By default, the application has been tested and is known to work with Domain Admin permissions.
In cases where granting such permissions is not allowed owing to company security restrictions, the following procedure has been used.
This procedure would need to be understood and executed by a confident Active Directory administrator.
First, we grant the CloudLink service account permission to view the objects to be synced.
1. Open Active Directory Users and Computers.
2. Create a domain user account.
3. Right-click the domain object, and then select Delegate Control.
4. In the Delegation of Control Wizard, click Next, and then click Add.
5. In the Select Users, Computers, or Groups dialog box, enter the required account name, click OK, and then click Next.
6. In the Tasks to Delegate page, in Delegate the following common tasks, check the following tasks, and then click Next:
   a. Read all user information
   b. Read all inetOrgPerson information
7. Click Finish.
We are then required to grant access to the Deleted Objects container so that CloudLink can see the users that should be disabled when deleted.
As a Domain Administrator, complete the following.
Open a command prompt and enter the two commands below.
The first takes ownership of the container and shows you what is currently permissioned:
    dsacls "CN=Deleted Objects,DC=cloudshare001,DC=local" /takeownership
The second adds in your account (LCRP = List Contents and Read Property):
    dsacls "CN=Deleted Objects,DC=cloudshare001,DC=local" /g cloudshare001\CloudlinkN:LCRP
For more information on adding an account to view the deletion container please review https://support.microsoft.com/kb/892806
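To confirm the result of the procedure above, the following PowerShell check can be run; it is an added example, not part of the original procedure or of the CloudLink product. It assumes the ActiveDirectory (RSAT) module is installed, reuses the domain and account names from the commands above, and the list of privileged groups is an assumption to adjust.

```powershell
# Added example: verify the least-privilege setup described above.
# Assumes the ActiveDirectory (RSAT) module; run from an elevated
# PowerShell session as a Domain Administrator.
Import-Module ActiveDirectory

$netbios   = 'cloudshare001'      # domain name used on this page
$account   = 'CloudlinkN'         # service account used on this page
$deletedDn = 'CN=Deleted Objects,DC=cloudshare001,DC=local'

# 1. The account should not hold the broad rights this procedure replaces.
#    The group list is an assumption; extend it for your environment.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$groups = Get-ADPrincipalGroupMembership -Identity $account |
    Select-Object -ExpandProperty Name
$excess = @($groups | Where-Object { $privileged -contains $_ })
if ($excess.Count -gt 0) {
    Write-Warning "$account is still a member of: $($excess -join ', ')"
}

# 2. Display the ACL on the Deleted Objects container and pick out the
#    lines naming the service account (dsacls with no switch only displays).
$aclText  = & dsacls.exe $deletedDn
$aceLines = @($aclText | Select-String -SimpleMatch "$netbios\$account")
if ($aceLines.Count -eq 0) {
    Write-Warning "No ACE for $netbios\$account on $deletedDn"
} else {
    $aceLines | ForEach-Object { $_.Line.Trim() }
}

# 3. Bind as the service account and confirm it can list deleted users,
#    which is what the LCRP grant is for. Note that objectClass "user"
#    also matches deleted computer accounts.
$cred = Get-Credential -UserName "$netbios\$account" -Message 'Service account password'
$deleted = @(Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -SearchBase $deletedDn -Credential $cred `
    -Properties whenChanged, lastKnownParent)
"{0} deleted user object(s) visible to {1}" -f $deleted.Count, $account
$deleted | Select-Object Name, whenChanged, lastKnownParent | Format-Table -AutoSize
```

A warning from step 1 or step 2, or an access error from step 3, means the delegation does not match the procedure and should be reviewed before the service account is put into use.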