I will be doing a one (primary) to many one-way outbound sync into over 60 target forests. I am syncing standard user "System Engineer" accounts from the primary into the target forests where they are added to a group "DomAmins-ETG" which is a member of the built-in Domain Admins group.
My ADMA Target service account was created based upon the FIM step-by-step docs. Standard user granted replication rights at the forest level and granted read/write etc. rights at the "Managed" OU level, expecting inheritance.
I ran into my first issue with Protect Groups yesterday. I lost the ability to manage the target group membership after AD ran its Protect Group scan and disabled inheritance on the group and set adminCount to 1. I resolved this issue by manually granting the ADMA service accounts explicit rights on the group.
I just performed troubleshooting on Password Sync and it is failing, as each FIM-created user that became a member of the security group is now part of a protected group.
How can FIM manage protected groups & users?
Is my only choice to make the ADMA service account a Domain Admin rather than standard user?
-Stu
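The condition described in the post (adminCount set to 1 and inheritance disabled on objects under the "Managed" OU) can be enumerated from a target forest with the check below. This is an added example, not code from the original post; the OU path `OU=Managed,DC=corp,DC=example`, the domain controller name and the service account `CORP\svc-adma` are placeholders.

```powershell
# Added example: list objects under the synced OU that have been stamped by the
# AdminSDHolder process (adminCount=1 and inheritance disabled on the ACL), and
# report whether a given service account still holds an explicit (non-inherited)
# ACE on each of them. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-ProtectedSyncObject {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Managed,DC=corp,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$ServiceAccount, # e.g. 'CORP\svc-adma' (placeholder)
        [string]$Server                               # optional DC of the target forest
    )
    $query = @{
        SearchBase = $SearchBase
        LDAPFilter = '(adminCount=1)'                 # objects SDProp has already touched
        Properties = 'adminCount', 'nTSecurityDescriptor', 'objectClass'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADObject @query | ForEach-Object {
        # nTSecurityDescriptor is returned as a System.DirectoryServices.ActiveDirectorySecurity
        $acl = $_.nTSecurityDescriptor
        $explicit = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $ServiceAccount
        })
        [pscustomobject]@{
            DistinguishedName   = $_.DistinguishedName
            ObjectClass         = $_.ObjectClass
            AdminCount          = $_.adminCount
            InheritanceDisabled = $acl.AreAccessRulesProtected   # $true once SDProp has applied AdminSDHolder
            HasExplicitSvcAce   = $explicit.Count -gt 0           # explicit grant still present on the object?
        }
    }
}

# Usage (placeholder values): show every protected object the service account can no longer
# reach through inherited OU permissions.
Get-ProtectedSyncObject -SearchBase 'OU=Managed,DC=corp,DC=example' -ServiceAccount 'CORP\svc-adma' |
    Where-Object { $_.InheritanceDisabled -and -not $_.HasExplicitSvcAce } |
    Format-Table -AutoSize
```

Note that SDProp reapplies the AdminSDHolder ACL to protected objects on a schedule (every 60 minutes by default), so an explicit ACE added directly to a protected group or user is stripped again on the next run; rerunning this check after that interval shows whether a manual grant survived.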