Creating AD Service Account for RapidIdentity
  • 29 Jul 2025

📘 Creating an Active Directory (AD) Service Account for RapidIdentity

This article guides you through the process of creating a service account in Active Directory (AD) for use with RapidIdentity. This account is typically used by RapidIdentity Connect or other RapidIdentity components to read and write user data in your AD environment.

โš ๏ธ Important Permission Notes:

  • The service account must be granted the Replicating Directory Changes permission at the domain level to enable directory synchronization.

  • Membership in the Account Operators group is sufficient for most read/write operations (e.g., password resets for standard users, attribute updates).

  • If the account must manage Domain Admin-level users (e.g., reset passwords or modify attributes), it must be granted Domain Admin privileges.

🧾 Step-by-Step Instructions

Step 1: Open Active Directory Users and Computers

  1. Log in to a domain controller or a server/workstation with RSAT tools installed.

  2. Launch Active Directory Users and Computers (ADUC).

  3. Navigate to the desired Organizational Unit (OU) where you want to create the service account.

Step 2: Create a New User

  1. Right-click the OU and select New > User.

  2. Enter a First Name, Last Name, and User logon name (e.g., svc_ri).

  3. Click Next.

Step 3: Set the Password

  1. Assign a strong password for the service account.

  2. Uncheck "User must change password at next logon".

  3. Check "Password never expires".

  4. Click Next, then Finish.

Step 4: Assign Group Membership (Minimum Required)

  1. Right-click the newly created user and select Properties.

  2. Go to the Member Of tab.

  3. Click Add, then type Account Operators, and click Check Names.

  4. Click OK to confirm.

๐Ÿ” If you need to manage Domain Admin users, add the account to the Domain Admins group instead.

Step 5: Assign "Replicating Directory Changes" Permission

This permission allows the service account to read password hashes and track changes for synchronization. Because it grants replication-level read access to the directory, protect this account's credentials as carefully as a domain administrator's.

  1. Open Active Directory Users and Computers with Advanced Features enabled (View > Advanced Features).

  2. Right-click the domain node (e.g., yourdomain.local) and select Properties.

  3. Go to the Security tab, then click Add.

  4. Click Add > Select a Principal, then search for the service account.

  5. Choose the following:

    • Permissions: Check Replicating Directory Changes
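The same Steps 1 through 5 scripted with the ActiveDirectory PowerShell module (RSAT), followed by a check that only the intended right was granted. This is an added example, not the article's or RapidIdentity's own code; the OU path, display name and the `Test-ReplicationAce` helper are assumptions, and the GUIDs are the well-known identifiers of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights.

```powershell
# Added example (not from the original article). Run as a user allowed to create
# accounts in the OU and to modify the domain root's security descriptor.
Import-Module ActiveDirectory

$SamAccountName = 'svc_ri'                                        # logon name from Step 2
$OuPath         = 'OU=Service Accounts,DC=yourdomain,DC=local'    # placeholder OU (assumption)
$Domain         = Get-ADDomain
$DomainDn       = $Domain.DistinguishedName                       # e.g. DC=yourdomain,DC=local

# Steps 2-3: create the user; prompt for the password rather than hardcoding it.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"
New-ADUser -Name 'RapidIdentity Service' -GivenName 'RapidIdentity' -Surname 'Service' `
    -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$($Domain.DNSRoot)" `
    -Path $OuPath -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# Step 4: minimum group membership. Use 'Domain Admins' only if the account must
# manage Domain Admin-level users, as the article notes.
Add-ADGroupMember -Identity 'Account Operators' -Members $SamAccountName

# Step 5: grant "Replicating Directory Changes" (extended right
# DS-Replication-Get-Changes) on the domain root.
$GetChangesGuid    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$GetChangesAllGuid = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # the broader right, NOT granted here
$Sid = (Get-ADUser $SamAccountName).SID
$Acl = Get-Acl -Path "AD:\$DomainDn"
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GetChangesGuid)
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$DomainDn" -AclObject $Acl

# Check (assumed helper): confirm the intended ACE exists for this account and that
# the broader "Replicating Directory Changes All" right was not granted by mistake.
function Test-ReplicationAce {
    param([string]$Account, [string]$Dn)
    $sid   = (Get-ADUser $Account).SID
    $rules = (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    [pscustomobject]@{
        Account          = $Account
        HasGetChanges    = [bool]($rules | Where-Object { $_.ObjectType -eq $GetChangesGuid })
        HasGetChangesAll = [bool]($rules | Where-Object { $_.ObjectType -eq $GetChangesAllGuid })
    }
}
Test-ReplicationAce -Account $SamAccountName -Dn $DomainDn   # expect HasGetChanges True, HasGetChangesAll False
```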

Step 6: Save Credentials in Connect

As the final step, save the credentials inside the SharedGlobals.properties file as described below.

  1. Log in to the Portal, then select "Connect" from the main dropdown at the top.

  2. On the left, click "Files".

  3. Under Files, select the "SharedGlobals.properties" file, and click "Edit" at the bottom of the page.

  4. Add in the following highlighted variables (screenshot) into the Shared Globals for Active Directory.

  5. Click "Save" at the bottom of the page.
