Microsoft® Forefront Identity Manager (FIM) 2010 creates three groups during installation that control which tasks in Synchronization Service Manager that users can perform. The following groups are created by FIM:


During installation and setup, FIM adds the user account that is running the installation to the FIMSyncAdmins group, but only if the FIMSyncAdmins group is also created during setup. If you specify a preexisting group during setup, the user account that is running the installation will not be added to the preexisting group.

FIM also creates two security groups during installation that do not have access to Synchronization Service Manager but are used for authentication during password management operations:

The following table lists the permissions granted during the default FIM installation.

  • Special permission is defined as all permissions, with the following exceptions:
    • Full Control

    • Change permission

    • Take Ownership


The default location of INSTALLDIR is Program Files\Microsoft Forefront Identity Server\2010\Synchronization Service

Folder Assigned Permissions


(Inherited from Program Files)

Administrators – Full Control

SYSTEM – Full Control

Creator Owner – Special

TrustedInstaller – Special

Users – Read & Execute






Inherit from parent.





Does not inherit from parent.

Permissions removed:

  • Users – Read & Execute

Permissions assigned:

  • FIMSyncServiceSvc – Special

  • FIMSyncAdmins – Special


Inherit from parent.

Program Files\Common Files\Microsoft Shared\Forefront Identity Manager

Inherit from parent.


Does not inherit from parent.

Permissions assigned:

  • FIMSyncServiceSvc – Special


The local computer administrator account also has full rights to all FIM folders.

Local computer groups and domain local groups

By default, FIM setup creates these groups as local computer groups, rather than domain local groups. Local computer groups are known only to that server, whereas domain local groups can be recognized throughout the domain. There might be cases where you need to use domain local groups for these roles. For example, the following situations demonstrate why you might need to use domain local groups:

  • If you plan to have two servers running FIM share a database for the purposes of redundancy, it is recommended that the same users be members of the security groups that you create, and that they be recognized as such by FIM. You can accomplish this by using domain local groups.

  • If FIM management is distributed across the organization, using domain local groups enables you to grant access to the appropriate people within your organization.

  • If the FIM configuration needs to be moved from one server to another, using domain local groups enables you manage access from a single location.

  • If your log files from other systems are located on other servers or in folders that are not accessible to FIM, you can use domain local groups to control access to these folders and remote servers.

  • If you are enabling password synchronization on FIM, you must use a domain account for the FIM Synchronization Service service account.


If you plan to use domain local groups, create the groups before installing FIM. For more information about creating domain local groups in Active Directory, see Windows Server® 2008 operating system Help.

[an error occurred while processing this directive]