In the OpenIDM installation guide, “To Install OpenIDM as a Windows Service”, the following steps are described:
4. Change the user account for this service from the default (local system) account to an account with administrative privileges. The local system account has limited permissions and an OpenIDM service that runs with this account will encounter problems during synchronization.
4c. Select This Account and browse for an Active Directory administrative account.
Running a service under a Windows administrator account is bad practice. In most enterprises, a domain administrator account is the most privileged account there is, so running a service as a domain administrator (as step 4c implies) is dangerous.
Instead, a dedicated account can be given specific file system permissions, registry permissions, and user rights in the local security policy, such as the "Log on as a service" right. If privileges are required in Active Directory, these can easily be assigned using any of the "Delegate Control" wizards.
It is highly unlikely that OpenIDM requires user rights such as "Allow log on locally" or "Perform volume maintenance tasks", which administrative accounts have. Step 4c implies that the account must have domain admin privileges, yet it is unlikely that OpenIDM needs anything beyond the ability to read and modify certain user accounts in an Active Directory domain.
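As an added illustration of the least-privilege alternative described above (this is example code, not from the OpenIDM documentation or the original report), the following PowerShell script configures a service to run as a dedicated non-administrative domain account, granting it only Modify on the install directory and only the "Log on as a service" right. The service name, install path, domain and account name are assumed placeholders; run it in an elevated session.

```powershell
# Added example: run a Windows service as a dedicated least-privilege account
# instead of a domain administrator. Placeholders (not from the OpenIDM docs):
$ServiceName = 'OpenIDM'            # assumed service name
$InstallDir  = 'C:\openidm'         # assumed install directory
$Account     = 'CORP\svc-openidm'   # assumed dedicated, non-admin domain account
$Credential  = Get-Credential -UserName $Account -Message 'Service account password'

# 1. File system: Modify on the install directory only, inherited to children.
#    Nothing is granted elsewhere on the file system.
icacls $InstallDir /grant "$($Account):(OI)(CI)M" /T | Out-Null

# 2. User right: grant SeServiceLogonRight only. secedit is used because there
#    is no built-in cmdlet; existing holders of the right are preserved.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$current = (Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }) `
           -replace '^SeServiceLogonRight\s*=\s*', ''
$holders = @($current -split ',' | Where-Object { $_ }) 
if ($holders -notcontains "*$sid") { $holders += "*$sid" }
$apply = Join-Path $env:TEMP 'rights-apply.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($holders -join ',')
"@ | Set-Content -Path $apply -Encoding Unicode
secedit /configure /db "$env:TEMP\rights.sdb" /cfg $apply /areas USER_RIGHTS | Out-Null
Remove-Item $export, $apply, "$env:TEMP\rights.sdb" -ErrorAction SilentlyContinue

# 3. Service identity: sc.exe does not grant the logon right itself, hence step 2.
$plain = $Credential.GetNetworkCredential().Password
sc.exe config $ServiceName obj= $Account password= $plain | Out-Null

# 4. Verify the service no longer starts as LocalSystem or an admin account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service '$ServiceName' now starts as: $($svc.StartName)"
```

Any Active Directory rights the service genuinely needs (for example, read and write on specific user objects) would then be delegated to this account through the Delegate Control wizard rather than by group membership in Domain Admins.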
I recommend updating the documents to describe what file system/registry permissions are required, what user rights are required, and what Active Directory permissions are required (if any).
I am willing to assist in this if need be.