cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1150
Views
0
Helpful
3
Replies

Passive ID - Non Domain Admin - Permissions question.

radotodo
Cisco Employee
Cisco Employee

Hello Experts,

 

Based on the information provided in the following guide :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html

 

Required Permissions when AD User not in Domain Admin Group

For Windows 2012 R2, give the Active Directory user Full Control permissions on the following registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

  • HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

The following permissions also are required when an Active Directory user is not in the Domain Admin group, but is in the Domain Users group:

 

I have some questions about this permissions :

1.When we use ISE-PIC Agent does the user need the same set of permissions including the DCOM and WMI ?

2.If they are required how exactly the permissions will be used / For example to look for Group Membership of the users / Reading Event logs / Deleting some events etc ?

 

If somebody know more about this permissions or has more information about that will be very appreciated .

 

Thanks,

 

1 Accepted Solution

Accepted Solutions

The PIC agent is acting as a WMI client. The DCOM permissions are required by Microsoft to allow a WMI client to make the WMI requests.

View solution in original post

3 Replies 3

hslai
Cisco Employee
Cisco Employee

If the AD infrastructure has no special hardening and if using the credentials of an AD domain admin user to monitor the domain controllers, then this is usually sufficient without needing any additional changes. If using those of a user without domain admin privileges, then the changes are usually required unless they already done for another integration, etc. If the AD infrastructure has some special hardening, then no changes are likely required. As AD hardening is out of scope for our support, please ask the customer to consult with Microsoft.

Hello hslai,

 

Thank you for the answers !

The most important part for my customer is to understand how exactly the agent will use the permissions for WMI and DCOM ?

 

Thanks,

Radostin

The PIC agent is acting as a WMI client. The DCOM permissions are required by Microsoft to allow a WMI client to make the WMI requests.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers