M100720: Minimum Active Directory Rights required to merge policy on an administration server


This article describes the minimum rights required by ManageSoft to an Active Directory domain in order to successfully merge policy from a ManageSoft administration server. 

The polmerge.exe executable on ManageSoft administration servers is used to merge policy for computers and users in a set of Active Directory domains and populate the calculated Resultant Set of Policy (RSoP) information in to the ManageSoft database. In order to successfully merge policy for a domain, the account used to execute polmerge.exe must have some minimum rights to read information from the domain being merged.

Policy merging only requires read access to the domain being merged; write access is not required. Write access isrequired in order to edit policy in a domain; see ManageSoft Knowledge Base article M100718 (Delegating policy editing rights in ManageSoft) for details on rights required to edit policy.

Rights required

The account used to execute polmerge.exe must have read access to the following objects in each domain that is merged:

  • The full contents of all policies (under CN=Policies,CN=System) that contain any ManageSoft packages.
  • The CN=System container.
  • All users and computers which are to be managed using ManageSoft.
  • All security groups which are used to:
    • Filter policies and packages.
    • Restrict and control access to ManageSoft administration functions.
  • Organizational units and other container objects containing any user, computer, group or other container object that is readable.
  • Objects under the CN=Extended-Rights container (only required if using ManageSoft 7.2 or earlier).

In addition, rights are required to access the root domain of the forest containing the domain being merged and read the following objects:

  • All groups which are used to filter policies and packages in the domain being merged.

The -x command line option to polmerge.exe can be used with ManageSoft 7.6.5 and later versions to restrict the policy merging process so that it does not require access to the root domain if it is known that the root domain contains no security groups that are used to filter policies and packages. 


Access is not required to:

  • Users and computers which are not being managed using ManageSoft.
  • Groups which are not used in filtering of policies or individual packages in policies, or for restricting and controlling access to ManageSoft administration functions.
  • Organizational units and containers which contain no users, computers, groups or other container objects which are readable by the account used to perform the policy merge.


If read access is not available to any required object in the domain, the policy merging process may either:

  • Terminate with an error. For example, an error will be reported if a computer object is readable but the organizational unit containing the object is not readable.
  • Terminate successfully but leave an unexpected result recorded in the ManageSoft database. For example, this could occur if a computer account that is being managed using ManageSoft was not readable; in that case, the computer would be deleted from the ManageSoft database by the policy merging process.

Related Document


Powered by Zendesk