I thought I had published this earlier, but have been asked for this example a few times.
2018-08-27: Update. Use the ldapsearch query below to "refresh" the IMPS ADS endpoint if the Exchange tab or other ADS attribute tabs do not display the Exchange attributes. If the ADS permissions for the new service ID are not correct, there may be a refresh delay after they are updated.
ldapsearch -h `hostname` -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w Password01 -b "eTADSDirectoryName=<ADS_ENDPOINT_NAME_HERE>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s base "(objectClass=eTADSDirectory)" eTADSexchangeStores
This is a process designed to limit the access granted to an ADS service account (proxy ID) used for managing Active Directory users and Exchange mailboxes, and to avoid placing that account in the AD group "Domain Admin" for the CA Identity Suite/Identity Manager or Identity Governance solutions. This process may also be used for other solutions.
This process leverages the Microsoft ADUC (Active Directory Users & Computers) tool to create a new AD group, then uses the included "Delegation of Control Wizard" to grant that group the required rights.
I have also included validation steps & how to confirm the new delegated service account has the proper access.
- See attachment for details.
Summary of screens/process:
Example of the "Delegation of Control Wizard"
If the Proxy ID / Service ID does NOT have enough access, this service ID will NOT be able to view Exchange Servers within the Active Directory domain.
Example: IMPS GUI of the Active Directory Endpoints' Exchange General Tab (with missing access/permission)
Add READ access/permission to the Active Directory Domain Folder where Microsoft Exchange is located.
After update, the new Proxy ID/Service ID will now have access to view Exchange Servers in the Active Directory Domain.
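The same delegation and validation, scripted in PowerShell as an added example (this is not from the original post or from CA). It assumes the RSAT ActiveDirectory module; the group and account names are assumed, and the container DN is a placeholder for the folder you pointed the Delegation of Control Wizard at.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module. Group and account names are assumed; the container DN is a placeholder
# for the folder the Delegation of Control Wizard was run against.
Import-Module ActiveDirectory

$GroupName      = 'IMPS-AD-Delegates'                               # assumed
$ServiceAccount = 'svc_imps_ad'                                     # assumed proxy / service ID
$ContainerDN    = 'CN=<EXCHANGE_CONTAINER_HERE>,DC=example,DC=com'  # placeholder
$GenericRead    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# 1. The delegated rights go on a group; the proxy ID is only a member of it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Delegated AD/Exchange rights for the IMPS ADS endpoint'
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceAccount

# 2. Grant the group Read on the container (the wizard's "Read" permission).
$principal = [System.Security.Principal.NTAccount]"$((Get-ADDomain).NetBIOSName)\$GroupName"
$aceArgs = @(
    $principal,
    $GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs
$acl = Get-Acl -Path "AD:\$ContainerDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl

# 3. Validate: the group must hold an Allow ACE covering every GenericRead bit.
function Test-DelegatedRead {
    param([string]$Dn, [System.Security.Principal.NTAccount]$Who)
    $rules = (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Who.Value }
    $rules | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize | Out-Host
    $ok = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead) }
    return [bool]$ok
}
if (-not (Test-DelegatedRead -Dn $ContainerDN -Who $principal)) {
    Write-Warning "$GroupName has no Read ACE on $ContainerDN; the IMPS Exchange tab will stay empty"
}

# 4. The point of the exercise: confirm the proxy ID is not a Domain Admin.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($da -contains $ServiceAccount) { Write-Warning "$ServiceAccount is still a member of Domain Admins" }
```

After the ACL change, run the ldapsearch from the update note above so the IMPS endpoint re-reads eTADSexchangeStores rather than waiting for its own refresh.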