Support Forum
ergotherego
Contributor II

Specific account permissions for service account to join Windows Active Directory domain

If you are having trouble joining your FAC to your domain, the service account may need elevated permissions. If you are not comfortable just making it a Domain Administrator temporarily, I was able to confirm this list of permissions as being necessary for a service account to create/update a machine account in the domain:

• Reset Password
• Read and write Account Restrictions
• Validated write to DNS host name
• Validated write to service principal name

This information was taken from this post:

https://social.technet.microsoft.com/Forums/lync/en-US/1185fb93-913c-42e3-bcfc-dfbbba57a2bc/joining-...

ebujedo
Staff

Hi ergotherego,
Thanks for the contribution, I will look for an official document explaining that for sharing.

Best regards.

ebujedo
Staff

Hi ergotherego,
Here you can find our official documentation regarding account privileges:
https://docs.fortinet.com/document/fortiauthenticator/6.5.1/administration-guide/569230/ldap

Configure minimum privilege Windows AD user account

To respect the principle of least privilege, a domain administrator account should not be used to associate FortiAuthenticator with a Windows AD domain. Instead, a non-administrator account can be configured with the minimum privileges necessary to successfully join a Windows AD domain. To do this, create a user account in the applicable hierarchy of your Active Directory, then delegate the ability to manage computer objects to the user account.

1. In the Active Directory, create a user account with the following options selected:
   • User cannot change password
   • Password never expires
2. In Active Directory Users and Computers, right-click the container under which you want the computers added, then click Delegate Control.
   The Delegation of Control Wizard opens.
3. Click Next.
4. Click Add, then enter the user account created in step 1.
5. Click Next.
6. Select Create custom task to delegate, then click Next.
7. Select Only the following objects in the folder, and then select Computer objects.
8. Select Create selected objects in this folder, then click Next.
9. Under Permissions, select Create All Child Objects, Write All Properties, and Change password.
10. Click Next, then click Finish.

Best regards.

Ezequiel.
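The same delegation done from PowerShell instead of the Delegation of Control Wizard, as an added example that is not part of this thread or of the Fortinet documentation. It creates the service account from step 1 of the procedure above, then grants it, on one OU, the right to create Computer objects plus the four rights listed in the original post (Reset Password, read/write Account Restrictions, and the two validated writes), scoped to descendant computer objects only. That is narrower than the wizard's "Write All Properties"; if your join fails with only these rights, the wizard's broader set is the documented fallback. The OU distinguished name, the account name and the domain are placeholders; the rights and the computer class are looked up by name in the schema and configuration partitions rather than hard-coded. Requires the ActiveDirectory module (RSAT) and an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not from the thread or the Fortinet docs.
# Grants a dedicated service account the minimum rights to create and
# update computer objects under one OU, scoped to computer objects only.
Import-Module ActiveDirectory

$TargetOU   = 'OU=FortiAuth Computers,DC=corp,DC=example'   # placeholder OU DN
$SvcAccount = 'svc-fac-join'                                 # placeholder sAMAccountName

# Step 1 of the documented procedure: non-admin account, password never
# expires, user cannot change it.
$pw = Read-Host -AsSecureString 'Service account password'
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -AccountPassword $pw -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true

$rootDse = Get-ADRootDSE

# schemaIDGUID of the 'computer' class: used to scope every rule to
# computer objects, the equivalent of "Only ... Computer objects" in the wizard.
$computerGuid = [Guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
    -Properties schemaIDGUID).schemaIDGUID

# rightsGuid of an extended right, property set or validated write, looked
# up by its display name under CN=Extended-Rights in the configuration NC.
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $obj) { throw "Control access right '$DisplayName' not found" }
    [Guid]$obj.rightsGuid
}

$sid         = (Get-ADUser $SvcAccount).SID
$acl         = Get-Acl -Path "AD:\$TargetOU"
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Create Computer objects directly in the OU
# (wizard: "Create selected objects in this folder").
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $Allow,
    $computerGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))

# The four rights from the original post, applied to descendant computer
# objects only. 'Self' is the ActiveDirectoryRights name for validated writes.
$rules = @(
    @{ Right = 'ExtendedRight';              Name = 'Reset Password' },
    @{ Right = 'ReadProperty,WriteProperty'; Name = 'Account Restrictions' },
    @{ Right = 'Self';                       Name = 'Validated write to DNS host name' },
    @{ Right = 'Self';                       Name = 'Validated write to service principal name' }
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Right, $Allow,
        (Get-RightsGuid $r.Name), $Descendents, $computerGuid))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check: show exactly what the account now holds on the OU, so the result can
# be compared against the list in the original post before the join is attempted.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once, from an elevated session on a domain-joined admin workstation, after replacing the two placeholders. The final `Get-Acl` listing is the useful artefact: it shows the ObjectType GUIDs actually written, which is what an auditor or a later troubleshooter needs when the FortiAuthenticator join still fails and the question is whether the account has the rights the thread lists or something broader.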
