bwongtho
Cisco Employee

Passive ID credentials

I had three recent questions from the customer's server administrators. The questions were about the account to set up the passive-ID agent provider in ISE 2.3.

First question: does the agent provider really need to be a Domain admin? If not, what rights does it need?

Second question: we have other services using WMI today without domain admin rights. Why does the ISE passive ID WMI provider need to be a domain admin account?

And lastly, third question: if the ISE agent provider is installed by using domain admin account XYZ, can the account be changed after the agent is installed to domain account ABC, so that the ISE admin doesn't know the password or the account ABC? My assumption on question three is that, if changed, it will break the passive ID agent communication with ISE.

Looking forward to hearing your thoughts.

Accepted Solutions
ldanny
Cisco Employee

- The script for configuring WMI in AD was built based on admin rights only. That said, it can be done but is cumbersome, as you would need to modify DCOM, Registry, and Permissions settings.

Here is a CDA guide explaining the changes needed if you wish to use domain users, for example.

Installation and Configuration Guide for Context Directory Agent, Release 1.0 - Installing and Configuring Context Direc…

- Once the agent is installed, admin has no more meaning. The agent, though, is monitoring DCs, so if the user changes on the DCs you will need to update the DCs.

Timothy Abbott
Cisco Employee

To add to Danny's response, the account does not need to be a domain admin. For all the details, please see the admin guide and look in the monitor and troubleshooting section for all the changes that need to be made to Active Directory for PassiveID to work.

Regards,

-Tim
