Showing results for 
Search instead for 
Did you mean: 

Join ISE to AD domain


Hi Experts,
We are in the process of joining a crashed back to AD.
AD user has certain rights removed due to security concerns.
It was later determined that this user will need to have domain admin rights to be able to join AD.

AD team has a concern regarding this assignment of rights for the user.
The question is does this user utilise LSA (Local Security Authority) to perform read/write operations in AD?

Due to this concern we are stuck since 2 months and going in circles...!

Any suggestions?

3 Replies 3

Rob Ingram
VIP Master VIP Master
VIP Master

@dgaikwad the user account does not need domain admin rights to join the ISE node to AD.

Once the ISE node is joined to the AD domain, a machine account is created - the link below lists the permissions required for that machine account, if you wish to restrict its permissions.

Thanks for the info.
I was going through the document, and the document does talk about mandatory domain rights:


Thus there is this concern if the LSA is being utilised to make changes to the AD domain.

The issue has been resolved and confirmed that domain rights are needed to join AD.
The domain rights are only utilised during the creation of the machine account in AD, post that domain rights are not needed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers