Join ISE to AD domain

dgaikwad
Contributor

Hi Experts,
We are in the process of joining a crashed back to AD.
Issue:
AD user has certain rights removed due to security concerns.
It was later determined that this user will need to have domain admin rights to be able to join AD.

AD team has a concern regarding this assignment of rights for the user.
The question is does this user utilise LSA (Local Security Authority) to perform read/write operations in AD?

Due to this concern we have been stuck for 2 months and are going in circles...!

Any suggestions?

3 Replies

Rob Ingram
VIP Master

@dgaikwad the user account does not need domain admin rights to join the ISE node to AD.

Once the ISE node is joined to the AD domain, a machine account is created - the link below lists the permissions required for that machine account, if you wish to restrict its permissions.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217351-ad-integration-for-cisco-ise-gui-and-cli.html

Thanks for the info.
I was going through the document, and the document does talk about mandatory domain rights:

[attached screenshot of the document's domain-rights table]

Thus there is this concern if the LSA is being utilised to make changes to the AD domain.

The issue has been resolved, and it is confirmed that domain rights are needed to join AD.
The domain rights are only utilised during the creation of the machine account in AD; after that, domain rights are not needed.
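The thread's conclusion is that the account used for the join only needs rights during creation of the ISE machine account, and Rob Ingram's reply points out that Domain Admins membership is not required. The script below is an added example, not code from the thread or from Cisco's documentation: it audits a candidate join account against the standard set of rights Active Directory needs for a computer join (create computer objects in the target container, plus Reset Password, the two validated writes and Write account restrictions on descendant computer objects), and flags Domain Admins membership. It assumes the RSAT ActiveDirectory module; the account name and container DN are placeholders to replace with your own. The GUIDs are the well-known AD schema and extended-right identifiers, not values taken from the page.

```powershell
# Added example (not from the thread or Cisco's documentation). Audits the rights
# an AD account holds on the container where ISE's machine account will be created,
# so the AD team can delegate the minimum rather than grant Domain Admins.
Import-Module ActiveDirectory

$JoinAccount = 'EXAMPLE\ise-join'            # placeholder: the account ISE will join with
$ComputersOU = 'OU=ISE,DC=example,DC=com'    # placeholder: container for the ISE machine account

# Well-known AD schema / extended-right GUIDs (standard values, not page-specific)
$ComputerClass   = 'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ResetPassword   = '00299570-246d-11d0-a768-00aa006e05fd'   # Reset Password extended right
$ValidatedDns    = '72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$ValidatedSpn    = 'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to service principal name
$AccountRestrict = '4c164200-20c0-11d0-a768-00aa006e05fd'   # Account Restrictions property set

function Test-DomainAdminMembership {
    param([Parameter(Mandatory)][string]$Account)
    $sam = $Account.Split('\')[-1]
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    return ($members -contains $sam)
}

function Test-IseJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$Account,     # e.g. 'EXAMPLE\ise-join' (placeholder)
        [Parameter(Mandatory)][string]$Container    # e.g. 'OU=ISE,DC=example,DC=com' (placeholder)
    )
    # Only explicit Allow ACEs naming this account are examined; rights that arrive
    # through group membership show the group, not the user, as IdentityReference.
    $rules = (Get-Acl -Path "AD:\$Container").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }

    # Each entry: right name => filter that is true for an ACE granting it
    $required = [ordered]@{
        'Create computer objects in the container' = {
            (($_.ActiveDirectoryRights -band 'CreateChild') -ne 0) -and $_.ObjectType -eq $ComputerClass }
        'Reset Password on descendant computers' = {
            (($_.ActiveDirectoryRights -band 'ExtendedRight') -ne 0) -and
            $_.ObjectType -eq $ResetPassword -and $_.InheritedObjectType -eq $ComputerClass }
        'Validated write to DNS host name' = {
            (($_.ActiveDirectoryRights -band 'Self') -ne 0) -and
            $_.ObjectType -eq $ValidatedDns -and $_.InheritedObjectType -eq $ComputerClass }
        'Validated write to service principal name' = {
            (($_.ActiveDirectoryRights -band 'Self') -ne 0) -and
            $_.ObjectType -eq $ValidatedSpn -and $_.InheritedObjectType -eq $ComputerClass }
        'Write account restrictions' = {
            (($_.ActiveDirectoryRights -band 'WriteProperty') -ne 0) -and
            $_.ObjectType -eq $AccountRestrict -and $_.InheritedObjectType -eq $ComputerClass }
    }

    foreach ($name in $required.Keys) {
        $granted = @($rules | Where-Object $required[$name]).Count -gt 0
        [pscustomobject]@{ Right = $name; Granted = $granted }
    }
}

# Usage: report Domain Admins membership (not needed for the join) and the delegated rights
if (Test-DomainAdminMembership -Account $JoinAccount) {
    Write-Warning "$JoinAccount is a member of Domain Admins; joining ISE does not require that."
}
Test-IseJoinDelegation -Account $JoinAccount -Container $ComputersOU | Format-Table -AutoSize
```

Any row reporting `Granted = False` is a right the AD team would delegate explicitly on the container instead of adding the account to Domain Admins. The check deliberately ignores broad grants such as GenericAll or ACEs inherited from a parent OU, so a result of all False can also mean the account has far more than it needs; compare against the full ACL output of `Get-Acl` before concluding.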
