EmpowerID uses highly privileged user accounts when connecting to user directories such as Active Directory, LDAP or database systems. These user "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc).

If you will be managing an Active Directory Domain, the proxy account must be able to access the deleted items container in AD. Access to the Deleted Items container requires Domain Admin access unless the container security is edited to allow non-domain admins to read it. Instructions for editing the security of the deleted items container can be found in the Microsoft Article, "How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server" which can be viewed in full at http://support.microsoft.com/kb/892806.

Active Directory Proxy Account Requirements