Wednesday, August 27, 2008

ILM 2 Beta 3 - Built-In Synchronization Account Goodness

In my last thrilling exposé on the nocturnal habits of service accounts (they authenticate even when you're not looking, eww) I talked a bit about the need for the ILM MA account. In some circles it's also called the SyncEngineAccount (not to be confused with the actual account used to run the Sync Engine, seriously) and in the ILM 2 portal it lurks as the unassuming Built-In Synchronization Account (BISA anyone?). Whatever you call it, there are a few interesting things you should know about this cantankerous chameleon:

  • It should be separate from the account you're using to run the ILM Sync Engine (miiserver) - more out of the need to enforce least privilege than any hard and fast rule
  • It does not need to be a Local Admin, although making it one alleviates the need for the next item if SQL is on the same box (on SQL Server 2005 the local Administrators group is a member of the sysadmin server role by default, so a Local Admin on the SQL box already has db_owner rights everywhere); nonetheless keep the privileges light
  • It does require as much as db_owner access to the MSILM database - at first I didn't think this was necessary but after further testing (and removing it from Local Administrators) this turns out to be true; there is probably a least privilege combination but I haven't found it yet since the whole Beta 3 is so touchy
  • It does have to be in the MIISAdmins group to be able to create Sync Rules and make configuration changes within ILM Sync
  • There is a bug (seen it twice myself and Joe Stepongzi confirmed it as well) where somehow this account gets an ExpectedRulesEntry applied even though it doesn't fall into the scope or sets defined by the MPR
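
As an added example (not code from the original post, and not anything shipped with ILM), here is a PowerShell audit script that checks a candidate Built-In Synchronization Account against the points above: that it is not the miiserver service identity, that it is not in local Administrators on the sync server, that it is in MIISAdmins, and that it holds db_owner on MSILM without also being sysadmin at the server level. The account name, the server names and the connection details are assumptions for illustration; the group and database names come from the post.

```powershell
# Added example, not from the original post: audit an ILM 2 Beta 3 Built-In
# Synchronization Account (BISA) against the privilege profile described above.
# Every name in the param block is an assumption for illustration.
param(
    [string]$BisaAccount = 'CONTOSO\svc-ilm-bisa',  # assumed BISA / ILM MA account
    [string]$SyncServer  = 'ilm-sync01',            # assumed host running miiserver
    [string]$SqlInstance = 'ilm-sql01',             # assumed SQL Server hosting MSILM
    [string]$Database    = 'MSILM'
)

$findings = @()

# Members of a local group on a (possibly remote) box via the WinNT ADSI
# provider, returned as DOMAIN\name strings so they compare with $BisaAccount.
function Get-LocalGroupMember([string]$Computer, [string]$Group) {
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $grp.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/svc-ilm-bisa -> CONTOSO\svc-ilm-bisa
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 1. The BISA must not be the identity that runs the Sync Engine service.
$svc = Get-WmiObject -ComputerName $SyncServer -Class Win32_Service -Filter "Name='miiserver'"
if ($svc -eq $null) {
    $findings += "miiserver service not found on $SyncServer"
} elseif ($svc.StartName -ieq $BisaAccount) {
    $findings += "BISA is the same account that runs miiserver ($($svc.StartName)); separate them"
}

# 2. It should not be a Local Admin on the sync server (least privilege).
if ((Get-LocalGroupMember $SyncServer 'Administrators') -contains $BisaAccount) {
    $findings += "BISA is in Administrators on $SyncServer; remove it and grant db_owner explicitly instead"
}

# 3. It must be in MIISAdmins to create Sync Rules and change ILM Sync configuration.
if ((Get-LocalGroupMember $SyncServer 'MIISAdmins') -notcontains $BisaAccount) {
    $findings += "BISA is not in MIISAdmins on $SyncServer; Sync Rule creation will fail"
}

# 4. db_owner on MSILM is required; sysadmin at the server level is not.
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
    "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_ROLEMEMBER('db_owner', @acct) AS IsDbOwner, " +
                       "IS_SRVROLEMEMBER('sysadmin', @acct) AS IsSysAdmin"
    [void]$cmd.Parameters.AddWithValue('@acct', $BisaAccount)
    $rdr = $cmd.ExecuteReader()
    [void]$rdr.Read()
    # IS_ROLEMEMBER returns NULL when no database user exists for the login,
    # which is reported here the same way as "not db_owner".
    if ($rdr['IsDbOwner'] -ne 1)  { $findings += "BISA is not db_owner on $Database (or has no user mapped there)" }
    if ($rdr['IsSysAdmin'] -eq 1) { $findings += "BISA is sysadmin on $SqlInstance; that is more than it needs" }
    $rdr.Close()
} finally {
    $conn.Close()
}

if ($findings.Count -eq 0) {
    "BISA '$BisaAccount' matches the expected privilege profile"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it under an account that can enumerate local groups and services on the sync server (WMI and the WinNT provider both need administrative rights remotely) and that can see the BISA's principal in SQL Server, otherwise the role checks come back NULL and are reported as findings. The script only reports; fixing a finding (for example running sp_addrolemember 'db_owner' for the account in MSILM) is left to you so that nothing is changed by accident on a touchy beta.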

So, what do we call this thing?

  • Sync Engine Account - too easy to confuse with the service account you're using to run the ILM Sync Service (miiserver) and I don't think they should be the same account although I expect many people will take a shortcut here and do just that
  • ILM MA Account - a little better but a little too self-limiting perhaps as it does have a role, however nebulous and nefarious, in the ILM 2 Portal
  • Built-In Synchronization Account - a little long but probably the best description and it is less confusing than just Sync Account or Sync Engine Account

So, my vote is for the Built-In Synchronization Account. I'd like to see the language around how the product exposes it become more consistent so that there is less confusion.
