What permissions does the DRA service account require to administer a managed domain? (NETIQKB10609)

  • 7710609
  • 02-Feb-2007
  • 09-Feb-2011

Environment

Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x

Situation

What is the purpose of the DRA Service Account?

What permissions does the Directory and Resource Administrator service account require to administer a managed domain?

What is the DRA Service Account?

Does the DRA service account need to be a Domain Admin?

What is the significance of the DRA Service Account?

What is the impact of changing the DRA Service Account password?

What is the impact of changing the DRA Service Account?

Resolution

The Directory and Resource Administrator (DRA) Service Account is the account in Active Directory that the Administration server uses to log on to Windows domains. The flexibility of DRA allows you to specify a different service account for the Administration server to use for each managed domain. Therefore, you can use the DRA Service Account to manage the objects in the domain of the Administration server and a different service account (called an Override account) to manage objects in different managed domains, on a member server, or on a workstation.

The DRA service account requires the following permissions:

  • Make the DRA service account a member of the Domain Admins group in the Administration server domain.
  • Make the DRA service account a member of the Users group in all trusted domains.
  • Make the DRA service account a member of the Account Operators group and make it an Exchange Full Administrator (if managing Exchange organizations).
  • If you plan to manage multiple domains with the DRA service account instead of using Override accounts, make the DRA service account a member of the local Administrators group for each managed domain.
  • Make the DRA service account and all Override accounts members of the ADAM group you create to manage ADAM instances (For DRA 8.1 and later).
  • After the installation of NetIQ Reporting Center (DRA 8.5 and later), if the DRA Service Account is used in the DRA Collectors, the account also needs a SQL Login as well as DBOwner rights on the NetIQ Reporting Center databases.
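The list above is a set of group memberships that an administrator can verify rather than assume. The following PowerShell script is an added example, not part of the NetIQ KB article or DRA itself: it reads the DRA service account's direct group memberships in the Administration server domain with the ActiveDirectory module, reports which required memberships are present or missing, flags any memberships beyond the required set for review, and shows the password-related attributes that a domain password policy could act on. The account name, domain name and the Exchange flag are placeholders to be replaced with your own values.

```powershell
# Added example (not from the NetIQ KB article): audit the DRA service account's
# group memberships in the Administration server domain against the article's list.
Import-Module ActiveDirectory

$ServiceAccount  = 'DRA-SVC'           # placeholder: sAMAccountName of the DRA service account
$AdminDomain     = 'corp.example.com'  # placeholder: the Administration server domain
$ManagesExchange = $true               # placeholder: $false if no Exchange organization is managed

# Memberships the article requires in the Administration server domain.
$Required = @('Domain Admins')
if ($ManagesExchange) { $Required += 'Account Operators' }

# Read the account and its direct group memberships (the memberships the article's
# steps create directly; nested membership is not expanded here).
$user = Get-ADUser -Identity $ServiceAccount -Server $AdminDomain `
            -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired
$memberOf = Get-ADPrincipalGroupMembership -Identity $user -Server $AdminDomain |
            Select-Object -ExpandProperty Name

foreach ($group in $Required) {
    if ($memberOf -contains $group) {
        "OK      : $ServiceAccount is a member of '$group'"
    } else {
        "MISSING : $ServiceAccount is not a member of '$group'"
    }
}

# The account runs the Administration Service and is deployed as an agent to
# domain controllers, so any membership beyond the required set deserves review.
$extra = $memberOf | Where-Object { $_ -notin $Required -and $_ -ne 'Domain Users' }
if ($extra) {
    "REVIEW  : additional memberships -> $($extra -join ', ')"
}

# The article advises against routinely changing this password; show the
# attributes that tell you whether a password policy would force a change.
"INFO    : PasswordLastSet={0}  PasswordNeverExpires={1}  PasswordExpired={2}" -f `
    $user.PasswordLastSet, $user.PasswordNeverExpires, $user.PasswordExpired
```

Run the script from a machine with the Remote Server Administration Tools installed, as a user who can read the service account and its group objects. The Users group membership in trusted domains and the Administrators membership in each additionally managed domain are per-domain checks; point `$AdminDomain` at each of those domains and adjust `$Required` to the group the article names for that domain.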

The DRA Service Account is the account used for all read/write operations to Active Directory, the account used to authenticate to managed Exchange Organizations, the account the NetIQ Administration Service logs on (runs) as, and the account under which the DRA Agent is deployed to domain controllers in managed domains.  As such, it is highly recommended that the DRA Service Account not be changed once specified.  Likewise, the password for the DRA Service Account (or Override Account) should not be routinely changed.  Changing the credentials of the DRA Service Account, or changing the account itself, can cause any of the following in DRA:

  • Inability to connect to a DRA server using any console
  • Inability to log on as a DRA Administrator to the Delegation and Configuration console and see any node other than Account and Resource Management
  • Inability to log on as the DRA Service Account
  • Inability to collect Last Logon statistics
  • Inability to manage Exchange 5.5, 2000/2003 or 2007 Organizations
  • Inability to manage domain objects for Managed Domains
  • Inability to perform Account Cache refreshes
  • Inability to run DRA Reports
  • Inability to connect to the ADAM instance


If Secure Password Administrator (SPA) is also installed, the DRA Service Account is also the account used to make the actual write changes made in SPA.  Changing the credentials of the DRA Service Account, or changing the account itself, can cause any of the following in SPA:

  • Inability to update password resets
  • Inability to unlock accounts
  • Inability to access the SPA database in SQL

If File Security Administrator (FSA) is also enabled, the DRA Service Account is the account used for FSA as well.  It is the account under which all FSA Agents are deployed to file servers or workstations, and it is also the account used to make certain write changes within FSA.  Changing the credentials of the DRA Service Account, or changing the account itself, can cause any of the following in FSA:

  • Inability to connect to or manage systems where FSA Agents have previously been deployed (Servers and/or Workstations)
  • Inability to make changes to shares or share permissions
  • Inability to run FSA Reports

If the credentials for the DRA service account have been changed or need to be changed, please contact NetIQ Technical Support.

Additional Information

Formerly known as NETIQKB10609