Specific account permissions for service account to join Windows Active Directory domain
If you are having trouble joining your FAC to your domain, the service account may need elevated permissions. If you are not comfortable just making it a Domain Administrator temporarily, I was able to confirm this list of permissions as being necessary for a service account to create/update a machine account into the domain:
Configure minimum privilege Windows AD user account
To respect the principle of least privilege, a domain administrator account should not be used to associate FortiAuthenticator with a Windows AD domain. Instead, a non-administrator account can be configured with the minimum privileges necessary to successfully join a Windows AD domain. To do this, create a user account in the applicable hierarchy of your Active Directory, then delegate the ability to manage computer objects to the user account.
1. In Active Directory, create a user account with the following options selected:
   - User cannot change password
   - Password never expires
2. In Active Directory Users and Computers, right-click the container under which you want the computers added, then click Delegate Control. The Delegation of Control Wizard opens.
3. Click Add, then enter the user account created in step 1.
4. Select Create custom task to delegate, then click Next.
5. Select Only the following objects in the folder, and then select Computer objects.
6. Select Create selected objects in this folder, then click Next.
7. Under Permissions, select Create All Child Objects, Write All Properties, and Change password.
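The same delegation can be scripted, which makes it reviewable and repeatable and lets you verify exactly which ACEs the join account ends up with. The PowerShell below is an added example, not Fortinet's code or documentation: it creates the service account with the two flags from step 1 and then writes the three rights from step 7 (Create All Child Objects, Write All Properties, Change password) onto the target OU, scoped to computer objects only, just as the Delegation of Control Wizard does. The OU distinguished names and the account name are placeholders you must replace; the schema and extended-right GUIDs are the well-known, forest-independent values for the computer class and the Change Password right. Run it as an account that already has rights to modify the OU's security descriptor, with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original post or Fortinet docs): least-privilege
# delegation for a FortiAuthenticator domain-join service account.
Import-Module ActiveDirectory

$computersOU = 'OU=FortiAuth-Computers,DC=example,DC=local'  # placeholder: where the FAC machine account will be created
$accountsOU  = 'OU=Service Accounts,DC=example,DC=local'     # placeholder: where the service account itself lives
$svcSam      = 'svc-fac-join'                                # placeholder service account name
$svcPassword = Read-Host -AsSecureString -Prompt "Password for $svcSam"

# Step 1: service account with "User cannot change password" and "Password never expires"
New-ADUser -Name $svcSam -SamAccountName $svcSam -Path $accountsOU `
    -AccountPassword $svcPassword -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true `
    -Description 'FortiAuthenticator domain join (delegated, non-admin)'

$svc = Get-ADUser -Identity $svcSam
$sid = [System.Security.Principal.SecurityIdentifier]$svc.SID

# Well-known GUIDs (same in every forest)
$computerClassGuid  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "computer" object class
$changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # "Change Password" extended right

$acl = Get-Acl -Path "AD:\$computersOU"

# Steps 5-7, "Create All Child Objects" restricted to computer objects:
# CreateChild on the OU, objectType = computer class, so nothing else can be created.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# "Write All Properties" on descendant computer objects only (not on the OU itself)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid))

# "Change password" extended right on descendant computer objects, needed when the
# appliance sets or rotates the machine account password.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $changePasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid))

Set-Acl -Path "AD:\$computersOU" -AclObject $acl

# Verification: show only the ACEs granted to the service account on that OU.
# You should see exactly three Allow entries: CreateChild, WriteProperty, ExtendedRight.
(Get-Acl -Path "AD:\$computersOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$svcSam" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Delegate on a dedicated OU rather than the domain root or the default Computers container: the account then has no rights anywhere else in the directory, and the verification query at the end is the thing to re-run after any change to confirm the delegation has not quietly widened.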