Passive ID - Non Domain Admin - Permissions question.

radotodo (Cisco Employee)

Hello Experts,


Based on the information provided in the following guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html


Required Permissions when AD User not in Domain Admin Group

For Windows 2012 R2, give the Active Directory user Full Control permissions on the following registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

  • HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

The following permissions also are required when an Active Directory user is not in the Domain Admin group, but is in the Domain Users group:


I have some questions about these permissions:

1. When we use the ISE-PIC Agent, does the user need the same set of permissions, including the DCOM and WMI ones?

2. If they are required, how exactly will the permissions be used? For example, to look up group membership of the users, read event logs, delete some events, etc.?

If somebody knows more about these permissions or has more information about that, it will be very appreciated.


Thanks,
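As an added example (not code from the Cisco guide or from anyone in this thread): a PowerShell script that audits whether the agent's AD account already holds Full Control on the two registry keys quoted from the guide above, and grants it only when run with -Grant. The account name EXAMPLE\svc-ise-pic is a placeholder, and the script assumes it is run in an elevated PowerShell session on the Windows 2012 R2 domain controller.

```powershell
# Added example, not code from the Cisco guide or this thread.
# Audits (and with -Grant, sets) the Full Control registry permission the guide
# lists for an AD account that is not a Domain Admin.
# Assumptions: run in an elevated PowerShell on the Windows 2012 R2 domain controller;
# $Account is a placeholder for the account the ISE-PIC agent uses.
param(
    [string]$Account = 'EXAMPLE\svc-ise-pic',   # placeholder, replace with the real account
    [switch]$Grant                              # without -Grant the script only reports
)

$FullControl = [System.Security.AccessControl.RegistryRights]::FullControl

# The two keys named in the guide; HKEY_CLASSES_ROOT is reached through the Registry provider.
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}'
)

foreach ($key in $Keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Key not found: $key"
        continue
    }

    $acl = Get-Acl -LiteralPath $key
    # Look for an Allow ACE (explicit or inherited) for this account covering every FullControl bit.
    $hasFullControl = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.RegistryRights -band $FullControl) -eq $FullControl)
    }

    if ($hasFullControl) {
        Write-Output "OK       $Account already has Full Control on $key"
        continue
    }

    if (-not $Grant) {
        Write-Output "MISSING  $Account lacks Full Control on $key (re-run with -Grant to add it)"
        continue
    }

    # Grant Full Control to the account, inherited by subkeys, without touching other ACEs.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        $FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl
    Write-Output "GRANTED  Full Control on $key to $Account"
}
```

Run it without -Grant first to see what the account already has. Two caveats: Get-Acl sometimes reports generic rights (a large numeric value rather than FullControl) on inherited ACEs, which this check treats as missing, so read the MISSING lines against the ACL in regedit before granting; and Set-Acl can fail with access denied when the key's owner does not give Administrators write access, in which case ownership of the key has to be adjusted first.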


Accepted Solution

The PIC agent is acting as a WMI client. The DCOM permissions are required by Microsoft to allow a WMI client to make the WMI requests.
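To check the access path the accepted solution describes without using a Domain Admin account, here is an added example (not code from Cisco or from anyone in this thread): a PowerShell script that connects to a domain controller over DCOM as the agent's account, exactly as a WMI client does, and then reads a few recent Security log records, which is the "reading event logs" use the original question asks about. The host name dc01.example.local is a placeholder, the credential is prompted for, and the script assumes it runs from a domain-joined machine other than the DC (Get-WmiObject does not accept -Credential for the local computer).

```powershell
# Added example, not code from Cisco or this thread.
# Exercises the two things a WMI client needs against a DC: a DCOM connection to the
# WMI service and a read of the Security event log, using the agent's (non-Domain-Admin) account.
# Assumptions: run from a domain-joined host other than the DC; $DomainController is a placeholder.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder, replace with a real DC
    [System.Management.Automation.PSCredential]$Credential =
        (Get-Credential -Message 'Account the ISE-PIC agent uses')
)

$results = [ordered]@{}

# 1. DCOM/WMI connection: can this account open root\cimv2 on the DC at all?
#    Get-WmiObject talks DCOM, the same transport the accepted answer refers to.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController `
        -Credential $Credential -ErrorAction Stop
    $results['DCOM/WMI connect'] = "OK ($($os.Caption))"
} catch {
    $results['DCOM/WMI connect'] = "FAILED: $($_.Exception.Message)"
}

# 2. Security log read through WMI, bounded to the last 15 minutes so the query stays cheap.
#    Reading the Security log needs the account's security-log privilege, hence -EnableAllPrivileges.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-15))
$wql = "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent " +
       "WHERE Logfile='Security' AND TimeGenerated >= '$since'"
try {
    $events = Get-WmiObject -Query $wql -ComputerName $DomainController -Credential $Credential `
        -EnableAllPrivileges -ErrorAction Stop
    $results['Security log read'] = "OK ($(@($events).Count) records in the last 15 minutes)"
} catch {
    $results['Security log read'] = "FAILED: $($_.Exception.Message)"
}

# Print a two-column summary.
$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

A failure on the first line means the account cannot reach WMI over DCOM at all (DCOM launch/activation or WMI namespace rights); a failure only on the second means the connection works but the account cannot read the Security log. The guide's table of DCOM and WMI settings is not reproduced in this thread, so map each failure back to that table rather than widening permissions blindly.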

3 Replies

hslai (Cisco Employee)

If the AD infrastructure has no special hardening and if using the credentials of an AD domain admin user to monitor the domain controllers, then this is usually sufficient without needing any additional changes. If using those of a user without domain admin privileges, then the changes are usually required unless they were already done for another integration, etc. If the AD infrastructure has some special hardening, then no changes are likely required. As AD hardening is out of scope for our support, please ask the customer to consult with Microsoft.

Hello hslai,


Thank you for the answers!

The most important part for my customer is to understand how exactly the agent will use the permissions for WMI and DCOM.


Thanks,

Radostin
