Selecting an ADAM service account
Applies To: Windows Server 2003 R2
On the Service Account Selection page of the ADAM Setup Wizard, you must select a service account for use by the Active Directory Application Mode (ADAM) instance. The account that you select determines the security context in which the ADAM instance runs. Changing the service account after installation may require some additional configuration.
Note
The first ADAM instance in a configuration set determines the default replication authentication method.
Service account requirements
ADAM runs as a service, and it requires a service account. ADAM service account requirements depend on the Windows workgroup or domain environment into which you install ADAM, as well as the computer on which ADAM is running.
For ADAM instances that are joined to a configuration set, the service account is also used to authenticate against other ADAM instances in the configuration set for replication. The type of authentication that is used between replication partners is determined by the environment in which ADAM is running and by the service accounts in use. For more information, see Understanding ADAM replication and configuration sets.
The following table outlines ADAM service account requirements.
Security context | Service account for first ADAM instance | Service account for replica ADAM instances | Default replication authentication method**
---|---|---|---
Workgroup | Network Service | Replica ADAM instances not allowed | Not applicable
Workgroup | Workstation user | Workstation user | Negotiated pass-through*
Windows 2000 domain or forest -or- Windows Server 2003 domain or forest | Network Service -or- Domain user | Network Service -or- Domain user | Negotiated
Windows 2000 domain or forest -or- Windows Server 2003 domain or forest | Workstation user | Workstation user | Negotiated pass-through*
Windows 2000 domain or forest -or- Windows Server 2003 domain or forest | Domain user | Domain user -or- Network Service | Negotiated
Windows NT 4.0 domain | Workstation user | Workstation user | Negotiated pass-through*
Windows NT 4.0 domain | Domain user | Domain user | Negotiated
*When a workstation user account is used on the first ADAM instance in a configuration set, all subsequent ADAM instances in the same configuration set must use an identical local workstation account name and password as the ADAM service account.
**When the Network Service account is used as the ADAM service account, the replication authentication mode is set to Negotiated by default.
Notes
The Network Service account is a special, built-in account, with authority similar to that of an authenticated user account. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account.
To enable auditing for an ADAM instance running under a service account other than the Network Service account, you must grant the Generate security audits right to the account that is used as the ADAM service account.
To enable a workstation or domain user account as a service account, you must grant the Log on as a service right to the account that is used as the ADAM service account. For more information, see Add the Log on as a service right to an account.
The account that is used as the ADAM service account must be able to create, read, and modify files in the directory %ProgramFiles%\Microsoft ADAM\instancename\data.
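The three prerequisites in the notes above (the Log on as a service right, the Generate security audits right, and create/read/modify access to the instance's data directory) can be checked from the console of the ADAM computer. The following PowerShell script is an added example and is not part of the original documentation or the ADAM product; it assumes that the instance's Windows service is registered as ADAM_<instancename>, that the data directory sits at %ProgramFiles%\Microsoft ADAM\<instancename>\data as stated above, and that secedit writes user rights as a [Privilege Rights] section of the form SeServiceLogonRight = *S-1-5-..., which is the documented export format.

```powershell
# Added example, not from the ADAM documentation: audit the account an ADAM
# instance runs as and the prerequisites the notes describe.
# Assumptions: service name "ADAM_<instancename>" and data directory
# %ProgramFiles%\Microsoft ADAM\<instancename>\data.
param(
    [Parameter(Mandatory = $true)][string]$InstanceName
)

$serviceName = "ADAM_$InstanceName"
$dataDir     = Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName\data"

# 1. Which account does the service log on as? (Win32_Service.StartName)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service $serviceName not found on this computer." }
$account = $svc.StartName
# WMI reports local accounts as ".\name"; expand for SID translation.
if ($account -like '.\*') { $account = "$env:COMPUTERNAME\" + $account.Substring(2) }
Write-Host "Service account: $account"

# Network Service needs no extra user rights; workstation/domain users do.
$isNetworkService = $account -ieq 'NT AUTHORITY\NetworkService'

# 2. Resolve the account to a SID, because secedit lists holders as *SID.
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the local user-rights policy and parse [Privilege Rights].
$inf = Join-Path $env:TEMP 'adam-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Test-Right([string]$Privilege) {
    # Holders appear as *SID or as account names; accept either form.
    $holders = $rights[$Privilege]
    if (-not $holders) { return $false }
    return ($holders -contains "*$sid") -or ($holders -icontains $account)
}

if (-not $isNetworkService) {
    # "Log on as a service" is mandatory for a workstation or domain user account.
    $logon = Test-Right 'SeServiceLogonRight'
    Write-Host ("Log on as a service:      {0}" -f $(if ($logon) { 'granted' } else { 'MISSING' }))
    # "Generate security audits" is needed only when auditing is enabled for the instance.
    $audit = Test-Right 'SeAuditPrivilege'
    Write-Host ("Generate security audits: {0}" -f $(if ($audit) { 'granted' } else { 'not granted (auditing will not work)' }))
}

# 4. Data directory: the account must be able to create, read and modify files.
#    Modify covers all three; only ACEs granted directly to the account are checked.
$needed = [System.Security.AccessControl.FileSystemRights]::Modify
$acl = Get-Acl -Path $dataDir
$ok = $false
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IdentityReference.Value -ieq $account -and
        (($ace.FileSystemRights -band $needed) -eq $needed)) { $ok = $true }
}
Write-Host ("Modify access on {0}: {1}" -f $dataDir,
    $(if ($ok) { 'granted' } else { 'MISSING or granted only through group membership' }))
```

Run it from an elevated prompt on the ADAM computer as `.\Check-AdamServiceAccount.ps1 -InstanceName <instancename>` (the script file name is a placeholder). The directory check deliberately reports a miss when access is inherited only through a group, so that a grant to a broad group such as Users is reviewed rather than silently accepted; for a configuration set that uses a workstation user account, run the script on every replica and confirm the reported service account name is identical on each, as the footnote to the table requires.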
For more information, see Understanding ADAM architecture.