Source:
MIM Service Accounts, Groups and Permission Details (MIM and AD Integration)
The purpose of this document is to provide the details of service accounts, security groups and permission required to install and configure Microsoft Identity Manger (M(M) 2016 in your environment. This article also provides a PowerShell script to automate service accounts and group creation process.
MIM Service Account Details
The following table provides the details of various service and administrative accounts required for MIM installation and administration. The requirements and functionality details of these accounts are included in the “Function” column in the below table:
| Account Name | Application | Function | Mail Enabled |
| MIM_Sync | MIM | MIM synchronization service account. “Microsoft Identity Manager Synchronization Service” will run under this account. This account must be secured using (GPO) | No |
| MIM_Service | MIM | MIM Service account. MIM service will run under this account. Must be secured (GPO). The service email account is uses to process request and approvals. This account should be created for the exclusive use of the identity Management service | Yes |
| MIM_MIMMA | MIM | MIM management agent account. | No |
| MIM_ADMA | MIM | AD management agent account. Used to read and modify AD objects and attributes. | No |
| MIM_SSPR | MIM – Service and Portal | Account under which the MIM Password Registration and Reset application pool will run in IIS. | No |
| MIM_SP | SharePoint | Database Access Account and used to run SharePoint App Pool for FIM portal. | No |
| SMIM__SQL | SQL | SQL Server service account | No |
| MIM_SqlAgent | SQL | Used to Run SQL agent | |
| MIM_SPPA | SharePoint | SharePoint collection to host MIM Portal (PrimaryOwnerAlias) | No |
| MIM_SPBA | SharePoint | SharePoint collection to host MIM Portal (SecondaryOwnerAlias) | No |
Service Account Creation Using a Script
The following PowerShell based script can be used to automate the service account creation process:
import-module activedirectory
$sp = ConvertTo-SecureString "YourPassword" –asplaintext –force
New-ADUser –SamAccountName MIM_Sync –name MIM_Sync -OtherAttributes @{'description'="MIM Sync Service Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_Sync –NewPassword $sp
Set-ADUser –identity MIM_Sync –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_Service –name MIM_Service -OtherAttributes @{'description'="MIM Service Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_Service –NewPassword $sp
Set-ADUser –identity MIM_Service –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_MIMMA –name MIM_MIMMA -OtherAttributes @{'description'="MIM Management Agent Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_MIMMA –NewPassword $sp
Set-ADUser –identity MIM_MIMMA –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_ADMA –name MIM_ADMA -OtherAttributes @{'description'="MIM AD Agent Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_ADMA –NewPassword $sp
Set-ADUser –identity MIM_ADMA –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_SSPR –name MIM_SSPR -OtherAttributes @{'description'="MIM Password Registration Pool Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_SSPR –NewPassword $sp
Set-ADUser –identity MIM_SSPR –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_SP –name MIM_SP -OtherAttributes @{'description'="MIM SharePoint Pool Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_SP –NewPassword $sp
Set-ADUser –identity MIM_SP –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_Sql –name MIM_Sql -OtherAttributes @{'description'="MIM SQL Database Access Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_Sql –NewPassword $sp
Set-ADUser –identity MIM_Sql –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_SqlAgent –name MIM_SqlAgent -OtherAttributes @{'description'="MIM SQL Agent Account"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_SqlAgent –NewPassword $sp
Set-ADUser –identity MIM_SqlAgent –Enabled 1 –PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_SPPA –name MIM_SPPA -OtherAttributes @{'description'="MIM SharePoint Primary Owner Alias"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_SPPA –NewPassword $sp
Set-ADUser –identity MIM_SPPA –Enabled 1 -PasswordNeverExpires 1
