
MIM Service Accounts, Groups and Permission Details (MIM and AD Integration)

The purpose of this document is to provide the details of the service accounts, security groups and permissions required to install and configure Microsoft Identity Manager (MIM) 2016 in your environment. It also provides PowerShell scripts that automate the creation of the service accounts and groups.

MIM Service Account Details

The following table lists the service and administrative accounts required for MIM installation and administration. What each account is used for, and any requirement placed on it, is given under Function.

Account       Application  Mail enabled  Function
MIM_Sync      MIM          No            MIM Synchronization Service account. The Microsoft Identity Manager Synchronization Service runs under this account. Must be secured using the GPO settings described below.
MIM_Service   MIM          Yes           MIM Service account. The MIM Service runs under this account. Must be secured using the GPO settings described below. Its mailbox is used to process requests and approvals, so the account must be created for the exclusive use of the MIM Service.
MIM_MIMMA     MIM          No            MIM management agent (MIM MA) account.
MIM_ADMA      MIM          No            AD management agent account. Used to read and modify AD objects and attributes.
MIM_SSPR      MIM          No            Account under which the MIM Password Registration and Password Reset application pools run in IIS.
MIM_SP        SharePoint   No            SharePoint database access account; also runs the SharePoint application pool that hosts the MIM Portal.
MIM_Sql       SQL          No            SQL Server service account.
MIM_SqlAgent  SQL          No            SQL Server Agent service account.
MIM_SPPA      SharePoint   No            Primary owner (PrimaryOwnerAlias) of the SharePoint site collection that hosts the MIM Portal.
MIM_SPBA      SharePoint   No            Secondary owner (SecondaryOwnerAlias) of the SharePoint site collection that hosts the MIM Portal.

Service Account Creation Using a Script

The following PowerShell script automates the creation of the service accounts listed above.

    Import-Module ActiveDirectory

    # OU that will hold the service accounts; adjust to your domain.
    $ouPath = 'OU=Service Accounts,DC=MyDomain,DC=com'

    # Account names and descriptions from the table above.
    $accounts = @(
        @{ Name = 'MIM_Sync';     Description = 'MIM Sync Service account' },
        @{ Name = 'MIM_Service';  Description = 'MIM Service account' },
        @{ Name = 'MIM_MIMMA';    Description = 'MIM Management Agent account' },
        @{ Name = 'MIM_ADMA';     Description = 'MIM AD Agent account' },
        @{ Name = 'MIM_SSPR';     Description = 'MIM Password Registration Pool account' },
        @{ Name = 'MIM_SP';       Description = 'MIM SharePoint Pool account' },
        @{ Name = 'MIM_Sql';      Description = 'MIM SQL Database Access account' },
        @{ Name = 'MIM_SqlAgent'; Description = 'MIM SQL Agent account' },
        @{ Name = 'MIM_SPPA';     Description = 'MIM SharePoint Primary Owner Alias' },
        @{ Name = 'MIM_SPBA';     Description = 'MIM SharePoint Secondary Owner Alias' }
    )

    foreach ($account in $accounts) {
        # Prompt for a distinct password for each account rather than sharing one
        # plaintext value across all ten; the secure string is never echoed or stored.
        $password = Read-Host -AsSecureString -Prompt "Password for $($account.Name)"

        New-ADUser -Name $account.Name `
                   -SamAccountName $account.Name `
                   -Description $account.Description `
                   -Path $ouPath `
                   -AccountPassword $password `
                   -Enabled $true `
                   -PasswordNeverExpires $true
    }

MIM Security Group Details

The following table lists the security groups required for MIM installation and administration. The members each group should have, and what the group is used for, are given under Members and Function.

Group                 Type    Members                   Function
MIM Administrators    Global  Your MIM administrators   Log on locally to all MIM servers; local Administrator on all MIM servers; SQL sysadmin.
MIM SQL Admins        Global  MIM Administrators        (the membership script below also adds MIMSyncAdmins and MIM_Sql)
MIMSyncAdmins         Global  MIM_Service               MIM Synchronization Service security group: Administrator.
MIMSyncOperators      Global                            MIM Synchronization Service security group: Operator.
MIMSyncJoiners        Global                            MIM Synchronization Service security group: Joiner.
MIMSyncBrowse         Global                            MIM Synchronization Service security group: Connector Browse.
MIMSyncPasswordReset  Global                            MIM Synchronization Service security group: WMI Password Management.

Security Group Creation Using a Script

The creation of these groups can be automated with the following PowerShell script.

    Import-Module ActiveDirectory

    # OU that will hold the groups; adjust to your domain.
    $groupOu = 'OU=Groups,DC=MyDomain,DC=com'

    # Group names and descriptions from the table above.
    $groups = @(
        @{ Name = 'MIM Administrators';   Description = 'Sysco MIM Administrators' },
        @{ Name = 'MIM SQL Admins';       Description = 'Sysco MIM SQL Administrators' },
        @{ Name = 'MIMSyncAdmins';        Description = 'MIM Sync Admins' },
        @{ Name = 'MIMSyncOperators';     Description = 'MIM Sync Operators' },
        @{ Name = 'MIMSyncJoiners';       Description = 'MIM Sync Joiners' },
        @{ Name = 'MIMSyncBrowse';        Description = 'MIM Sync Browse' },
        @{ Name = 'MIMSyncPasswordReset'; Description = 'MIM WMI Password Management' }
    )

    foreach ($group in $groups) {
        New-ADGroup -Name $group.Name `
                    -SamAccountName $group.Name `
                    -GroupCategory Security `
                    -GroupScope Global `
                    -Description $group.Description `
                    -Path $groupOu
    }

Update Group Membership Using a Script

The following cmdlets add the required group members.

    Add-ADGroupMember -Identity MIMSyncAdmins    -Members 'MIM Administrators', MIM_Service
    Add-ADGroupMember -Identity 'MIM SQL Admins' -Members MIMSyncAdmins, MIM_Sql

Permissions and Group Policy Objects

Two service accounts run the MIM server components: the MIM Service account (MIM_Service) and the MIM Synchronization Service account (MIM_Sync). The MIM MA account (MIM_MIMMA) is not considered a service account and should be a regular user account. For the MIM Synchronization Service account to impersonate the MIM MA account, the MIM MA account must be able to log on locally, so it must not appear in the deny lists below. It is also recommended to enforce the following restrictions on the two service accounts:

    Deny log on as a batch job
    Deny log on locally
    Deny access to this computer from the network

The following Group Policy Object (GPO) settings achieve this. Link the GPO only to the OU that contains the MIM servers: the deny rights are host-local restrictions, and applying them to other hosts (for example the SQL Server host, which MIM_Service and MIM_Sync authenticate to over the network) would break the installation.

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment

    Log on as a service:
        DOMAIN\MIM_Sync, DOMAIN\MIM_MIMMA, DOMAIN\MIM_ADMA, DOMAIN\MIM_Service, DOMAIN\MIM_SP,
        DOMAIN\MIM_Sql, DOMAIN\MIM_SSPR, DOMAIN\MIM_SqlAgent, DOMAIN\MIM_SPPA, DOMAIN\MIM_SPBA
    Deny access to this computer from the network:
        DOMAIN\MIM_Sync, DOMAIN\MIM_Service
    Deny log on locally:
        DOMAIN\MIM_Sync, DOMAIN\MIM_Service

Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups

    Administrators:
        DOMAIN\MIM Administrators, DOMAIN\MIM_SPPA

Deny log on as a batch job is recommended above but is not listed in this table; add it for DOMAIN\MIM_Sync and DOMAIN\MIM_Service if you follow that recommendation.

I have included more details in the following Wiki article.
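As an added check that is not part of the original document, the following PowerShell script verifies that the accounts, group memberships and user-rights assignments on a MIM server match the tables above. It assumes the ActiveDirectory module, an elevated Windows PowerShell 5.1 session on the MIM server, the NetBIOS domain name MyDomain, and the account and group names used in this document; the privilege constants SeServiceLogonRight, SeDenyNetworkLogonRight and SeDenyInteractiveLogonRight are the secedit names of the three user rights in the table. Anything that does not match is reported as a finding; an empty result means the environment matches.

```powershell
# Verification script (added example, not from the original document).
# Assumes: ActiveDirectory module, elevated Windows PowerShell 5.1 on a MIM
# server, and the account/group names used in the tables above.
Import-Module ActiveDirectory

$domain = 'MyDomain'   # NetBIOS domain name (assumption; adjust to your domain)

$serviceAccounts = 'MIM_Sync', 'MIM_Service', 'MIM_MIMMA', 'MIM_ADMA', 'MIM_SSPR',
                   'MIM_SP', 'MIM_Sql', 'MIM_SqlAgent', 'MIM_SPPA', 'MIM_SPBA'

# Expected membership from the group table and the Add-ADGroupMember calls above.
$expectedMembers = @{
    'MIMSyncAdmins'  = @('MIM Administrators', 'MIM_Service')
    'MIM SQL Admins' = @('MIM Administrators', 'MIMSyncAdmins', 'MIM_Sql')
}

# Expected user rights on a MIM server, keyed by the secedit privilege constant.
$expectedRights = @{
    'SeServiceLogonRight'         = $serviceAccounts              # Log on as a service
    'SeDenyNetworkLogonRight'     = @('MIM_Sync', 'MIM_Service')   # Deny access from the network
    'SeDenyInteractiveLogonRight' = @('MIM_Sync', 'MIM_Service')   # Deny log on locally
}

function New-Finding([string]$Check, [string]$Subject, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail }
}

function Test-MimServiceAccounts {
    foreach ($name in $serviceAccounts) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
                           -Properties PasswordNeverExpires, adminCount, MemberOf
        if (-not $user) { New-Finding 'Account' $name 'does not exist'; continue }
        if (-not $user.Enabled) { New-Finding 'Account' $name 'is disabled' }
        if (-not $user.PasswordNeverExpires) { New-Finding 'Account' $name 'password expires' }
        # adminCount=1 means the account is, or once was, in a protected group;
        # a service account should never carry that history.
        if ($user.adminCount -eq 1) { New-Finding 'Account' $name 'adminCount is set' }
        foreach ($dn in $user.MemberOf) {
            if ($dn -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),') {
                New-Finding 'Account' $name "is a member of $dn"
            }
        }
    }
}

function Test-MimGroupMembership {
    foreach ($group in $expectedMembers.Keys) {
        $actual = @(Get-ADGroupMember -Identity $group | ForEach-Object SamAccountName)
        foreach ($m in $expectedMembers[$group]) {
            if ($actual -notcontains $m) { New-Finding 'Group' $group "missing member $m" }
        }
        foreach ($m in $actual) {
            if ($expectedMembers[$group] -notcontains $m) { New-Finding 'Group' $group "unexpected member $m" }
        }
    }
}

function Get-LocalPrivilegeRights {
    # secedit writes a Unicode INI; its [Privilege Rights] section maps each
    # privilege constant to a comma-separated list of *SID entries (or names).
    $cfg = Join-Path $env:TEMP 'mim-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-DomainSid([string]$Account) {
    try {
        $nt = New-Object System.Security.Principal.NTAccount($domain, $Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

function Test-MimUserRights {
    $rights = Get-LocalPrivilegeRights
    foreach ($priv in $expectedRights.Keys) {
        $holders = @($rights[$priv])
        foreach ($account in $expectedRights[$priv]) {
            $sid = Resolve-DomainSid $account
            # Compare by SID first; fall back to DOMAIN\name for policies written by name.
            if (($sid -and $holders -contains $sid) -or $holders -contains "$domain\$account") { continue }
            New-Finding 'UserRight' $priv "not assigned to $domain\$account"
        }
    }
    # Restricted Groups: MIM Administrators must be in the local Administrators group.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
    if ($admins -notcontains "$domain\MIM Administrators") {
        New-Finding 'LocalAdmins' "$domain\MIM Administrators" 'not a local Administrator'
    }
}

$findings = @(Test-MimServiceAccounts) + @(Test-MimGroupMembership) + @(Test-MimUserRights)
if ($findings.Count -eq 0) { 'All MIM account, group and user-rights checks passed.' }
else { $findings | Format-Table -AutoSize }
```

Run it on each MIM server after the GPO has applied (gpupdate /force first). The user-rights check resolves each DOMAIN\account to its SID because secedit normally exports privilege holders as *SID entries, and the membership check reports both missing and unexpected members so that a stray addition to MIMSyncAdmins or MIM SQL Admins is caught, not just an omission.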

