Profile Import Account

  • Question

  • Hi guys,

    Quick question here: when installing SharePoint in a server farm environment, it is recommended to use a least-privileged account. However, I have observed that an ordinary domain user account doesn't have read permission to AD in order to import user profiles. However, if I use an account that is part of the Domain Admins group, it works.

    Please, I just need better clarification regarding administrative accounts when installing SharePoint.

    Thank you
    Wednesday, May 20, 2009 9:19 PM

Answers

  • Hi Guys.

    A regular domain account has read access to all user accounts in the domain by default. The user profile import account needs only read access.

    You may have a group policy in place, or more likely one in place on the OU containing the "service" accounts, preventing this access. This will cause many problems, and it's essential that all SharePoint service accounts have read access. You can diagnose the issue by checking the security event log on the domain controller.

    hth
    s.
    Cheers, Spence ~ www.harbar.net ~ Microsoft Certified Master | SharePoint 2007
    • Proposed as answer by Ivan Sanders Thursday, May 21, 2009 2:03 AM
    • Marked as answer by Mike Walsh FIN Thursday, May 21, 2009 5:53 AM
    Wednesday, May 20, 2009 10:08 PM
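    The answer above says a plain domain account reads user objects by default and that something applied to the OU holding the service accounts is what takes that away. The following PowerShell is an added example (not posted by anyone in this thread): it checks whether any Deny ACE on the users OU applies to the profile import account or a group it belongs to, then confirms the symptom by reading one user object as that account. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the OU's ACL; the account and OU names are placeholders.

    ```powershell
    # Added example: diagnose why a least-privileged SharePoint profile import
    # account cannot read user objects in AD. Assumes the ActiveDirectory module;
    # names below are placeholders for your own environment.
    Import-Module ActiveDirectory

    $serviceAccount = 'CONTOSO\svc_spprofile'       # placeholder: profile import account
    $usersOU        = 'OU=Users,DC=contoso,DC=com'  # placeholder: OU holding the user objects

    # 1. Collect the account's own SID plus every group SID in its token (tokenGroups
    #    includes nested groups), because a Deny ACE usually targets a group.
    $sam  = $serviceAccount.Split('\')[-1]
    $user = Get-ADUser -Identity $sam -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

    # 2. List every Deny ACE on the OU (inherited ones included) that applies to
    #    the account or one of its groups. These override the default read access.
    $acl = Get-Acl -Path "AD:\$usersOU"
    $denies = $acl.Access |
      Where-Object { $_.AccessControlType -eq 'Deny' } |
      Where-Object {
        try {
          $aceSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { return $false }   # orphaned SID that no longer resolves
        $sids -contains $aceSid
      }
    if ($denies) {
      "Deny ACEs on $usersOU affecting ${serviceAccount}:"
      $denies | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
        Format-Table -AutoSize
    } else {
      "No Deny ACEs on $usersOU apply to $serviceAccount."
    }

    # 3. Reproduce the symptom directly: read one user object as the service account.
    #    A failure here, paired with a Deny ACE above, is the case described in the answer.
    $cred = Get-Credential -UserName $serviceAccount -Message 'Service account password'
    try {
      $probe = Get-ADUser -Filter * -SearchBase $usersOU -ResultSetSize 1 -Credential $cred
      if ($probe) { "$serviceAccount can read user objects in $usersOU." }
      else        { "$serviceAccount returned no user objects from $usersOU." }
    } catch {
      "Read failed as ${serviceAccount}: $($_.Exception.Message)"
    }
    ```

    If step 2 finds nothing but step 3 still fails, check the ACLs on the individual user objects and the domain controller's security event log, since a Deny can also be set below the OU level.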

All replies

  • I think this may come down to domain policy.  I have never had any service account set as a Domain Admin, and the accounts can read the profile info.  If the policy prohibits domain users from browsing the info you should be able to have an exception for that account versus making the account a domain admin.
    SharePoint Developer | Administrator | Evangelist -- Twitter -- Blog - http://nextconnect.blogspot.com
    Wednesday, May 20, 2009 9:51 PM
  • Spence is correct; by default every user account is able to read from AD, and those darn AD admins have probably restricted the service accounts... But hey, the good news is they are doing their jobs and will probably know when asked if this is the case....

    -Ivan

    Ivan Sanders http://linkedin.com/in/iasanders http://dimension-si.com/blog
    Thursday, May 21, 2009 2:03 AM
  • Thanks, guys, for this info; I am grateful.
    Thursday, May 21, 2009 6:39 AM