What is the least set of permissions you can give the program?

Question

Hello,

New to this program and we are setting it up now. I wanted to know if there is a least permissions setup for the Service account. I dont want to have an account that has access to domain admins group. Something that can still be a service account for Adaxes and manage limited OU's in my AD.

Answer 1

Hello,

The Adaxes service account (specified during the software installation) only requires the permissions to publish Adaxes in AD. For details on how to grant the permissions, have a look at section How do I grant permissions to publish Adaxes service of our installation guide: https://www.adaxes.com/help/InstallationGuide/#grant-permissions-to-publish-adaxes-service.

At the same time, all operations in a managed domain are performed using the account specified for the domain in Adaxes. The account must have all the native AD permissions for the operations you will be performing in Adaxes. For example, if you are only going to be resetting user passwords in an OU, you can only grant the account native AD permissions to see the OU, users in it and reset passwords of the users. It is recommended that the account is a member of the BUILTIN\Administrators group, but it is not a requirement.

It is also not recommended to use the Adaxes service account for managed domains. For information on how to check/change the account for a managed domain, see https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

Comments

Thanks. I was able to fix it out via the installation guide.