important to note that even if your account has been granted the above permissions, you could experience problems if someone has denied permission to your account or a security group you are a member of.  Deny permissions all override grant permissions.

To successfully create users and contacts using DTM 3.0 you can use the Delegation of Control Wizard in Active Directory Users and Computers to limit permissions for the DTM account.  The Microsoft article below provides detailed steps on performing this task:

Step-by-Step Guide to Using the Delegation of Control Wizard

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

Please post back with questions you have about the information provided above.  Looking forward to hearing from you soon.