In a test environment, use the Administrator account until you get the Active Directory driver working. Then create a dedicated administrative account that holds exactly the rights the driver needs (and no more), and configure the Active Directory driver to use that account exclusively when it authenticates to Active Directory.
Doing this keeps the Identity Manager administrative account insulated from changes to other administrative accounts. Advantages to this design are:
You can use Active Directory auditing to track the activity of the Active Directory driver.
You can implement a password change policy as with other accounts, then make necessary updates to the driver configuration.
The account name and password are stored in the driver configuration, so you must update the driver configuration whenever the account password changes. If you change the account password without updating the driver configuration, authentication fails the next time the driver is restarted.
At a minimum, this account must have Read and Replicating Directory Changes rights at the root of the domain for the Publisher channel to operate. You also need Write rights to any object modified by the Subscriber channel. Write rights can be restricted to the containers and attributes that are written by the Subscriber channel.
NOTE: To avoid confusion, note that ‘Replicate Directory Changes’ in Windows Server 2003 is the same right as ‘Replicating Directory Changes’ in Windows Server 2008.
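The following PowerShell script is an added example of setting up the driver account with the minimum rights described above; it is not part of the Identity Manager documentation or the driver itself. The account name (svc-idm-addriver), the OU names, and the attribute list are assumptions, and the script expects to run on a domain-joined host with the ActiveDirectory module and sufficient rights to modify ACLs. It grants Read and Replicating Directory Changes at the domain root for the Publisher channel, and limits the Subscriber channel's write access to one OU, to user objects, and to a fixed set of attributes.

```powershell
# Added example (not from the Identity Manager documentation): create a dedicated
# service account for the Active Directory driver and grant only the rights the
# text above calls for. Account, OU and attribute names below are assumptions.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=com
$svcName    = 'svc-idm-addriver'                        # assumed account name
$svcOU      = "OU=Service Accounts,$domainDN"           # assumed; must already exist
$targetOU   = "OU=Managed Users,$domainDN"              # assumed: the only container the Subscriber writes to
$writeAttrs = 'givenName','sn','displayName','mail','telephoneNumber','userAccountControl'

# 1. Create the account. The driver configuration will store these credentials,
#    so leave the password subject to the normal expiry policy and plan the update.
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $false
$svc = Get-ADUser $svcName
$sid = [System.Security.Principal.SecurityIdentifier]$svc.SID

# Resolve GUIDs from the schema and the Extended-Rights container instead of hard-coding them.
$rootDSE = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDSE.SchemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.ConfigurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$displayName))" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}

# 2. Publisher channel: Read plus 'Replicating Directory Changes' at the domain root.
#    ('Replicating Directory Changes' is the DS-Replication-Get-Changes control access right.)
$rootAcl = Get-Acl -Path "AD:\$domainDN"
$rootAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
$rootAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    (Get-ExtendedRightGuid 'Replicating Directory Changes'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
Set-Acl -Path "AD:\$domainDN" -AclObject $rootAcl

# 3. Subscriber channel: write rights limited to one OU, to user objects, and to the listed attributes.
$userClass = Get-SchemaGuid 'user'
$ouAcl = Get-Acl -Path "AD:\$targetOU"
# Create and delete user objects in the OU and its sub-OUs.
$ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
           [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
# Write only the listed attributes, and only on user objects below the OU.
foreach ($attr in $writeAttrs) {
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)))
}
Set-Acl -Path "AD:\$targetOU" -AclObject $ouAcl

# 4. Check: the account should hold no broad group membership and only the ACEs added above.
Get-ADPrincipalGroupMembership $svcName | Select-Object -ExpandProperty Name
(Get-Acl "AD:\$domainDN").Access | Where-Object { $_.IdentityReference.Value -like "*\$svcName" }
```

If the Subscriber channel also sets or resets passwords, add the ‘Reset Password’ control access right on the same OU in the same way (look it up by display name with Get-ExtendedRightGuid); do not reach for Domain Admins membership to cover it. Because the account is separate from any human administrator's account, Active Directory auditing on these ACEs shows exactly what the driver did.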
To provision Exchange mailboxes, the account the Identity Manager driver logs on with must also hold the “Act as part of the Operating System” user right.