Just replying to say 'thanks' to Alexander and the list in general. This was exactly what I needed. The tech answers and signal:noise ratio in this list are pretty fantastic.

-Chris


Alexander Bokovoy
June 13, 2018 at 7:33 AM

What do you use this 'idmbind' account for?

If you are using it to establish trust to AD which is a one-time
operation, then by Microsoft's own requirements that account should be a
member of the Enterprise Admins group in the AD forest _or_ a member of
the Domain Admins group in the forest root domain of the AD forest.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-entadmins
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainadmins

See details at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)

----
To create a forest trust, the administrator creating the trust must be a
member of the Domain Admins group (in the forest root domain) or the
Enterprise Admins group in Active Directory. Each trust is assigned a
password that the administrators in both forests must know. Members of
Enterprise Admins in both forests can create the trusts in both forests
at once and, in this scenario, a password that is cryptographically
random is automatically generated and written for both forests.

Members of the Incoming Forest Trust Builders group can create one-way,
incoming forest trusts. For example, members of this group residing in
Forest A can create a one-way, incoming forest trust from Forest B. This
one-way, incoming forest trust allows users in Forest A to access
resources located in Forest B. Members of this group are granted the
permission Create Inbound Forest Trust on the forest root domain. This
group has no default members.
----

As you can see, for a one-way trust there is another group that could be
used but we never tested whether those permissions would be enough.
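A way to check which of the three groups named in the quoted Microsoft text an account already holds, so you know before attempting the trust whether it meets the stated requirement. This is an added example, not part of the thread or of FreeIPA's own tooling. It assumes a Windows host with the RSAT ActiveDirectory module and an account that can read group membership in the forest root domain; the name 'idmbind' is only the one from the thread. The groups are looked up by their well-known SIDs (Enterprise Admins RID 519, Domain Admins RID 512, BUILTIN\Incoming Forest Trust Builders S-1-5-32-557) rather than display names, so renamed or localised groups are still found.

```powershell
# Added example, not from the thread or the FreeIPA project.
# Assumes: Windows host, RSAT ActiveDirectory module, read access to the forest root domain.
Import-Module ActiveDirectory

function Get-ForestTrustGroupMembership {
    param(
        # sAMAccountName of the account to check ('idmbind' is the name used in the thread)
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $forest     = Get-ADForest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $dc         = $rootDomain.PDCEmulator

    # The groups Microsoft names for forest-trust creation, identified by well-known SIDs.
    # Enterprise Admins and Domain Admins are relative to the forest root domain SID;
    # Incoming Forest Trust Builders is a BUILTIN group that exists in the root domain.
    $groups = [ordered]@{
        'Enterprise Admins (forest)'                    = "$($rootDomain.DomainSID)-519"
        'Domain Admins (forest root domain)'            = "$($rootDomain.DomainSID)-512"
        'Incoming Forest Trust Builders (root BUILTIN)' = 'S-1-5-32-557'
    }

    # Search the global catalog (port 3268) so the account is found wherever it lives in the forest.
    $account = Get-ADObject -Server "$($dc):3268" -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    if (-not $account) { throw "Account '$SamAccountName' not found in forest $($forest.Name)" }

    foreach ($entry in $groups.GetEnumerator()) {
        # -Recursive expands nested groups, so membership through a nested group counts too.
        $members = Get-ADGroupMember -Server $dc -Identity $entry.Value -Recursive -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account  = $SamAccountName
            Group    = $entry.Key
            IsMember = [bool]($members | Where-Object { $_.SID -eq $account.objectSid })
        }
    }
}

# Usage: one row per group, IsMember = True where the account qualifies.
Get-ForestTrustGroupMembership -SamAccountName 'idmbind' | Format-Table -AutoSize
```

A True row for Enterprise Admins or Domain Admins covers the two-way trust case from the Microsoft text; a True row only for Incoming Forest Trust Builders matches the one-way, incoming case that Alexander notes was never tested on the FreeIPA side, so treat that result as "maybe sufficient" rather than confirmed.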