Cisco Secure Email Support Community


LDAP Account Permission

what permission does the LDAP account need in our Active Directory?



Ken Stieers
VIP Advocate

Assuming you're just using it for the various queries, just read access... generally a user that is a member of Domain Users and nothing else should work.

When the account is Domain Admins things work

When the account is only Domain Users things don't work

When I say things work or don't work, I mean a group query in an Outgoing Policy is not kicking in. In other words, we say if a user is in a group called "Super Duper Users" then do something to their mail. Well, our IronPort account needs to be a Domain Admin in order to do a lookup in Active Directory. I don't get why, as even Domain Users have read-only permissions.

so off to experiment

I'm glad i found this, I could not get it to work with the LDAP account user being a domain user. Did you find a solution to this? I would prefer not to have another admin account.



Our case is still open as we are trying to convince IronPort support this is still an issue, and not working as expected.  I am beginning to think that the engineer may not know how his LDAP account is permissioned on the backend, since it may have been configured by another group.  Also, sometimes in the lab people set things up with Domain Admin permissions, you know, just "to get things working", and then they never go back to make them secure.

anyway, more as the news develops

So we spoke with John over at IronPort support. He is one of our favorite Support Engineers, well, up until now, LOL. He confirmed that the IronPort LDAP account indeed needs to be a Domain Admin unless we contact Microsoft and they can tell us how to set it up differently. He also recommended some utilities along the lines of LDP and ADSI Edit to see if we can get to the OUs with that account.  I told him we can use our IronPort account in read-only mode (i.e. not Domain Admin) using those utilities and browse any group membership we need; it's only through the IronPort appliances that it doesn't work when it's not a Domain Admin.

We will be contacting Microsoft for sure to get this looked at; at this time, having a "service" account be a Domain Admin is not acceptable.

Did some digging..

The account does NOT have to be a domain admin

Turns out the account I'm using is a member of Account Operators.  AO is a standard group in AD, a description is here:

Ken, I love you man !!! that works, now to call IronPort Tech Support and edumecate them, LOL

It's odd that it doesn't work for you as a Domain User, because that's exactly how we have it configured here (I just checked). It works just fine for us. I suspect that there's something different about the fundamental protection settings of our respective ADs, but that's just a guess. I'm just the e-mail guy, I don't mess with AD.
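The thread never shows how to check what the service account can actually read, which is what decides whether it can stay in plain Domain Users rather than Account Operators (a group that can also create and modify non-admin accounts, so it is more than read-only) or Domain Admins. The script below is an added example, not part of this thread and not Cisco's code: it binds to AD as the appliance's LDAP account and runs the two lookups an Outgoing Policy group condition depends on (find the group, then find a mail user who is a member of it). The domain controller, base DN, account name and test mailbox are assumed placeholder values; "Super Duper Users" is the group named in the thread.

```powershell
# Added example, not from the thread or from Cisco. Binds to Active Directory as the
# appliance's LDAP service account and runs the two lookups an Outgoing Policy group
# condition depends on, so you can tell whether a non-Domain-Admin account can read
# what it needs. Server, base DN, account and mailbox below are assumed values.
param(
    [string]$Server    = "dc01.example.com",      # assumed domain controller
    [string]$BaseDN    = "DC=example,DC=com",      # assumed domain root
    [string]$BindUser  = "EXAMPLE\svc-ironport",   # assumed service account
    [string]$GroupName = "Super Duper Users",      # group named in the thread
    [string]$UserMail  = "jdoe@example.com"        # assumed test mailbox
)

Add-Type -AssemblyName System.DirectoryServices

# Escape the characters that carry meaning in an LDAP filter (RFC 4515), so a
# group name such as "Sales (EMEA)" cannot break or widen the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$cred = Get-Credential -UserName $BindUser -Message "Password for $BindUser"
$pw   = $cred.GetNetworkCredential().Password

# Bind with the low-privilege account (DirectoryEntry uses Negotiate by default, so
# the password is not sent in the clear). Touching NativeObject forces the bind, so a
# bad password or a disabled account fails here rather than at the first search.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDN", $BindUser, $pw)
try   { $null = $root.NativeObject }
catch { throw "Bind as $BindUser failed: $($_.Exception.Message)" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

# Lookup 1: can this account see the group and its member list at all?
$searcher.Filter = "(&(objectClass=group)(cn=$(ConvertTo-LdapFilterValue $GroupName)))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("member")
$group = $searcher.FindOne()
if ($null -eq $group) {
    Write-Warning "Group '$GroupName' is not readable as $BindUser (missing, or read denied)."
    return
}
$groupDN = [string]$group.Properties["distinguishedname"][0]
"Group DN:      $groupDN"
"Members seen:  $($group.Properties['member'].Count)"

# Lookup 2, the policy-style query: the user with this mail address who is a member
# of the group, directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN OID).
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
$searcher.Filter = "(&(objectClass=user)(mail=$(ConvertTo-LdapFilterValue $UserMail))" +
                   "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDN)))"
$user = $searcher.FindOne()
if ($null -eq $user) {
    Write-Warning "No user with mail=$UserMail visible in group '$GroupName' as $BindUser."
    Write-Warning "If the same query succeeds as a Domain Admin, the service account lacks read on the user or the group."
} else {
    "Policy match:  $($user.Properties['samaccountname'][0]) is in '$GroupName'"
}
```

Run it twice, once with the service account and once with an admin account. If lookup 1 or 2 succeeds only for the admin, the difference is a read ACL on the user, the group or their OUs (for example a container that has stopped inheriting the default Authenticated Users read permissions), and that ACL is what needs a read grant for the service account; adding the account to Account Operators or Domain Admins masks the ACL problem rather than fixing it.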

