FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
rbraha
Staff
Article Id 214599

Description

FortiAuthenticator join Windows AD with a non-administrator account configured with minimum privileges.

Scope

FortiAuthenticator.

Solution

A domain administrator account should not be used to join FortiAuthenticator to Windows AD. Instead, create a separate user account with the minimum privileges required for FortiAuthenticator to join Windows AD successfully.

In Active Directory, create a user account with the following options:

- User cannot change password.
- Password never expires.

[Screenshot: User create.png]

In Active Directory Users and Computers, right-click the container under which the computer objects need to be created, then select Delegate Control. The Delegation of Control Wizard opens.

[Screenshot: Delegate control.png]

Select Next.

Select Add, then enter the user account created earlier (named 'test' in this example).

Select Next.

[Screenshot: testpng.png]

Select Create a custom task to delegate, then select Next.

Select Only the following objects in the folder, and then select Computer objects.

Select Create selected objects in this folder, then select Next.

[Screenshot: compobje1.png]

Under Permissions, select Create All Child Objects, Write All Properties, and Change password. Select Next, then select Finish.

[Screenshot: end.png]

On FortiAuthenticator, go to Authentication -> Remote Auth. Server -> LDAP, enable Windows Active Directory Domain Authentication, and fill in the fields with the newly created user.

[Screenshot: wind join ad.png]

Also, in Active Directory under Computers, delete any old entry for the FortiAuthenticator if one exists, then test the join again with the new username.

[Screenshot: comput.png]

Additionally, the minimum permissions required on the OU for joining the staged computer are:
1) Reset Password.
2) Write account restrictions.
3) Write DNS hostname attributes.
4) Read personal information.
5) Write public information.
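The same result as the Delegation of Control Wizard steps above and the five minimum permissions listed here, scripted with the RSAT ActiveDirectory module so the delegation is reproducible and reviewable. This is an added example, not part of the Fortinet article; the account name 'fac-join', the OU path and the 'AD:' drive usage are assumptions for the reader's own environment, and the schema GUIDs are resolved at run time rather than hard-coded.

```powershell
# Added example (not from the article): least-privilege join account + OU delegation.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed.
Import-Module ActiveDirectory

$JoinUser = 'fac-join'                                  # placeholder account name
$OU       = 'OU=FortiAuthenticator,DC=example,DC=com'   # placeholder target OU

# 1. Account as described in the article: cannot change password, password never expires.
$pwd = Read-Host -Prompt "Password for $JoinUser" -AsSecureString
New-ADUser -Name $JoinUser -SamAccountName $JoinUser -AccountPassword $pwd `
    -CannotChangePassword $true -PasswordNeverExpires $true -Enabled $true
$sid = (Get-ADUser $JoinUser).SID

# 2. Resolve the rights/property-set GUIDs and the computer class GUID from the forest.
$rootDse = Get-ADRootDSE
function Get-RightGuid([string]$DisplayName) {
    # Extended rights, validated writes and property sets all live under Extended-Rights.
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}
$computerClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# 3. Build the ACEs. First: "Create selected objects in this folder" -> Computer objects.
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$None   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$OnDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$aces = @(New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $Allow, $computerClass, $None))

# The five minimum permissions from the article, each scoped to descendant computer objects.
$perComputer = @{
    'Reset Password'                   = 'ExtendedRight'   # 1) Reset Password
    'Account Restrictions'             = 'WriteProperty'   # 2) Write account restrictions
    'Validated write to DNS host name' = 'Self'            # 3) Write DNS hostname attributes
    'Personal Information'             = 'ReadProperty'    # 4) Read personal information
    'Public Information'               = 'WriteProperty'   # 5) Write public information
}
foreach ($name in $perComputer.Keys) {
    $right = [System.DirectoryServices.ActiveDirectoryRights]$perComputer[$name]
    $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $right, $Allow, (Get-RightGuid $name), $OnDesc, $computerClass)
}

# 4. Apply the ACEs to the OU and write the ACL back.
$acl = Get-Acl -Path "AD:\$OU"
$aces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$OU" -AclObject $acl
```

Afterwards, review the OU with `(Get-Acl "AD:\$OU").Access | Where-Object IdentityReference -like "*$JoinUser"` to confirm that only these entries were granted.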

After a successful join, the status can be seen in the GUI under Monitor -> Authentication -> Windows AD.

[Screenshot: Fac Joined1.png]