Monday, October 31, 2016

MIM Service Accounts, Groups and Permission Details (MIM and AD Integration)

Source:

 

http://social.technet.microsoft.com/wiki/contents/articles/36005.mim-service-accounts-groups-and-permission-details-mim-and-ad-integration.aspx


The purpose of this document is to provide the details of the service accounts, security groups and permissions required to install and configure Microsoft Identity Manager (MIM) 2016 in your environment. This article also provides PowerShell scripts to automate the service account and group creation process.

MIM Service Account Details

The following table provides the details of the various service and administrative accounts required for MIM installation and administration. The requirements and functionality of each account are described in the "Function" column:

| Account Name | Application | Function | Mail Enabled |
|---|---|---|---|
| MIM_Sync | MIM | MIM Synchronization Service account. The "Microsoft Identity Manager Synchronization Service" runs under this account. This account must be secured using GPO. | No |
| MIM_Service | MIM | MIM Service account. The MIM Service runs under this account. Must be secured (GPO). Its mailbox is used to process requests and approvals. This account should be created for the exclusive use of the Identity Management service. | Yes |
| MIM_MIMMA | MIM | MIM management agent account. | No |
| MIM_ADMA | MIM | AD management agent account. Used to read and modify AD objects and attributes. | No |
| MIM_SSPR | MIM – Service and Portal | Account under which the MIM Password Registration and Reset application pool runs in IIS. | No |
| MIM_SP | SharePoint | Database access account; also used to run the SharePoint application pool for the FIM portal. | No |
| MIM_Sql | SQL | SQL Server service account. | No |
| MIM_SqlAgent | SQL | Used to run the SQL Server Agent. | |
| MIM_SPPA | SharePoint | Owner of the SharePoint site collection that hosts the MIM Portal (PrimaryOwnerAlias). | No |
| MIM_SPBA | SharePoint | Owner of the SharePoint site collection that hosts the MIM Portal (SecondaryOwnerAlias). | No |

 

Service Account Creation Using a Script

The following PowerShell based script can be used to automate the service account creation process:

Import-Module ActiveDirectory

# Prompt for the password rather than leaving it in clear text in the script.
# All accounts below receive the same initial password; change it per account afterwards.
$sp = Read-Host -AsSecureString "Initial password for the MIM service accounts"
$ou = "OU=Service Accounts,DC=MyDomain,DC=com"

# SamAccountName => description, one entry per account in the table above.
$accounts = [ordered]@{
    MIM_Sync     = "MIM Sync Service Account"
    MIM_Service  = "MIM Service Account"
    MIM_MIMMA    = "MIM Management Agent Account"
    MIM_ADMA     = "MIM AD Agent Account"
    MIM_SSPR     = "MIM Password Registration Pool Account"
    MIM_SP       = "MIM SharePoint Pool Account"
    MIM_Sql      = "MIM SQL Database Access Account"
    MIM_SqlAgent = "MIM SQL Agent Account"
    MIM_SPPA     = "MIM SharePoint Primary Owner Alias"
    MIM_SPBA     = "MIM SharePoint Secondary Owner Alias"
}

# Create each account enabled, with the password set and never expiring.
foreach ($name in $accounts.Keys) {
    New-ADUser -SamAccountName $name -Name $name -Description $accounts[$name] `
        -Path $ou -AccountPassword $sp -Enabled $true -PasswordNeverExpires $true
}

MIM Security Group Details

The following table provides the details of the required security groups:

| Group Name | Type | Members | Function |
|---|---|---|---|
| MIM Administrators | Global | Your MIM administrators | MIM administrators. Log on locally to all MIM servers; local admin on all MIM servers; SQL sysadmin. |
| MIM SQL Admins | Global | MIM Administrators | |
| MIMSyncAdmins | Global | MIM_Service | Microsoft Identity Manager Synchronization security group - Administrator |
| MIMSyncOperators | Global | | Operator |
| MIMSyncJoiners | Global | | Joiner |
| MIMSyncBrowse | Global | | Connector Browse |
| MIMSyncPasswordReset | Global | | WMI Password Management |

Security Group Creation Using a Script

The creation of these groups can be automated using the following PowerShell script:

Import-Module ActiveDirectory

$ou = "OU=Groups,DC=domain,DC=com"

# Group name => description, one entry per group in the table above.
$groups = [ordered]@{
    "MIM Administrators"   = "Sysco MIM Administrators"
    "MIM SQL Admins"       = "Sysco MIM SQL Administrators"
    "MIMSyncAdmins"        = "MIM Sync Admins"
    "MIMSyncOperators"     = "MIM Sync Operators"
    "MIMSyncJoiners"       = "MIM Sync Joiners"
    "MIMSyncBrowse"        = "MIM Sync Browse"
    "MIMSyncPasswordReset" = "MIM WMI Password Management"
}

# Create each group as a global security group in the target OU.
foreach ($name in $groups.Keys) {
    New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security -GroupScope Global `
        -Description $groups[$name] -Path $ou
}

 

Update Group Membership Using a Script

The following PowerShell cmdlets can be used to populate the required group memberships:

# MIMSyncAdmins: the MIM administrators group and the MIM Service account.
Add-ADGroupMember -Identity MIMSyncAdmins -Members "MIM Administrators", MIM_Service

# MIM SQL Admins: the sync administrators and the SQL Server service account.
Add-ADGroupMember -Identity "MIM SQL Admins" -Members MIMSyncAdmins, MIM_Sql

 

Permissions and Group Policy Objects

There are two service accounts that are used to run the MIM server components: the MIM Service service account (MIM_Service) and the MIM Synchronization Service service account (MIM_Sync). The MIM MA account is not considered a service account and should be a regular user account. For the MIM Synchronization Service service account to be able to impersonate the MIM MA account, the MIM MA account must be able to log on locally. It is also recommended to enforce the following restrictions on the service accounts:

·       Deny logon as a batch job

·       Deny logon locally

·       Deny access to this computer from the network

The following Group Policy Object (GPO) settings can be used to achieve this:

| Policy | Accounts |
|---|---|
| Policies/Security Settings/Local Policies/User Rights Assignments/Log on as a service | DOMAIN\MIM_Sync, DOMAIN\MIM_MIMMA, DOMAIN\MIM_ADMA, DOMAIN\MIM_Service, DOMAIN\MIM_SP, DOMAIN\MIM_Sql, DOMAIN\MIM_SSPR, DOMAIN\MIM_SqlAgent, DOMAIN\MIM_SPPA, DOMAIN\MIM_SPBA |
| Policies/Security Settings/Local Policies/User Rights Assignments/Deny access to this computer from the network | DOMAIN\MIM_Sync, DOMAIN\MIM_Service |
| Policies/Security Settings/Local Policies/User Rights Assignments/Deny log on locally | DOMAIN\MIM_Sync, DOMAIN\MIM_Service |
| Policies/Windows Settings/Security Settings/Restricted Groups | DOMAIN\MIM Administrators -> Administrators; DOMAIN\MIM_SPPA -> Administrators |
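Once the accounts, groups and GPOs are in place, the effective state should be verified rather than assumed. The following script is an added example (not from the original article) that checks the group memberships from the tables above and, on a MIM server, exports the local user rights assignment with secedit and compares it against the GPO table; it assumes the account and group names used in this article and must be run as a local administrator on the server being checked.

```powershell
# Added audit script: verify AD group membership and effective user rights
# against the expected configuration described in this article.
Import-Module ActiveDirectory

# Expected state, taken from the tables above.
$expectedMembers = @{
    'MIMSyncAdmins'  = @('MIM Administrators', 'MIM_Service')
    'MIM SQL Admins' = @('MIMSyncAdmins', 'MIM_Sql')
}
$serviceLogon = 'MIM_Sync','MIM_MIMMA','MIM_ADMA','MIM_Service','MIM_SP',
                'MIM_Sql','MIM_SSPR','MIM_SqlAgent','MIM_SPPA','MIM_SPBA'
$denied = 'MIM_Sync','MIM_Service'   # must be denied network and local logon
$findings = @()

# 1. AD group membership.
foreach ($group in $expectedMembers.Keys) {
    $actual = (Get-ADGroupMember -Identity $group).SamAccountName
    foreach ($m in $expectedMembers[$group]) {
        if ($actual -notcontains $m) { $findings += "$group is missing member $m" }
    }
}

# 2. Effective user rights on this server. secedit writes each right as
#    "SeXxxRight = *SID,*SID,...", so expected accounts are compared by SID.
$cfg = Join-Path $env:TEMP 'mim-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',') -replace '^\*', ''
    }
}
Remove-Item $cfg
function Get-AccountSid($sam) { (Get-ADUser -Identity $sam).SID.Value }

foreach ($acct in $serviceLogon) {
    if ($rights['SeServiceLogonRight'] -notcontains (Get-AccountSid $acct)) {
        $findings += "$acct lacks 'Log on as a service'"
    }
}
foreach ($acct in $denied) {
    foreach ($r in 'SeDenyNetworkLogonRight','SeDenyInteractiveLogonRight') {
        if ($rights[$r] -notcontains (Get-AccountSid $acct)) { $findings += "$acct is not in $r" }
    }
}
# The MIM MA account must keep local logon or Sync service impersonation fails.
if ($rights['SeDenyInteractiveLogonRight'] -contains (Get-AccountSid 'MIM_MIMMA')) {
    $findings += 'MIM_MIMMA is denied local logon; Sync service impersonation will fail'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```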
