If you are having trouble joining your FAC to your domain, the service account may need elevated permissions. If you are not comfortable just making it a Domain Administrator temporarily, I was able to confirm this list of permissions as being necessary for a service account to create/update a machine account in the domain:
This information was taken from this post:
Created on 02-24-2023 12:56 AM Edited on 02-24-2023 01:49 AM
Hi ergotherego,
Thanks for the contribution, I will look for an official document explaining that for sharing.
Best regards.
Created on 04-12-2023 02:49 AM
Hi ergotherego,
Here you can find our official documentation regarding account privileges:
https://docs.fortinet.com/document/fortiauthenticator/6.5.1/administration-guide/569230/ldap
To respect the principle of least privilege, a domain administrator account should not be used to associate FortiAuthenticator with a Windows AD domain. Instead, a non-administrator account can be configured with the minimum privileges necessary to successfully join a Windows AD domain. To do this, create a user account in the applicable hierarchy of your Active Directory, then delegate the ability to manage computer objects to the user account.
Best regards.
Ezequiel.
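The reply above points to the documented approach (a non-administrator account delegated the right to manage computer objects in one OU) but the page does not spell out how to do the delegation. The following is an added example, not code from the original post or from Fortinet's documentation. It assumes a hypothetical domain `example.local`, a target OU `OU=FortiAuth,DC=example,DC=local` and a service account named `svc-fac-join`; the set of rights granted (create/delete computer objects on the OU, plus Reset Password and write access to dNSHostName, servicePrincipalName and userAccountControl on computer objects beneath it) is a commonly used minimal domain-join delegation and is an assumption here, not a list taken from the page. Run it on a domain-joined admin workstation with RSAT as an account allowed to edit the OU's ACL.

```powershell
# Added example (not from the original thread): create a non-admin service
# account and delegate computer-object management on a single OU.
# Assumptions (hypothetical): domain example.local, OU below, account name below.
Import-Module ActiveDirectory

$ou          = "OU=FortiAuth,DC=example,DC=local"   # hypothetical target OU
$accountName = "svc-fac-join"                       # hypothetical service account
$password    = Read-Host -AsSecureString "Password for $accountName"

# Resolve schema and extended-right GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schema = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

# 1. Plain domain user: no group memberships beyond Domain Users.
New-ADUser -Name $accountName -SamAccountName $accountName -Path $ou `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true
$ident = [System.Security.Principal.SecurityIdentifier](Get-ADUser $accountName).SID

$computerClass = Get-SchemaGuid "computer"
$dnsHostName   = Get-SchemaGuid "dNSHostName"
$spn           = Get-SchemaGuid "servicePrincipalName"
$uac           = Get-SchemaGuid "userAccountControl"
$resetPassword = Get-RightsGuid "Reset Password"

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ou"

# 2. On the OU itself: may create and delete computer objects only (no other classes).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ident, "CreateChild, DeleteChild", $allow, $computerClass, "All"))

# 3. On computer objects beneath the OU: reset the machine password and write the
#    attributes a domain join sets. Scoped to the computer class via inheritedObjectType.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ident, "ExtendedRight", $allow, $resetPassword, "Descendents", $computerClass))
foreach ($attr in @($dnsHostName, $spn, $uac)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $ident, "ReadProperty, WriteProperty", $allow, $attr, "Descendents", $computerClass))
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. Verify: list only the ACEs granted to the service account on that OU.
function Show-DelegatedAces([string]$Path, [string]$Account) {
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType
}
Show-DelegatedAces -Path $ou -Account $accountName
```

The point of resolving GUIDs from the schema and the Extended-Rights container is that the ACEs are scoped to the computer object class and to the specific attributes, so the account cannot touch users, groups or other attributes in the OU. If the join still fails, compare the output of `Show-DelegatedAces` with the rights the join actually needs in your environment rather than widening the account to Domain Admins.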
Copyright 2025 Fortinet, Inc. All Rights Reserved.