Looking to confirm …
Can 2 separate accounts be used in the AD connector?
Read Only for aggregation
Admin for provisioning
We’re working on configuring Active Directory with a Read Only service account for aggregation with a separate Admin service account for IQService. The IQService account is restricted to create/update accounts within specific OUs only vs. the read only account being able to aggregate everything.
We configured this as noted above and are receiving an “Access Denied” message in the IQService log for account provisioning, but it’s also showing both the Read Only account AND the Admin account as connecting to Active Directory (debug level enabled for logging).
If we replace the Read Only account (used in the aggregation configuration screen) with the Admin account, then provisioning works as expected.
@agutschow We only have the “Admin” account registered with IQService. This is also the same account that is configured in the Services as the “log on as” user.
The Read Only account is only configured in the Domain settings page (Forest settings is “blank”). The Admin account is configured in the IQService settings page.
From my experience, this is not possible. The service account configured under the Domain Settings of the source will be used for all aggregation and provisioning activities. The IQService User in the IQService Settings is used only for the TLS communication. You can actually see in verbose IQService logs that it logs onto the domain as the user in the Domain Settings, not the IQService user configured.
re: gMSA - Not at this client because they’re on the prior version of IQService yet. I’m aware of this as a new option in the latest IQService so we’ll be talking with them about that going forward.