Change the Forefront Identity Manager 2010 R2 Synchronization Service Account

This procedure changes the service account that the Microsoft Forefront Identity Manager 2010 R2 Synchronization Service runs under. It also adds the new account to several Deny user rights in the local security policy so that the account cannot be used for local, network, batch, or Remote Desktop logon; this limits what an attacker who obtains the account's credentials can do with them. To complete this procedure, you must be logged on as a member of the FIMSyncAdmins security group.

To change the FIM service account on a stand-alone server

  1. Back up the encryption key set by running MIISkmu.exe. Setup asks for this key set again in step 11, so do not skip this step.

  2. Click Start, point to Administrative Tools, and then click Computer Management.

  3. Double-click Local Users and Groups, right-click Users, and then click New User.

  4. Type the user information and password.

  5. Clear the User must change password at next logon check box. For a service account, also select Password never expires, because the service cannot start once its password has expired. Then click Create.

  6. Click Start, point to Programs, click Administrative Tools, and then click Local Security Policy.

  7. Double-click Local Policies, and then click User Rights Assignment.

  8. Double-click Deny log on locally, and then click Add User or Group.

  9. In Enter the object names to select, type the name of the account created in steps 3 through 5, and then click OK.

  10. Repeat steps 8 and 9 to add the account to Deny access to this computer from the network, Deny log on as a batch job, and Deny log on through Terminal Services (named Deny log on through Remote Desktop Services on Windows Server 2008 R2 and later). If the server is domain-joined and a Group Policy object defines any of these rights, the GPO setting replaces the local setting at the next policy refresh, so add the account in that GPO as well.

  11. Run Setup from the FIM installation media in maintenance mode (Programs and Features, then Change) and change the Microsoft Forefront Identity Manager 2010 R2 service account credentials from the old account to the new one. During the setup process, you are prompted for the encryption key set that you backed up in step 1.

To change the FIM service account on a domain controller

  1. Back up the encryption key set by running MIISkmu.exe. Setup asks for this key set again in step 12, so do not skip this step.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Under the root domain, right-click Users, point to New, and then click User.

  4. Type the user information, and then click Next.

  5. Type the password, and then click Next.

  6. Click Finish.

  7. Click Start, point to Programs, click Administrative Tools, and then click Local Security Policy.

  8. Double-click Local Policies, and then click User Rights Assignment.

  9. Double-click Deny access to this computer from the network, and then click Add User or Group.

  10. In Enter the object names to select, type the name of the account created in steps 3 through 6, and then click OK.

  11. Repeat steps 9 and 10 to add the account to Deny log on as a batch job and Deny log on through Terminal Services (named Deny log on through Remote Desktop Services on Windows Server 2008 R2 and later). On a domain controller, user rights are usually defined in the Default Domain Controllers Policy; if that GPO (or any other GPO that applies to the domain controller) defines one of these rights, its setting replaces the local setting at the next policy refresh, so add the account there as well.

  12. Run Setup from the FIM installation media in maintenance mode (Programs and Features, then Change) and change the Microsoft Forefront Identity Manager 2010 R2 service account credentials from the old account to the new one. During the setup process, you are prompted for the encryption key set that you backed up in step 1.
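The account-creation and user-rights steps of both procedures above (steps 2 through 10 on a stand-alone server, steps 2 through 11 on a domain controller) can be scripted and, more usefully, verified. The following PowerShell is an added example written for this page; it is not part of the original article or of the FIM product. It assumes an elevated PowerShell session on the FIM Synchronization Service server, uses the hypothetical account name svc-fimsync, creates a local account through ADSI (so it also works on Windows Server 2008 R2) or a domain account through the ActiveDirectory module, and applies the Deny rights with secedit, which is the command-line equivalent of editing User Rights Assignment in Local Security Policy. The key backup (MIISkmu.exe) and the Setup maintenance-mode run remain manual steps.

```powershell
# Added example, not from the original article. Run elevated on the FIM sync server.
# -Scope Local follows the stand-alone procedure (four Deny rights);
# -Scope Domain follows the domain controller procedure (three Deny rights).
param(
    [ValidateSet('Local', 'Domain')] [string] $Scope = 'Local',
    [string] $AccountName = 'svc-fimsync'          # hypothetical name
)

# Step 1 (back up the encryption key set with MIISkmu.exe) is not scripted here;
# do it first, exactly as the procedure says.

# Steps 2-6: create the account. Prompting keeps the password out of the
# script file and the command history.
$secure = Read-Host -AsSecureString "Password for $AccountName"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

if ($Scope -eq 'Local') {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('user', $AccountName)
    $user.SetPassword($plain)
    $user.SetInfo()
    # ADS_UF_PASSWD_CANT_CHANGE (0x40) and ADS_UF_DONT_EXPIRE_PASSWD (0x10000):
    # a service account must not be forced to change or lose its password.
    $user.Put('UserFlags', ($user.UserFlags.Value -bor 0x40 -bor 0x10000))
    $user.Put('Description', 'FIM 2010 R2 Synchronization Service account')
    $user.SetInfo()
    $principal = "$env:COMPUTERNAME\$AccountName"
} else {
    Import-Module ActiveDirectory                    # RSAT AD module assumed
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'FIM 2010 R2 Synchronization Service account'
    $principal = "$env:USERDOMAIN\$AccountName"
}
$plain = $null

# Steps 7-11: deny interactive-style logons. secedit identifies accounts by SID.
$sid = (New-Object System.Security.Principal.NTAccount($principal)).
       Translate([System.Security.Principal.SecurityIdentifier]).Value

$rights = @('SeDenyNetworkLogonRight',             # Deny access to this computer from the network
            'SeDenyBatchLogonRight',               # Deny log on as a batch job
            'SeDenyRemoteInteractiveLogonRight')   # Deny log on through Terminal Services / RDS
if ($Scope -eq 'Local') { $rights += 'SeDenyInteractiveLogonRight' }   # Deny log on locally

$work = Join-Path $env:TEMP 'fim-user-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exportCfg = Join-Path $work 'current.inf'
$importCfg = Join-Path $work 'deny.inf'
$db        = Join-Path $work 'deny.sdb'

# Export first: a right listed in the import template replaces the existing
# list wholesale, so existing deny entries must be carried over.
secedit /export /cfg $exportCfg /areas USER_RIGHTS | Out-Null
$current = Get-Content $exportCfg

$template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
              'Revision=1', '[Privilege Rights]')
foreach ($r in $rights) {
    $existing = ($current | Where-Object { $_ -match "^$r\s*=" }) -replace "^$r\s*=\s*", ''
    $members = @()
    if ($existing) { $members = $existing -split ',' | ForEach-Object { $_.Trim() } }
    if ($members -notcontains "*$sid") { $members += "*$sid" }
    $template += "$r = " + ($members -join ',')
}
Set-Content -Path $importCfg -Value $template -Encoding Unicode
secedit /configure /db $db /cfg $importCfg /areas USER_RIGHTS | Out-Null

# Verification: re-export and confirm the SID now appears in every Deny right.
# On a domain-joined server or a DC, a GPO that defines one of these rights
# will overwrite the local value at the next refresh; re-run this check after
# "gpupdate /force" to see the effective setting.
secedit /export /cfg $exportCfg /areas USER_RIGHTS | Out-Null
$after = Get-Content $exportCfg
foreach ($r in $rights) {
    $ok = @($after | Where-Object { $_ -match "^$r\s*=.*\*$sid" }).Count -gt 0
    '{0,-36} {1}' -f $r, $(if ($ok) { 'denied (ok)' } else { 'MISSING - check Group Policy' })
}

# Step 11/12 (Setup in maintenance mode, supplying the new credentials and the
# key set from step 1) remains a manual step.
```

The export-merge-import pattern matters: a secedit template that lists SeDenyNetworkLogonRight with only the new SID would silently drop every account already denied network logon on that server. The final loop is the check to keep around; if it reports MISSING after a policy refresh, the Deny right is being defined by a GPO and the account must be added there rather than in Local Security Policy.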

Important

To prevent attacks against the registry and system files by malicious users, it is strongly recommended that you do not add the Microsoft Forefront Identity Manager 2010 R2 service account to the local Administrators group. Setup grants the account the rights the service needs; it does not need administrative rights on the server.

Note

No additional lock-down procedures are needed to secure the Microsoft Forefront Identity Manager 2010 R2 service account in a domain. By default, ordinary domain user accounts cannot log on locally to a domain controller, which is why the domain controller procedure does not add the account to Deny log on locally.

See Also

Concepts

MIISkmu: Encryption Key Management Tool
Forefront Identity Manager 2010 R2 Best Practices for Security
Using Security Groups