I have given the AD Driver admin account all the rights mentioned in
IDM AD Driver Documentation


At a minimum, this account must have Read and Replicating Directory
Changes rights at the root of the domain for the publisher channel to
operate. You will also need Write rights to any object modified by the
subscriber channel. Write rights can be restricted to the containers
and attributes that are written by the subscriber channel.

When I tried to sync eDirectory and IDM, I got this in the trace:

<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50"
<server-err>00000005: SecErr: DSID-03151E04, problem 4003

I also found TID 10093579, which says:

In a Windows 2000 Active Directory Domain, rights can be assigned to
the service account as detailed out in the IDM documentation. However,
if you have implemented a Windows 2003 Active Directory Domain then the
service account being used MUST be a member of the Domain Admins group.

I am using Windows 2003 AD.

Which one should I follow? If it is the TID, do I need to make the AD
driver admin account a member of the Domain Admins group?

Please advise.

Thanks in advance.
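A practical way to answer the "which rights does the account actually hold" question before widening anything is to audit the domain-root ACL and the Domain Admins membership of the service account directly. The script below is an added example; it is not from the original post, from the IDM driver documentation, or from the TID. It assumes the ActiveDirectory PowerShell module is available (on a 2003-era forest that means a 2008 R2 or later DC, or the AD Management Gateway Service on a 2003 DC), a service account named svc-idm, and the domain DN returned by Get-ADDomain; all of those are assumptions to adjust. The two extended-right GUIDs are the well-known schema values for the replication control-access rights.

```powershell
# Added example (not from the original post or the IDM driver docs): audit what the
# AD driver service account holds at the domain root, which is where the publisher
# channel needs "Read" and "Replicating Directory Changes", and whether it has been
# put in Domain Admins. Assumes the ActiveDirectory module and an account 'svc-idm'.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs (schema constants, not environment specific).
# Only the first is needed by the publisher channel; the second ("...Changes All")
# additionally permits replication of secrets (password hashes) and should NOT be
# granted to a sync account.
$DsReplGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$DsReplGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All

function Get-IdmDriverAccountRights {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,          # e.g. 'svc-idm' (assumed name)
        [string]$DomainDN = (Get-ADDomain).DistinguishedName     # domain root, e.g. DC=example,DC=com
    )
    $user = Get-ADUser -Identity $SamAccountName
    $nt   = "$((Get-ADDomain).NetBIOSName)\$SamAccountName"    # NTAccount form used in the ACL view
    $acl  = Get-Acl -Path "AD:\$DomainDN"

    # ACEs granted directly to this account (rights inherited via group
    # membership would need a token walk; this is the direct view).
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $nt })

    $getChanges    = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $DsReplGetChanges })
    $getChangesAll = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $DsReplGetChangesAll })

    # Recursive membership catches nesting through intermediate groups.
    $da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object { $_.SID -eq $user.SID })

    [pscustomobject]@{
        Account                        = $nt
        ReplicatingDirectoryChanges    = ($getChanges.Count -gt 0)      # required for the publisher channel
        ReplicatingDirectoryChangesAll = ($getChangesAll.Count -gt 0)   # should be $false
        DirectAcesAtDomainRoot         = $aces.Count
        MemberOfDomainAdmins           = ($da.Count -gt 0)              # should be $false
    }
}

function Grant-ReplicatingDirectoryChanges {
    # Grants only the non-secret replication right at the domain root.
    # Equivalent one-liner where the AD module is unavailable (assumed names):
    #   dsacls "DC=example,DC=com" /G "EXAMPLE\svc-idm:CA;Replicating Directory Changes"
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $DsReplGetChanges)                                # objectType = the extended right's GUID
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DomainDN" -AclObject $acl
}

# Usage: audit first, then grant only what is missing.
Get-IdmDriverAccountRights -SamAccountName 'svc-idm' | Format-List
# Grant-ReplicatingDirectoryChanges -SamAccountName 'svc-idm'
```

The output you want to see for a least-privilege driver account is ReplicatingDirectoryChanges $true, ReplicatingDirectoryChangesAll $false and MemberOfDomainAdmins $false; Write rights for the subscriber channel are then scoped to the specific containers and attributes it touches rather than the domain root. Putting the account in Domain Admins, as the TID suggests for 2003, grants far more than the driver uses, so it is worth confirming with the audit above exactly which ACE is missing when the LDAP_INSUFFICIENT_RIGHTS error appears before resorting to that.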