New-ADUser –SamAccountName MIM_SPBA –name MIM_SPBA -OtherAttributes @{'description'="MIM SharePoint Secondary Owner Alias"} -Path "OU=Service Accounts,DC=MyDomain,DC=com"
Set-ADAccountPassword –identity MIM_SPBA –NewPassword $sp
Set-ADUser –identity MIM_SPBA –Enabled 1 -PasswordNeverExpires 1
MIM Security Group Details
The following table provides the details of various service and administrative accounts required for MIM installation and administration. The requirements and functionality details of these accounts are included in the “Function” column in the below table:
Security Group Creation Using a Script
The following table provides the details of required security groups:
| Group Name | Type | Members | Function |
| MIM Administrators | Global | Your MIM administrators | MIM Administrators. · Logon locally to all MIM servers · Local admin on all MIM servers · SQL Sysadmin |
| 2MIM SQL Admins | Global | MIM Administrators | |
| MIMSyncAdmins | Global | MIMService | Microsoft Identity Manager Synchronization security group - Administrator |
| MIMSyncOperators | Global | | Operator |
| MIMSyncJoiners | Global | | Joiner |
| MIMSyncBrowse | Global | | Connector Browse |
| MIMSyncPasswordReset | Global | | WMI Password Management |
The creation and group membership management of these groups can automated using the following PowerShell script:
New-ADGroup –name "MIM Administrators" –GroupCategory Security –GroupScope Global –SamAccountName "MIM Administrators" -Description "Sysco MIM Administrators" -Path "OU=Groups,DC=domain,DC=com"
New-ADGroup –name "MIM SQL Admins" –GroupCategory Security –GroupScope Global –SamAccountName "MIM SQL Admins" -Description "Sysco MIM SQL Administrators" -Path "OU=Groups,DC=domain,DC=com"
New-ADGroup –name MIMSyncAdmins –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncAdmins -Description "MIM Sysnc Admins" -Path "OU=Groups,DC=domain,DC=com"
New-ADGroup –name MIMSyncOperators –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncOperators -Description "MIM Sync Operators" -Path "OU=Groups,DC=domain,DC=com"
New-ADGroup –name MIMSyncJoiners –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncJoiners -Description "MIM Sync Joiners" -Path "OU=Groups,DC=domain,DC=com"
New-ADGroup –name MIMSyncBrowse –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncBrowse -Description "MIM Sync Browse" -Path "OU=Groups,DC=domain,DC=com"
New-ADGroup –name MIMSyncPasswordReset –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncPasswordReset -Description "MIM WMI Password Management" -Path "OU=Groups,DC=domain,DC=com"
Update Group Membership using a script
The following PowerShell cmdlet can be used to update the required group membership:
Add-ADGroupMember -identity MIMSyncAdmins -Members "MIM Administrators"
Add-ADGroupmember -identity MIMSyncAdmins -Members MIM_Service
Add-ADGroupmember -identity "MIM SQL Admins" -Members "MIMSyncAdmins"
Add-ADGroupmember -identity "MIM SQL Admins" -Members "MIM_Sql"
Permissions and Group Policy Objects
There are two service accounts that are used to run the MIM server components. They are called the MIM Service service account (MIM_Sync) and the MIM Synchronization Service service (MIM_Service) account. The MIM MA account is not considered a service account, and it should be a regular user account. For the MIM Synchronization Service service account to be able to impersonate the MIM MA account, the MIM MA must be able to log on locally. It is also recommended to enforce the following restrictions on the service accounts:
· Deny logon as a batch job
· Deny logon locally
· Deny access to this computer from the network
The following Group Policy Object (GPO) settings can be used to achieve this:
| Policy | Accounts |
| Policies/Security Settings/Local Policies/User Rights Assignments/Log On as a service | DOMAIN\MIM_Sync DOMAIN\MIM_MIMMA DOMAIN\MIM_ADMA DOMAIN\MIM_Service DOMAIN\MIM_SP DOMAIN\MIM_Sql DOMAIN\MIM_SSPR DOMAIN\MIM_SqlAgent DOMAIN\MIM_SPPA DOMAIN\MIM_SPBA |
| Deny Access to this computer from the network | DOMAIN\MIM_Sync DOMAIN\MIM_Service |
| Deny Logon Locally | DOMAIN\MIM_Sync DOMAIN\MIM_Service |
| Policies/Windows Settings/Security Settings/Restricted Group | DOMAIN\MIM Administrators Administrators DOMAIN\MIM_SPPA Administrators |
Source:
0 comments:
Post a Comment