https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065387#M200349 <HTML><HEAD></HEAD><BODY><P>Just a standard domain user account will do the job, as long as the user has permission to add a machine to the domain. Sometimes accounts are allowed 10 grace machine additions, but regularly now admins disable this option.</P><P>That's all it needs.</P></BODY></HTML> Wed, 10 Oct 2012 10:05:09 GMT bikespace 2012-10-10T10:05:09Z https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065384#M200343 <P>Does anyone have the actual permissions needed for the service account ISE uses to validate user information. I know it needs to be able to query AD to verify valid username/password and whether the account is disabled. But does anyone actually have the specific rigths that need to be granted through AD for those accounts without making the account a Domain Admin.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 02:37:33 GMT https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065384#M200343 Nicholas Copeland 2019-03-11T02:37:33Z https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065385#M200346 <HTML><HEAD></HEAD><BODY><P>Hope this helps:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011">http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011</A></P><P></P><P>The Active Directory&nbsp; username that you provide while joining to an Active Directory domain&nbsp; should be predefined in Active Directory and should have the permission&nbsp; to create and update for computer account objects and change password in&nbsp; the domain you are joining. </P><P></P><P><IMG src="http://www.cisco.com/en/US/i/templates/note.gif" /></P><HR /><P></P><P><A name="wp1296670"></A> </P><P> <STRONG>Note </STRONG><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="6" />If&nbsp; your Active Directory domain has subdomains and the user belongs to one&nbsp; of the subdomains, then, the username should also include the subdomain&nbsp; name. For example, for a domain abc.com, if there are two subdomains&nbsp; sub1 and sub2, and the user belongs to sub1, then the username should be&nbsp; sub1\user1. </P><P></P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 02 Oct 2012 15:49:37 GMT https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065385#M200346 Tarik Admani 2012-10-02T15:49:37Z https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065386#M200348 <HTML><HEAD></HEAD><BODY><P> I saw that in the user guide. Was wondering if anyone had more specific instructions for creating the account in AD without giving Domain Admin privelages to to the user account.</P></BODY></HTML> Tue, 02 Oct 2012 18:50:14 GMT https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065386#M200348 Nicholas Copeland 2012-10-02T18:50:14Z https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065387#M200349 <HTML><HEAD></HEAD><BODY><P>Just a standard domain user account will do the job, as long as the user has permission to add a machine to the domain. Sometimes accounts are allowed 10 grace machine additions, but regularly now admins disable this option.</P><P>That's all it needs.</P></BODY></HTML> Wed, 10 Oct 2012 10:05:09 GMT https://community.cisco.com/t5/network-access-control/ise-service-account-criteria-for-ad-enviroment/m-p/2065387#M200349 bikespace 2012-10-10T10:05:09Z