I'm developing a Windows Service in C# which performs various synchronizations between an HR system and Active Directory. A requirement is to edit some attributes whenever they change in HR (mobile number, last name, etc.). The service runs under a **managed** service account and relies upon System.DirectoryServices. Everything works fine as long as the service account is a member of the Domain Administrators group. When I try to tighten and restrict rights, I always stumble upon an Access Denied error, no matter the individual access rights I set on the service account.
To define the service account's specific rights I go to the "Active Directory Administration Center" on the Domain Controller and edit Special Permissions for the root OU and its descendants. I tried first with individual attribute read and write properties, then tried with Full Control on all objects, but still with no luck. ADUC does not allow me to select a *managed* service account in the delegation wizard: only standard service accounts can be used. When I look at the "Effective Rights" tab in the administration center it actually reflects my changes, but no matter which privilege is set I always get an Access Denied when the code attempts to modify attributes. Including the service account in the Domain Administrators group fixes the issue, but I'd prefer staying on a reduced set of privileges.
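As an added example (not code from the original post), the following C# check reads the security descriptor of one target user object and lists the ACEs that name the service account, so the delegation can be verified on the object where the write fails rather than only on the OU where it was set. The LDAP path and account name are placeholders; the account is assumed to be a group managed service account, so its name ends in `$`.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added diagnostic: which ACEs on one user object apply to the service account?
// Run it under an account that can read the object's security descriptor.
class AceCheck
{
    static void Main()
    {
        const string targetPath = "LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com"; // placeholder
        const string serviceAccount = @"EXAMPLE\svc-hrsync$";                       // placeholder gMSA

        // Compare by SID so stale or unresolvable trustees in the ACL do not abort the scan.
        var wantedSid = (SecurityIdentifier)new NTAccount(serviceAccount)
            .Translate(typeof(SecurityIdentifier));

        using (var entry = new DirectoryEntry(targetPath))
        {
            ActiveDirectorySecurity sd = entry.ObjectSecurity;
            AuthorizationRuleCollection rules =
                sd.GetAccessRules(true, true, typeof(SecurityIdentifier));

            int matches = 0;
            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                if (!rule.IdentityReference.Equals(wantedSid))
                    continue;
                matches++;

                // ObjectType == Guid.Empty means the ACE covers every attribute;
                // otherwise it is the schema GUID of a single attribute or property set.
                Console.WriteLine(
                    "{0,-5} {1,-35} objectType={2} inherited={3} inheritance={4}",
                    rule.AccessControlType,
                    rule.ActiveDirectoryRights,
                    rule.ObjectType == Guid.Empty ? "(all)" : rule.ObjectType.ToString(),
                    rule.IsInherited,
                    rule.InheritanceType);
            }

            if (matches == 0)
                Console.WriteLine("No ACE on this object names the service account.");
        }
    }
}
```

An ACE that shows up on the OU but not here, or one whose `objectType` is a GUID other than the attribute being written, explains an Access Denied despite the delegation appearing correct in the administration center.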