https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567434#M75602 <P>Marvin, Neno,</P><P>&nbsp;</P><P>Many thanks for you guys response!</P><P>&nbsp;</P><P>Tina</P> Thu, 11 Dec 2014 14:38:43 GMT Tong Zhang 2014-12-11T14:38:43Z https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567431#M75598 <P>Hi,</P><P>&nbsp;</P><P>Very often, when we integrate ISE with customer AD and try to join ISE into domains, customer will ask what kind of service account they'll create for us to use to join the domain.&nbsp; Based on Cisco documentation, the service account should allow ISE to read the AD user/machine records, and should also "has sufficient privileges to create and remove machine accounts in the domain, or alter the passwords for previously created machine accounts".&nbsp; Often, the latter part alerts the customer, and we've been pushed back and asked why.&nbsp; Based on the normal use cases, seems ISE only need to read the record rather than create account, what is the reason we need the capability to create the machine account?&nbsp; If the credential not support creating machine account, what's the impact?</P><P>&nbsp;</P><P>Many thanks in advance!</P><P>Tina</P> Mon, 11 Mar 2019 05:15:37 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567431#M75598 Tong Zhang 2019-03-11T05:15:37Z https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567432#M75599 <P>When you integrate ISE with AD, one of the things done by the service account (or other account used) is to join the ISE servers themselves to AD.</P><P>Once that is done, you could probably remove that particular privilege from the defined account if it's inconsistent with organizational security policy.</P><P>(Note that a 1.3 upgrade requires rejoining the ISE nodes so the privilege would need to be reinstated during the post-upgrade rejoin.)</P> Thu, 11 Dec 2014 00:42:27 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567432#M75599 Marvin Rhoads 2014-12-11T00:42:27Z https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567433#M75600 <P>Hello Tina, Marvin makes a very good point that ISE does not require a "Service Account" like ACS does. With ISE, once the deployment is joined to the domain, the AD account is no longer used so it can be disabled or even deleted. In addition, many of my customers don't even use a "service" account to join ISE. Instead, they use their own account or some other network related account.&nbsp;</P><P>I hope this helps!</P><P>&nbsp;</P><P><EM>Thank you for rating helpful posts!</EM></P> Thu, 11 Dec 2014 06:49:28 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567433#M75600 nspasov 2014-12-11T06:49:28Z https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567434#M75602 <P>Marvin, Neno,</P><P>&nbsp;</P><P>Many thanks for you guys response!</P><P>&nbsp;</P><P>Tina</P> Thu, 11 Dec 2014 14:38:43 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567434#M75602 Tong Zhang 2014-12-11T14:38:43Z https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567435#M75604 <P>Tina,</P><P>You're welcome.</P><P>Please take a moment to rate helpful posts.</P> Thu, 11 Dec 2014 14:59:28 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration/m-p/2567435#M75604 Marvin Rhoads 2014-12-11T14:59:28Z