Join ISE to AD domain

dgaikwad (Level 5)

Hi Experts,
We are in the process of joining a crashed ISE node back to AD.
Issue:
The AD user has had certain rights removed due to security concerns.
It was later determined that this user will need domain admin rights to be able to join AD.

The AD team has a concern regarding this assignment of rights to the user.
The question is: does this user utilise LSA (Local Security Authority) to perform read/write operations in AD?

Due to this concern we have been stuck for 2 months and are going in circles...!

Any suggestions?

3 Replies

@dgaikwad The user account does not need domain admin rights to join the ISE node to AD.

Once the ISE node is joined to the AD domain, a machine account is created. The link below lists the permissions required for that machine account, if you wish to restrict its permissions.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217351-ad-integration-for-cisco-ise-gui-and-cli.html

Thanks for the info.
I was going through the document, and the document does talk about mandatory domain rights:

[image attachment: dgaikwad_0-1671176251510.png]

Thus there is the concern that the LSA is being utilised to make changes to the AD domain.

The issue has been resolved, and it was confirmed that domain rights are needed to join AD.
The domain rights are only utilised during the creation of the machine account in AD; after that, domain rights are not needed.
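The thread's conclusion is that the join account only needs rights for the moment the ISE machine account is created, which is the classic case for delegating a narrow permission on one OU instead of handing out Domain Admins. The script below is an added example and not part of the thread or of Cisco's documentation; it shows, from the AD administrator's side, how a dedicated join account could be granted only "create/delete computer objects" on a target OU with `dsacls`, and how to verify afterwards that the account is not a member of Domain Admins and that the machine account landed in that OU. The OU distinguished name, the account name and the ISE host name are placeholders, and the exact permission set Cisco requires is the one listed in the linked document, not this script's assumption.

```powershell
# Added example (not from the thread or Cisco's docs): least-privilege delegation
# for an account that will be used to join an ISE node to AD.
# Requires the ActiveDirectory module (RSAT) and a session with rights on the target OU.
Import-Module ActiveDirectory

# --- Placeholders: replace with your own values -----------------------------
$TargetOU    = 'OU=ISE-Nodes,DC=example,DC=com'   # OU where ISE machine accounts will be created
$JoinAccount = 'EXAMPLE\svc-ise-join'              # dedicated, non-admin join account
$IseHostName = 'ise-node-01'                       # sAMAccountName (without $) of the ISE node
# ---------------------------------------------------------------------------

# 1. Grant only the rights needed at join time on this OU (and its children, /I:T):
#    CC;computer = create child objects of class computer
#    DC;computer = delete child objects of class computer (needed for re-joins after a crash)
#    This is an assumed minimal set; confirm against the vendor's documented list.
dsacls $TargetOU /I:T /G "${JoinAccount}:CC;computer"
dsacls $TargetOU /I:T /G "${JoinAccount}:DC;computer"

# 2. Verify the delegation is in place by reading the OU's ACL back.
(dsacls $TargetOU) | Select-String -Pattern ($JoinAccount -replace '^.*\\', '')

# 3. Confirm the join account is NOT a Domain Admin (the property the AD team cares about).
$samName = $JoinAccount -replace '^.*\\', ''
$groups  = Get-ADPrincipalGroupMembership -Identity $samName | Select-Object -ExpandProperty Name
if ($groups -contains 'Domain Admins') {
    Write-Warning "$samName is a member of Domain Admins; remove it before use."
} else {
    Write-Host "$samName is not in Domain Admins. Groups: $($groups -join ', ')"
}

# 4. After the ISE join completes, check that the machine account was created in the
#    delegated OU and nowhere else. Run this step once the join has been performed.
$computer = Get-ADComputer -Filter "Name -eq '$IseHostName'" -Properties DistinguishedName, whenCreated
if ($null -eq $computer) {
    Write-Host "No machine account named $IseHostName found yet."
} elseif ($computer.DistinguishedName -like "*,$TargetOU") {
    Write-Host "Machine account $($computer.DistinguishedName) created $($computer.whenCreated) in the delegated OU."
} else {
    Write-Warning "Machine account exists outside the delegated OU: $($computer.DistinguishedName)"
}
```

Run steps 1 to 3 before the join and step 4 after it. Because the delegation is scoped to one OU, the join account cannot create or delete computer objects elsewhere in the directory, which directly addresses the AD team's concern about broad write access; if the ISE join later fails with an access-denied error, compare the rights granted here with the list in the Cisco document linked above rather than widening the grant to Domain Admins.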