I had three recent questions from the customer's server administration. The questions were on the account to set up the passive-ID agent provider in ISE 2.3.
First question: does the agent provider really need to be a Domain admin? If not, what rights does it need?
Second question: we have other services using WMI today without domain admin rights. Why does the ISE passive ID WMI provider need to be a domain admin account?
And lastly, third question: if the ISE agent provider is installed using domain admin account XYZ, can the account be changed after the agent is installed to domain account ABC, so that the ISE admin doesn’t know the password or the account ABC? My assumption on question three is that, if changed, it will break the passive ID agent communication with ISE.
To add to Danny's response, the account does not need to be a domain admin. For all the details, please see the admin guide and look in the monitor and troubleshooting section for all the changes that need to be made to Active Directory for PassiveID to work.